Forums

Latest CC scam

Started by Don Y November 26, 2016
Call claiming to be from <legit card issuer> for <legit card holder>
having CC ending in <legit 4 digits>:
    "Please call us immediately to discuss some suspicious activity
    on your card!  Call us any time of day at 800 379 8461"
Of course, you *know* the first thing that will greet you will be
an AVR system that will request your *full* credit card number
followed by some questions to "verify your identity".

Yeah.  Sure.

Immediately call card issuer so THEY are watching for suspicious activity
*or* willing to immediately issue a new card number!

Why is it that we still have such easily spoofed "authentication mechanisms"?
On 11/26/2016 8:25 AM, Don Y wrote:
> Call claiming to be from <legit card issuer> for <legit card holder> > having CC ending in <legit 4 digits>: > "Please call us immediately to discuss some suspicious activity > on your card! Call us any time of day at 800 379 8461" > Of course, you *know* the first thing that will greet you will be > an AVR system that will request your *full* credit card number > followed by some questions to "verify your identity". > > Yeah. Sure. > > Immediately call card issuer so THEY are watching for suspicious activity > *or* willing to immediately issue a new card number! > > Why is it that we still have such easily spoofed "authentication mechanisms"?
Turns out the alert was genuine -- though no idea as to the veracity of the phone number provided. Also appears the card number was stolen from an Office Depot transaction. Yeah, we'll be buying lots more there -- NOT!
On 11/26/2016 10:25 AM, Don Y wrote:
> Call claiming to be from <legit card issuer> for <legit card holder> > having CC ending in <legit 4 digits>: > "Please call us immediately to discuss some suspicious activity > on your card! Call us any time of day at 800 379 8461" > Of course, you *know* the first thing that will greet you will be > an AVR system that will request your *full* credit card number > followed by some questions to "verify your identity". > > Yeah. Sure. > > Immediately call card issuer so THEY are watching for suspicious activity > *or* willing to immediately issue a new card number! > > Why is it that we still have such easily spoofed "authentication > mechanisms"?
A truly cryptographically secure white-list "the call is 100% originating from a phone with the number and owner on record" caller-ID system has been on the drawing board and in negotiation between the telcos and the FCC for years and years IIRC, the main problem being that for the system to work every telco and data provider has to implement the standard to a, well, standard, and if there's any provider which doesn't implement the system, all the scam artists, spammers, and general useless types will immediately flock to the one that doesn't implement it, or does a half-hearted job of it. That would require regulation, which telcos are generally not big into. I believe one of The Donald's "who knows if this will ever happen" bright ideas was to dissolve the FCC, or at least massively reduce its influence in the area of consumer affairs, i.e. how many shady hustlers can call you at dinnertime concurrently. Enjoy!
On Sat, 26 Nov 2016 08:43:34 -0700, Don Y
<blockedofcourse@foo.invalid> wrote:

>On 11/26/2016 8:25 AM, Don Y wrote: >> Call claiming to be from <legit card issuer> for <legit card holder> >> having CC ending in <legit 4 digits>: >> "Please call us immediately to discuss some suspicious activity >> on your card! Call us any time of day at 800 379 8461" >> Of course, you *know* the first thing that will greet you will be >> an AVR system that will request your *full* credit card number >> followed by some questions to "verify your identity". >> >> Yeah. Sure. >> >> Immediately call card issuer so THEY are watching for suspicious activity >> *or* willing to immediately issue a new card number! >> >> Why is it that we still have such easily spoofed "authentication mechanisms"? > >Turns out the alert was genuine -- though no idea as to the veracity >of the phone number provided. > >Also appears the card number was stolen from an Office Depot transaction. > >Yeah, we'll be buying lots more there -- NOT!
In all these years I've had that happen to me only once, in 2012, while I was consulting at TLSI on Long Island, AMEX called. Apparently someplace there had cloned my card, but AMEX immediately stopped all transactions and sent a new card by FEDEX over-night to my hotel. ...Jim Thompson -- | James E.Thompson | mens | | Analog Innovations | et | | Analog/Mixed-Signal ASIC's and Discrete Systems | manus | | STV, Queen Creek, AZ 85142 Skype: skypeanalog | | | Voice:(480)460-2350 Fax: Available upon request | Brass Rat | | E-mail Icon at http://www.analog-innovations.com | 1962 | I'm looking for work... see my website.
On 11/26/2016 9:01 AM, Jim Thompson wrote:
> On Sat, 26 Nov 2016 08:43:34 -0700, Don Y
>> Turns out the alert was genuine -- though no idea as to the veracity >> of the phone number provided. >> >> Also appears the card number was stolen from an Office Depot transaction. >> >> Yeah, we'll be buying lots more there -- NOT! > > In all these years I've had that happen to me only once, in 2012, > while I was consulting at TLSI on Long Island, AMEX called. Apparently > someplace there had cloned my card, but AMEX immediately stopped all > transactions and sent a new card by FEDEX over-night to my hotel.
I've never had a problem with my AMEX card. I can recall making $5000 & $10000 charges without incident (my first, in ~1980, an AMEX rep wanted to talk to me at the time of the transaction. thereafter, they'd just "run the charge"). In this case, I bought some thumb drives at Office Depot (or maybe Office Max? same outfit) and 4 days later there are 2 charges (AT Office Depot!) totaling $1K on the card. Hopefully, Office Max has to eat them and not the CC issuer (Visa) as it seems most likely that an employee *or* their "system" is the likely source of the "leak" (I seldom use that card)
On Sat, 26 Nov 2016 08:43:34 -0700, Don Y
<blockedofcourse@foo.invalid> wrote:

