Admin
And there was me thinking there was actually a formula for calculating if a card number is valid or not...
Admin
Dammit! My favorite pin (6969) is invalid.
I sure do love me some quintessence.
Admin
Well, duh. Malware has a long history of code being of questionable quality. Some of it is obviously written by careful people with a sense of pride in their craft, but a great deal of it has serious bugs. Back in the day, the DOS virus "Whale" was well-known for being unusually large (~9KBytes) and very buggy, and many viruses called the BIOS direct disk I/O functions using INT 13 rather than INT 13h.
Admin
You might want to erase the form action URLs so that some idiot doesn't actually use your copy of the form to send off any data, false or not.
Admin
Eh, I've seen worse.
Actually, that's kind of a scary thought in itself. There are places I've worked that could have improved their websites by hiring fifteen-year-old scam artists to replace their web programmers.
Admin
I find it nice that they didn't foresee more combinations. I must think that someone was bored and gave up.
Admin
Bah. Mostly that page just makes me wish that married couples really could file jointly in the UK (the bottom of the page asks you to specify how you are filing).
Admin
Someone tell me that 1112223344443231 is the 555 of card numbers.
Please.
Admin
Wow, that's horrid, and what if my pin really is 1234?
Admin
On an unrelated note, the page is not "optimised" (they used the appropriate en-GB spelling at least) for Opera, Konqueror or Chrome. Does that mean those users are too smart to fall for this scam? Either that or those browsers must simply be too secure for scam sites.
Admin
I would post you a link which has numbers used for testing credit card validation routines, but apparently I'm not allowed to.
However, the MasterCard ones are 5555555555554444 and 5105105105105100.
Admin
1234? That's the same combination as my luggage!
Admin
Did you by any chance work as a web programmer there?
Admin
Another glitch on the web page:
It says "enter a credit card number to which 354.33 will be debited."
Shouldn't it say "Credited"?
Admin
It wouldn't be much of a scam if they were crediting people's accounts with 300 squids, would it? They should get bonus points for being honest.
Admin
You can't really tell if a CC number is valid or not by using just JavaScript - the best you can do is to filter out a few obviously fake ones, so this isn't really a wtf.
Admin
I'm not going to waste my time picking holes in phishing code. There has always been a rule here on TDWTF that if it's not in production it's not a WTF. Otherwise every 14 year old's personal home page would be up here as an example of bad code, which is hardly appropriate. Phishing code is no different - it's not production quality, it's not designed for production and it's not in production so it shouldn't be on TDWTF.
Just my 2p (and my 2nd submit attempt)
Admin
While this is really the least of this person's problems, has anyone noticed the fact that the browser test is for less than or equal to IE? Not IE 7, mind you, but IE in general. Is less than IE Netscape 5?
Admin
I just needed 3 attempts to submit. Something is going funny today.
Admin
I like how the webmaster is "smart" enough to use the onsubmit event on the form, rather than pushing an input button with onclick event.
And then I see the onsubmit handler:
<form ... onsubmit="if (Validate()==false) return false;" ...>
Couldn't just use onsubmit="return Validate();" ?
But, TRWTF is very similar code is in the "Add a comment" page of thedailywtf (I suppose .NET's fault, but still...):
<form ... onsubmit="javascript:return WebForm_OnSubmit();" ...>
[ ... ]
<!--
function WebForm_OnSubmit() {
if (typeof(ValidatorOnSubmit) == "function" && ValidatorOnSubmit() == false) return false;
return true;
}
// -->
Admin
Wonder whether the scammers bothered to recheck these things on the server side? I'd guess not (which would make filling their DB with crap really easy) but you never really know…
Admin
You can tell if it's physically possible for it to be valid quite easily - the majority of credit cards use a MOD 10 check digit.
captcha: Validus (Latin for "valid"?)
Admin
Offtopic:
Seeing as this is a website for information technology failures, and there are frequently code examinations, would it not make sense to "open up the code" on the site and let some of us fix the notorious "2nd / 3rd / 4th / nth attempt to post" issue?
Not that I don't appreciate the work that's gone on in the site, I'd just like to help make a site I enjoy that much better.
Admin
I love the random typos, all months having 31 days, the fact that that DiaplayAllOkayMessage variable is hardcoded in, yet its value is being checked for multiple cases (despite the fact that it isn't changed anywhere). Good stuff!
Admin
Good'un. I particularly liked the way they picked chunks of files from genuine organisations all round the world to try and make the web page look plausible.
IRS? Argos? Western Union (Irish branch)?
Admin
You should pass them to a gateway for verification, and not arbitrarily filter out sequences of numbers.
Admin
Actually, not necessarily. The meaning of 'credit' and 'debit' interchange depending on whether you are talking about a credit or debit account, which usually depends on your perspective.
A 'debit' account is an account where the balance is the amount of money you owe somebody else. A 'credit' account is one where somebody (or something, accountants aren't fussy) owes you. Crediting is always a positive increase, debit is always a negative increase, so debiting a liability account (debit) is actually a gain for the holder of the account.
Or something like that. Not being an accountant, I always get the terms mixed up.
And we programmers think we have issues with poor naming conventions. At least we haven't codified them ;)
Admin
No, the best you can do is to find a JavaScript Luhn (I think it's called that) algorithm to validate it. Credit card numbers adhere to a pattern with check digits to validate them against to help prevent mistakes from double key presses and other common mistakes.
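The MOD 10 (Luhn) check mentioned in the comments above, as an added example that is not part of the thread or of the phishing page's code; the function names and the 13 to 19 digit length window are assumptions. It goes slightly beyond the thread by also computing the check digit, and it shows that 1111-2222-3333-4444 passes the check, so a pass only rules out typing mistakes and says nothing about whether the card exists.

```javascript
// Added example: Luhn (MOD 10) check for a card-number form field.
// Function names and the 13-19 digit length window are assumptions.

// Sum of digits where every second digit, counting from the right and
// starting at offset `start`, is doubled; doubled values above 9 lose 9.
function luhnSum(digits, start) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = digits.charCodeAt(digits.length - 1 - i) - 48;
    if (i % 2 === start) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
  }
  return sum;
}

// Normalise user input: drop spaces and hyphens, reject anything else.
function normalise(input) {
  const digits = String(input).replace(/[\s-]/g, "");
  return /^\d{13,19}$/.test(digits) ? digits : null;
}

// True when the number is well-formed and its check digit matches.
function luhnValid(input) {
  const digits = normalise(input);
  return digits !== null && luhnSum(digits, 1) % 10 === 0;
}

// Check digit that must follow `payload` (the number without its last digit).
function luhnCheckDigit(payload) {
  return (10 - (luhnSum(payload, 0) % 10)) % 10;
}

// Numbers quoted in the thread, plus two constructed typos.
const samples = [
  "5555555555554444",    // test number from the thread
  "5105105105105100",    // test number from the thread
  "1111-2222-3333-4444", // from the joke letter: passes MOD 10 anyway
  "1112223344443231",    // quoted in the thread
  "5555555555554445",    // constructed: one digit mistyped
  "5015105105105100",    // constructed: two adjacent digits swapped
];
for (const s of samples) console.log(s, luhnValid(s));
```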
Admin
But you can improve detection, basic Mod 11 test at least.
Admin
There used to be a time when they were just scammers and swindlers. Now everyone is some kind of "artist". phhh...
I am sure it's not long before "Coding artists" replace today's programmers.
That'll be the beginning of the end...they'd start teaching programming in art school... You'd get courses in color-coding-coding and exhibitions showing inexplicable perl expressions in galleries all around the world. Writing code would become "cool", and all the nerds will have to find something else to do...
Admin
[quote user="Finance"][quote user="scamz"][quote user="gus"]Another glitch on the web page:
It says "enter a credit card number to which 354.33 will be debited."
Shouldn't it say "Credited"?
[/quote]
It wouldn't be much of a scam if they were crediting people's accounts with 300 squids, would it? They should get bonus points for being honest.[/quote]
Actually, not necessarily. The meaning of 'credit' and 'debit' interchange depending on whether you are talking about a credit or debit account, which usually depends on your perspective.
A 'debit' account is an account where the balance is the amount of money you owe somebody else. A 'credit' account is one where somebody (or something, accountants aren't fussy) owes you.
[/quote]
So why is a credit card called a credit card? I wish the balance on my card was what they owed me...
They are definitely being incompetently honest here; no 'not necessarily' about it.
[quote user="Finance"][quote user="scamz"] Or something like that. Not being an accountant, I always get the terms mixed up. [/quote]
Well, you got something right...
Admin
(OK, so I'm hardly perfect either with ****ing up the formatting...)
Admin
Blast! You beat me to the punch line!
Admin
Minister of Revenue HM Revenue & Customs 100 Queen Street Binghamshireton, England 1G3A8-G1
Dear Minister Bolton,
I recently submitted a request for a tax refund of 327.54 L's on your web site. Unfortunately, the web site would not take the number of my Royal Express card: 1111-2222-3333-4444. In addition, my PIN number of 1234 was not accepted either!
When you get the opportunity, could you please repair your web site so that I may apply for my refund?
Thank you,
Jameson Q. Kinglingston 12 Ogden Heath Yorkshire Puddington, RQ A8ADI-7A
Admin
It's good to know that two of my cards' PINs are not valid... and in case you're wondering... no, I haven't changed them myself.
Admin
Anyone else think it's funny that they are using the US IRS's stylesheets and 1x gifs?
Admin
TRWTF: IE7, which renders the "text source" as HTML.
Admin
Important: The tax law imposes heavy penalties for giving false or misleading information.
Admin
TRWTF will be how many users submit the form they got from TDWTF with correct data....
Admin
You've gotta give the scammer credit for at least trying to decrease the number of invalid entries he's going to have to sift through in order to swindle someone. Hey, his time is valuable too.
Admin
Considering they're only 4 digits, that pretty much applies to all PINs.
Admin
Fair enough.
Captcha: iusto - Iusto love her, but it's all over now
Just enter your Credit Card number and Pincode here and we'll refund you your 2p.
Admin
Mathematicians have proved that 3529 is the only safe pin. Bugger! We'd better move to 5-digits.
Admin
Actually, the wording I saw was:
Please enter your exactly credit card information where the 327.54 GBP will be debited.
Nice English there. I think it should be "credited" too. Even if it's a credit card (as opposed to a debit card), it's a credit to the card holder. Or rather, it would be if it wasn't a scam.
Another odd thing I saw was that it apparently includes the css and some images from irs.gov even though it pretends to be from the UK. They probably had a US one first.
Admin
I did a little work on their intranet at times, mostly to fix stuff the 'real' web developers broke. Like the javascript Y2K bug I cleaned up in 1999 ... on a page that had been created in 1998. If I had that code, I would so submit it to this site. I never was able to figure out what the original designer was thinking, but I bet one of the regular commenters here would have found a way to justify it.