And Behind Technology Door Number Two, Fraud Galore

When I got the third call from my credit card company about “possible fraudulent use,” I felt impatient, irritated. Twice before the calls had been false alarms about “suspicious activity.” First, my credit card company cancelled a legitimate order our company had placed online. The second call, about “a number of suspicious online charges,” turned out to be three, all legitimate.

Our new technologies, however, breed fraudulent schemes like standing water breeds mosquitoes, so read on. Misinformation about hotel room keys and ignorance about bank schemes, caller id’s and credit card security are genuine threats lurking out there in the dark corners of the world, virtual and real.

First, about hotel room keys – you know the credit-card like room “key” you’ve been handed by the front desk. An incorrect report, call it an Internet myth, states that a major hotel chain put your entire profile – your credit card number, expiration date, billing address – on your room key. Not true. False. Just keep your room key to yourself because that magnetic strip can reveal your name and room number. When you check out, destroy the card or return it to the front desk.

Online bank fraud, on the other hand, represents a genuine threat. Here’s one clever scheme I investigated. First, you get an urgent email, from security@yourbank.com, urging you to help the bank solve an emergency security problem. You click on an email link to security.yourbank.com and the page looks identical to your bank’s. You are asked to log in and change your password because, the security team explains, the bank’s had a security breach. Always helpful, you log in, change your password, and get a thank you on screen.

You sigh with relief, but actually you have just given away your username and password to a criminal, a “phisher.” Here’s how it works. The first con is that the “From” line in the email address is faked to get your attention. The mailto:George.Bush@thewhitehouse.gov second con is that the link you read in your email, www.yourbank.com/security is just text – it doesn’t actually go to your bank. The actual destination is the scammer’s server. The con artist hopes you won’t notice the address you actually arrive at. The third scam is that the site looks just like your bank’s Website, logo and all, easy duplication for a dedicated crook. The coups d’etat: when you “log in” to “change” passwords, you actually give the scammer your real username and password. The phisher then promptly logs in to your online bank account and looks for a way to get money out of it.

AOL often reminds its customers that “we’ll never ask you for your password.” Your bank and your credit card company also want you to remember that they won’t ask you for your password, either.

What about the bank card company, though, that calls you to discuss possible fraud on your company credit card? How are you supposed to know the person who calls you is really from your credit card company? Well, don’t rely on caller i.d.

VOIP (voice over ip) technology, the technology that enables people to make long distance phone calls over the Internet to local phone numbers, can actually be used to spoof a caller i.d. number. So your caller i.d. system could actually tell you that you have a call from your credit card company’s 1-800 number on the incoming line when instead you’re getting a fraudulent call from Cancun.

Therefore, if you get a call about “possible fraudulent charges” on your account, use the phone number on the back of your card and call back. That’s what I did. Now, remember that I fully expected another waste of time. Then my customer service/security rep said, “In the last 8 hours, did you purchase the following five items online?” My answer was no. Five times. In two minutes, we agreed that my credit card and that account number were toast. Evidently even the three digit code on the back of my card had been compromised.

Here is some good news about defeating online fraud. My credit card company has recently enabled Websites to use a password system similar to the PIN number required for use of an ATM card. If your credit card company hasn’t started issuing passwords yet, urge them to. You wouldn’t want an ATM card without a PIN number, so why use a credit card for online purchases without one?

This article first appeared as a column written by Dave Tedlock, NetOutcomes' president, for Tucson Business Edge, a monthly magazine published by the daily newspaper, the Tucson Citizen.

Click HERE to return to Articles page