Date: Fri Jun 24 04:17:20 2005
From: measl at mfn.org (J.A. Terranson)
Subject: [SOT] Some companies are just asking for it. (fwd)


Germane to recent threads...

---------- Forwarded message ----------
Date: Thu, 23 Jun 2005 22:42:44 -0400
From: Perry E. Metzger <perry@...rmont.com>
To: cryptography@...zdowd.com
Subject: Some companies are just asking for it.


My girlfriend just got an (apparently legitimate from what I can tell)
HTML email from her credit card company, complete with lots of lovely
images and an exhortation to sign up for their new secure online
"ShopSafe" service that apparently generates one time credit card
numbers on the fly.

Here's the text:

> Your account has a free benefit that is better than ever! Shop
> online as you normally would, but with the comfort of knowing that
> nobody knows your account number.
>
> ShopSafeSM protects your real account number by generating a
> substitute account number. Use ShopSafe just like a regular card
> for your online purchases. It's free, easy and convenient. Get the
> security and comfort that comes with knowing every purchase you
> make is protected.

The sales pitch then invites you to click on the link in the email to
join.

> Ironclad credit card purchase protection is right here. Log in to
> IBS Net Access to make your next purchase a safer one.

Clicking on the link, of course, asks you to enter information that
you should never, ever, EVER enter after clicking on a link you got in
email. So, here is official mail from a credit card company, actively
training its users to become future victims of phishing. The irony of
being exhorted to do this in the name of getting the "ShopSafe
service" is not a small one, either. I wouldn't be surprised if near
identical emails with the exact same pitch started showing up within
hours or days, only the site they link to may be a wee bit less
benevolent.

The security department and management at the firm responsible should
be taken out behind the shed and put down, before they hurt anyone
else. The marketing department will, of course, demand to do stupid
things, but it is the responsibility of the security department and
management to tell them "No, we will not train our users to be raped
by phishers, no matter how many `click throughs' it generates."

Oh, and what companies are involved? The card is Fidelity branded, but
it is really an MBNA production, with online marketing and card
servicing (like this piece) being done by Individualized BankCard
Services. One would think that everyone in question would know better,
but sadly they don't.


Perry

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@...zdowd.com
