
Vishing is reckoned to let baddies collect details about three-digit security codes, expiration dates and other essential ID information - as well as card and account numbers.
Of course, you'd never be fooled this way but what Secure Computing's VP of strategic accounts Paul Henry says is that,
“Consumers need to be made aware of this new threat as it hits the UK. Like most other social-engineering exploits, vishing relies upon the 'hacking' of a common procedure that fits within the victim's 'comfort zone'. Specifically, this methodology takes advantage of what has become a normal practice for US credit card users. It is normal when calling a credit card provider to be asked to enter your 16-digit credit card number before having the opportunity to speak to a credit-card representative. Consumers need to be extra vigilant when giving out their information on the phone.”
According to Secure Computing, baddies configure a "war dialler" that dials up numbers in a given region and the following typically happens when a call is answered,
* An automated recording is played to alert the consumer that their credit card has had fraudulent activity and giving instructions to call a particular phone number immediately. This could be an 0800 number, often with a spoofed caller ID for the financial company that's supposed to be represented
* When that number is called, it is answered by a typical computer-generated voice, saying the consumer has reached account-verification and requesting that the card's 16-digit number be input on the phone's key pad
* Once the card number is entered, the visher has all of the information necessary (telephone number, full name and address by a reverse phone-number look-up) to place fraudulent charges on the card
* The call can then be used to harvest additional details such as security PIN, expiry date, date of birth, bank account number and more
Henry reckons that “Common sense is the first line of protection” and that “Anyone who is called by a bank should take the appropriate steps to protect their personal information and their bank account.” But how can you prevent yourself becoming a victim? Well, you have to think before acting and realise that,
* Your credit card company will normally refer to you by first and last name in any communication, whether by email or by phone call. Not being referred to by full name should be the first sign that the communication may very well be a vishing call.
* It is important never to call a telephone number provided in a phone call or an e-mail regarding possible security issues with any credit card or bank account. Only the phone number on the back of your credit card or on your bank statement should be called to report the matter. If the call was legitimate, your credit card company or bank will have a record and will be able to assist.
* If anyone calls purporting to be a credit card provider and requests the CCV, immediately hang up and call the phone number on the back of the credit card and report the attempt. Again, if the call was legitimate, the credit card provider will have knowledge of it.
Take care (and that means also taking the same precautions if you get something like this come in by email!) - and don't forget to let us have your thoughts in the HEXUS.community.