>On 11/26/2016 8:25 AM, Don Y wrote: >> Call claiming to be from <legit card issuer> for <legit card holder> >> having CC ending in <legit 4 digits>: >> "Please call us immediately to discuss some suspicious activity >> on your card! Call us any time of day at 800 379 8461" >> Of course, you *know* the first thing that will greet you will be >> an AVR system that will request your *full* credit card number >> followed by some questions to "verify your identity". >> >> Yeah. Sure. >> >> Immediately call card issuer so THEY are watching for suspicious activity >> *or* willing to immediately issue a new card number! >> >> Why is it that we still have such easily spoofed "authentication mechanisms"? > >Turns out the alert was genuine -- though no idea as to the veracity >of the phone number provided. > >Also appears the card number was stolen from an Office Depot transaction. > >Yeah, we'll be buying lots more there -- NOT!
If you never buy anything from a company that's been compromised at some point, you won't be spending much.
On Sat, 26 Nov 2016 09:01:09 -0700, Jim Thompson
<To-Email-Use-The-Envelope-Icon@On-My-Web-Site.com> wrote:

>On Sat, 26 Nov 2016 08:43:34 -0700, Don Y ><blockedofcourse@foo.invalid> wrote: > >>On 11/26/2016 8:25 AM, Don Y wrote: >>> Call claiming to be from <legit card issuer> for <legit card holder> >>> having CC ending in <legit 4 digits>: >>> "Please call us immediately to discuss some suspicious activity >>> on your card! Call us any time of day at 800 379 8461" >>> Of course, you *know* the first thing that will greet you will be >>> an AVR system that will request your *full* credit card number >>> followed by some questions to "verify your identity". >>> >>> Yeah. Sure. >>> >>> Immediately call card issuer so THEY are watching for suspicious activity >>> *or* willing to immediately issue a new card number! >>> >>> Why is it that we still have such easily spoofed "authentication mechanisms"? >> >>Turns out the alert was genuine -- though no idea as to the veracity >>of the phone number provided. >> >>Also appears the card number was stolen from an Office Depot transaction. >> >>Yeah, we'll be buying lots more there -- NOT! > >In all these years I've had that happen to me only once, in 2012, >while I was consulting at TLSI on Long Island, AMEX called. Apparently >someplace there had cloned my card, but AMEX immediately stopped all >transactions and sent a new card by FEDEX over-night to my hotel.
I had my debit card number lifted once. My wife noticed a charge at a TJ Max on the North side of the city. Since I was on a business trip and we never shop at TJ Max, she contacted the CU and they put a stop to it. I did have to wait for a new debit card and PIN, which was a PITA, since we're 1000mi from the CU. She could get me cash for the week, or so, it took to get a new card. My card has been involved in all sorts of security breaches, though, including HF and HD. Never saw a problem from those breaches, though. It's not worth worrying about. Sure it's a PITA when it happens but it's the bank that's financially responsible.
On Sat, 26 Nov 2016 08:25:45 -0700, Don Y
<blockedofcourse@foo.invalid> wrote:

