Some years ago when I was doing more stuff in spam and phishing I came across a phishing site for a small US bank. The list of phished card details was available through the interface and it was clear that there were some real people local to the bank who had given their name, address, card number, PIN, SSN, ... everything.

I decided to contact the bank. After filling in the form for contact on their web site giving all the details of the site, I did get an email back and eventually I got someone on the phone. This person (who said they were in charge of bank computer security) thanked me and said that they were going to try to deal with it (I had also contacted the school district whose computer was hosting the site to get it shut down).

I then told this person that there were real account details on the phisher site and would they like the list of people's account numbers so they could inform their customer/shut down their debit card etc. The bank officer replied, "No." As far as they were concerned the people who were that stupid got what they deserved.

I was flabbergasted, but couldn't do much to make the bank do something.

So, using the names and addresses of the people from the phishing site I managed to track a couple of them down (they were small businesses whose business addresses were available on the web) and phoned them up so they would be alerted. They took it pretty well considering that some weird British guy was calling them from France to tell them their US bank account details were at risk.



A few years back, when "Verified by Visa" first came out, I was taken aback the first time I saw it. It's not at all hard to imagine that you're being phished by this strange page.

I called the customer service number for my Visa card and asked if this was a real Visa card "feature". After spending a couple of minutes asking around, nobody knew what the heck it was.

If Visa has a division that takes security seriously, they certainly need to work hard on the customer-facing aspects of it.


VbV has to be some of the worst security engineering I've ever seen. iframe content, arbitrary domain (securesuite?!), trivially guessable or resettable details.


And to add on top, it looks like a con; the design is horrific.


Verified by Visa is hideous security theatre. I have no idea why banks fail so hard at security. They're actively targeted by criminal gangs; they stand to lose money if they get it wrong; they have money and expertise to get it right. Yet they all suck.


They fail so hard because Visa and the banks aren't the ones liable for losses. Liability falls to you (if you don't report) or the merchant (through chargebacks).

Visa and the bank make their money either way. Merchants have no choice but to "bend over and take it up the tailpipe".


Sounds like they were trying to avoid liability. If you know person X has had his account hijacked, and you do nothing, you're probably liable under some law or another. If you don't know the exact identities involved, you can feign ignorance and probably get away with it.


In my opinion that would have justified alerting the local press.


Local? Just local? I'd be as noisy about it as I could, and I would have informed the people whose info had been compromised as to just what the bank said when you offered them a list of compromised accounts.

Wouldn't you want to be informed if your bank was intentionally leaving your personal info and financial well-being at risk?


There's usually a procedure for reporting lost cards which results in immediate blocking, if you really want to secure those numbers. In Lloyds it's actually pretty strict - I found some wallet one day on a street but without any contact information - called up the bank responsible for the card so that they could contact the owner with my phone number, but they wouldn't proceed before cancelling that person's card. On one hand I can understand that action, on the other I feel bad for causing that person to request a new card when I was already standing on the street he lives on.


You could have copied the card and months later charged something on it. Someone other than the owner was in possession of that card; it was the right thing to cancel it.


Like I said - I understand why it's done and it seems to be a method of forcing some cards to be blocked ("I found cards with those numbers..."). Unfortunately it causes some issues if you actually intend to return the wallet/card to the owner.
