Phishers offer credit card discounts to prospective marks

Phishing fraudsters are using promises of financial discounts to trick unwary users into handing over their credit card details. Scam emails that form the basis of the fraud claim to be part of MasterCard's SecureCode scheme. Con men are attempting to exploit a lack of familiarity with the recently introduced programme, which …

COMMENTS

This topic is closed for new posts.
  1. Dave

    No surprises

    Being as phishing scams love to target banks, building societies, PayPal - anything to do with cash - then I am surprised it took this long.

    Enough people will always click on links and be fooled by a lookalike web site (possibly with a vaguely sensible looking domain name to further fool them) to make these scams worthwhile.

    Until all mail clients stop implementing hyperlink clickthroughs (or at the very least give big warnings) then these scams will continue (and let's face it, the chances of link clicks being disabled in Outlook etc. are minimal).

    I am afraid the only way some people will learn is by being conned :-(

  2. Anonymous Coward

    Yes but it has some plausibility

    If it didn't, it wouldn't work. CC companies have tried all sorts of schemes to lure customers, so it's not that great a stretch. "If it seems too good to be true" is still valid, but just who is ripping you off is not as easy to figure out sometimes: is it a credit card company or a phisher?

  3. Anonymous Coward

    Just remove the human from the chain

    Everyone gets a USB chip & PIN reader with their debit card, set to read only that card, with a browser plugin which communicates with the bank and not the merchant.

    If the human is still in the chain, making something foolproof will only make better idiots.

  4. Anonymous Coward

    It's the banks that need to improve authentication

    I've got to agree with the chap above that mentioned the additional authentication. Banks should be forced to have a minimum standard of authentication, but preferably one that doesn't involve tokens or card readers.

    Personally I think they are just a pain in the arse to use.

    As for the email scam, it's MasterCard and Visa who need a slap for this, for introducing an authentication scheme and doing sod all to promote or publicise it and the way it helps. If people had been educated, then they would know when something was or wasn't a scam. Guess they are too busy counting their money though...

  5. Solomon Grundy

    Better Solution

    Cash. Cash. Cash.

    Screw credit cards.

  6. Dr. Mouse

    RE: Just remove the human from the chain

    Even better, make the C&P card include a usb interface.

  7. Anonymous Coward

    Ah, so now we know what Solomon Grundy did on a Thursday

    He talked out of his arse on a Thursday.

    Paris Hilton because even she's not stupid enough to think you can make online purchases with cash

  8. Jon

    VerifiedByVisa/SecureCode is hideously insecure anyway

    The procedure for me to sign up to Verified By Visa a few years ago was:

    - HSBC send me a letter on headed notepaper telling me to call them on this number or else they'll disable my ability to use my card online

    - Being a suspicious person, I call the HSBC telephone banking line; they tell me they know nothing about it but I should call the number on the letter (which they don't verify).

    - "HSBC" person on phone asks for all my credit card details. They then give me web address to visit, and assign me a guessable username and a temporary password of "password" (no I'm not kidding).

    - I go to the web site. It's https://something.arcot.com - a secure site, but the SSL certificate is owned by a company I've never heard of, with no obvious links to HSBC (other than the easily copyable logos).

    - I enter the username and password they just gave me.

    - I confirm some details & enter my new Verified By Visa password.

    You'll note that there was no way in any of the above for me to be sure I was communicating with HSBC. I might have just given my details to a phisher who sent out real snail-mail letters. (Actually I spent half an hour doing research & eventually decided that Arcot (http://www.arcot.com/) are probably a legit but incompetent provider of security services to banks.)

    Now, what about entering my VBV password when I buy something? Well, it's done inside a frame on the merchant's site. So it's hard for me to check that the frame I'm about to enter my password in is really HSBC's "secure" VBV web site, because I can't see the URL (unless I right-click & choose Properties - which I'm not going to do every time). And even if I did, it's an Arcot URL, not an HSBC one. So the merchant could use a classic man-in-the-middle attack - serve the VBV password page from their own secure web site, remember the password & pass it on to HSBC. Once the transaction goes through, the merchant has a record of my VBV password in addition to all the other credit card details, and can go spend my money at other VBV sites. I can imagine the conversation with the bank: "But they used your VBV password! It must have been you! And if not, then your PC must have a virus, so tough."

  9. Johnny FireBlade

    @ one of the anonymous cowards...

    "As for the email scam, it's MasterCard and Visa who need a slap for this for introducing an authentication scheme and doing sod all to promote or publicise it and the way it helps."

    Couldn't agree more. The only reason I know what they are is because I managed the development of my previous employer's online shopping facilities. Public promotion is practically non-existent. I still haven't signed up for it myself though, because I'm careful where I use my card and don't succumb to phishers.

  10. Anonymous Coward

    If only....

    If only the ISPs could think of a way to build anti-phishing measures into their service... perhaps they could finance this with some targeted advertising of some sort.

  11. David Barr

    Verified by and SecureCode are worthless

    So my card details get compromised, some ratbag in some foreign land has them. They then try to run up some bills on my card and make themselves some money.

    "Oh noes. I don't have his SecureCode. What am I going to do?" Oh. Wait a minute. It's an entirely optional thing, I can buy from a different retailer that doesn't use SecureCode.

    Until they make Verified By and SecureCode compulsory for all of their online retailers they're just a pain in my arse when I try to buy something. An extra screen I need to go through.

    Paris because she must have designed SecureCode and Verified By

  12. Anonymous Coward

    >USB chip & pin reader with their debit card

    Why not just a USB dongle instead of a credit card?

    Could even have buttons on it for the PIN rather than some dodgy keyboard entry...

  13. Herby

    Simple solution?

    NO HTML email. NONE! If you want something, send the link in plain text, and then use it. It becomes VERY obvious then there is a problem.

    EBAY, PayPal are you listening?

    Oh, address me by name. It always helps.

    Undisclosed Recipients: To the bin!

  14. Daniel B.

    SecureCode?

    I for one would not fall for this, as none of the banks I do business with have implemented SecureCode. In fact, this article is the first time I have even heard about such a scheme.

    Anyway, it seems it requires a Maestro card, though; one bank tried implementing that about 10 years ago over here and the backlash was such that they just rolled back the entire scheme. So no Maestro cards here.

    Some banks use "Chip & PIN", minus the PIN ;) so basically we're still stuck in magstripe stone age. Oh well, at least online banking uses compulsory tokens since last year.

  15. Anonymous John

    It doesn't matter what precautions banks, etc, use.

    Phishers can openly admit they are spamming random addresses, knowing that some morons will fall for it.

    For example.

    "If you are not customer of Natwest Bank Personal and Commercial please ignore this notification!"

  16. Dafydd Lawrence

    RE: Verified by and SecureCode are worthless

    It may be worthless to the online customer but not to the merchant. The two schemes stop the merchant having the dreaded chargebacks on Customer Not Present (CNP) transactions that can end up costing the merchant a lot of money (if the goods were paid for using one of the two schemes).

  17. Saul Dobney

    Rogue sites are more worrying

    It's man-in-the-middle attacks with a redirect from a rogue website that I'm most worried about. Email is obvious and relatively simple. But what happens if someone sets up a fake website that includes a payment link to a fake checkout.google.com page and simply harvests credit card details rather than sending them to Google? It can look secure; SSL certs can be bought for $15. All it needs to do is show a 'Sorry, timeout' page and you wouldn't know you've been hit.

    Even spotting fake URLs can be hard, even with plain text. Would you spot the difference between http://checkout.google.co.uk and http://checkout-google.co.uk at a quick glance (or http://www-mastercard.co.uk or http://www2-barclays.co.uk etc.)?

    The only way I can see to beat phishers is that any access codes you use should be created as a hash of your password with the page URL through a simple offline coder. You never enter the real password/code, only the hash, so rogue URLs will always generate an incorrect hash.
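    The last paragraph of that post describes a site-specific derived code: the real secret never leaves the user's device, and what gets typed into a page is a hash bound to that page's address, so a lookalike domain receives a code that is useless anywhere else. The following is an added example written for this comment, not code from the thread or from any bank or vendor named in it, and it assumes an HMAC-SHA256 construction over the normalised origin (scheme and host, default port dropped), similar in spirit to the Stanford PwdHash browser extension. The master secret and URLs are constructed for illustration.

```python
"""Derive a per-origin access code from a master secret and a page URL.

Added example (not from the original thread). The master secret and the
URLs used below are constructed. Assumes HMAC-SHA256 over the normalised
origin; a deployed scheme would fix these parameters with the verifier.
"""
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def origin_of(url):
    """Normalise a URL to 'scheme://host[:port]'.

    Lower-cases scheme and host, drops the path and query (so every page on
    the same site yields the same code) and drops default ports. Refuses
    anything that is not an http(s) URL so a typo such as 'http;//' cannot
    silently derive a code for an empty origin.
    """
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an http(s) URL: {url!r}")
    host = parts.hostname.rstrip(".")        # hostname is already lower-cased
    port = parts.port
    if port is None or (scheme, port) in (("http", 80), ("https", 443)):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def site_code(master_secret, url, length=12):
    """Return a short, typeable code bound to the origin of `url`.

    The master secret is the HMAC key and is never sent anywhere; only the
    derived code is entered on the page. Base32 keeps the code case-friendly.
    """
    digest = hmac.new(master_secret.encode("utf-8"),
                      origin_of(url).encode("utf-8"),
                      hashlib.sha256).digest()
    return base64.b32encode(digest).decode("ascii").rstrip("=")[:length]


if __name__ == "__main__":
    secret = "correct horse battery staple"          # constructed master secret
    real = "https://checkout.google.co.uk/pay?order=1"
    same_site = "https://checkout.google.co.uk/account"
    lookalike = "https://checkout-google.co.uk/pay?order=1"
    print("real     ", origin_of(real), site_code(secret, real))
    print("same site", origin_of(same_site), site_code(secret, same_site))
    print("lookalike", origin_of(lookalike), site_code(secret, lookalike))
```

    The two pages on checkout.google.co.uk derive the same code, while checkout-google.co.uk derives a different one, so a code harvested on the lookalike does not work on the real site. The caveat a defender should keep in mind is that the verifier (the bank) has to be the one checking the derived code, and the user's software has to read the origin from the browser rather than from the page content, or the binding is only as good as the URL the user believes they are on.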

  18. This post has been deleted by its author

  19. Waldo

    And I trade my discount in where???

    Weeeel I guess it all beats Green Shield Stamps.......

  20. Tony Paulazzo

    A random thought

    >If only the ISPs could think of a way to build anti-phishing measures into their service... perhaps they could finance this with some targeted advertising of some sort.<

    I wonder if, once opted into this scheme, you become a victim of a phishing site, BT or whoever will be accountable for all losses sustained by you. Now that would be funny.
