“We’ll never call or text for ID Code 1234567. Please use only to complete your purchase with Ticketmaster for 339.22 USD using card ending in 9876”
The text purported to come from the credit card company where I actually have a card ending in 9876.
I called the number on the back of the card and (after satisfying the AI/Voice Tree) managed to get a person who said (of course), “Card cancelled immediately, new card and number on the way.” We verified that there were no pending transactions on the card and that the last one was valid.
But it raised questions that the front line CS person couldn’t help me with:
How would a scam like this work? I’ve never, ever been challenged to make a purchase involving a texted code from the credit card company. (I’m U.S.-based if that matters.) Frankly, I think I would be inclined to terminate any purchase that asked me to read them a code I got from a bank or credit card company.
I know that it’s possible to spoof a phone number but this came in as an SMS short code (5 or 6 digits instead of a whole 10 digit number) that had been used by the named credit card company in the past. Can you spoof short codes too?
In the time it took me to cancel the card, I had no other interaction. No (spoofed) phone calls. No further text messages. No emails. Thus, what was going on? How would me getting a code that no one asked me for help someone run a scam? (Yeah, pretty much the same question as #1 but with a slightly different focus.)
Anecdotally I have been fighting an ID theft issue for the past several weeks, so I pulled my 3 main credit reports after cancelling the card. There was nothing out of the ordinary going on–which is a relief after the last several weeks. A pox upon scammers. And BTW, did you know that you should have a credit freeze at each bureau? You did? Good. Did you know that if someone has enough of your personal information they can lift that freeze by phone without talking to a person? And they can change your email address and phone number for fraud alerts? They can. Yeah, that surprised me, too.
Do you have a Ticketmaster account with that CC saved? It looks like this was from someone who logged in to your Ticketmaster account and was trying to buy tickets. If it was a scammer, they would have had info for you to call them back. As you describe it, it sounds like the normal 2-factor verification that Ticketmaster has for regular ticket purchases.
Yeah, what filmore said. Someone tried to use your CC on a device never before used by you, so to verify it, the CC company sent you a 2 factor code. I have had something similar when my spouse uses my CC to buy something with her phone.
My exact scenario - spouse used my CC to order food from a chain restaurant using HER phone, but the security code was sent to MY phone to verify the transaction
I seriously doubt that. I have never received a 2FA code that included an actual purchase amount in the text and I don’t think I’ve ever had a legitimate charge listed as “USD.” No way was that actually from Ticketmaster.
Any text/email about a large purchase listed with USD screams fake scam.
Probably the next step the scammer wanted you to take is to reply to the text, then they’d send you the link to enter in the code and then you’re off on whatever scammy site they’ve got going.
That was where it fell apart then, as I didn’t do anything except call the issuer and pointed out that the card must be compromised if they had the correct last 4 digits. Not sure when that would have happened as that particular card hasn’t been used for over a month and then not at a place where the number could have been swiped.
It sounds like it’s something Ticketmaster calls 3D Secure
So the text is not from Ticketmaster itself, but rather from your CC bank. The link with the info is a .fr url, so it might be someone in France tried to use your CC info and the French Ticketmaster server triggered the secondary CC verification.
That explains the source of the message. FTR I’ve not been prompted to ever link my card to a mobile phone number although they have my number on file.
I tire of having to keep going to the well to prevent these attempts on my identity/credit. I double down on my request for a pox.
I am grateful that there are some security procedures in place and that they work to the extent they do, though.
It’s not just Ticketmaster, actually… 3D-secure is a whole credit card industry initiative that tries to dynamically evaluate your risk profile on a per-merchant, per-purchase basis: 3-D Secure - Wikipedia
When a purchase is attempted, merchants using this system can send some of the transaction info to the card network (Visa/Mastercard), which can then communicate with your issuing bank, and together they will run automated checks on your identity and whether this purchase matches your previous usage. If the automated checks determine it’s likely OK, the transaction successfully processes without further input from you. If something looks suspicious, they may send you a 2FA code, even if you never explicitly opted into it.
I sometimes buy sketchy shit online (like fake video game money) and that always triggers one of these codes. It’s the only time I get 2FA for my credit card purchases that’s not directly from my bank (which texts me as the bank, or notifies me in the app), but from some other shortcode.
It’s annoying, but it might’ve actually protected your card from an unauthorized transaction in this case.
On top of that system, some merchants will also try to opt you into a separate Click to Pay system that replaces your card details altogether with code-based 1FA (they just send you the code via email or text): Buy online even easier with Click to Pay | Visa Sometimes the “use Click to Pay for now on” checkbox is automatically checked and you might opted in by accident.
Seems like they could get that much info just from your mail – most of my credit card bills now don’t list the whole card number, just say ‘the account ending in 1234’. So they know your name & home address, the credit card issuer, and the last 4 digits. And looking at the bill will tell them the kind of businesses you buy from.
Plus they can stuff the bill back into the envelope, seal it up, and toss it into the mail again. Then they have a few days to try something with that info before you ever get the bill. And probably longer – most people aren’t attentive to when their bill normally arrives, so won’t even realize that it was delayed by this interception.