[IP] more on Vishing (voice/phone phishing) - public incident
Begin forwarded message:
From: mis@xxxxxxxxxx
Date: June 23, 2006 2:09:01 PM EDT
To: jeremy.epstein@xxxxxxxxxxxxxx, dave@xxxxxxxxxx
Subject: [dave@xxxxxxxxxx: [IP] more on Vishing (voice/phone phishing) - public incident]
actually, that isn't completely accurate.
these days an issuing bank seldom handles physical plastic or card
activation.
it's almost always outsourced (e.g. to first data). you can see
this by noticing the return address on the card mailer is
omaha, for example.
a modern bank does little more than assume the financial risk. they
don't print or mail statements, either. they don't even handle first
tier customer service in some cases!
so let's reframe the question, slightly:
what information does the card activation number know about you?
the 800 number on the sticker can map to fine-grained information about
which issuer or even what kind of card it is (gold, platinum, ordinaire).
lots of different 800 numbers map to lots of different greetings.
in addition, given the realtime ANI information (they know your calling
number) that decodes to one of a small number of issued but not yet
activated cards.
these pieces of information are sometimes used to figure out what
products to annoyingly try to upsell you while you're "waiting"
for activation (which takes no time at all).
----- Forwarded message from David Farber <dave@xxxxxxxxxx> -----
From: David Farber <dave@xxxxxxxxxx>
Subject: [IP] more on Vishing (voice/phone phishing) - public incident
Date: Fri, 23 Jun 2006 13:51:49 -0400
To: ip@xxxxxxxxxxxxxx
Begin forwarded message:
From: Jeremy Epstein <jeremy.epstein@xxxxxxxxxxxxxx>
Date: June 23, 2006 1:48:51 PM EDT
To: dave@xxxxxxxxxx, ip@xxxxxxxxxxxxxx, ge@xxxxxxxxxxxx
Subject: RE: [IP] Vishing (voice/phone phishing) - public incident
The Websense article notes that "the phone response does not mention the
bank name, which could be a potential indicator that this number is being
used for fraud against other entities." In my experience, most (if not all)
of the credit card validation lines (which you call to enable the credit
card received in the mail) do not state the name of the entity - largely
because the huge credit card issuers have numerous different brands, but
they all share the same phone number. As an example, I have branded Visa
cards from United Airlines, Amazon.com, and Micro Center, and they're all
really Chase Bank. Until you enter your number, they don't know which type
of account you have.
So the fact that it doesn't mention the bank name could be appealing to
customer expectations that the name is not provided!
--Jeremy
-------------------------------------
You are subscribed as mis@xxxxxxxxxx
To manage your subscription, go to
http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/
----- End forwarded message -----