>Call claiming to be from <legit card issuer> for <legit card holder> >having CC ending in <legit 4 digits>: > "Please call us immediately to discuss some suspicious activity > on your card! Call us any time of day at 800 379 8461" >Of course, you *know* the first thing that will greet you will be >an AVR system that will request your *full* credit card number >followed by some questions to "verify your identity". > >Yeah. Sure. > >Immediately call card issuer so THEY are watching for suspicious activity >*or* willing to immediately issue a new card number! > >Why is it that we still have such easily spoofed "authentication mechanisms"?
Had something similar to that a few years back. My bank calls me (an actual person) asking if i had just used my CC (never asked for the last 4 digits) for a flight to the Phillipines. "No", I said. OK. Transaction denied. Card cancelled. New one issued. No problems since. I'm defininately staying with that bank.
On 11/26/2016 10:01 AM, Jim Thompson wrote:
> On Sat, 26 Nov 2016 08:43:34 -0700, Don Y > <blockedofcourse@foo.invalid> wrote: > >> On 11/26/2016 8:25 AM, Don Y wrote: >>> Call claiming to be from <legit card issuer> for <legit card holder> >>> having CC ending in <legit 4 digits>: >>> "Please call us immediately to discuss some suspicious activity >>> on your card! Call us any time of day at 800 379 8461" >>> Of course, you *know* the first thing that will greet you will be >>> an AVR system that will request your *full* credit card number >>> followed by some questions to "verify your identity". >>> >>> Yeah. Sure. >>> >>> Immediately call card issuer so THEY are watching for suspicious activity >>> *or* willing to immediately issue a new card number! >>> >>> Why is it that we still have such easily spoofed "authentication mechanisms"? >> >> Turns out the alert was genuine -- though no idea as to the veracity >> of the phone number provided. >> >> Also appears the card number was stolen from an Office Depot transaction. >> >> Yeah, we'll be buying lots more there -- NOT! > > In all these years I've had that happen to me only once, in 2012, > while I was consulting at TLSI on Long Island, AMEX called. Apparently > someplace there had cloned my card, but AMEX immediately stopped all > transactions and sent a new card by FEDEX over-night to my hotel. > > ...Jim Thompson >
Had our card # stolen twice when my daughter was in college. They had quite a bit of skimming going on at the time. We blame it on her card, but we will never know for sure. Someone stayed in a Red Roof inn, had a $200 steak dinner and bought $200 worth of items from a CVS in South Florida. The second time it happened they made five $50 charges on Itunes. I recently received chip cards, I haven't authorized them, but I recently received an email from the company that I must do it be 12/15/16. Mikek
On 11/26/2016 10:27 AM, Kevin Glover wrote:
> On Sat, 26 Nov 2016 08:25:45 -0700, Don Y > <blockedofcourse@foo.invalid> wrote: > >> Call claiming to be from <legit card issuer> for <legit card holder> >> having CC ending in <legit 4 digits>: >> "Please call us immediately to discuss some suspicious activity >> on your card! Call us any time of day at 800 379 8461" >> Of course, you *know* the first thing that will greet you will be >> an AVR system that will request your *full* credit card number >> followed by some questions to "verify your identity". >> >> Yeah. Sure. >> >> Immediately call card issuer so THEY are watching for suspicious activity >> *or* willing to immediately issue a new card number! >> >> Why is it that we still have such easily spoofed "authentication mechanisms"? > > Had something similar to that a few years back. My bank calls me (an > actual person) asking if i had just used my CC (never asked for the > last 4 digits) for a flight to the Phillipines. "No", I said. > OK. Transaction denied. Card cancelled. New one issued. No problems > since. > I'm defininately staying with that bank.
The problem becomes one of identifying who the scammers are on these unsolicited "notification calls" (in my post). I.e., they didn't tell me anything that a scammer couldn't discover from examining my past charges (I suspect they can probably even dig up my phone number!). So, do you return the call to the number THEY provided (and hope its not a scammer on the other end of the line)? Or, call the number printed on your CC statement (which is what I did)? I figure if I'd opted to "take their bait" and call the number they'd provided, I'd turn the tables on them: "No, I'm not going to give you any identifying information to prove MY identity -- YOU CALLED ME! So, *you* prove that you're who you claim to be by providing the information ("shared secrets") that you would otherwise have expected FROM me!" We need cards that have human readable challenge-response systems. So, failing to have the actual card makes purchases impossible regardless of whether you're buying over the phone or in person. [I'll need to revisit Office Depot -- as an observer -- to recall if their machines were chipped or swiped. If the former, then one has to wonder how the fraudulent charges were made, "in person" (counterfeit card). If the latter, there's obviously something wrong with the technology!]