Earlier this week I was reading this article (A con as big as the Ritz: part 1, part 2) from The Guardian about Elliot Castro, who managed to extract a lot of money from other people’s credit cards:
I knew you needed a range of security information to back up any significant purchase on a card, not just the data on the card itself. Yet that was all I was being given when customers were buying phones through me. Every few minutes I was helplessly keying in the numbers. Hundreds of 16-digit runs, expiry dates and issue numbers. Not enough.
Then, one day, I received a call from a guy who owned a business. He needed to order 10 phones and wanted to pay with his corporate American Express card. This was it. I wasn’t even aware of what I was doing at first, but something clicked and I moved into action. I asked the man to hold. I sat looking at my reflection in the screen, steadying myself and concocting my scheme. I put the headphones back on. "Are you there, sir? I’ve got American Express on the other line. I’m just going to ask you some security questions."
It went like a dream. I asked him every question I could think of, far more than would have been necessary, and he rattled off the answers without hesitation. I scribbled them all down in a notebook, along with the original card details, then thanked him and hung up. Soon this was a common practice, whenever someone had a friendly voice and a large order to place, and my notebook slowly filled up.
That’s quite clever because if you phone a company it’s reasonable to expect that they will ask you those types of questions. Then I read in today’s SCMP about a somewhat similar con which is apparently being operated here in Hong Kong (Slick card gang fleeces rugby fans – subscription required):
Rugby fans have been fleeced of hundreds of thousands of dollars – the latest victims of a gang of sophisticated bank-card fraudsters, say police. Thousands of fans in Hong Kong for this weekend’s Sevens have been warned to be on alert.
The thieves take bank cards and business cards, but nothing else, from wallets and purses. Their victims may not realise anything is missing, say police.
Armed with the business card, the gang researches a cardholder’s background before calling them and pretending to be from their bank’s lost-card service. The caller – a "super-smooth professional" in the words of one victim – says he will cancel the cards and provide a temporary password to access accounts once the account holder has typed their PIN into their phone.
I suppose it’s easy to be taken in by these people, but the banks always say that you should never give out your PIN number to anyone, including bank staff. Given that, it would be interesting to know what attitude the bank will take about refunding the money that has been stolen.
I tend to be very suspicious of people who ask me for bits of personal information, though it seems to be compulsory to tell companies in Hong Kong your Hong Kong ID number, and as a result this must be about the least secure piece of personal information in existence. Some companies demand to see your ID card, but others just take the number over the phone and then seem to believe that this proves something.
The other problem is that when they do ask for personal information to verify your identity, it would help considerably if their records were up-to-date. When I’m asked for my work phone number or the name of my employer, I have to guess whether they collected this information 2 years ago or 5 years ago or 10 years ago and whether it has been updated since then. Not such a good system after all.
I suppose it helps to reduce fraud, but, as Elliot Castro and the "super-smooth professional" have demonstrated, you can’t totally prevent it.