Yahoo! follies.

Perry E. Metzger perry at
Fri Oct 12 18:21:06 EDT 2007

Today's hall of shame entrant is, oddly, not a bank, but Yahoo!.

     Yahoo! Wallet. Because shopping is more fun than typing.

     o Store all your credit card, shipping and billing information.
       (Never type it in again!)
     o Easy check out at 1000s of merchants.
     o Use Wallet for purchases all around Yahoo!
     o Safe, Simple, and Secure.

     Sign up now.


Earlier today, I discovered that someone had stolen my credit card

These days, it is important to test out the credit card you've stolen
somehow before using it for a big purchase. If you have physical
possession of the card, the usual means these days is to do a small
charge at a gas station. If you don't have physical possession, you
need other means. Apparently, the means by which my particular thieves
tested out their new acquisition was with the use of Yahoo!'s "Yahoo!
Wallet" facility, and this is apparently a spreading practice.
It is with no small irony that "Yahoo! Wallet" advertises itself as
"Safe, Simple and Secure".

My issuing bank shut off my card after a charge was made with "Yahoo!
Wallet". The charge was for $1. There was also a much larger
suspicious charge, but the test was apparently via "Yahoo! Wallet".

I suggested to the guy at my issuing bank's fraud department that we
call up the "Yahoo! Wallet" people, just to make sure the attempted
$1 charge (which Yahoo! makes and afterwards reverses to test the card
numbers they are given -- kind of them to automate that step for
fraudsters) wasn't somehow triggered by something I had done without
realizing it, and to see if we could find out anything about who had
made the charge.

The fellow at my issuing bank's fraud department thought it would do
no good, but he called up Yahoo! with me on the phone anyway, with a
sound of resignation in his voice as he did it. I later learned why he
sounded so unenthusiastic. He'd been down this route before.  "Yahoo!
Wallet"'s customer service is run out of the Philippines, and has the
same keen sense of organization, training and fraud prevention that
one might find among kindergarteners with lifelong iodine deficiency.

We were quickly informed of about four or five things by the customer
service representative, all of them mutually contradictory and some of
them frankly incomprehensible because of the mangled grammar. However,
one thing he did say consistently was that he could not release
information on the account that had been created with my credit card
-- not even if I, the lawful owner of the account, requested it, and
not even if the issuing bank requested it. They would only release
such information if they got a legal order to do so, although there is
no right to financial privacy in US law on the part of people using
another person's account fraudulently.

It was explained to us, by the fairly confused and not entirely well
trained representative, that he could only release the information to
us if the credit card number that had been entered in was incorrect
and had not been successfully charged -- a policy that made just about
as close to no sense as one can imagine.

I asked to speak to a supervisor, and my bank's rep and I were
transferred after some time to an equally clueless individual.

"So let me get this straight. You are not allowed to give the fraud
investigation department at the issuing bank information about a
fraudulent account opened using a credit card from the issuing bank
even if both the issuing bank and the legitimate owner of the card
request it."

"Yes sir."

"But if the credit card number had been incorrect and we had somehow
given it to you, you could give us the account information."

"Yes sir."

"You do realize that not only does this make absolutely no sense, it
also makes "Yahoo! Wallet" the ideal way for people to check cards
before committing credit card fraud, right?"

And the rep went on to explain that wasn't their intent -- but their
intent clearly doesn't matter, only the results matter.

After the Yahoo! people (well, not really Yahoo! but almost certainly
the low bid contractor) got off the phone with us, the guy from my
bank noted to me that he had suspected the whole thing would be a
waste of time, as it was. I asked him how it was that Yahoo! could
operate with policies like this without getting their merchant account
pulled, and he opined that he didn't know, but he was no more pleased
with it than me.

So, let me note to all of you out there trying to commit financial
fraud, that "Yahoo! Wallet" is an especially Safe, Simple and Secure
way for you to verify that an account you have stolen is good. It is
especially Safe and Secure because Yahoo! will do their utmost to
block legitimate investigation into fraudulent use of credit

One wonders what exactly the people who came up with these policies
were thinking, since doubtless this costs them money and will
eventually result in serious trouble for them, but my experience in
such matters is that, for the people who set such services up,
thinking is the last thing on their minds.

Perry E. Metzger		perry at

The Cryptography Mailing List