[Dshield] Anti-Phishing

Laura Vance vancel at winfreeacademy.com
Mon Mar 20 16:39:27 GMT 2006

DigitalNation wrote:

>Most online credit card transactions now require CVV2 numbers be inputted.
>This is the direction all transactions are headed in. Our merchant provider
>has CVV2 as standard and will not process any transaction without it. Visa
>here in Canada has been using "VERIFIED by VISA" systems for 2 years now.
>All in all, this means that having just the number and expiry doesn't cut it
>I think the idea here of bombarding phishers is good one....but like said
>previously, you would need to tap into BOTNET or have a widely dispersed
>group of systems available to you to pull it off. I have myself gone to
>phish sites and inputted BS info by proxy just to tick them off....I would
>love to see some sort of application that inputs all kind of false data that
>they would have to wade through. Heck, they force us to wade through all the
>phish-mail they proliferate.
>M. McBride
>Security Admin
>Vancouver, Canada
Sorry for the late reply, I was on spring break last week.

There are guidelines set forth by Visa every year, and merchants always 
have the option to follow or not follow them.  The CVV2 is merely a 
guideline... the merchant is charged more if they don't provide certain 
key information in the transaction, but it is by no means required.

We provided a service that allowed each merchant to force certain fields 
to be present.  If the merchant decided they wanted us to decline any 
transaction through their account that didn't have (for example) at 
least the card number, date, CVV2, zip code, and cardholder name, our 
system would block the transaction.  However, that was a function set up 
by the merchant.  I'm sure there are some card processors and merchant 
banks that don't give the merchant the option, but it's not required by 
Visa.  Think about when you use your credit card at a gas pump.  Until 
recently all you did was slide the card and the pump came to life.  Now 
there are certain gas stations that require you to input your zip 
code... and that's it.

Here's a little FYI tidbit.  In 2001, Visa set forth a guideline that 
nothing printed out or given back to the customer is supposed to have 
the entire credit card number.... not even the "merchant copy" that you 
sign.  That copy is usually left on the table, and the merchant 
computers have your whole number, so there is no need to print it on the 
reciept.  There is a provision in that guideline that gives this rule a 
little more bite in that if you report the merchant to Visa, that 
merchant will lose their credit card processing until they fix their 
systems.  I only know about that rule because we had to modify our 
systems to hide the full number after the transaction.

Since my time with that company, there are a few things that I've 
changed about my credit card usage.  First, I have a super low limit 
credit card that I use for Internet transactions ($300 max).  That way 
if my number is stolen, it doesn't hurt much if I can't dispute the 
charges.  I also use this card for any business that I don't completely 
trust the minimum wage cashiers to not get my number later and try to 
use it.  Second, if I see my full card number on a receipt, I physically 
hand the signed copy to either my server or a nearby server so it 
doesn't sit on the table waiting for someone to copy it down (or I 
scribble it out).  Third, I shred everything that has more than my name 
and address pre-printed on it.  Anything that is "pre-approved" with an 
activation code gets shredded... any credit card application form gets 
shredded (the cute letter just goes in the trash).  And fourth, I don't 
give any credit card information to anyone that called me unless they 
can give me specific information about my account that's not generally 
available to the public and not guessable.  People can say they are 
anyone with any company and it's amazing how many people believe them.

Someone a while back (it may not have been this list) posted that they 
don't give their entire credit card number to their bank only the last 4 
digits, because they're afraid of fraud.  The examples that were given 
were situations like changing an account password or transferring funds 
or something like that.  If you think about it, if you decide that all 
you want your bank to require from you is the exact information that is 
on every receipt for your credit card, you've nullified one of the 
reasons for not printing the entire card number on the receipt.  I want 
my bank to ask my entire card number, my address, my zip code, my middle 
name, my birthdate.... as much as it takes to verify that it's really me 
before they change something on my account.

Laura Vance
Systems Engineer
Winfree Academy Charter Schools

More information about the list mailing list