Fraudsters are dining out on the proceeds of a new credit card scam. Con men are using credit card details harvested from a bogus (and now defunct) gadget website – called www.instant-av.co.uk – to fund huge restaurant orders. One London restaurant alone lost £10,000 supplying food and drink against stolen card details …
What has the secure symbol got to do with fraud?
I'm confused how having "the padlock" symbol (ie you credit card details are transmitted over SSL) would help in this situation.
When you have fraudsters that have setup a fake website selling non-existant goods to harvest credit card details, whether your card details are encypted or not when they are winging their way to the fraudsters is surely irrelevant?
The only thing you'll gain is the knowledge that they won't be intercepted by any other fraudsters out to defraud the original fraudsters!
What's the padlock got to do with it? That just means your data is sent encrypted over the network. If the unscrupulous bugger at the other end is printing off your details and going on a shopping spree, I fail to see how HTTPS will help.
Follow the rules...
> London restaurants should be wary of any orders they may receive over the telephone where the customer wants to pay with more than one credit card, especially when punters say the order will be collected by taxi.
This sounds like those restaurants have failed to pay attention to the rules set down by their Card Processing service.
Nat West's Streamline cautions users that any transaction, especially Cardholder Not Present, where the purchaser offers to pay with more than one card should be treated as suspicious and that goods should never be handed over to a third party.
Also if someone offers to pay CNP and then comes to pick up the goods, the retailer should cancel the CNP transaction and process the card physically.
I don't doubt that other Card Processors have similar rules.
Displaying padlock symbol? Duh
Er, am I missing something? How is it relevant that a Web page displays a padlock for secure link? There's no obvious link between a Web page securely communicating with the server, and the people who run that server not being crooks?!?!!
Padlock? Yeah, right.
Just because a website has a valid server certificate doesn't mean you should trust it. All it means is that your details can't be intercepted en-route. The gits at the other end could still be ripping you off, which by the sound of it is exactly what happened here.
Secure connections make no difference here
"Firstly, always look for the padlock symbol that shows the site is secure."
Rubbish. If you can't trust the people running the website, who cares whether your credit card details were transmitted to them securely.
"instant-av.co.uk did not display the "padlock" security symbol that indicates credit card details are being transmitted across an encrypted link."
So? A padlock means nothing if the site itself is bogus.
overrides common sense. The "no padlock" hence unencrypted data transfer should have been enough to stop purchasers. On top of that there is the giving of credit card details to a internet based business that is a new and unknown entity. My heart bleeds.
Any Joe can set up a commercial site with empty promises. I am surprised this kind of thing doesn't happen more often. There are times I wish I wasn't so honest, I could be a very rich man instead of a poor honest one.
"A fool and his money are soon parted"
Expect more of this in our must have society.
Watch out for that padlock!
"Firstly, always look for the padlock symbol that shows the site is secure."
This has to be a dumbest, and yet most common, bit of web security advice.
How hard is it for a website to display a padlock gif?
How hard is it for a Web site to display a padlock GIF?
Trivial. But that is not what we're talking about.
A padlock in the body of a Web site means nothing. A padlock on the outside frame of the window means the Web site is secured with an SSL certificate. A Web master can't draw a GIF picture of a padlock on the outside frame of the window.
Of course, having a security certificate means nothing if the site itself is untrustworthy. But anyone anywhere who submits a credit card number to a site WITHOUT a security certificate is foolish in the extreme. Entering a credit card number on a Web site not displaying a symbol showing a secure connection is just begging to have your credit card information stolen. It's mind-boggling how many people don't know that one simple thing.
Gav, Gav, Gav...
How do you get your browser to display a padlock in the status bar? Or get browsers like Opera or Mozilla, who use the address bar instead, to display the appropriate 'secure' option?
You can't. But that's not to say that you're wrong about that being the dumbest and yet most commonly given web security advice. :-)
i think thats what Gav was getting at....
...that just saying 'look for a padlock' in order to make the average noob online consumer be sure their transaction is safe isn't enough, you do indeed need to get them to look in the right places. As pointed out, its not always in the same place, depending on your browser.
Padlock is irrelevant
Having a padlock or not is irrelevant. I have dealt with one particular website without a padlock before and the goods still arrived as promised and to date I have not detected any entries on my card's bill which I'm not able to identify. Likewise, as a web developer, I can attest that creating a so-called "secure" website is too easy - anyone with a Windows 2000 advance server or Windows 2003 enterprise installation (which wouldn't be too hard to get off torrent from any warez site) can make themselves a certificate which would trigger the padlock logo.
Like many have said, the padlock is just an indication that the connection is secure between you and the other end. It wouldn't make any difference if the owner of the website is a crook anyway.
Padlock - some justification
Actually the author has probably thought this through. Some (probably many) web users need to be able to do something that's easy to remember and perform to be satisified to a point with the security of a web site.
The padlock indicates that a server certificate is present and that it has been issued by a certificate authority known to the browser e.g. Thawte, Verisign etc. Some checks will have been carried out by the CA on the server certificate applicant. If the cert wasn't issued by a known CA then the browser informs the web user.
If you trust the authority and the checks it has made on the server applicant then you can reach a level of trust for the server. Not perfect as you don't know what the checks are and therefore the quality of the information.
Padlock... You what??
The padlock is perhaps the most common bit of badly given security advice. While it does mean the transmissions are encrypted, in this case what difference would it have made? If I was operating a secure website but had dodgy employees, whats to stop them using the card details to make purchasing? The padlock only helps if you have someone sniffing the details.. doesnt stop fraud internally.
Authentication and Encryption
>> I'm confused how having "the padlock" symbol (ie you credit card details are transmitted over SSL) would help in this situation.
A valid SSL certificate doesn't just ensure encryption, it also authenticates the server as being operated by someone who has registered with an issuing body.
Additionaly, whilst it might not always be safe to give your card details when the 'padlock not being displayed' - It is always unsafe to give your card details to someone who neither authenticates themselves to you nor takes care to encrypt your details.
Google has suspended payment facilities??
"Google has suspended payment facilities on sites believed to be associated with the scam."
Are they saying the scammers have registered with google checkout??? if they did, then they wouldn't get to see the credit card numbers... and the suckers would have seen the padlock...
The whole idea seems to be harvesting cc Numbers not actually charging people for the fake ipods with a legit online payment system... or have I missed something