MasterCard SecureCode and securesuite.net

Today was my first time encountering MasterCard®SecureCode™ when making an online order. I honestly thought I was being phished. Here’s where I got redirected to.

Going to https://www.securesuite.net/ gives you a nice blank page. And here’s the whois information:

Registrant:
      cyota
      yaron shohat
      174 Middlesex Turnpike
      Bedford, MA 01730
      US
      Phone: +1.8665606153
      Email: 

   Registrar Name....: Register.com
   Registrar Whois...: whois.register.com
   Registrar Homepage: www.register.com

   Domain Name: securesuite.net
      Created on..............: 2002-08-23
      Expires on..............: 2012-08-23

   Administrative Contact:
      RSA
      Network Operations
      174 Middlesex Turnpike
      Bedford, MA 01730
      US
      Phone: +1.8665606153
      Email: 

   Technical  Contact:
      RSA
      Network Operations
      174 Middlesex Turnpike
      Bedford, MA 01730
      US
      Phone: +1.8665606153
      Email: 

   DNS Servers:
      pdns3.ultradns.org
      pdns4.ultradns.org
      pdns2.ultradns.net
      pdns1.ultradns.net
      pdns5.ultradns.info
      pdns6.ultradns.co.uk

Who’s cyota? Who’s yaron shohat? And what fucking moron at RSA thought this was a good idea? Here’s the Google results for securesuite.net phishing. Doing a search for Securesuite.net does not return Visa or Mastercard’s official sites…

Well, it turns out securesuite.net isn’t a phishing scam, after doing some Internet searching, digging up direct links from Mastercard.com, and calling MasterCard directly to get verbal confirmation and to give them a piece of my mind. It’s not a scam, it’s just moronic and a phishing scam waiting to happen.

  • Sad. For mission-critical domains like this, you'd think they will make sure it doesn't expire within a year and they'd put on the “clientUpdateProhibited” and “clientDeleteProhibited” statuses as well.

  • lhl

    Actually, I think you misunderstand. The domain is properly registered – MasterCard's “SecureCode” and Visa's “3D Secure: Verified By Visa” both use this system, which is run by RSA (which acquired Cyota back in 2005). It's legit, it's just horribly designed in a way both looks like a phishing site, and of course, encourages phishing (by asking users to enter super-personal information into almost completely unverifiable, totally fake-looking sites).

  • What I meant was that “high security” domains like these should really be managed properly. If you look up the whois for google.com, you'll find the clientDeleteProhibited, clientTransferProhibited, clientUpdateProhibited statuses. The server* counterparts are statuses placed onto the domain by the registry — Verisign in this case, as part of a special “registry lock” service. This gives you additional layers of security against some forms of attacks.

  • lhl

    Ah, gotcha. Many levels of fail apparently. 🙂

  • Dragonphantom

    I put in random info and got my card locked because i thought it was phising…

  • Jim

    Did the same thing – put in bogus info vs. banks real – critical info. Now I am locked out, without so much as being able to phone, speak with someone live, since our land line has been out for 3 days, due back up tomorrow once phone company repair comes. Meanwhile get this, I go to the bank to make sure the SecureCode “receipt” (limbo escrow on-hold) status for the order amount won’t block my reordering attempt. Meanwhile the merchants “order history”, “pending order” sections show no evidence of the order – nor do I get an email from the merchant nor MCSecureCode excpt to contact my “participating” bank. Wait it gets better. So I go to the bank and between two bank employees, neither had very much awareness that the bank was a participating institution. Even though the MasterCard Secure code site refers you to the participating bank for dotting all the I’s and crossing the T’s of straightening out multiple password username confirmations and the phony info I gave simply to get a feel of how legit they were at — how many fingers have to be in the pie — securesuite.net.

    No fluffing wonder a US dollar is now worth less than seventeen cents.

  • Eros Valentine

    I’m relieved that it’s not a scam but I’m still wondering if there’s a way to get rid of the securesuite password account hassle.

  • Erik Bray

    Thanks for the post on this. I ran into this recently and was similarly perturbed. Five years on and this still hasn’t been improved!