MasterCard SecureCode Scam

A forum member contacted me about what they suspected to be a fake communication regarding the SecureCode program from MasterCard. So I thought now would be a good time to do a refresher on how scammers use the name of this service to trick people.

MasterCard SecureCode exampleWhat is MasterCard SecuredCode? Well if you’re not familiar with it, this FAQ on MasterCard’s website will explain the service. But if you want the short and sweet version, it’s a passcode you create which then becomes required when your card is used at participating online retailers (so it’s an extra layer of verification necessary to make a purchase).

Even though this feature has been out for nearly a decade, it’s not all gravy:

  • It’s supported by over 400 banks and credit unions, but many of the biggest credit card issuers like Bank of America, Chase and Citi don’t support it (however some do like Wells Fargo, Capital One, and HSBC).
  • It only protects you at participating retailers online. So when you think about it, a crook would probably just go elsewhere to attempt a fraudulent purchase. Surprisingly many popular retailers, even the biggest like Amazon, don’t support SecureCode.
  • The authentication is done via a pop-up box, which sometimes makes it hard to tell if it’s coming from MasterCard or not.

As you can probably guess, the most common forms of the MasterCard SecureCode scam happen with the pop-up boxes. Phishers might use either malware on your computer or inject malicious code onto a website’s server, so that they can have their own [imitation] version pop-up on your screen to try and trick you into disclosing sensitive information.

The scam may happen a number of different ways…

MasterCard SecureCode scams

A box pops up on your computer with a fake MasterCard SecureCode registration screen, claiming it is required due to new FDIC rules or some other bogus reason.Remember this is an OPTIONAL feature from MasterCard (not “mandatory” or “required”) so if you see a screen like this, you almost certainly have malware on your computer.
You receive an email masquerading itself as being from MasterCard or a bank, and it is asking you to activate or confirm the SecureCode by clicking on a link in the email.Advice? Again, almost certainly a fake. Never login to a financial account by clicking a link in an email. Instead, go directly to your bank’s website by typing their URL into the address bar (i.e. After you get there, make the address bar displays https (the “s” means it’s a secure connection)
A less common form of the scam involves a fake store, with a fake MasterCard SecuredCard popup window. These are typically shut down pretty quickly though.There are more than 350,000 retailers participating in the SecureCode program but unfortunately, there is no website where you can search a list of who’s in the program that I know of. So encountering an imitation storefront might be a risk but when you think about it, this is no more risky than being duped into entering your credit card account number on a fake storefront.

Of course none of these scams are MasterCard’s fault. The guilty party is whomever is trying to trick you with their fake imitation, whether it be through your computer, an email, or a website.

While the SecureCode is marketed as being beneficial to consumers, ironically it’s of little value to us. Why? Because even if your credit card number is used fraudulently for online purchases, federal law limits the maximum liability for U.S. based accounts and often times, it will be $0 (for details read about the dispute process). Who the MasterCard SecureCode benefits most is actually the merchants, because it lowers the number of fraudulent transactions they get hit with.

The responses below are not provided or commissioned by the bank advertiser. Responses have not been reviewed, approved or otherwise endorsed by the bank advertiser. It is not the bank advertiser's responsibility to ensure all posts and/or questions are answered.
Efrain Gallardo

You can tell that the MasterCard pop-up box originates with a MasterCard-authorized source because it displays the countersign phrase you supplied MasterCard with when you signed up for the SecureCode service. SecureCode can thus protect you from fraud at the SecureCode merchant site you are using if you check your countersign phrase. Unfortunately, that same merchant can use your MasterCard number at another merchant that accepts regular MasterCard or can sell your information for other crooks to use elsewhere since your MasterCard is still good at any merchant that accepts regular MasterCard. So you only have protection if you are at an honest merchant site where you do not need protection anyway.

A PayPal account using a credit card-sized Symantec keycode generator card provides you with a unique, one-use code for each purchase and is secure because your PayPal account cannot be used again without a new keycode generated by the Symantec card for another purchase. Your PayPal account can only be used without a Symantec code if you have authorized PayPal as a continual or monthly payment source for a service like Netflix, Hulu, a utility, etc. That is a security hole but is ameliorated by your need to use a Symantec code to establish a continual or monthly payment in the first place, just not for the following automatic payments.

Sigh, beware! Indeed, it appears that the major boss hog of credit cards, Merchant Services, is not only victim to having their “fine” name drug through the mud, they literally support the fact of wolves online by failing to report the illegal use of their name! What is the good of BBB in pursuing a company that does not disclose they have been victimized by a scam in their name and fail to oublically acknowledge it has happened before me in order to maintain their “good safe secure” name? Yikes! Is this what is meant by the “Secure Code”?

How are consumers supposed to know, with certainty, that the pop-up asking for such critical information is even legitimate, or a phishing attempt?

This SecureCode idea seems fatally flawed!

Master Card Secure Code does not prevent fraud it is just another bad idea from Master Card. It removes even more responsibility from the merchant and transfers it to the card issuer. That is why large financial institutions rejected the so called “SecureCode”.

If MasterCard SecureCode is genuine, I think that my card suppliers would have contacted me direct some years ago.