filkertom | New Credit Card Scam

Ooooh, this is a nasty one. And I bet I might've fallen for it, as delivered, and I usually count myself pretty good on these things.

(Forwarded from my mom)

This one is pretty slick since they provide YOU with all the information, except the one piece they want.

WARNING...New Credit Card Scam.

Note, the callers do not ask for your card number; they already have it.

This information is worth reading. By understanding how the VISA & MasterCard Telephone Credit Card Scam works, you'll be better prepared to protect yourself.

One of our employees was called on Wednesday from "VISA", and I was called on Thursday from "MasterCard". The scam works like this:

Person calling says "This is (name), and I'm calling from the Security and Fraud Department at VISA. My Badge number is 12460. Your card has been flagged for an unusual purchase pattern, and I'm calling to verify. This would be on your VISA card which was issued by (name of bank). Did you purchase an Anti-Telemarketing Device for $497.99 from a Marketing company based in Arizona?" When you say "No", the caller continues with, "Then we will be issuing a credit to your account. This is a company we have been watching and the charges range from $297 to $497, just under the $500 purchase pattern that flags most cards. Before your next statement, the credit will be sent to (gives you your address), is that correct?" You say "yes".

The caller continues - "I will be starting a Fraud investigation. If you have any questions, you should call the 1-800 number listed on the back of your card (1-800-VISA) and ask for Security. You will need to refer to this Control Number. The caller then gives you a 6 digit number. "Do you need me to read it again?"

Here's the IMPORTANT part on how the scam works.

The caller then says, "I need to verify you are in possession of your card". He'll ask you to "turn your card over and look for some numbers". There are 7 numbers; the first 4 are part of your card number the next 3 are the security Numbers' that verify you are the possessor of the card. These are the numbers you sometimes use to make Internet purchases to prove you have the card. The caller will ask you to read the 3 numbers to him. After you tell the caller the 3 numbers, he'll say, "That is correct, I just needed to verify that the card has not been lost or stolen, and that you still have your card. Do you have any other questions?" After you say No the caller then thanks you and states, "Don't hesitate to call back if you do", and hangs up.

You actually say very little, and they never ask for or tell you the Card number. But after we were called on Wednesday, we called back within 20 minutes to ask a question. Are we glad we did! The REAL VISA Security Department told us it was a scam and in the last 15 minutes a new purchase of $497.99 was charged to our card. Long story made short - we made a real fraud report and closed the VISA account. VISA is reissuing us a new number.

What the scammers want is the 3-digit PIN number on the back of the card.

Don't give it to them. Instead, tell them you'll call VISA or MasterCard directly for verification of their conversation. The real VISA told us that they will never ask for anything on the card as they already know the information since they issued the card! If you give the scammers your 3 Digit PIN Number, you think you're receiving a credit. However, by the time you get your statement you'll see charges for purchases you didn't make, and by then it's almost to late and/or more difficult to actually file a fraud report.

What makes this more remarkable is that on Thursday, I got a call from a "Jason Richardson of MasterCard" with a word-for-word repeat of the VISA scam. This time I didn't let him finish. I hung up! We filed a police report, as instructed by VISA. The police said they are taking several of these reports daily! They also urged us to tell everybody we know that this scam is happening. Please pass this on to all your family and friends.

By informing each other, we protect each other.

Threaded | Top-Level Comments Only

From:

capplor.livejournal.com

NEVER give out your information to strangers who call you. Do not call them back at the number they give you. Look up your own contact information for whatever credit company and use that.

The dressing changes, but the scam is the same.

From:

secanth.livejournal.com

May I have permission to link to this in my own journal? I'd like to get it out to as many folk as possible...

From:

ericcoleman

My first reaction to something like this is to look it up at Snopes.

http://www.snopes.com/crime/warnings/creditcard.asp

Snopes says it's so ...

Smooth this ...

From:

darthparadox.livejournal.com

Wow. They get more devious every day.

There's one bit of this that doesn't make sense, though, and that's asking for that verification code to make sure the card owner is in possession of his/her card. And that's because it's in the owner's interest to make sure the card hasn't been lost/stolen, so why is a numerical verification necessary? Of course, that only occurred to me reading through it a second time, and when it just goes by on the phone so quickly...

It's also highly scary how much information these assholes already have. I'm beginning to wonder whether it's worthwhile to switch credit cards every year or so, just to try to stay ahead of them.

From:

holzman.livejournal.com

Good catch Tom.

(I'm now speaking of one of a handful of people that Visa certifies to assess the cardholder data security of merchants and clearing houses.)

The only legitimate purpose for that 3-digit pin is for you to verify to an internet web site that you are in possession of the card. No human being ever legitimately requests that number.

From:

filkertom.livejournal.com

By all means.

From:

filkertom.livejournal.com

Thing is, it's a very, very reasonable sounding scam. If they can get most of your information, that's sometimes good enough... but there are only a few key data points, like your Social Security number and this code, that can really fuck you up.

From:

filkertom.livejournal.com

I believe the reasoning is: Okay, we've given you minimal data, but enough to let you know that we do indeed have records of you. Now, quid pro quo -- the only person who would have that card is the card holder, which, since we called you at home, should be you.

As

holzman points out below, however, the code is pretty much only for Internet verification. But if someone else gets it, they can use your card online with impunity.

From:

ladypoetess.livejournal.com

Actually, I get requests for it all the time. Ordering pizza and using the card over the phone, paying my phone bill over the phone, etc. Most times that I use my card for telephone transactions, the person I am dealing with on the other end requests the 3 digit pin number.

