Re: Some companies are just asking for it.
Steve Furlong wrote:
> On 6/24/05, Perry E. Metzger <[EMAIL PROTECTED]> wrote:
> > For the record, the guys at Fidelity Investments have always seemed to
> > me to have their act together on security, unlike lots of other
>
> A few years ago I did some consulting at Fidelity Investments, writing code to spider their own websites for, among other things, security. The fact that they were willing to pay for a few months of my time, plus the obscene markup for the company I billed through and putting me up in Boston, suggests they were serious about it.

I can vouch on that level as well; unfortunately what I can vouch for is covered under NDA, but I can tell you they are very serious about addressing security. Mind you, no one is perfect.

--
Best Regards,
Lance James
Secure Science Corporation
www.securescience.net
Author of 'Phishing Exposed'
http://www.securescience.net/amazon/
Find out how malware is affecting your company: Get a DIA account today!
https://slam.securescience.com/signup.cgi - it's free!

- The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Some companies are just asking for it.
On 6/24/05, Perry E. Metzger <[EMAIL PROTECTED]> wrote:
> For the record, the guys at Fidelity Investments have always seemed to
> me to have their act together on security, unlike lots of other

A few years ago I did some consulting at Fidelity Investments, writing code to spider their own websites for, among other things, security. The fact that they were willing to pay for a few months of my time, plus the obscene markup for the company I billed through and putting me up in Boston, suggests they were serious about it.

--
There are no bad teachers, only defective children
Re: Some companies are just asking for it.
"Perry E. Metzger" <[EMAIL PROTECTED]> writes:
> Oh, and what companies are involved? The card is Fidelity branded, but
> it is really an MBNA production, with online marketing and card
> servicing (like this piece) being done by Individualized BankCard
> Services. One would think that everyone in question would know better,
> but sadly they don't.

I got a very nice communication from a person at Fidelity Investments wanting to make sure that this was from the (unrelated) Fidelity Bank, and not something that they had done. It is indeed a Fidelity *Bank* branded credit card, not a Fidelity *Investments* card. The two organizations are entirely unrelated and just happen to share a name.

For the record, the guys at Fidelity Investments have always seemed to me to have their act together on security, unlike lots of other places. They have excellent FAQs for their users on what is and what is not safe to do in a web browser, they only allow logins from pages that are downloaded with SSL, etc. The fact that someone there was worried when I sent out my mail and got in touch with me to check only confirms for me the feeling that they seem to try hard to do their jobs right...

Perry
Re: Some companies are just asking for it.
John Levine wrote:
> My girlfriend just got an (apparently legitimate from what I can tell)
> HTML email from her credit card company, complete with lots of lovely
> images and an exhortation to sign up for their new secure online
> "ShopSafe" service that apparently generates one time credit card
> numbers on the fly.

John, I have some serious samples of "Consumer Mis-education", as it's been dubbed; I actually provided some of the samples in Aaron's report. Side note: not only are the emails confusing, but every email that I get from a consumer (so far I've gotten eBay, Amex and Bank of America; the American Express one in the PowerPoint especially is really screwed) had major vulnerabilities that allow cross-user attacks within them.

Not only that, to add to his report, with cross-user attacks (I'm probably preaching to the choir, but it's still interesting) you can foil SSL connections with the lock by using what I call a "Mixed-SSL" attack, where you have multiple frame control with your valid certs, but the domain URL is https://www.americanexpress.com. This in essence only indicates one SSL cert, that being the bank's site that you have injected code into, and by walking the DOM you essentially use your certs to maintain the secure frame objects. (For a demo of this contact me offline.)

There was a point - oh yes, with the emails - in most of these cases, there can be what I call a bulk mail "replay" attack. Assume a phisher has a "BofA" account, and receives the bulk mailings of the legitimate Financial Institution (FI). This is a safe assumption because in the past we have seen a phisher utilize a real BofA email and just replace the links with poisoned links that used BofA's site to phish the user.

So with some timing, a "replay" attack can be organized: since we establish that, say, "BofA" has some vulnerabilities in XSS (this is just an example, no offense to BofA), the phisher can wait for a commercial legitimate marketing campaign and then mix in his poisoned mass mailing within the same time frame as these are going out. This will not only confuse the customer, but when reported may get underestimated because the FI did in fact send out a mass-mail to their customers*. The poisoned URL with the real domain and real (SSL-MIX) lock at the bottom of the screen belonging to Bank of America (even though the phisher took over the site) could potentially increase ROI by inducing "misplaced trust" or cause severe lack of confidence within the already troubling concept of online banking.

-Lance

*Ironically, I did find a vulnerability previously in a certain FI mass mailing campaign that allowed me to arbitrarily subscribe anyone's email address to their campaign list and control settings for whether they get the "Solicited" Commercial Email. This adds to the effect since phishers can subscribe anyone, not just their customers.

> Shopsafe is rather nice. I use it all the time, and it's written in
> flash which works on my FreeBSD laptop.
>
> On the other hand, MBNA's mail practices would be laughable if they
> weren't entirely in line with every other bank in the country. If you
> read Dave Farber's IP list, a couple of days ago Bob Frankston sent in
> an alarmed note saying that some info from his Bank of America account
> had apparently been stolen and used in a phish, and I wrote to tell him
> that no, the mail was real, from the service bureau they use which has
> a name nobody outside the banking industry knows.
>
> Aaron Emigh of Radix Labs wrote to tell me about a talk he gave earlier
> this year at an Anti-Phishing Working Group on this topic, which starts
> with a set of examples of real bank mail each of which looks phishier
> than the last.
>
> This is 30MB due to the voiceover, but if you have a fast web
> connection, it's worth running. It needs Powerpoint:
> http://www.radixlabs.com/idtheft/aaron-emigh-education.pps
>
> Regards,
> John Levine
Re: Some companies are just asking for it.
John Levine <[EMAIL PROTECTED]> writes:
> On the other hand, MBNA's mail practices would be laughable if they
> weren't entirely in line with every other bank in the country.

The fact that others do laughable things doesn't make their practices any less laughable. Stupid things remain stupid no matter how widespread the stupidity might be.

Perry
Re: Some companies are just asking for it.
>My girlfriend just got an (apparently legitimate from what I can tell)
>HTML email from her credit card company, complete with lots of lovely
>images and an exhortation to sign up for their new secure online
>"ShopSafe" service that apparently generates one time credit card
>numbers on the fly.

Shopsafe is rather nice. I use it all the time, and it's written in flash which works on my FreeBSD laptop.

On the other hand, MBNA's mail practices would be laughable if they weren't entirely in line with every other bank in the country. If you read Dave Farber's IP list, a couple of days ago Bob Frankston sent in an alarmed note saying that some info from his Bank of America account had apparently been stolen and used in a phish, and I wrote to tell him that no, the mail was real, from the service bureau they use which has a name nobody outside the banking industry knows.

Aaron Emigh of Radix Labs wrote to tell me about a talk he gave earlier this year at an Anti-Phishing Working Group on this topic, which starts with a set of examples of real bank mail each of which looks phishier than the last.

This is 30MB due to the voiceover, but if you have a fast web connection, it's worth running. It needs Powerpoint:
http://www.radixlabs.com/idtheft/aaron-emigh-education.pps

Regards,
John Levine, [EMAIL PROTECTED], Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://www.johnlevine.com, Mayor
"I dropped the toothpaste", said Tom, crestfallenly.
Some companies are just asking for it.
My girlfriend just got an (apparently legitimate from what I can tell) HTML email from her credit card company, complete with lots of lovely images and an exhortation to sign up for their new secure online "ShopSafe" service that apparently generates one time credit card numbers on the fly. Here's the text:

> Your account has a free benefit that is better than ever! Shop
> online as you normally would, but with the comfort of knowing that
> nobody knows your account number.
>
> ShopSafeSM protects your real account number by generating a
> substitute account number. Use ShopSafe just like a regular card
> for your online purchases. It's free, easy and convenient. Get the
> security and comfort that comes with knowing every purchase you
> make is protected.

The sales pitch then invites you to click on the link in the email to join.

> Ironclad credit card purchase protection is right here. Log in to
> IBS Net Access to make your next purchase a safer one.

Clicking on the link, of course, asks you to enter information that you should never, ever, EVER enter after clicking on a link you got in email.

So, here is official mail from a credit card company, actively training its users to become future victims of phishing. The irony of being exhorted to do this in the name of getting the "ShopSafe service" is not a small one, either. I wouldn't be surprised if near identical emails with the exact same pitch started showing up within hours or days, only the site they link to may be a wee bit less benevolent.

The security department and management at the firm responsible should be taken out behind the shed and put down, before they hurt anyone else. The marketing department will, of course, demand to do stupid things, but it is the responsibility of the security department and management to tell them "No, we will not train our users to be raped by phishers, no matter how many `click throughs' it generates."

Oh, and what companies are involved? The card is Fidelity branded, but it is really an MBNA production, with online marketing and card servicing (like this piece) being done by Individualized BankCard Services. One would think that everyone in question would know better, but sadly they don't.

Perry
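A defender-side check for the anti-pattern Perry describes, added here as an example and not code from anyone in the thread: a small pre-send linter for outbound customer mail that flags any link inviting the reader to log in, and any link whose host is not one the institution itself operates (the service-bureau problem John raises). The host names and the sample message are constructed for the example, modelled on the quoted ShopSafe pitch.

```python
"""Lint an outbound customer e-mail for links that train readers to phish themselves:
"click here and log in" links, and links to third-party servicing hosts."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Hosts the institution itself operates (constructed assumption for this example).
FIRST_PARTY_HOSTS = {"www.example-bank.test", "example-bank.test"}
# Wording that signals a credential prompt at the other end of the link.
LOGIN_WORDS = re.compile(r"\b(log ?in|sign ?in|verify|password|account number)\b", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the message body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None


def lint_email(html):
    """Return a list of findings; an empty list means the mail passes the policy."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if host not in FIRST_PARTY_HOSTS:  # reader has no reason to trust this host
            findings.append(f"third-party link host {host!r} ({text!r})")
        if LOGIN_WORDS.search(text) or LOGIN_WORDS.search(urlparse(href).path):
            findings.append(f"link invites the reader to log in: {text!r} -> {href}")
    return findings


# Constructed sample modelled on the pitch quoted above; the hosts are placeholders.
SAMPLE = """<p>Ironclad credit card purchase protection is right here.
<a href="https://netaccess.servicer-example.test/login">Log in to IBS Net Access</a>
to make your next purchase a safer one.</p>
<p>Or read about the programme on <a href="https://www.example-bank.test/shopsafe">our site</a>.</p>"""

if __name__ == "__main__":
    for finding in lint_email(SAMPLE):
        print("FAIL:", finding)
```

The sample mail fails twice (third-party host and a login invitation) while the plain informational link passes, which is the distinction a marketing department can be held to.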