Friday, May 21, 2010

Eppicard


EPPICards are a popular tool in most States for paying such things as unemployment insurance and other social welfare checks. They function much like a debit card, each one attached to an individual person, and to an account with a certain amount of money in it. When the State pays the unemployment insurance, it is placed directly in the account and the amount of money available via the EPPICard increases.
As far as safety goes, the EPPICard itself is not inherently deficient. From both a technology and a security standpoint, it is in line with the industry standards for credit and debit cards, and has no obvious flaws for scammers to exploit. In fact, the EPPICard is usually a generic debit card, such as a Visa, and its only distinguishing feature is that it is linked not to a normal bank account but to an EPPI account. Of course, no system is totally secure. The one thing scammers can, and do, exploit is the fact that the vast majority of EPPICard users are relatively uneducated about con artists, and will not recognize “phishing” attacks on the computer when they see them.

A phishing attack is an email attack that relies not on a virus but on a message. It might say, for example, “It has been 90 days since you last reset your EPPICard PIN number. Click on the link below to go to our website and reset your PIN number to keep your account safe.” Of course, the link does not actually take the user to www.eppicard.com. Instead, it takes the user to a website that looks identical but has some change in the web address. The user then unwittingly gives away his or her username and password to log in, and then types in the current PIN and a new one to “reset” it. The next day, the scammers have stolen all the money from the account.
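The check a mail filter or a careful reader applies to such a message can be written down: compare the host a link really points to with the genuine www.eppicard.com. The sketch below is an added example, not part of the original post; the sample message and the `.example` hosts in it are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

LEGIT_DOMAIN = "eppicard.com"  # the genuine site named in the post

class _Links(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_legit_host(url):
    """True only if the URL's host is eppicard.com or a subdomain of it."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN)

def suspicious_links(html_body):
    """Return links that mention the real site but point somewhere else."""
    parser = _Links()
    parser.feed(html_body)
    flagged = []
    for href, text in parser.links:
        mentions = LEGIT_DOMAIN in text.lower() or LEGIT_DOMAIN in href.lower()
        if mentions and not is_legit_host(href):
            flagged.append((href, text))
    return flagged

# Constructed sample message; the non-eppicard hosts are made up (.example is reserved).
SAMPLE = """
<p>It has been 90 days since you last reset your EPPICard PIN number.</p>
<a href="https://www.eppicard.com/login">Official site</a>
<a href="http://www.eppicard.com.account-reset.example/login">www.eppicard.com</a>
<a href="http://www.eppicard.com@pin-reset.example/">Reset your PIN</a>
<a href="http://eppicard-secure.example/reset">https://www.eppicard.com/reset</a>
"""

if __name__ == "__main__":
    for href, text in suspicious_links(SAMPLE):
        print(f"SUSPICIOUS: '{text}' -> {href}")
```

Only the first link passes: in the other three the real name appears in the visible text or somewhere in the address, but the host the browser would actually contact is not eppicard.com.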

There is a similar attack that occurs over the phone or by way of snail mail. The user is told, “Your account has been shut down due to suspicious activity. Please call 123-456-7890 to reactivate your account.” When the user calls, he or she must offer personal identifying information (maybe a username and password, maybe a Social Security number) so that the scammers can “identify” the user as the person he or she claims to be. Again, upon logging in to check the balance, the user finds that all of the money has disappeared.