From:

tibicina.livejournal.com

Well, mail order places that you call to order things will also ask for it, because they effectively operate like the internet sites. That said, *you* will always be calling *them*. Not the other way around.

Actually, what really scared me working at a mail order place for a while is that you honestly don't need that number to put the charge through. It's kind of disturbing just how little information you actually need to put a charge on a card.

From:

ericcoleman

It's one of the best I have ever seen.

From:

fleetfootmike.livejournal.com

Surely that's for any 'cardholder not present' transaction?

From:

dandelion-diva.livejournal.com

Thank you! And thank your mom for me too.:)

Gessi

From:

lightning-rose.livejournal.com

Yes. That 3 digit number is not part of the data in the magnetic strip, so at least in theory it's known only to the card holder.

From:

darthparadox.livejournal.com

Yep. It sounds awfully legit, and I've no doubt they're going to take in a lot of people this way. *sigh*

From:

jrtom.livejournal.com

Thanks for taking the time to put the word out in detail. I've posted a link to this.

From:

sarekofvulcan.livejournal.com

Well, semi-new, at least -- the Snopes date is from last year. But I might well have fallen for it...

From:

giza.livejournal.com

That 3 digit number isn't a PIN, it's actually a Card Verification Value (CVV) code. The way it's supposed to work is that when you order something legitimately, the merchant takes that number and passes it along to their credit card processor, who passes it to the card holder's bank, who checks to make sure the code exists.

Then, all of the parties involved discard the CVV. It is not retained in any way, shape, or form. The security implication of this is that since nobody but the card holder and their bank keeps the CVV around is to cut down on fraud.

Not that this makes the scam you just mentioned any less nasty. Just thought I'd shed light on what that number on the back of the card is all about. :-)

From:

armb.livejournal.com

> However, by the time you get your statement you'll see charges for purchases you didn't make, and by then it's almost to late and/or more difficult to actually file a fraud report.

The potential problem is that you think "that's the one they called me about, it's already being dealt with" - it wouldn't be too late if you reported when you first saw the charges on your statement, which without the phone call you would.

Changing the subject slightly - phishing has gone beyond using self signed certificates (http://www.schneier.com/blog/archives/2005/12/new_phishing_tr.html) (relying on the large number of legitimate businesses who use certificates that trigger warnings and people not looking at the details) to using certificates from a well known CA (http://it.slashdot.org/article.pl?sid=06/02/13/2143251).

From:

holzman.livejournal.com

It is only needed for the first cardholder transaction.

Lots of merchants are unclear on this.

From:

filkertom.livejournal.com

You're exactly right. On the other hand, a lot of people think of it as yet another PIN, and it's possibly easier to explain it to them that way, because they know "PIN".

From:

giza.livejournal.com

Good point, I hadn't considered the "user" side of that technology. :-)

From:

spectre-eric.livejournal.com

I have always been reluctant to deal with inbound calls claiming to represent them. I specifically remember frustrating a phone operative.

I don't remember what I did, but in the future, I will call themback. (To avoid phishing.)

From:

jhayman.livejournal.com

Great post.

If I've learned anything about VISA and their ilk, is that they ALWAYS get in touch by hard copy mail. Or they themselves make a press release, so the story is all over the media.

They don't phone, and they don't e-mail.

From:

gan-chan.livejournal.com

You could do that, but it would absolutely kill your credit rating. A lender looks at a constant churn of charge accounts and thinks you're doing it because you can't keep in good standing with the card issuer.

What is worthwhile is the auto-generating single-use numbers that some card issuers are doing these days. You use your real card, and their website, to generate a one-time (or short-lived) different card number, and plug that into the sites where you're shopping. You can assign these secondary numbers a credit limit that's $1 over whatever it is you want to buy.

That way you limit your damages, limit your exposure.

From:

nimuejohn.livejournal.com

What I find really scary is that someone can make a withdrawl from your bank account using nothing more than the account number, which is printed right on all your checks. In the U.S. anyways; I know from a security list I sub that European bank accounts don't have this "feature". And yes, I called by bank to verify this because I thought the poster was yanking my chain.

From:

vettecat.livejournal.com

That is pretty scary. But the "Before your next statement, the credit will be sent to (gives you your address)" jumped out at me as a flaw in the logic, b/c wouldn't they just credit it to your card? Since when do they mail out checks?

From:

keristor.livejournal.com

That's a good point, but I suspect most people wouldn't think of that until after the conversation. Another point, at least in the UK when there is a fraud reported the card companies want you to sign a form stating that you didn't make the purchase(s), so they send that to your address and you have to return it my mail (or possibly fax).

From:

filkertom.livejournal.com

Exactly. Now, the banks that issue cards will sometimes e-mail. I've had one of my two cardholder banks trying to get me to take a credit line increase for over a year and a half, no matter how many times I tell them no. (They want to increase my line $350, and charge me $100 for the privilege. Feh.)

And PayPal and eBay always use your full name in their legit e-mails, not "Dear PayPal Member" or whatever.

From:

filkertom.livejournal.com

Indeed. I think they're counting on the combination of your initial panic at possibly being defrauded and their having some of your information to distract you from any logical gaps in their spiel.

From:

alyramoondancer.livejournal.com

And at least one of them (I forget if it's Paypal or eBay or both) also will have any legitimate e-mails from them go to your online inbox at eBay (or Paypal or both), so if the e-mail isn't there, you know it's not from them. Both have addresses where you can report spoofs/phishing attempts as well (spoof@ebay.com and spoof@paypal.com). I routinely report spoof/phishing spam.

Tom, thanks for posting this. I'm spreading the word, too.