[conspire] Warning to domain owners: renewal/transfer scam

Rick Moen rick at linuxmafia.com
Tue Sep 30 13:40:53 PDT 2008

Quoting Michael C. Toren (mct at toren.net):

> The only trouble was that, because I was travelling, I wouldn't be able to
> retrieve any messages they left at the number they had on file for another
> week.  "Oh, I see.  No problem," the operator said.  "I'm still required
> to leave you a voicemail message, though.  What number would you like me
> to dial?"


Another example of a real-world security issue:  One of my banks, out of
the blue, sent me a (bank-"branded") AmEx card, saying it was a
replacement for / upgrade of my existing VISA card with account number
ending in, say, 1234.  I was requested, as per usual, to call a
toll-free number from my home telephone to activate the card.

Now, you cannot spend your life vetting _everything_, but some caution
is obviously useful concerning unsolicited business communications whose
sender you've not even verified, especially ones that are likely to
involve soliciting personal information from you.  (Aside from that, I
find the bank's decision to "upgrade" me to a card type I didn't
request, without asking me, vexing, but that's a different topic.)

I thought, for starters, did the mail include any information that would
normally be known only to a firm I'm already dealing with?  Ah, there's 
the four digits from a VISA credit-card account (rendered here as 1234).
I figured it's worth a few minutes to check, so I dug through my records
-- and, hey, I couldn't find records of my ever having such an account.

So, bearing in mind that the card's sender had _not_ been validated, 
I telephoned the indicated customer-service number, keyed in the credit
card account number, and requested an agent.  (Ever notice that the 
firm or firms handling these calls self-identifies only as "Card Services"?
One strongly suspects yet more outsourced call centres under contract,
using shared database data.)   I described the situation, pointing out
that I had no record of a -1234 VISA account.

Agent (immediately):  "Yes, that was an error.  The correct VISA number 
suffix is 6351."

I had a list of my credit card numbers in front of me, and this one was
a match.  The agent offered to activate the card for me.

I explained my security concern; the agent fully understood.  Neither of
us was sure about _precisely_ how a fraud artist could use forged credit
card mailings sent out via USPS, but collecting personal information
could be part of it.

I haven't yet used that AmEx card; I'm considering actually telephoning
my bank directly and double-checking that it really is from them -- but
the agent's ability to instantly quote a correct account suffix was
