HSBC and MasterCard Battle Phishing with Phishing Technique

Here’s a little internet security quiz for you.

You’re planning a trip and are using the internet to reserve a lovely B&B in Scotland. You’ve filled out reservation information and now are going to use your credit card to pay.

You fill in your card number, expiry date, the 3 or 4 digit security number on the back/front of the card, your name, home address etc.

You press “SUBMIT”

After pressing submit, a window pops up, taking you to a different site, where you’re asked to fill in some of the same information you’ve just given, plus your date of birth.

You should:

a) cancel the transaction immediately
b) never put in the additional information being requested
c) copy down the address in the window and call your bank immediately
d) all of the above – you’re being phished.

If you answered a,b,c, or D, you’re correct.

Unless of course you have a Mastercard account.

Because, for some bizarre reason, this is exactly the technique Mastercard has begun using to try to bring ‘more security’ to your online transactions.

And it’s bound to fail miserably.

The scenario I described above is exactly what happened today. The popup looked like this:

Now, pop-ups are bad enough and always put me off.

But this one comes from a domain I don’t know (its not my bank or mastercard.com) and it uses the same kind of language I always see in those spam emails. You know, “free service”, “get it now” to make things more secure – oh, and guess what – you can’t complete your transaction without doing so…

We immediately bailed on the transaction fearing we’d been phished.

In a way, we had been – except it wasn’t a bad guy – it was Mastercard

OMG. Whoever talked them into this new online security move apparently doesn’t actually use the internet.

To make matters worse, even if you were going to institute such a lame scheme, you’d think Mastercard would tell their customers via their monthly statement that this was coming. You know, a heads up ?

Didn’t happen.

After spending 20 minutes on the phone with our bank, HSBC, we were reassured that this is legit.

I should point out that if you go to securecode.com you will be redirected to Mastercard. However, if you try the URL that was in the popup – a subdomain – you get a very un-Mastercard looking error screen (click it for a larger version)

This plan is doomed to fail. Mastercard’s new securecode system sends off alarm bells for even the most seasoned internet shopper.

Ironically, Mastercard may in fact reduce internet fraud by reducing internet transactions – their new system will cause people to cancel their transaction for fear they’re being duped.

Leave a Reply

Your email address will not be published. Required fields are marked *