
Scam watch: fake verification pop-up


While shopping online, a Which? member nearly fell victim to a sophisticated online credit card scam that none of our experts have come across before.

Member Alastair Robertson told us:

After placing an order with an online butchers and filling in my debit card details, the Bank of Scotland card verification page popped up. I’d seen it before and began to fill it in, but soon realised it was asking for more information than usual. It had boxes for the 16-digit card number, expiry date and security code. 

I closed the pages and placed my order by phone. 

A few hours later, I received an automated call from the Bank of Scotland fraud department. The voice asked for the 16-digit number on the front of my debit card in order to deal with the problem. It told me I had entered this incorrectly and asked for the card’s expiry date. It then claimed I also entered that incorrectly and asked for my sort code. At this point, I hung up and phoned Bank of Scotland directly – neither the pop-up nor the phone call had come from it.

Our say on fake verification pop-ups

This is a very clever scam that none of our experts have come across before. The pop-up emerged at the exact time you’d expect such a page to appear, and the phone call was well timed, too.

The details needed to pull off this scam may have been obtained as a result of spyware being installed on the member’s PC.

We can confirm that card verification pages and automated calls from your bank rarely ask for additional card details. You should report such cases to the police and Action Fraud.

Have you come across a similar scam? What happened?

Comments
Member
Ian says:

Impressive. A very subtle scam and W? deserves plaudits for publishing it. A similar (though not as subtle) scam is doing the rounds with regard to the new Coop membership card.

Member
Patrick Taylor says:

It seems curious that this new subtle attack has been attributed to spyware on the member's computer rather than a man-in-the-middle attack, or possibly the vendor's site has been hacked. Has Which? spoken to the other parties?

I have checked the normally well-informed The Register and can find nothing on this particular form of attack, which is indeed very subtle.

Member
John Ward says:

My first thought was that the butcher’s website had been attacked. If it was the customer’s computer it would happen each time they made an on-line payment via Mastercard or Visa.

Member
Lloyd says:
23 October 2016

A MitM attack can only occur if the ‘man’ in the middle is able to successfully impersonate both endpoints, something that two sites communicating over TLS using certificates from a trusted Certificate Authority render a virtual impossibility. So assuming this was over HTTPS using a modern Web browser I would suggest the issue is most likely on the client endpoint, e.g. the victim’s PC.

Member
duncan lucas says:

That's why I have more than 6 security add-ons that block that type of thing, and no, they aren't all the simple kind; some interrogate any popups/URLs and a lot more, pretty sophisticated stuff, but you need it. One blocker is now blocking 477 trackers alone, another blocking over 20 types of scams, tracking bad URLs etc. etc. Also HTTPS only being used + clean links/script blocking and more. I visited a website that tests your browser and got a clean bill of health; visit and check yours: Your Social Media Fingerprint .htr. That's a step in the right direction: the less info, the less attacks. Right enough, Windows is a sure-fire target for hackers.

Member
william says:

Don’t agree with your experts. More like someone has definitely hacked the butcher's website to place the new popup. The new code probably captures all the personal info that the host website displays about you to save you having to enter it. Which is how the fraudster had your name/phone number and knew which bank card you’d used.

Member
duncan lucas says:

William has a point; it's probably a JavaScript popup, not a virus in your computer. That's why I also have a comprehensive JavaScript blocker, but it has a downside: many websites won't display properly and some just give a blank screen, but I also have other browsers if I want to access proven good websites.

Member
duncan lucas says:

For those with popup problems, get uBlock Origin for Chrome/Firefox; download ONLY from github.com/gorhill/uBlock. I have it as part of a comprehensive app which blocks websites which have malware on them of any sort. Remember it's uBlock Origin, NOT uBlock, which has been bought out recently and now has complaints about it. Also watch out: some ISPs and Windows/Mac block github.com, but it's okay, they just don't like the way it gives away free independent malware protection; even China and other countries block it.

Member
JoeBloggs says:
24 October 2016

If you trust the internet for financial transactions then expect to lose money at some point. Trust no-one. And sorry Duncan, but there is no such thing as free; that’s why github gets blocked. 99.9% of computer users don’t know how they work or what they are capable of, and the other 0.1% are criminals who do and people trying to stop the criminals. Even the police are too far behind the criminals.

