Begin forwarded message:
From: [EMAIL PROTECTED]
Date: June 23, 2006 2:09:01 PM EDT
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: [EMAIL PROTECTED]: [IP] more on Vishing (voice/phone
phishing) - public incident]
actually, that isn't completely accurate.
these days an issuing bank seldom handles physical plastic or card
activation.
it's almost always outsourced (e.g. to first data). you can see
this by noticing the return address on the card mailer is
omaha, for example.
a modern bank does little more than assume the financial risk. they
don't print or mail statements, either. they don't even handle first
tier customer service in some cases!
so let's reframe the question, slightly:
what information does the card activation number know about you?
the 800 number on the sticker can map to fine-grained information about
which issuer or even what kind card it is (gold, platinum, ordinaire).
lots of different 800 numbers map to lots of different greetings.
in addition, given the realtime ANI information (they know your calling
number) that decodes to one of a small number of issued but not yet
activated cards.
these pieces of information are sometimes used to figure out what
products to annoyingly try to upsell you while you're "waiting"
for activation (which takes no time at all).
----- Forwarded message from David Farber <[EMAIL PROTECTED]> -----
Delivered-To: [EMAIL PROTECTED]
From: David Farber <[EMAIL PROTECTED]>
Subject: [IP] more on Vishing (voice/phone phishing) - public incident
Date: Fri, 23 Jun 2006 13:51:49 -0400
To: [email protected]
X-Listbox-UUID: 01BACAE0-02E1-11DB-8451-E29CD0E87AF7
Reply-To: [EMAIL PROTECTED]
List-ID: <[email protected]>
X-Listbox-List-ID: 247 <[email protected]>
List-Software: listbox.com v2.0
List-Help: <http://v2.listbox.com/doc/help_sub?
[EMAIL PROTECTED]>
List-Subscribe: <mailto:[EMAIL PROTECTED]>, <http://
v2.listbox.com/subscribe/[EMAIL PROTECTED]>
List-Unsubscribe: <mailto:[EMAIL PROTECTED]>, <http://
v2.listbox.com/member/unsubscribe/[EMAIL PROTECTED]>
Errors-To: [EMAIL PROTECTED]
Begin forwarded message:
From: Jeremy Epstein <[EMAIL PROTECTED]>
Date: June 23, 2006 1:48:51 PM EDT
To: [EMAIL PROTECTED], [email protected], [EMAIL PROTECTED]
Subject: RE: [IP] Vishing (voice/phone phishing) - public incident
The Websense article notes that "the phone response does not mention the
bank name, which could be a potential indicator that this number is
being
used for fraud against other entities." In my experience, most (if
not all)
of the credit card validation lines (which you call to enable the credit
card received in the mail) do not state the name of the entity - largely
because the huge credit card issuers have numerous different brands, but
they all share the same phone number. As an example, I have branded
Visa
cards from United Airlines, Amazon.com, and Micro Center, and they're
all
really Chase Bank. Until you enter your number, they don't know
which type
of account you have.
So the fact that it doesn't mention the bank name could be appealing to
customer expectations that the name is not provided!
--Jeremy
-------------------------------------
You are subscribed as [EMAIL PROTECTED]
To manage your subscription, go to
http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-
people/
----- End forwarded message -----
-------------------------------------
You are subscribed as [email protected]
To manage your subscription, go to
http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/
