Heads-up: Phone scammers pretending to be JPMorgan Chase MasterCard security


Recently, a round of phone scammers have been dialing through our area with a caller-ID of (000) 000-0000, which should already raise suspicions.

When you answer, a synthesized voice says that they are calling from JPMorgan Chase MasterCard security. They claim that your credit card has been disabled due to suspicious activity, and in order to reactivate it, you need to enter your 16-digit credit card number.

I decided to see how far I could take the robot voice for a ride, so I entered 16 random digits. No luck, the robot voice knew about the checksum and asked me to enter it again. I did a quick search for "fake credit card number" and landed on this blog entry and entered the first fake credit card number on that page.

The robot voice accepted the credit card and proceeded to ask me for the card's expiration date (I made one up) and the PIN (I made one up). At that point, it reported that it had successfully verified the information and that my card had been re-enabled.

Of course, the joke's on them: The fake credit card I used wasn't even a fake MasterCard number. It was a fake VISA credit card!

By the way, don't read the comments on that blog entry if you want to retain any faith in humanity.

Comments (21)
  1. Jack B Nimble says:

    Those comments make me sad, but at least I got a credit card number out of it. Now if only I knew the security code…

  2. I recall wishing in the past for the next level of duff card numbers: not just non-functioning, but 'poisoned'. In the same way some websites have spamtrap email addresses like i-am-a-spambot-3439@example.com, where the '3439' will identify the 'user' who requested the page with that address on (giving the IP address and other details of the spider which harvested that address for spamming), a card number which would appear valid but flag anyone using it as being evil.

    Irritatingly, I have had several calls of this ilk from "Windows Technical Support", wanting control of my computer. No caller ID, and having played along a bit it seems the remote control software they use doesn't allow tracing of the far end without giving them control, either. (Perhaps next time I'll claim to be reliant on dial-up, so to get control he will have to call me on (insert premium rate number here) while I connect up the modem…)

  3. I should have heeded your warning.

    Now my brain is dripping out of my ears. :(

  4. phi says:

    Oh, a bot just succeeded in posting a blog in Raymond-style with a link to a webpage. I'm not going to fall in that trap.

  5. Those comments are amazing in a terrible kind of way. So funny how low people will sink in an attempt to get free stuff. Also love the catsluver555 cop.

    The real sad thing is people who fall for these kind of scams. Pretty much any time I get a call relating to my financial stuff, I look up the number while on the call. And then I'll hang up and go to the bank in person anyway because I'm not taking a chance over the phone.

  6. Jon says:

    I played along for a while with the Windows support one too. He asked if I had noticed my computer was acting slow and it took him completely off guard when I answered "no". He said he knew I was having trouble because I used the "report problem to Microsoft" thing. When I told him I was running Linux he sounded confused, although he did tell me to open Firefox to download the remote connection tool – he didn't even mention IE. The tool is through a third-party, and I asked him about the big red notice on the site warning about scam callers that have been telling people to use their tools and he said it was okay – he is from Microsoft. I think he gave up around the time I said it was going to be a 2 hour download. He never called back like he said he would, so I didn't get to see what he would do while remoted into the virtual machine I set up after the call.

  7. Henning Makholm says:

    As for faith in humanity, it's one of the Laws Of The Internet that as soon as 3 people in any given comment thread have missed a point in the same stupid and mildly amusing way, they will inevitably be followed by a legion of trolls who all actually know exactly what the mistake is, but (for some reason) think it will be hilarious to pretend they are committing it too.

  8. AK2 says:

    I think my favourite comment on the blog entry is "Wats the point if you can't buy anything with this?Like people actully want to test software."

  9. mikeb says:

    I'm pretty sure the median age of the commenters is probably around 12; I think the lack of critical thinking displayed is right about on target for that age group.

    What I'm curious about is what are all these surveys that people are taking that need a credit card number? Am I missing out on surveys that are so awesome that I'd want to pay to take them?

  10. Dave Totzke says:

    @mikeb I think the median maturity level is likely 12 but the actual median age is probably, dishearteningly and disturbingly many years higher than that.

    @Steven Don – That's just perfect :-)

  11. Troll says:

    My faith in humanity is lost once again when Ben fell to the trolls so easily.

  12. kbar says:

    Credit cards use a simple Luhn algorithm for the check digit. You can easily make up a number that will pass the check digit test. CCV requires a lookup to the database. Check Wikipedia for details.
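
An added example, not part of the original post or of any comment: the Luhn check the robot voice applied, next to the issuer-prefix check it skipped, which is why a VISA-format number passed as a "MasterCard". The function names and sample numbers are constructed for illustration, and passing both checks only means the digits are well-formed, not that an account exists.

```python
import re

def luhn_ok(pan: str) -> bool:
    """Luhn check: from the right, double every second digit, sum digit-wise."""
    if not (pan.isascii() and pan.isdigit()):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:      # every second digit, counting from the right
            d *= 2
            if d > 9:       # same as adding the two digits of the product
                d -= 9
        total += d
    return total % 10 == 0

def brand(pan: str) -> str:
    """Guess the card network from the leading digits (issuer prefix)."""
    if pan.startswith("4") and len(pan) in (13, 16, 19):
        return "visa"
    if len(pan) == 16 and (51 <= int(pan[:2]) <= 55
                           or 2221 <= int(pan[:4]) <= 2720):
        return "mastercard"
    return "unknown"

def screen(entry: str, expected_brand: str) -> str:
    """Offline format screening only; a pass says nothing about a real account."""
    pan = re.sub(r"[ -]", "", entry)
    if not (pan.isascii() and pan.isdigit()):
        return "reject: not a number"
    if not luhn_ok(pan):
        return "reject: checksum"
    if brand(pan) != expected_brand:
        return "reject: wrong network (%s)" % brand(pan)
    return "format ok, still unverified"

# Constructed sample inputs (test-style numbers, not real accounts).
SAMPLES = ["4111 1111 1111 1111", "4111 1111 1111 1112", "5555 5555 5555 4444"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", screen(s, "mastercard"))
```
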

  13. Larry Hosken says:

    I was dismayed when Ben suggested a security code the same as the combination on my luggage.

  14. Cheong says:

    > so I didn't get to see what he would do while remoted into the virtual machine I set up after the call.

    Good idea. Nice thing to do when I feel bored next time.

    With procmon, I should have a fun time tracing what he has done.

  15. steven says:

    I love how Raymond operates under the assumption that we actually *have* any faith in humanity.

  16. Peteris Ledins says:

    got the same scam call.

    The only problem – my keypad did not work.

  17. dave says:

    True story: I followed the link, and the link from there to the checksum algorithm, and went to pull my card out of my wallet to run through the checksum… and that slot in my wallet was empty.

    I used the card earlier this evening (and seem to have left it at the grocery store), and probably wouldn't've noticed it missing for at least another day or two had I not read this post tonight.  So it's a good thing I decided to verify the checksum and my card is now cancelled and not missing-and-live.

    Raymond provides awesome public service, even when he's not trying to.

  18. configurator says:

    We always used 4444-4444-4444-4441 where I used to work. And 111111112 for ID number, which uses a similar checksum.

    Also, @dave just reminded me that I left my credit card outside my wallet yesterday and almost forgot it today…

  19. Works in payment industry says:

    When you work on payment systems you lose faith in the entire industry. I have seen some banks approve payments even when the CVV was wrong, they tell you the CVV was incorrect, but it is up to the merchant to decide to go through with the transaction or not. Some payment systems don't even require the CVV. Other systems just take card number and CVV without cardholder name, expiration date etc…

  20. Christine says:

    This reminds me of the text message I got last week. It said my bank account was locked due to suspicious activities and that I needed to call a particular phone number to remove the block. But it wasn't from JP Morgan Chase. It was purportedly from my bank. However, I was skeptical and called my bank's toll-free hotline instead. And there, the bank rep confirmed that the message I got was a scam.

    So what I did was take note of the phone number and reported it to CALLERCENTER to raise a warning.

    [I tip my hat to whoever hacked the caller ID system so that it shows PHONE SCAM for a known scammer. I got this and was pleasantly surprised when my phone told me exactly what was going on. -Raymond]
  21. Marc K says:

    @Jon: I knew someone that almost fell for this. The scammer opens up the Event Viewer and shows all the items that are marked as Warning or Error (probably with a filter excluding the Information entries). Then they attempt to sell you a service to fix this for several hundred dollars. I wonder if all they do is clear the event log. It's a very smart scam because every Windows computer I've ever seen has many innocuous items marked as Warning or Error.