Member
duncan lucas says:

Joe, I am trying to understand your post before I reply. If you watch my posts I say many times I do not use Internet banking, PayPal or any other electronic transmission of funds through the web. No such thing as free? Could you elucidate for me? If a digital software designer designs virus/malware protection software that competes with BB versions, are you saying that it's okay to block their website? Especially as this designer designed the ORIGINAL piece of software. I know full well github is hated by BB and commercial interests, but they aren't ripping off other people; the designs are original by the original owners/designers of the software, not stolen from BB, it's quite the other way around. Are you defending restriction of Internet use in the case of FREE software that belongs to the original designers? In that case you would be approving a monopoly system worldwide. Let's get it straight: we are not talking of porn websites, although western governments don't block them for some reason, nor are we talking about scamming/hacking/building nukes/parcel bombs etc., “terrorist” acts; we are talking one thing, GREED, AVARICE/monopolizing/control of the public. You are certainly aware of this government telling ISPs to censor/block political websites or websites speaking the truth; they have been doing it for years, but now with the Snooper's Charter going through the House of Lords even they are unhappy about it, as it gives GCHQ unlimited powers of intrusion. I won't go into what they can do as it would upset viewers, but it's comprehensive to say the least, far surpasses the NSA/FBI.

Member
DerekP says:

As regards “free software” there are two kinds of “free”.

“free” as in free beer or as in a free lunch: no charge is made for the use of the software, but you don’t get to own the copyright of the version you download and the free version may be there to encourage you to spend money in other ways, e.g. free antivirus software may be there to encourage you to upgrade to a paid-for version.

“free” as in free speech. You can download the software and all of its source code, so you can know exactly how it works and what it does (and see if it contains any malicious code). You can (usually) also modify and distribute copies, so long as you continue to honour original licence conditions, including the ones about releasing your modified source code. You may have to pay for this kind of software – or it may also be free, as in free beer.

Those of us who have to write software as part of our day jobs do like to take a pay packet home each month. So we generally don’t work for free, even though we may sometimes be able to release free software, when this is consistent with our overall objectives.

Member
duncan lucas says:

Derek, I have no problem with software engineers being paid for their work/designs, and most people buy paid-for versions as they feel they get more comprehensive protection. I still have a paid protection on my now disused Win 7 Prof part of my PC; it's got a year or more to run. The problem with it is in its haste to become part of the Windows system. Guess what has happened? MS now controls it, not me. Github not only help with free scanners, but I have a comprehensive app that has 135,255 network filters on it + 63,077 cosmetic ones, most updated by github, + another github/EFF recommended app that is now blocking 14 short of 500 trackers + others. Posters wonder why their details are known, Derek; I am sure you know why, the companies concerned are very blatant about it, big flashy websites boasting about their ability to track to source in the US. Even my 6 security apps are stretched and I need others like HTTPS Everywhere/Clean Links and more besides, and most of them aren't for hackers, they are to prevent diversion and getting hit with massive advertising. It's a world of a difference not being blasted with popups, moving ads etc. etc. Why should the public be forced to put up with that?

Member
duncan lucas says:

Derek, as you mentioned open source and malicious code, I think you might be interested that the IoT bot Mirai has just gone open source. This is the one I posted about when answering a poster on not getting “smart meters”. I found it hard to believe the number of household electrical items in the US that are now wi-fi Internet attached, with many complaints due to easy access by this virus. I had a look at a tech website with live full-screen Mirai attacks shown in target “hits” as in nuked, and yes, in the 3 minutes I watched it England had 4 attacks, Eire 1.

Member
duncan lucas says:

Surprise, surprise, Derek, it seems the Government doesn't agree with you about open source and github. Guess who has taken a github account? GCHQ, with its “Gaffer” programme; check it out.

Member
DerekP says:

Actually Duncan, I did not express any views on github.

All I did in my post above was reply to JoeBloggs, to contribute what free software meant to me – both as an author and as a user.

Regarding open source software I did find a gov.uk webpage that said:

“Where appropriate, government will procure open source solutions. When used in conjunction with compulsory open standards, open source presents significant opportunities for the design and delivery of interoperable solutions.”

and also some 2015 press releases highlighting the acceptance of LibreOffice for use in UK government projects.

Member

A pharmacy rang me to advise I had been overcharged. They asked for my most recent CC details so they could give me a refund, then they billed me for a further supply of overpriced tablets. Fortunately the NatWest CC were on the ball and charged back immediately, but never take for granted that all CC companies are on your side or that you will get redress from the FSA.

