Monday, June 28, 2004

Internet Fraud

I've seen a lot of attempts to use the internet to defraud people, but one that reached my inbox last night was particularly shocking. The email was a very slick HTML document that looked as though it came from onlinesecurity@visa.com. The subject of the email was "Protect your debit card from fraudulent online transactions". This was the email's pitch:

All online merchants receive every day thousands of online fraud complaints.

In order to prevent any fraudulent activity with your card we offer you free enroll in Verified by Visa program.

Verified by Visa protects your card with a password you create, giving you reassurance that only you can use your card online.

Simply activate your card and create your personal password. You'll get the added confidence that your card is safe when you shop at online stores.

Once your card is activated, your card number will be recognized whenever you purchase at participating online stores. You'll enter your password in the Verified by Visa window, your identity will be verified, and the transaction will be completed.

You may activate now by filling out the form below. If your card issuer is participating in Verified by Visa (most issuers are) we'll verify your identiy, create your Verified by Visa password and email it to you.

The effectiveness of the pitch was heightened by graphics culled directly from the Visa website, which, unfortunately, more than compensate for the occasional lapses of English in the pitch.

The real insidious thing was the form that was embedded in the email (which I will not reproduce). Among the information that the form asked for was your credit card number, your expiration date, your name on the card, all of your address information, your phone number, your card validation code (with helpful instructions on how to obtain it), your email address, your bank routing number, your checking account number, your social security number, your ATM PIN code, your mother's maiden name and your driver's licence number.

In other words, a laundry list of the information that's needed to commit an act of identity theft. A close look at the HTML of the form revealed that the information was actually being sent to a yahoo email address by way of a third party website.
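The check described above, reading the form's HTML to see where it really posts, can be automated for mail triage. This is an added example, not part of the original post; the sample message, its hosts, the hidden `recipient` field and the field names are all constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: every address, host and field name below is a placeholder.
SAMPLE = """\
From: "Card Security" <security@cardbrand.example>
Subject: Protect your card
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><img src="http://www.cardbrand.example/logo.gif">
<form method="POST" action="http://relay.thirdparty.example/cgi-bin/mailer">
<input type="hidden" name="recipient" value="collector@freemail.example">
<input type="text" name="cardnumber"><input type="password" name="pin">
<input type="submit" value="Activate"></form></body></html>
"""

class FormAudit(HTMLParser):
    """Record form targets, input names, and hidden values that hold a mailbox."""
    def __init__(self):
        super().__init__()
        self.actions, self.fields, self.hidden_mail = [], [], []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.actions.append(a.get("action", ""))
        elif tag == "input":
            if a.get("name"):
                self.fields.append(a["name"])
            if a.get("type", "").lower() == "hidden" and "@" in a.get("value", ""):
                self.hidden_mail.append(a["value"])

def audit(raw):
    """Compare where each embedded form posts with the domain the From header claims."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    parser = FormAudit()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True)
            parser.feed(body.decode(part.get_content_charset() or "utf-8", "replace"))
    def on_sender(url):
        host = (urlparse(url).hostname or "").lower()
        return host == sender or host.endswith("." + sender)
    return {"claimed_sender": sender, "fields": parser.fields,
            "offsite_form_actions": [u for u in parser.actions if not on_sender(u)],
            "hidden_mailboxes": parser.hidden_mail}
```

The From header is trivially forged, so it is used here only as the identity the message claims; a form that posts anywhere else is the mismatch worth flagging.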

I work in the IT realm and I've been playing with HTML since it was introduced. It's not hard for me to see through this kind of trick but I genuinely fear for the many, many people on the web who aren't savvy to the tricks that people can play with the clever manipulation of form tags. I think that it would be hideously easy for someone who was technologically innocent to be duped by this kind of trick. I shudder to think of how many people's bank accounts and credit cards have already been raided by these scumbags.

Please, please, please try to educate your friends and families on the basics of internet security. At the very minimum, make sure that they understand that no legitimate business would ever email them with a request for confidential information. Not their banks, not their credit card companies, not anyone. Do whatever you can to drill that into their heads. Identity theft is a very real and serious problem. We can't expect everyone to be as technologically sophisticated as the bastards who perpetrate these scams but we can do something to make sure that our loved ones know how to avoid exposing themselves to this kind of fraud.
