Phishing fraudsters are using promises of financial discounts to trick unwary users into handing over their credit card details. Scam emails that form the basis of the fraud claim to be part of MasterCard's SecureCode scheme. Con men are attempting to exploit a lack of familiarity with the recently introduced programme, which …
Being as phishing scams love to target banks, building societies, paypal - anything to do with cash then I am surprised it took this long.
Enough people will always click on links and be fooled by a lookalike web site (possibly with a vaguely sensible looking domain name to further fool them) to make these scams worthwhile.
Until all mail clients stop implementing hyperlink clickthroughs (or at the very least give big warnings) then these scams will continue - and let's face it - the chances of link clicks being disabled in Outlook etc. are minimal.
I am afraid the only way some people will learn is by being conned :-(
Yes but it has some plausibility
If it didn't it wouldn't work. CC companies have tried all sorts of schemes to lure customers, so it's not that great a stretch. "If it seems too good to be true" is still valid, but just who is ripping you off is not as easy to figure out sometimes: is it a credit card company or a phisher?
Just remove the human from the chain
Everyone gets a USB chip & PIN reader with their debit card, set to read only that card, with a browser plugin which communicates with the bank and not the merchant.
If the human is still in the chain, making something foolproof will only make better idiots.
It's the banks that need to improve authentication
I've got to agree with the chap above that mentioned the additional authentication. Banks should be forced to have a minimum standard of authentication, but preferably one that doesn't involve tokens or card readers.
Personally I think they are just a pain in the arse to use.
As for the email scam, it's MasterCard and Visa who need a slap for this for introducing an authentication scheme and doing sod all to promote or publicise it and the way it helps. If people had been educated, then they would know when something was or wasn't a scam. Guess they are too busy counting their money though...
Cash. Cash. Cash.
Screw credit cards.
RE: Just remove the human from the chain
Even better, make the C&P card include a usb interface.
Ah, so now we know what Solomon Grundy did on a Thursday
He talked out of his arse on a Thursday.
Paris Hilton because even she's not stupid enough to think you can make online purchases with cash
VerifiedByVisa/SecureCode is hideously insecure anyway
The procedure for me to sign up to Verified By Visa a few years ago was:
- HSBC send me a letter on headed notepaper telling me to call them on this number or else they'll disable my ability to use my card online
- Being a suspicious person, I call the HSBC telephone banking line; they tell me they know nothing about it but I should call the number on the letter (which they don't verify).
- "HSBC" person on phone asks for all my credit card details. They then give me web address to visit, and assign me a guessable username and a temporary password of "password" (no I'm not kidding).
- I go to the web site. It's https://something.arcot.com - a secure site, but the SSL certificate is owned by a company I've never heard of, with no obvious links to HSBC (other than the easily copyable logos).
- I enter the username and password they just gave me.
- I confirm some details & enter my new Verified By Visa password.
You'll note that there was no way in any of the above for me to be sure I was communicating with HSBC. I might have just given my details to a phisher who sent out real snail-mail letters. (Actually I spent half an hour doing research & eventually decided that Arcot (http://www.arcot.com/) are probably a legit but incompetent provider of security services to banks.)
Now, what about entering my VBV password when I buy something? Well, it's done inside a frame on the merchant's site. So it's hard for me to check that the frame I'm about to enter my password in is really HSBC's "secure" VBV web site, because I can't see the URL (unless I right-click & choose Properties - which I'm not going to do every time). And even if I did, it's an Arcot URL, not an HSBC one. So the merchant could use a classic man-in-the-middle attack - serve the VBV password page from their own secure web site, remember the password & pass it on to HSBC. Once the transaction goes through, the merchant has a record of my VBV password in addition to all the other credit card details, and can go spend my money at other VBV sites. I can imagine the conversation with the bank: "But they used your VBV password! It must have been you! And if not, then your PC must have a virus, so tough."
@ one of the anonymous cowards...
"As for the email scam, it's MasterCard and Visa who need a slap for this for introducing an authentication scheme and doing sod all to promote or publicise it and the way it helps."
Couldn't agree more. The only reason I know what they are is because I managed the development of my previous employer's online shopping facilities. Public promotion is practically non-existent. I still haven't signed up for it myself though, because I'm careful where I use my card and don't succumb to phishers.
If only the ISPs could think of a way to build anti-phishing measures into their service... perhaps they could finance this with some targeted advertising of some sort.
Verified by and SecureCode are worthless
So my card details get compromised, some ratbag in some foreign land has them. They then try to run up some bills on my card and make themselves some money.
"Oh noes. I don't have his SecureCode. What am I going to do?" Oh. Wait a minute. It's an entirely optional thing, I can buy from a different retailer that doesn't use SecureCode.
Until they make Verified By and SecureCode compulsory for all of their online retailers they're just a pain in my arse when I try to buy something. An extra screen I need to go through.
Paris because she must have designed SecureCode and Verified By
>USB chip & pin reader with their debit card
Why not just a usb dongle instead of a credit card?
Could even have buttons on it for the pin rather than some dodgy keyboard entry...
NO HTML email. NONE! If you want something, send the link in plain text, and then use it. It becomes VERY obvious then there is a problem.
EBAY, PayPal are you listening?
Oh, address me by name. It always helps.
Undisclosed Recipients: To the bin!
I for one would not fall for this, as none of the banks I do business with have implemented SecureCode. In fact, this article is the first time I have even heard about such a scheme.
Anyway, it seems it requires a Maestro card, tough; one bank tried implementing that about 10 years ago over here and the backlash was such that they just rolled back the entire scheme. So no Maestro cards here.
Some banks use "Chip & PIN", minus the PIN ;) so basically we're still stuck in magstripe stone age. Oh well, at least online banking uses compulsory tokens since last year.
It doesn't matter what precautions banks, etc, use.
Phishers can openly admit they are spamming random addresses, knowing that some morons will fall for it.
"If you are not customer of Natwest Bank Personal and Commercial please ignore this notification!"
RE: Verified by and SecureCode are worthless
It may be worthless to the online customer but not to the merchant. The two schemes stop the merchant having the dreaded chargebacks on Customer Not Present (CNP) transactions that can end up costing the merchant a lot of money (if the goods were paid for using one of the two schemes).
Rogue sites are more worrying
It's man-in-the-middle attacks with a redirect from a rogue website that I'm most worried about. Email is obvious and relatively simple. But what happens if someone sets up a fake website that includes a payment link to a fake checkout.google.com page and simply harvests credit card details rather than sending them to Google? It can look secure; SSL certs can be bought for $15. All it needs to do is show a 'Sorry, timeout' page and you wouldn't know you've been hit.
Even spotting fake URLs can be hard, even with plain text. Would you spot the difference between http://checkout.google.co.uk and http://checkout-google.co.uk at a quick glance (or http://www-mastercard.co.uk or http://www2-barclays.co.uk etc.)?
The only way I can see to beat phishers is that any access codes you use should be created as a hash of your password with the page URL through a simple offline coder. You never enter the real password/code, only the hash, so rogue URLs will always generate an incorrect hash.
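The per-site code scheme in the post above, as an added example that is not from the commenter or from any bank's product. It assumes HMAC-SHA256 as the "simple offline coder" (the post names no particular hash) and binds the code to the URL's host, so the lookalike domains listed earlier in the post yield different codes.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def site_key(url: str) -> str:
    """Reduce a page URL to the host the code is bound to.

    urlsplit().hostname is already lower-cased and has the port stripped,
    so https://checkout.google.co.uk:443/pay and HTTPS://CHECKOUT.GOOGLE.CO.UK
    map to the same key, while checkout-google.co.uk is a different host.
    """
    host = urlsplit(url.strip()).hostname
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    return host


def site_code(master_password: str, url: str, length: int = 16) -> str:
    """Derive the code actually typed into the site: HMAC(master password, host).

    HMAC-SHA256 is an assumption for this example. The master password never
    leaves the user's machine; a rogue host only ever sees a code that is
    useless on the real site, because the real site's host differs.
    """
    mac = hmac.new(master_password.encode("utf-8"),
                   site_key(url).encode("utf-8"),
                   hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode("ascii").rstrip("=")[:length]


def codes_match(master_password: str, url_a: str, url_b: str) -> bool:
    """True only if both URLs would receive the same per-site code."""
    return hmac.compare_digest(site_code(master_password, url_a),
                               site_code(master_password, url_b))


if __name__ == "__main__":
    # Constructed sample: the lookalike pairs from the post above.
    pw = "correct horse battery"  # constructed master password
    for real, fake in [("http://checkout.google.co.uk", "http://checkout-google.co.uk"),
                       ("http://www.mastercard.co.uk", "http://www-mastercard.co.uk"),
                       ("http://www.barclays.co.uk", "http://www2-barclays.co.uk")]:
        print(f"{site_key(real):25} -> {site_code(pw, real)}")
        print(f"{site_key(fake):25} -> {site_code(pw, fake)}  same? {codes_match(pw, real, fake)}")
```

The bank would enrol the per-site code rather than the master password, which is the part of the scheme the post leaves implicit.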
Chip and Pin flaw...
...there's a flaw with Chip and Pin anyway. Here's how to get round it in shops, anyway:
1) Get a natwest/barclays/whoever card reader to test your handiwork.
2) Steal a chip and pin card.
3) Scratch/electrocute the chip till it won't read (test this with the reader from step one)
4) Practise the signature on the back of the card
5) Use it in a shop
6) "Sorry sir, the chip's broken. Would you sign for it instead?"
7) "Of course, I'd love to".
And I trade my discount in where???
Weeeel I guess it all beats Green Shield Stamps.......
A random thought
> If only the ISPs could think of a way to build anti-phishing measures into their service... perhaps they could finance this with some targeted advertising of some sort.
I wonder if, once opted into this scheme, you become a victim of a phishing site, BT or whoever, will be accountable for all losses sustained by you. Now that would be funny.