lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050623221626.D44038@ubzr.zsa.bet>
Date: Fri Jun 24 04:17:20 2005
From: measl at mfn.org (J.A. Terranson)
Subject: [SOT] Some companies are just asking for it. (fwd)


Germane to recent threads...

---------- Forwarded message ----------
Date: Thu, 23 Jun 2005 22:42:44 -0400
From: Perry E. Metzger <perry@...rmont.com>
To: cryptography@...zdowd.com
Subject: Some companies are just asking for it.


My girlfriend just got an (apparently legitimate from what I can tell)
HTML email from her credit card company, complete with lots of lovely
images and an exhortation to sign up for their new secure online
"ShopSafe" service that apparently generates one time credit card
numbers on the fly.

Here's the text:

> Your account has a free benefit that is better than ever! Shop
> online as you normally would, but with the comfort of knowing that
> nobody knows your account number.
>
> ShopSafeSM protects your real account number by generating a
> substitute account number. Use ShopSafe just like a regular card
> for your online purchases. It's free, easy and convenient. Get the
> security and comfort that comes with knowing every purchase you
> make is protected.

The sales pitch then invites you to click on the link in the email to
join.

> Ironclad credit card purchase protection is right here. Log in to
> IBS Net Access to make your next purchase a safer one.

Clicking on the link, of course, asks you to enter information that
you should never, ever, EVER enter after clicking on a link you got in
email. So, here is official mail from a credit card company, actively
training its users to become future victims of phishing. The irony of
being exhorted to do this in the name of getting the "ShopSafe
service" is not a small one, either. I wouldn't be surprised if near
identical emails with the exact same pitch started showing up within
hours or days, only the site they link to may be a wee bit less
benevolent.

The security department and management at the firm responsible should
be taken out behind the shed and put out down, before they hurt anyone
else. The marketing department will, of course, demand to do stupid
things, but it is the responsibility of the security department and
management to tell them "No, we will not train our users to be raped
by phishers, no matter how many `click throughs' it generates."

Oh, and what companies are involved? The card is Fidelity branded, but
it is really an MBNA production, with online marketing and card
servicing (like this piece) being done by Individualized BankCard
Services. One would think that everyone in question would know better,
but sadly they don't.


Perry

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@...zdowd.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