[Full-disclosure] [SOT] Some companies are just asking for it. (fwd)

Subject: [Full-disclosure] [SOT] Some companies are just asking for it. (fwd)
Date: Thu, 23 Jun 2005 22:16:51 -0500 (CDT)

Germane to recent threads...

---------- Forwarded message ----------
Date: Thu, 23 Jun 2005 22:42:44 -0400
From: Perry E. Metzger <perry@piermont.com>
To: cryptography@metzdowd.com
Subject: Some companies are just asking for it.


My girlfriend just got an (apparently legitimate from what I can tell)
HTML email from her credit card company, complete with lots of lovely
images and an exhortation to sign up for their new secure online
"ShopSafe" service that apparently generates one time credit card
numbers on the fly.

Here's the text:

Your account has a free benefit that is better than ever! Shop
online as you normally would, but with the comfort of knowing that
nobody knows your account number.

ShopSafeSM protects your real account number by generating a
substitute account number. Use ShopSafe just like a regular card
for your online purchases. It's free, easy and convenient. Get the
security and comfort that comes with knowing every purchase you
make is protected.

The sales pitch then invites you to click on the link in the email to
join.

Ironclad credit card purchase protection is right here. Log in to
IBS Net Access to make your next purchase a safer one.

Clicking on the link, of course, asks you to enter information that
you should never, ever, EVER enter after clicking on a link you got in
email. So, here is official mail from a credit card company, actively
training its users to become future victims of phishing. The irony of
being exhorted to do this in the name of getting the "ShopSafe
service" is not a small one, either. I wouldn't be surprised if near
identical emails with the exact same pitch started showing up within
hours or days, only the site they link to may be a wee bit less
benevolent.

The security department and management at the firm responsible should
be taken out behind the shed and put down, before they hurt anyone
else. The marketing department will, of course, demand to do stupid
things, but it is the responsibility of the security department and
management to tell them "No, we will not train our users to be raped
by phishers, no matter how many `click throughs' it generates."

Oh, and what companies are involved? The card is Fidelity branded, but
it is really an MBNA production, with online marketing and card
servicing (like this piece) being done by Individualized BankCard
Services. One would think that everyone in question would know better,
but sadly they don't.


Perry

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread: [Full-disclosure] [SOT] Some companies are just asking for it. (fwd), J.A. Terranson