Time-traveling deceased former president and liberal agitator Abraham Lincoln comments on present-day affairs from a secure location (the 1970s)

Thursday, March 30, 2006

So, I understand you'd like some credit card numbers

Robert X. Cringely (or at least, the latest incarnation of Robert X. Cringely) had an amusing idea about how to deal with phishing schemes: give them the information they're looking for.

He didn't mean that you should turn over your credit card numbers, he meant that you should fill out the form with valid-looking, yet incorrect information - the idea being that phishers would have to sort through all of the data to find the real information. He reasoned that if everyone did this, phishing schemes would all but disappear. Imagine it - if they had to sort through 10,000 fake entries to find the 10 or 15 real ones, would it be worth the effort anymore? Probably not, unless someone was careless enough to put in their Amex Black number.

So, a few days ago I got an email imploring me to log in to my bank and update my information. Trouble was, it wasn't from my bank. I checked out the URL, and sure enough, it was a domain registered in the last couple of days - a fake site copied-and-pasted from the bank's site. I checked out the form, and it posted to a PHP page at the same domain - passing the username and password via the form post to what appeared to be an email script. It also passed an email address. Whoops.

I changed the email address target to one I use for junk mail, typed some gibberish in the other fields and clicked submit. Seconds later I had an email with the form fields. Heh.

It recently occurred to me that the Luhn formula, which is used to verify card numbers, can also be used to generate credit card numbers (not real ones, of course). If one were to, say, write a script that generated thousands of fake card numbers and then automatically posted them using XMLHTTP along with automatically generated fake PINs, then someone would have to do a lot of work to find the 'real' cards - the ones actually submitted by less tech-savvy people who fell for the scheme.

And if one were to hypothetically do this to a form that also automatically emailed the submissions to the phisher, then one would have the added benefit of knowing that the phisher received tens of thousands of emails, probably to the point where their free email account collapsed.

Hypothetically.
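Since the Luhn formula is the hinge of the idea above, here is an added example (mine, not code from this post) showing the check in working form: validating a candidate number, deriving the check digit the formula implies, and scanning free text for digit runs that pass the check, which is how a defender spots real card numbers leaking through mail or logs rather than noise. The sample numbers are constructed test vectors, not real accounts.

```python
import re

# Added example: Luhn (mod 10) check for card-number-shaped strings.
# Sample inputs below are constructed test vectors, not real card numbers.

def luhn_checksum(digits: str) -> int:
    """Luhn sum mod 10 over a digit string, walking right to left."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:        # every second digit from the right is doubled
            d *= 2
            if d > 9:         # 10..18 collapse to their digit sum (d - 9)
                d -= 9
        total += d
    return total % 10


def is_luhn_valid(number: str) -> bool:
    """True if the string (spaces and dashes ignored) passes the Luhn check."""
    stripped = re.sub(r"[ -]", "", number)
    if not stripped.isdigit() or len(stripped) < 2:
        return False
    return luhn_checksum(stripped) == 0


def luhn_check_digit(payload: str) -> str:
    """Check digit that makes payload + digit Luhn-valid (the 'generate' direction)."""
    # Appending a placeholder 0 puts the payload digits in the positions they
    # will occupy once the real check digit is attached.
    return str((10 - luhn_checksum(payload + "0")) % 10)


# 13 to 19 digits, optionally separated by single spaces or dashes, not
# embedded in a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_luhn_valid_runs(text: str) -> list:
    """Digit runs in text that look like card numbers AND pass Luhn.

    Useful as a DLP-style filter: random gibberish almost always fails the
    check, so this separates plausible leaks from junk.
    """
    return [m.group(0) for m in CARD_RE.finditer(text)
            if is_luhn_valid(m.group(0))]
```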

1 Comment:

Blogger Zieak said...

I have derived great joy from spamming the phishers. I'd pay for a program that would generate fake card numbers for me to paste in.

1:25 PM
