Credit card fraud


Ranger

New Member
Location
Fife borders
But how do they get your address??

When it happened to me they had my date of birth, mother's maiden name, the whole shebang. The person at the fraud investigation unit said professional gangs will clone cards and then research you so they can then get credit scored as you to buy really expensive stuff on credit, using your credit card to make the down payment and your credit score.
 

Dan B

Disengaged member
What I'd expect to see from an organisation that actually knows what they are doing is something like:

"Your card information is protected by SSL encryption whenever it is transmitted over public networks to/from our systems. When it arrives on our systems it is encrypted before storage and securely discarded as soon as we no longer need it to process your order. Once on our system no individual user can retrieve the card number. All our web applications are written to industry best practice (Open Web Application Security Project - OWASP) and all our systems are kept up to date and regularly tested by independent penetration testing companies.

Additionally, we are fully compliant with all parts of the Payment Card Industry Data Security Standard (PCI DSS)."

Most of that (if you substitute "port scanned once a year" for "regularly tested by independent penetration testing companies") is covered by PCIDSS, in fact.


Not that I'm altogether convinced by PCIDSS - it does include certain gems of stupidity like the wireless network audit - but it's an improvement on the "nothing" that went before it.
 
Location
Gatley
Most of that (if you substitute "port scanned once a year" for "regularly tested by independent penetration testing companies") is covered by PCIDSS, in fact.

Interesting - must double check the standards as we're doing penetration testing and port scanning annually/quarterly and I thought that was mandated.
But my general point was that if a competent company is trying to re-assure you they shouldn't just say 'we use https' which is what Waterstones did. Equally I'm not sure saying 'We are PCI DSS compliant' is adequate as most people outside the card processing industry (and a fair few inside!) have no idea what it is...

Not that I'm altogether convinced by PCIDSS - it does include certain gems of stupidity like the wireless network audit - but it's an improvement on the "nothing" that went before it.

Absolutely, just doing PCI DSS is no guarantee of security, but I came across a merchant earlier this year who, when I failed to get my card to work on their site (https secured...), asked me to email my card number and card security code to them... in two separate emails so that it was secure!!! When I tried to, very politely, point out that they were being idiotic I simply got a response back saying that if it was in two emails it was fine! I'm guessing that if someone put them through the PCI DSS process it would be an infinite improvement on what they're currently doing.
 
asterix (OP)

Comrade Member
Location
Limoges or York
Well, cloning the 'shop window' should be obvious from the address bar in your browser, i.e. it should be https://www.waterstones.co.uk/... and web browsers will alert you if the certificate presented doesn't match the site name; in theory certificate issuers check that the certificate is issued to a bona-fide organisation. There are occasionally fake sites, but generally they get taken down very, very quickly as most ISP/hosting providers will have nothing to do with them.

It's easy to forget to look at address bars in the heat of the moment. :blush:

Maybe this is why some sites, a very few IME, present you with a specific (you will have already chosen these) image and phrase as you log on? If you don't recognise both then don't go there!

Have seen only Bank of America and Skipton Bsoc do this, so far.
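As an added illustration (not from any poster in this thread), this is the hostname check a browser performs against the dNSName entries in a certificate's Subject Alternative Name list, which is what produces the mismatch warning described above; the SAN list below is constructed.

```python
"""Browser-style hostname matching against a TLS certificate's SAN dNSNames."""
from typing import Iterable, List


def _label_matches(pattern: str, label: str) -> bool:
    """Match one DNS label; a lone '*' wildcard matches any single label."""
    return pattern == "*" or pattern == label


def hostname_matches(hostname: str, san_dns_names: Iterable[str]) -> bool:
    """Return True if hostname matches any dNSName in the certificate's SAN list.

    Rules (following RFC 6125 as browsers commonly implement it):
      - comparison is case-insensitive
      - a wildcard is only accepted as the entire leftmost label ("*.example.com")
      - a wildcard matches exactly one label, so "*.example.com" covers neither
        "example.com" nor "a.b.example.com"
      - a wildcard name with fewer than three labels ("*.com") is rejected
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in san_dns_names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host_labels):
            continue  # a wildcard never spans multiple labels
        if any("*" in lab for lab in labels[1:]) or ("*" in labels[0] and labels[0] != "*"):
            continue  # wildcard anywhere but as the whole leftmost label is rejected
        if labels[0] == "*" and len(labels) < 3:
            continue  # "*.com" style names are too broad to accept
        if all(_label_matches(p, h) for p, h in zip(labels, host_labels)):
            return True
    return False


# Constructed SAN list, standing in for what the real shop's certificate would carry.
EXAMPLE_SAN: List[str] = ["www.waterstones.co.uk", "waterstones.co.uk"]


def check(hostname: str, san: List[str] = EXAMPLE_SAN) -> str:
    """Mimic the browser decision for the host typed in the address bar."""
    return "ok" if hostname_matches(hostname, san) else "WARNING: certificate name mismatch"


if __name__ == "__main__":
    for host in ("www.waterstones.co.uk", "shop.waterstones.co.uk"):
        print(host, "->", check(host))
```

A cloned storefront served from another name cannot present a certificate whose SAN covers the genuine hostname, so the second case is what the browser warning catches.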
 

byegad

Legendary Member
Location
NE England
After a spate of garage based card harvesting some years back we decided to pay cash only for filling up the cars. It works well and means far fewer transactions that can be harvested in the year.
 

Dan B

Disengaged member
But my general point was that if a competent company is trying to re-assure you they shouldn't just say 'we use https' which is what Waterstones did.
Oh, agreed absolutely

I came across a merchant earlier this year who, when I failed to get my card to work on their site (https secured...), asked me to email my card number and card security code to them...
Actually I'd be surprised if they didn't have PCIDSS already - most merchant services have taken a pretty hard line on it - but in a company too small to need external audits it's easy to get by "ticking the boxes" instead of actually understanding the issues. Management may well just say to IT "deal with it" without really making sure the rest of the company (like customer support) has taken it to heart.

 