Card Social Engineering Still a Problem

Stories like this one just reinforce how hard it is to educate the consumer. Credit card companies started using the security code on the back of the card to fight fraud, and so criminals created a scheme to update their database with the security code information:

Recently, a representative of Senior Health Insurance Counseling for Kansas (SHICK) called our office to report that a number of their clients were being called and asked for their credit card information. The scam they described is particularly insidious because of the professionalism of the caller on the other end of the line.

Of course these are professionals. There is money at stake, and a growing underground economy, so the criminals will not only pay to increase their chance of success but they also might be in competition with each other — the bar has been raised for criminals.

The caller will ask you to read the three numbers to him to verify you are in possession of the card.
[…]
What makes this such a successful scam is that they never ask for your account number or other personal information. They have most of the information, and so they sound legitimate.

Agreed. People tend to trust someone who can authenticate themselves to them. “I know these three things about you…”

The problem is that the victims do not realize there should never be a reason to read the security code to the card company. This is a business logic flaw. Why would you need to prove possession of the card to the credit card company? The opposite is supposed to be true. If you call the card company and say you do not have the card, they will send you a new one. If you say you are in possession of the card, they will say “OK, have a nice day.” They need you to prove your identity, but they need no proof of card possession from you. They only need retailers to prove that a purchase was made by you.
