A forum member contacted me about what they suspected to be a fake communication regarding the SecureCode program from MasterCard. So I thought now would be a good time to do a refresher on how scammers use the name of this service to trick people.
What is MasterCard SecuredCode? Well if you’re not familiar with it, this FAQ on MasterCard’s website will explain the service. But if you want the short and sweet version, it’s a passcode you create which then becomes required when your card is used at participating online retailers (so it’s an extra layer of verification necessary to make a purchase).
Even though this feature has been out for nearly a decade, it’s not all gravy:
- It’s supported by over 400 banks and credit unions, but many of the biggest credit card issuers like Bank of America, Chase and Citi don’t support it (however some do like Wells Fargo, Capital One, and HSBC).
- It only protects you at participating retailers online. So when you think about it, a crook would probably just go elsewhere to attempt a fraudulent purchase. Surprisingly many popular retailers, even the biggest like Amazon, don’t support SecureCode.
- The authentication is done via a pop-up box, which sometimes makes it hard to tell if it’s coming from MasterCard or not.
As you can probably guess, the most common forms of the MasterCard SecureCode scam happen with the pop-up boxes. Phishers might use either malware on your computer or inject malicious code onto a website’s server, so that they can have their own [imitation] version pop-up on your screen to try and trick you into disclosing sensitive information.
The scam may happen a number of different ways…
MasterCard SecureCode scams
|A box pops up on your computer with a fake MasterCard SecureCode registration screen, claiming it is required due to new FDIC rules or some other bogus reason.||Remember this is an OPTIONAL feature from MasterCard (not “mandatory” or “required”) so if you see a screen like this, you almost certainly have malware on your computer.|
|You receive an email masquerading itself as being from MasterCard or a bank, and it is asking you to activate or confirm the SecureCode by clicking on a link in the email.||Advice? Again, almost certainly a fake. Never login to a financial account by clicking a link in an email. Instead, go directly to your bank’s website by typing their URL into the address bar (i.e. wellsfargo.com). After you get there, make the address bar displays https (the “s” means it’s a secure connection)|
|A less common form of the scam involves a fake store, with a fake MasterCard SecuredCard popup window. These are typically shut down pretty quickly though.||There are more than 350,000 retailers participating in the SecureCode program but unfortunately, there is no website where you can search a list of who’s in the program that I know of. So encountering an imitation storefront might be a risk but when you think about it, this is no more risky than being duped into entering your credit card account number on a fake storefront.|
Of course none of these scams are MasterCard’s fault. The guilty party is whomever is trying to trick you with their fake imitation, whether it be through your computer, an email, or a website.
While the SecureCode is marketed as being beneficial to consumers, ironically it’s of little value to us. Why? Because even if your credit card number is used fraudulently for online purchases, federal law limits the maximum liability for U.S. based accounts and often times, it will be $0 (for details read about the dispute process). Who the MasterCard SecureCode benefits most is actually the merchants, because it lowers the number of fraudulent transactions they get hit with.