Member
Patrick Taylor says:

“So, if malware is injected into a process which is already running in the context of the current user, it is easy to access those passwords in plain text.
Moreover, by injecting code into a web browser, attackers can modify the content shown to the user.
“For example, in a banking transaction process, the customer will always be shown the exact payment information as the customer intended via confirmation screens,” said Tal Liberman, Security Research Team Leader of enSilo.
“However, the attacker modifies the data so that the bank receives false transaction information in favor of the attacker, i.e. a different destination account number and possibly amount.”

thehackernews.com/2016/10/code-injection-attack.html

And it affects all Windows machines. How secure is online commerce?

Member
Zouk says:
29 October 2016

As a user who is not a technical computer expert am I wrong to trust Barclays Bank online safeguards? I use the card reader to log on along with other security requirements designed by Barclays. Are their methods insecure?

Member
duncan lucas says:

Zouk, put it this way, you are a lot more secure than other methods of entering your code. A one-time code is generated that is not held in the machine. Your card reader could be, in THEORY, counterfeit, modified, or infected with malware, but all things being equal, if you don't lend it out, let the family use it etc. then it's pretty safe; nothing digital is guaranteed 100% safe. BUT it could be scammed: NEVER, and I mean NEVER, RE-SYNC your device, I don't care who tells you when you are online; a reputable bank won't ask you to do that. One flaw is that there have been cases of fraud by card-reader where the customer loses liability protection and YOU end up paying, not the fraudster. But all-in-all, yes, you are better protected than others.

Member
Ian says:

Key pads (as opposed to card readers) are possibly more secure, since they have on-chip algorithms which calculate a prime number based on the time you use it, the number of times you’ve used it previously and the prime base number in question. Because the internal chronometer on the card is synchronised with the bank’s clocks, you should get a unique code each time that will only work at the time you choose it, or close to that time. But, as Duncan sagely notes, nothing digital is ever 100% foolproof.

Member

The same thing happened to me a few days ago, buying Virgin train tickets. I started filling in the info asked for by what looked like the bank’s card verification box, but thought I’d not seen so much detail asked for previously, so I aborted the sale. When I subsequently tried again, several times, to buy tickets, the Virgin website kept saying there was an error and payment failed. I phoned and Virgin said they were trying to fix website problems. After a day of this I bought through Trainline. I didn’t get a phone call though.
Should I now worry that I have something nasty lodged in my laptop? I’m not techy – most of the comments above mean nothing to me.

Member
duncan lucas says:

MLD, as you are not (your words) “a techy”, download, from the Malwarebytes website only, malwarebytes.com/antirootkit/; install it and run it and take its advice. Or: Kaspersky Virus Removal Tool, support.kaspersky.com/viruses/kvrt2015. IF MS block them from being installed let me know, or it could be a virus blocking installation. Do this FIRST and then get back. If others have problems with Virgin's website then it's a general thing, but if only you have a problem then, yes, you have malware. Try another computer just to verify.

Member
duncan lucas says:

MLD, I tried two Virgin Train websites and didn't see any malware on either when I went to “buy”; on the other hand I got a warning box asking me if I wanted to let Virgin (this website) know my location, obviously I clicked on the “never for this website”. Secondly, Virgin use JavaScript, beloved by hackers; as my protection was blocking it for this website I had to re-direct to a non-Java website, worth keeping in mind. So if you still have problems it's your computer that's got them, not the website, at PRESENT (nothing is 100% safe in digiland).

Member
Ron Thornton says:
30 October 2016

This happened to me when buying premium bonds from the National Savings and Investments website. I was purchasing a large amount of bonds so presumed Lloyds (my bank) were being more careful than usual. I have up-to-date F-Secure protection installed on my computer and have not seen this bank verification request appear with any other online purchase before or since. Is it feasible the NS&I website has been illegally accessed?

Member
duncan lucas says:

Ron, I can't find any malware on the website. Although the initial informational webpage is insecure, that is not the case when you go to the actual website to do business, but the new log-in states last month they changed the password situation. I noticed that NS&I, although government owned, is a non-ministerial dept. Also the server is in London while the GOV.UK server is in the US; now that worries me, that means it is subject to US law, and given a US High Court order YOUR info is available to US authorities, and that is now being changed by the US government under Homeland Security to allow access WITHOUT a Court Order. Any company in the UK, in US law, is a FOREIGN company and therefore more open to information gathering than a US owned/based company. All our data under the new EU Agreement has been transferred to the US; it's supposed to be secure but it is not from US security agencies.

Member

A ‘retailer’ phoned me and apologised profusely for overcharging. ‘Could I please let them have my new CC details so that they could refund me and give a substantial discount on recurring orders?’ They did not refund me. They doubled the charge. Happily the NatWest proved to be on my side on this occasion. They charged back all transactions and reported the fraud.