A Dispatch

February 21, 2006

Trust But Verify

One of my credit cards offers online access to check current activity and such. I check that Web site almost daily to make sure there isn't anything suspicious going on.

(The card company, itself, is pretty good at detecting problems. A couple of years ago, my card was double-swiped at a San Francisco restaurant. In a few weeks, someone with a card made with my magnetic stripe data tried to buy gas in Florida. That's how a lot of card crooks test the validity of a stolen card or stripe—by attempting to make a small purchase where they don't have to hand the card to a clerk and can make a fast getaway. Anyway, the transaction didn't pass the card company's "smell" test, and they contacted me immediately before the transaction ever posted.)

When I went to log into the site today, I was surprised to see not only a completely new-looking site, but my bookmarked URL had been automatically redirected to a URL I didn't recognize. Here was this well-designed page, begging me to enter my login name and password.

The sound of bells you might have heard in the distance was the alarms going off inside my head.

A radical transformation such as that in this day and age is incredibly suspicious. I don't recall receiving any notification about a change in Web access, nor do I remember seeing any advisories about this on the old site yesterday. There have been cases in which financial institution Domain Name Service data has been temporarily compromised, redirecting users to fraudulent copies of the good sites, so I was aware that this was a possibility.

Before proceeding one step further, I got on the phone to my credit card company. After following the right breadcrumb trail through their electronic phone system, I spoke with a customer service person for their Internet services. She informed me that they did, indeed, change over the Web site, URLs, and such. To make doubly sure that she was legit, I was satisfied that the information she provided to me about my account was something that only the card company would know.

I share this experience primarily to demonstrate how watchful we must all be, and offer an example of how to go about checking out your suspicions without exposing yourself to even more risks. You can't be too careful these days, but you can be too trusting.

Posted on February 21, 2006 at 12:03 PM