New Credit Card Scam (fwd)

Lance James lancej at securescience.net
Mon Jul 11 20:13:23 EDT 2005


Jason Holt wrote:

>
> I remember the first time a site asked for the number on the back of 
> my credit card.  It was a Walmart or Amazon purchase, and with no 
> warning they redirected me to some site with a questionable domain. I 
> thought for sure my session was being hijacked, and my bank had given 
> me no idea what the number was for or whether it was something I was 
> supposed to give out.
>
> To me, this is closely related to the discussions we have here about 
> web browser security semantics.  With a very good understanding of the 
> underlying PKI, we can usually sort out "secure" from "suspicious" 
> site behaviors with some discussion, but how is the average user (or 
> even the average engineer) supposed to cope?  Is there a standard or 
> even just a document somewhere that defines best practices for both 
> server and user behavior with respect to SSL web sites and credit card 
> transactions?  Or are we leaving them to forward emails to each other 
> warning them not to give out their 3-digit codes over the phone, and 
> that they had better make sure their Dell doesn't have a DHS keylogger 
> installed...


Even with standards in place for the consumer, that's only half of the 
circle. Phishers/Scammers are evolving rapidly and are either black hats 
themselves or have access to employing black hats to compromise sites, 
or perform cross-user attacks on the user. Companies like Amazon are 
only as secure as how they have devised their infrastructure - and as 
you and everyone else here knows, SSL is one layer of the "security in 
depth" infrastructure model. This threat vector has not been addressed 
by commercial entities that offer transaction services for many reasons, 
one being that the procurement process takes a long time just to get any 
security technology in place to fend off these attacks. Soon phishers 
will just use the site itself to phish users, pushing away the 
dependency on tricking the user with a "spoofed" or "mirrored" site.

>
>                             -J
>
> ---------- Forwarded message ----------
> Date: Mon, 11 Jul 2005 11:28:50 -0700
> To: undisclosed-recipients: ;
> Subject: New Credit Card Scam
>
> I got this from a co-worker today:
>
> Apparently, they don't ask for your number, just the 3 digit code on
> the back. They'll tell you they're calling from your Visa or Mastercard
> company and that they're trying to verify whether or not you've made a
> $497.99 purchase from a company in Arizona or something. They'll tell
> you to call your credit card company if you have any questions, etc,
> and they never ask for your card number, so it sounds pretty legit, but
> it's not. If it does happen to you, within a few minutes of the phone
> call you'll have a charge for $497.99 on your card. You can always call
> the credit card company yourself and make sure they're the ones wanting
> to check about fraudulent charges, so if you get a call that sounds
> fishy, just tell them you'll call them back at the number on your card.
>


-- 
Best Regards,
Lance James
Secure Science Corporation
www.securescience.net
Author of 'Phishing Exposed'
http://www.securescience.net/amazon/
Find out how malware is affecting your company: Get a DIA account today!
https://slam.securescience.com/signup.cgi - it's free!


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com