Interesting People mailing list archives

more on Vishing (voice/phone phishing) - public incident


From: David Farber <dave () farber net>
Date: Fri, 23 Jun 2006 14:36:30 -0400



Begin forwarded message:

From: mis () seiden com
Date: June 23, 2006 2:09:01 PM EDT
To: jeremy.epstein () webmethods com, dave () farber net
Subject: [dave () farber net: [IP] more on Vishing (voice/phone phishing) - public incident]

actually, that isn't completely accurate.

these days an issuing bank seldom handles physical plastic or card
activation.

it's almost always outsourced (e.g. to first data).  you can see
this by noticing the return address on the card mailer is
omaha, for example.

a modern bank does little more than assume the financial risk.  they
don't print or mail statements, either.  they don't even handle first
tier customer service in some cases!

so let's reframe the question, slightly:

what information does the card activation number know about you?

the 800 number on the sticker can map to fine-grained information about
which issuer or even what kind of card it is (gold, platinum, ordinaire).
lots of different 800 numbers map to lots of different greetings.

in addition, given the realtime ANI information (they know your calling
number) that decodes to one of a small number of issued but not yet
activated cards.

these pieces of information are sometimes used to figure out what
products to annoyingly try to upsell you while you're "waiting"
for activation (which takes no time at all).


----- Forwarded message from David Farber <dave () farber net> -----

Delivered-To: mis () seiden com
From: David Farber <dave () farber net>
Subject: [IP] more on  Vishing (voice/phone phishing) - public incident
Date: Fri, 23 Jun 2006 13:51:49 -0400
To: ip () v2 listbox com



Begin forwarded message:

From: Jeremy Epstein <jeremy.epstein () webmethods com>
Date: June 23, 2006 1:48:51 PM EDT
To: dave () farber net, ip () v2 listbox com, ge () linuxbox org
Subject: RE: [IP] Vishing (voice/phone phishing) - public incident

The Websense article notes that "the phone response does not mention the
bank name, which could be a potential indicator that this number is being
used for fraud against other entities."  In my experience, most (if not all)
of the credit card validation lines (which you call to enable the credit
card received in the mail) do not state the name of the entity - largely
because the huge credit card issuers have numerous different brands, but
they all share the same phone number.  As an example, I have branded Visa
cards from United Airlines, Amazon.com, and Micro Center, and they're all
really Chase Bank.  Until you enter your number, they don't know which type
of account you have.

So the fact that it doesn't mention the bank name could be appealing to
customer expectations that the name is not provided!

--Jeremy


-------------------------------------
You are subscribed as mis () seiden com
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/

----- End forwarded message -----

