
Is My Credit Card Stolen? (A ruse to educate people about phishing) - AngryParsley
http://ismycreditcardstolen.com/
======
generalk
Interesting concept!

I'd remove the negativity from the start. Putting "This is a test, you have
failed it" right in front of folks is an _instant_ turn-off, and might lead
people away from your page instead of to the helpful content below.

More bullet points. There's not a whole lot of text there now, but anything
you can do to get the message across with fewer words is a win, especially
when dealing with non-technical folks.

Under "look at the address bar", you have: _A common phishing trick is to have
a domain like amazon.com.not.ru, which steals your credentials when you try to
log in. The actual domain in this example is "not.ru," but people often only
check to see if the string "amazon.com" is anywhere in the address bar._

I'd change that to not use the word "string" since non-tech-folks don't parse
that very well, and maybe include screenshots of an address bar containing the
real Amazon.com and a phishing site disguised as Amazon.

Still though, good idea!
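
The address-bar point above, as an added example that is not part of the original post or the linked site: the "is amazon.com anywhere in there?" habit next to the check a reader actually needs. The sample URLs are constructed; "amazon.com.not.ru" is the comment's own example, and the multi-part public-suffix caveat (co.uk and friends) is left out.

```javascript
// Added example, not code from ismycreditcardstolen.com.
// Hostnames below are constructed samples for illustration.

// The mental shortcut people use: does the brand's domain appear anywhere?
function naiveAddressBarCheck(href, legitDomain) {
  return href.toLowerCase().includes(legitDomain.toLowerCase());
}

// The correct test: the whole hostname must be the legitimate domain or a
// subdomain of it. Assumes legitDomain is a registrable domain such as
// amazon.com; suffixes like co.uk would need the Public Suffix List.
function hostnameBelongsTo(href, legitDomain) {
  const host = new URL(href).hostname.toLowerCase();
  const legit = legitDomain.toLowerCase();
  return host === legit || host.endsWith("." + legit);
}

// The labels that actually decide where the traffic goes are the rightmost
// ones, read right to left, which is the opposite of how people scan the bar.
function rightmostLabels(href, n = 2) {
  return new URL(href).hostname.toLowerCase().split(".").slice(-n).join(".");
}

// Side-by-side summary of one URL, suitable for the screenshot comparison
// suggested above.
function compare(href, legitDomain = "amazon.com") {
  return {
    href,
    naive: naiveAddressBarCheck(href, legitDomain),
    real: hostnameBelongsTo(href, legitDomain),
    decidedBy: rightmostLabels(href),
  };
}

const SAMPLES = [
  "https://www.amazon.com/ap/signin",
  "https://amazon.com.not.ru/ap/signin",
  "https://not.ru/login?return=https://amazon.com/",
  "https://evilamazon.com/",
];

// Runs stand-alone in Node or a browser console.
console.log(JSON.stringify(SAMPLES.map((u) => compare(u)), null, 1));
```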

~~~
AngryParsley
Thanks for the suggestions. If you want to make changes, you can fork
<http://github.com/pquerna/darwintest> .

Edit: I used the "you fail" message because I think it makes people more
likely to remember it. I wanted to say something like "your credit card has
been stolen. kthxbye." but that would have caused some false alarms.

It's hard to have a memorable message without it causing offense or panic.

Also on my TODO: add a counter for those who put 16 digits in the credit card
field.

Extra edit: nfriedly: Thanks for the styling suggestion.

~~~
nfriedly
On the same vein as the post above, a little vertical spacing between the
bullet points would go a long way toward improving readability:

    li { margin:12px 0; }

------
batiudrami
"If asked for your password, do not give it out. Real websites will never ask
you for your password. (Login forms excepted, of course.)"

This is confusing, in my opinion. It's hard to explain the difference between
a login form and a page asking for your password, so it's probably worth just
leaving this out. Any phisher worth his salt makes the page asking for a
password look like a login form anyway.

~~~
AngryParsley
You're right. It will be fixed whenever pquerna gets back from the Cassandra
get-together.

------
mahmud
1) Create an online form that doesn't take input, and call it "educational".

2) Get a bunch of educated people to review it for 3-5 days and approve of it.

3) Wait until the educated people send links of this to their non-internet-
literate friends, for education, shits and harmless giggles.

4) Switch to a live form that _captures_ data.

~~~
AngryParsley
Clever idea, but it's not hard to find out the identities of those behind this
site. They'd get busted for fraud pretty quickly.

------
rlpb
Could you perhaps write some JavaScript to check the check digit and submit
just whether it was correct or not? Then you could have some stats on how many
people are gullible vs. just curious.
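
The check-digit idea above, as an added example (not code from the site): a Luhn mod-10 test run in the browser that yields only a one-word verdict, so a stats counter never sees the number itself. The element ids, the verdict labels and the 13-19 digit length window are my assumptions; the empty-field case gets its own verdict rather than "failed".

```javascript
// Added example, not code from ismycreditcardstolen.com.

// Luhn mod-10 check over a digit string (spaces and dashes tolerated).
function luhnValid(pan) {
  const digits = String(pan).replace(/[\s-]/g, "");
  if (!/^\d+$/.test(digits)) return false;
  let sum = 0;
  let double = false;              // every second digit from the right is doubled
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;           // same as summing the two digits of the product
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// What the page would record instead of the number: one word per attempt.
// "empty" separates a blank submission from a wrong one; "malformed" is
// random typing; only "valid" looks like a real card number.
function classifyAttempt(fieldValue) {
  const digits = String(fieldValue).replace(/[\s-]/g, "");
  if (digits.length === 0) return "empty";
  if (!/^\d{13,19}$/.test(digits)) return "malformed";   // assumed length window
  return luhnValid(digits) ? "valid" : "invalid";
}

// Browser hook (skipped when run under Node). The number field is kept
// outside the <form>, as the site does, so only the hidden verdict field
// is posted. Element ids are assumptions.
if (typeof document !== "undefined") {
  document.getElementById("check-form").addEventListener("submit", () => {
    const pan = document.getElementById("ccnum").value;          // not in the form
    document.getElementById("luhn-verdict").value = classifyAttempt(pan);
  });
}
```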

------
ROFISH
You know what, this is a phisher's dream. Even if we could trust this website
for not saving the data, the connection is a regular non-secure connection, so
all somebody would have to do is catch some open wireless connections or
similar.

~~~
AngryParsley
View the HTML source. The credit card inputs aren't part of the form. They're
never sent across the wire.

~~~
rlpb
This doesn't matter. If the connection is intercepted, the credit card inputs
suddenly can be part of the form.

~~~
AngryParsley
That's true for any non-https site. They could inject stuff into
wellsfargo.com or whatever.

------
m0tive
The site's started to hit Firefox's "Reported Web Forgery!" page...

"This web page at ismycreditcardstolen.com has been reported as a web forgery
and has been blocked based on your security preferences."

------
ck2
How responsible is this if you allow the domain to expire someday - or your
email gets hacked and a foreign party takes control over your domain name?

------
daleharvey
I haven't particularly been following it, but is there any real solution to
phishing? With punycode domains and arbitrary TLDs, along with characters
that look the same in a lot of fonts (l and I), people need a CS degree to
figure out if they are being phished.

I guess PayPal and a small number of verified payment processors (or real
online banking) are about the only option.

~~~
neurotech1
Yes, use bookmarks on a trusted computer, or better yet, type any sensitive
domains. Typing www.paypal.com is easy.

------
abentspoon
Last week, I posted something similar to proggit using the YouTube redirect
exploit.

During its three-hour run, nearly 6000 people (20%) tried to give me their
Google account credentials.

[http://www.reddit.com/r/programming/comments/bpy7h/think_you...](http://www.reddit.com/r/programming/comments/bpy7h/think_youre_immune_to_phishing_attacks_see_if_you/)

------
jcooney
This is remarkably similar to the site my friend Leon set up, which he
artfully called "Creditcardology" - see <http://secretgeek.net/cco/CCO.HTM>

------
kunley
They are banned now...

So anti-phishing folks got accused of phishing. Looks like it was a technically
nice idea but a terrible user experience.

Unless of course there WAS a hidden agenda here.

~~~
goodmitton
Okay, that explains why I couldn't understand what you guys were talking about
and all I got was a "Warning: Suspected phishing site!"

------
sbov
I submitted no data and it still said I failed the test?

~~~
iaskwhy
I guess you're not supposed to submit these kinds of forms, even if empty.

~~~
AngryParsley
Nah, I'm just lazy and didn't write any JavaScript to validate the inputs.

Edit: yeah I would normally never use JS for validation.

~~~
rlpb
You rely on JavaScript to validate your inputs?

Edit: although I suppose you can have an exception in this case :-)

------
jxcole
I tried to find a way to pass the test and couldn't. Could someone explain to
me how to pass?

~~~
trjordan
A strange game. The only winning move is not to play.

------
dzh
Aha! Online credit-card-information catcher?

------
mixmax
I'll mail this link to my mom right away.

------
alexkay
The meat of the site is this page:
<http://ismycreditcardstolen.com/check.html>

