Credit card fraudsters use custom domain

Usually when I get a phishing scam email, it directs me to a lame 3rd-rate-Geocities kind of website, but this one has a custom domain: www.secure-your-credit-card.com.

Of course, the true purpose of the site is exactly the opposite of what is claimed. Anyone naive enough to fill out the form with their credit card information will learn the hard way about phishing scams.


Discussion

What, no direct link?

I want to secure my credit cards!

The reason that they don't usually register a domain is because then you can just do a whois:

WHOIS information for: secure-your-credit-card.com:

Domain Name.......... secure-your-credit-card.com
Creation Date........ 2007-12-19
Registration Date.... 2007-12-19
Expiry Date.......... 2008-12-19
Organisation Name.... Kirsi Yli-Kaitala
Organisation Address. P O Box 99800
Organisation Address.
Organisation Address. EmeryVille
Organisation Address. 94662
Organisation Address. CA
Organisation Address. US

Admin Name........... PrivateRegContact Admin
Admin Address........ P O Box 99800
Admin Address........
Admin Address........ EmeryVille
Admin Address........ 94662
Admin Address........ CA
Admin Address........ US
Admin Email.......... contact@myprivateregistration.com
Admin Phone.......... +1.5105952002
Admin Fax............

That looks like registration info for one of those companies that help hide the actual registrant's information for privacy purposes. Things like this are one of the reasons I oppose any hiding of the actual registrant's information in WHOIS records.

My Private Registration is a service offered by Melbourne IT: http://www.melbourneit.com.au/help/index.php?faqid=30

They seem to have a proper lookup as well where you can look up the true details: http://www.melbourneit.com.au/help/index.php?questionid=50137

I work in Berkeley, adjacent to what we call Emeryville. But I'd love to visit the fictitious land of EmeryVille - it sounds rather quaint.

"The true purpose of the site is exactly the opposite of what is claimed."

I have to take issue with that. Obviously they're trying to do exactly what they say: namely, they're trying to secure your credit card. So that they can make fraudulent purchases with it.

Come on, have you looked at the site? They can keep you from "loosing" your money! I, for one, know that my money is already too loose, I need to tighten it up. It's Interpol and FBI approved, what could go wrong? I'll be back in three minutes...

Are they advocating a loose monetary policy?

I got a little teary-eyed when I got my first fully html Nigerian scam e-mail. They grow up so quickly.

Registered today, so it's almost certainly an example of Domain Tasting: http://en.wikipedia.org/wiki/Domain_tasting

The domain will be gone in a week.

I've heard claims that at any given time, the number of domains being 'tasted' is greater than the number of actual domains legitimately in use.
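The two checks the thread relies on, the WHOIS record posted above and the "registered today, so it's domain tasting" observation, can be automated. The block below is an added example and not code from the original post: it parses the dotted key/value WHOIS layout quoted above (embedded here as a constructed sample) and raises flags for a domain created within days of the phish being seen, a one-year registration term, and a privacy/proxy registrant. The privacy markers are the ones visible in that record plus a few generic words, and the 30-day "fresh" threshold is an illustrative assumption.

```python
"""Score a WHOIS record for the phishing indicators discussed in the thread.

Added example, not part of the original post. Assumptions: the record uses the
dotted "Key..... value" layout quoted above; PRIVACY_MARKERS are the strings
seen in that record plus generic words; max_age_days=30 is illustrative.
"""
import re
from datetime import datetime

# Constructed sample: the record quoted in the thread (empty address lines dropped).
SAMPLE_WHOIS = """\
Domain Name.......... secure-your-credit-card.com
Creation Date........ 2007-12-19
Registration Date.... 2007-12-19
Expiry Date.......... 2008-12-19
Organisation Name.... Kirsi Yli-Kaitala
Organisation Address. P O Box 99800
Organisation Address. EmeryVille
Admin Name........... PrivateRegContact Admin
Admin Email.......... contact@myprivateregistration.com
Admin Phone.......... +1.5105952002
Admin Fax............
"""

PRIVACY_MARKERS = ("privatereg", "myprivateregistration", "whoisguard", "proxy", "privacy")
LINE_RE = re.compile(r"^([A-Za-z ]+?)\.+\s*(.*)$")


def parse_whois(text):
    """Return {lower-case key: [values]} for the dotted key/value layout."""
    fields = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # header or blank lines
        key, value = m.group(1).strip().lower(), m.group(2).strip()
        if value:                         # "Admin Fax............" carries no value
            fields.setdefault(key, []).append(value)
    return fields


def _first_date(fields, key):
    vals = fields.get(key)
    return datetime.strptime(vals[0], "%Y-%m-%d").date() if vals else None


def score_domain(whois_text, seen_on, max_age_days=30):
    """seen_on: 'YYYY-MM-DD' when the phish arrived. Returns the flags raised."""
    if isinstance(seen_on, str):
        seen_on = datetime.strptime(seen_on, "%Y-%m-%d").date()
    f = parse_whois(whois_text)
    created = _first_date(f, "creation date")
    expiry = _first_date(f, "expiry date")
    flags, age = [], None
    if created is None:
        flags.append("no creation date")
    else:
        age = (seen_on - created).days
        if age < 0:
            # The registrar's clock may sit in another time zone, so a record can
            # show a creation date "after" the sighting; that still means brand new.
            flags.append("created after sighting by registrar clock; treat as brand new")
        elif age <= max_age_days:
            flags.append(f"registered only {age} day(s) before sighting")
    if created and expiry and (expiry - created).days <= 366:
        flags.append("one-year (minimum) registration term")
    blob = " ".join(v for vals in f.values() for v in vals).lower()
    if any(marker in blob for marker in PRIVACY_MARKERS):
        flags.append("privacy/proxy registration")
    return {"domain": (f.get("domain name") or [None])[0],
            "age_days": age,
            "flags": flags,
            "suspicious": len(flags) >= 2}


if __name__ == "__main__":
    print(score_domain(SAMPLE_WHOIS, "2007-12-18"))
```

Run against the record above with the thread's own date (December 18, 2007) it raises all three flags; the negative age is the time-zone case called out in the comment, not a parsing error. None of these indicators is proof on its own, since plenty of legitimate new sites use privacy registration, but a brand-new, privacy-registered, one-year domain behind a "secure your card" form is about as clear a signal as WHOIS gives.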

#11 posted by RLJ, December 18, 2007 7:01 PM

Gone in less than that.

Server not found

Firefox can't find the server at www.secure-your-credit-card.com.

#12 posted by Rob, December 18, 2007 7:59 PM

A lot of the phish I get at (at least of the ones I actually look at) go to real domains. secure-ebay, various misspellings and extensions of bank names and such. This isn't anything new from what I've seen. Maybe you ended up on some different lists lately?

Same for me, Rob. I very rarely get the Geocities variety, it's almost always some actual domain, sometimes related to the scam they're pulling. I forget what some of them were, but along the lines of "pypy-scrty-ffc.cm" and that sort of thing.

The good news is that my gmail account filters out probably 99% of my spam. Sadly, my other email accounts don't fare so well.


I like what ING does to help prevent phishing. When you create an account with them, you pick a picture and a phrase and anytime you go to log in, they show them to you. No phishing site is going to have *your* picture and *your* phrase so it's easy to know if you've been misdirected.

It worries me that my real bank doesn't do this.


Oh! That reminds me.


Someone should make a "phish spammer" program. Whenever someone sends you a phishing scam, then you feed the website into the program and it will go create hundreds of thousands of bogus entries, thereby (ideally) rendering the phishing site useless. The idea isn't to do DoS, but rather, to fill their phishing database with so much junk that they'd never find the real stuff, if they did actually trick someone.

I do this by hand sometimes, filling out my username as "nicetry" and the password as "youputz". It makes me happy. I'd fill it out repeatedly but I get bored after 1. I've never seen a phishing website employ "bot protection".

RealCatholicMen:

Defeating that sort of security isn't too hard. When you connect to the scammer's website, a program running there connects to the bank's website, and when you enter your username, it is relayed to the bank website in order to receive the image and phrase. The scammer can also use this to check whether your password is correct, and therefore even seem to already know your password should you enter it incorrectly. I believe some banks have stated that such a trick wouldn't be possible, but they are wrong. A program that could do this could easily be made indistinguishable from a normal web browser, and a botnet could easily make IP-based tracking on the bank's part almost impossible.

In short, you don't need to be worried that your real bank doesn't do this, but you should be worried that ING believes it to be secure.

You can far more securely verify the identity of your bank via SSL certificates. Most scammers usually don't have valid certificates, and even for those that do, they won't be the same certificates as those that your bank uses.
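The relay the commenter describes, and the certificate comparison offered as the better check, can be played out end to end in a few dozen lines. The block below is an added example, not code from the original thread or from any bank: Bank, RelayPhisher and the victim are toy in-process objects, the account, picture and phrase are constructed, and the "certificate fingerprints" are SHA-256 hashes of made-up key strings standing in for real TLS certificates. The protocol steps are the ones the thread describes (username, then picture/phrase, then password), and the phisher forwards each step to the real bank as it happens.

```python
"""Relay attack on picture/phrase ("site key") mutual authentication.

Added example, not part of the original thread. All names, accounts and key
material are constructed; fingerprint() stands in for a TLS certificate check.
"""
import hashlib


def fingerprint(key_material: str) -> str:
    """Stand-in for a certificate fingerprint: hash of the site's (fake) key."""
    return hashlib.sha256(key_material.encode()).hexdigest()[:16]


class Bank:
    """Genuine site: shows the user's picture/phrase after the username step."""
    def __init__(self):
        self.key = "bank-private-key (constructed)"
        self.accounts = {"alice": {"password": "hunter2",
                                   "image": "sailboat.png", "phrase": "blue skies"}}
        self.sessions = []

    def certificate(self):
        return {"subject": "www.example-bank.test", "fingerprint": fingerprint(self.key)}

    def username_step(self, username):
        acct = self.accounts.get(username)
        return None if acct is None else {"image": acct["image"], "phrase": acct["phrase"]}

    def password_step(self, username, password):
        acct = self.accounts.get(username)
        if acct and acct["password"] == password:
            token = f"session-{len(self.sessions) + 1}"
            self.sessions.append((username, token))
            return token
        return None                                 # bank's "wrong password" response


class RelayPhisher:
    """Phishing site that forwards each step to the real bank in real time."""
    def __init__(self, bank):
        self.bank = bank
        self.key = "phisher-private-key (constructed)"
        self.harvested = []

    def certificate(self):
        # The phisher can obtain a certificate for its own domain, never the bank's.
        return {"subject": "www.secure-your-credit-card.com",
                "fingerprint": fingerprint(self.key)}

    def username_step(self, username):
        return self.bank.username_step(username)    # genuine picture and phrase

    def password_step(self, username, password):
        token = self.bank.password_step(username, password)
        if token is not None:                       # bank-verified: worth keeping
            self.harvested.append((username, password, token))
        return token                                # victim sees the bank's own verdict


def victim_login(site, username, password, expected, pinned_fingerprint=None):
    """What the victim does; returns a dict describing the outcome."""
    if pinned_fingerprint is not None and \
            site.certificate()["fingerprint"] != pinned_fingerprint:
        return {"proceeded": False, "reason": "certificate mismatch"}
    if site.username_step(username) != expected:
        return {"proceeded": False, "reason": "picture/phrase mismatch"}
    token = site.password_step(username, password)
    return {"proceeded": True, "logged_in": token is not None}


def demo(pin_certificate: bool, password: str = "hunter2"):
    """Victim lands on the phishing site; optionally compares the certificate."""
    bank = Bank()
    phisher = RelayPhisher(bank)
    expected = {"image": "sailboat.png", "phrase": "blue skies"}
    pin = bank.certificate()["fingerprint"] if pin_certificate else None
    outcome = victim_login(phisher, "alice", password, expected, pin)
    outcome["stolen"] = len(phisher.harvested)
    return outcome


if __name__ == "__main__":
    print("picture/phrase only:", demo(pin_certificate=False))
    print("wrong password     :", demo(pin_certificate=False, password="oops"))
    print("certificate checked:", demo(pin_certificate=True))
```

With only the picture/phrase check the victim sees the correct image, logs in "successfully" and the phisher walks away with a bank-confirmed password; a mistyped password is rejected exactly as the bank would reject it, which is the "seems to already know your password" effect the comment describes. Comparing the site's certificate against the bank's stops the relay before the username is ever sent, because the phisher's domain cannot present the bank's certificate.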

RealCatholicMen:

If you're in the US, your bank is working on it. All banks have to implement multifactor authentication, and almost all of those solutions provide mutual identification as well. We just launched ours this week. It was supposed to go live back in July but it had some performance problems in our environment so we had to wait on fixes.

Personally, I like Chase the best. They send a text message to my cell phone with a PIN I have to type in to log in to their site (they can also email or telephone). To the number I registered with them when I signed up. Which no fake website is going to have.

Realcatholicmen wrote: "Someone should make a "phish spammer" program..."

I did this a couple of years ago; it's called "Phish Phood" and so far I have used it to "pheed" bogus data to over 550 phishing sites. I haven't released it for public use because it requires occasional manual intervention, but more importantly it could be used maliciously by a spammer who wants to, say, fill in a form repeatedly with spam for their web site.

Realcatholicmen wrote: "I've never seen a phishing website employ "bot protection"."

Very few of them do. Some of them use various methods to ensure they're not being spammed by the same person. I won't go into details, but let's just say the majority aren't that smart.

You'd also be surprised what you can find by altering URLs of phishing sites. They aren't always so good at hiding things.

Phishers often use actual domains (rather than, say, dotted IPs, or subdirectories on hacked third-party websites). Some are hosted on 'botnets' - the phishing website is duplicated across dozens of infected Windows boxes - but others actually use regular hosting services. For instance, one persistent Amazon phisher keeps creating domains at an Italian hosting company called Technorail. WHOIS information for phishing domains is typically either forged, or hidden by a private registration.

I'd actually like to see sites like Amazon, eBay and banking sites discontinue the practice of including URLs in their emails. They should get users accustomed to typing the URL each time, rather than blindly clicking links.

Of course that's only helpful as long as the phisher doesn't have a trojan on your box that's intercepting name resolution requests. Once you can't trust DNS any more, all bets are off.
