For sale: Herman Munster's MasterCard number
22 Jun 2007 14:27
ID thieves duped by TV fan

Ha ha!
By A J Stiles
Posted Friday 22nd June 2007 14:37 GMT
I often enter false data into phishing sites when I am bored -- in fact, I've even knocked up a little utility which generates plausible fake card numbers with valid check digits. Perhaps I ought to learn how to write a Firefox extension, so more people can do this more easily!

Firefox extension!
By Karl Lattimer
Posted Friday 22nd June 2007 15:22 GMT
I'd pay for it! LOL

This is actually a really sensible idea, instead of getting the phishing warning stuff in firefox when you visit a site, say it sends in about 10,000 fake card details silently behind the scenes, now if the number of respondents (idiot clickers) in other browsers is less than 1/10000*the number of respondents in firefox, then the majority of the data in their collection system is going to be bogus. Therefore they'll eventually just give up on that method of phishing.

This is similar to but most likely more effective than the LAD Vampire thing which exceeds the bandwidth of phishing sites. The idea reminds me of that WW2 comic about poisoning the water supply of ze germans with thallium. phish poisoning eh, could it catch on?

Re: haha
By Dam
Posted Friday 22nd June 2007 15:37 GMT
Yes, you ought to. Although I don't receive phishing mails, and the few that ever reach my mailbox get nuked by the smtp or spamassassin, I could put a FF plugin to good use. Off to work with you :p

And...
By Hobbes
Posted Friday 22nd June 2007 15:51 GMT
when your little app accidentally comes up with someone's REAL number, you'll be reimbursing them will you? Sheesh...

Ha Ha - Hmm....
By Tom Melly
Posted Friday 22nd June 2007 15:58 GMT
Not a bad idea. If enough people got the habit, we could swamp the phishers. 0.1% valid response to phishing = nice profit. 0.1% valid response + 5% spoofs = a hell of a problem for them.

Pheeding phakes to phishers
By Summa
Posted Friday 22nd June 2007 16:04 GMT
Brilliant idea, A J -- 'cept some idiots will start using it on legit web sites and get themselves into a bunch of trouble for interrupting commerce. Next we'll see some article interviewing security experts telling us that we really should not be taking the law into our own hands and other such annoying pedantic tripe. Better that you call your local law enforcement agency next time you see nefarious web activity. They'll hop right on it.

@ A J Stiles
By Morely Dotes
Posted Friday 22nd June 2007 16:52 GMT
I'll be happy to provide a Web site for your anti-phishing plugin, if for some reason SourceForge declines. One of my sites is http://castle-anthrax.us - you can contact me at the domain registrant's address.

It's more than phishing
By Dillon Pyron
Posted Friday 22nd June 2007 17:36 GMT
Most of these sites also try to load trojans. I use a sacrificial machine to visit them and you'd be surprised, no, shocked, at the amount of software some of these sites try to load. I went to one site that had apparently become 0wn3d by someone else, as it had two trojans and two smtp servers and two comms tools, all going to radically different locations. The hackers who attacked the criminals weren't smart enough to clean things up. What a bunch of t00ls.

It's also fun to watch these sites break when I visit on a Linux box or, even better, my HP-UX box. Some of these sites are so poorly designed that they fall over.

Phakes
By Andrew Bell
Posted Friday 22nd June 2007 22:19 GMT
Hobbes: The likelihood of that happening is quite low, as the 16 digit card number is required, plus the issue number, plus the start date, plus the expiry date, plus the security code. Oh, and don't forget the name and address too! :P

Summa: Feeding bad card details into legit sites will only cause them to be validated as incorrect, as legitimate sites tend not to store your card data. On a phishing site, your entered details will usually go directly to a database, to be perused over and sold later.

Ahh... the memories...
By Daniel Ballado-Torres
Posted Friday 22nd June 2007 22:29 GMT
Ah those phishers. ... I remember getting an obvious eBay phishing scam (obvious as that e-mail was sent to an acct. that I hadn't even registered with eBay) and gave them my "login" detail as f***you and "ijustcalledthefbi" as password.

I found it funny though, that they actually check if your CC number is valid, I was denied the pleasure of giving them George Orwell's Credit Card. Heh.

Title
By Michael
Posted Friday 22nd June 2007 23:46 GMT
> Perhaps I ought to learn how to write a Firefox extension

By the sounds of it, that wouldn't harm the hobbies section of your CV.

Tripwire?
By Blain Hamon
Posted Saturday 23rd June 2007 02:45 GMT
"when your little app accidentally comes up with someone's REAL number, you'll be reimbursing them will you?"

Like what Andrew Bell said, the chance is exceedingly small. And if credit card companies were to get into the act by providing known false numbers for our fictional firefox extension, so much the better.

Hmm. Suppose these fakes were tripwires. Whenever a credit card company got these numbers, not only would it be denied, the response would be akin to the 'take card'-- "This guy's not a bad entry, it's one likely from a phishing site. Keep an eye on him."

Yes, some idjit will start using these for real, but here's where it gets better. Say John Joker starts using them on Amazon. Amazon gets the flags back from the credit card company, and shuts John Joker's account down. But the Jokers are a tiny minority of the credit cards processed.

Now Phisher.com starts getting credit cards. With a firefox extension like that, most of the cards will be tripwires. MasterCard at first will warn Phisher.com that the cards are invalid, so Phisher marks those off and knows which ones are legit. But after the first thousand or two where the majority of cards have been tripwires, MasterCard shuts down Phisher.com's account appropriately.

Issues remaining: The phishing checks would be by zombies, so IP tracing won't help. Phisher.com would most likely not check in the first place, or would go through a third party. And if they do check, they'd pepper the checks with enough known goods to possibly not trip Mastercard. Hmm.

Verify
By peter
Posted Saturday 23rd June 2007 23:46 GMT
The real money is just doing a man in the middle online banking scam. You pass on the details entered by the user onto the bank's site in real time, and then log them into the account once you verify you can log in. They get to bank as normal and you can sell the account to market pre tested. Bot nets probably allow you a 10 thousand attempts assuming the bank don't ban you on if you make a couple of mistakes, as real people often do.

But like the comment above, if the banks were to monitor false details injected into the scam they could take down phishers really fast.

I guess the record high of card fraud using Chip & Pin is the same man in the middle where 200 petrol stations just grabbed the pin and card details while allowing the transaction to go through as normal.

Re: And...
By James Cleveland
Posted Sunday 24th June 2007 23:57 GMT
So it's the chance that you have a number, name and sortcode that match despite being randomly generated. I'll go with those odds.

You're On!
By A J Stiles
Posted Monday 25th June 2007 12:29 GMT
OK, everyone -- You're On! I've decided, I'm going to jump in at the deep end and write my first Firefox extension. Thanks to everyone for the words of encouragement!

You can read up on how and what I'm doing, at the following address: http://phishbait.earthshod.co.uk/

I'm still hard at work reading "howto" documents at the moment. Anything I do manage to come up with will be posted at the above address.

Starting point
By Trevor
Posted Monday 25th June 2007 15:11 GMT
Maybe a short list of "good" numbers on your site to give us a starting point until the extension is available

All the best, AJ
By Michael Corkery
Posted Monday 25th June 2007 16:00 GMT
this has potential to be a GREAT idea. Anything that disencourages phishers and the like is good for the web and commerce. Someone commented it might be good CV experience - maybe the credit card companies could hire you to do it in partnership with them?

@Trevor
By A J Stiles
Posted Tuesday 26th June 2007 14:05 GMT
Comments noted. As the original was written in Perl, I've simply stuck the necessary wrapper code fore and aft to turn it into a CGI script, and made it output batches of 20 bogus credit card numbers at a time.

Next step: redo the same algorithm in javascript, which is the language in which Firefox extensions are written.

The period for commenting on this story has finished
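
The issuer-side check sketched in Blain Hamon's "Tripwire?" comment, written out as an added example that is not part of the thread or anyone's code in it. The tripwire numbers, merchant names, account names and both thresholds are constructed assumptions.

```python
from collections import Counter

# Constructed tripwire numbers an issuer might seed into phishing forms
# (assumption: these are not real cards and the list is kept private).
TRIPWIRES = frozenset({
    "4000000000000101", "4000000000000202", "4000000000000303",
})
MIN_VOLUME = 5    # assumed: never judge a merchant on fewer requests than this
MAX_RATIO = 0.5   # assumed: share of tripwire hits that marks the merchant

def review(requests):
    """requests: iterable of (merchant, customer_account, card_number).

    Returns (flagged_merchants, flagged_accounts). Every tripwire request
    is a decline; this function decides who gets watched.
    """
    total, hits = Counter(), Counter()
    suspects = set()
    for merchant, account, pan in requests:
        total[merchant] += 1
        if pan in TRIPWIRES:
            hits[merchant] += 1
            suspects.add((merchant, account))
    # A merchant whose traffic is mostly tripwires is the collector itself.
    flagged_merchants = {
        m for m in total
        if total[m] >= MIN_VOLUME and hits[m] / total[m] >= MAX_RATIO
    }
    # Otherwise the merchant is honest and only the customer account is
    # reported back to it (the "John Joker" case in the comment).
    flagged_accounts = {
        (m, a) for m, a in suspects if m not in flagged_merchants
    }
    return flagged_merchants, flagged_accounts

# Constructed authorisation requests: nine ordinary customers and one
# joker at a shop, then a merchant submitting six tripwires and one other.
ORDINARY = "4000000000009995"  # constructed, not on the tripwire list
SAMPLE = (
    [("shop.example", f"cust{i}", ORDINARY) for i in range(9)]
    + [("shop.example", "john_joker", "4000000000000101")]
    + [("phisher.example", None, t) for t in sorted(TRIPWIRES)] * 2
    + [("phisher.example", None, ORDINARY)]
)

if __name__ == "__main__":
    print(review(SAMPLE))
```
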