Internet scams, cyber security and Paypal

 I think just about everyone with an e-mail account has, probably on a weekly basis if not daily, seen one of those scam e-mails from Nigeria, Ghana, Benin, etc. telling them there is a huge sum of money waiting for them, either from an inheritance or a settlement or simply from someone needing help to secretly move cash or to engage in philanthropy. Usually, on followup, it ends up with a demand to send money via Western Union or Moneygram. Another type of internet scam is an email purporting to be from a bank or some other institution where you may have an account, telling you there is a problem with your account and asking you to log in to correct the problem. The email then directs you via a hyperlink which actually takes you to a spoof website(one that is made to look like the original) where you are asked to enter your login ID and password, and sometimes other details such as your mailing address, your account number, your secret answers, and so on. These are referred to as phishing scams, as in "phishing" for information.

 One way I deal with the Nigerian-type scams, also known as 419 scams for the Nigerian penal code law which deals with cheating, if I don't delete them right away, is to sometimes play along up to a point, getting them to reveal information about themselves or elements of their operation. In the past couple of weeks, I have had three websites shut down along with numerous e-mail accounts, after gathering enough information to present to web registrars and e-mail providers. With phishing scams, I trace their links, gather registration information, and then notify the appropriate entities. I do this for free, when I'm bored or just irritated at the number of these e-mails I receive. But what prompted me to blog about this is the response I received from Paypal, when I notified them of a spoof website which was gathering login IDs and passwords of their customers.  I reproduce below the last e-mail I sent to Paypal's "cybersecurity team":
 
   *******************************************************************

Begin

On ......................... spoof@paypal.com wrote:

Dear xxxxxxx,
  Thanks for taking an active role by reporting suspicious-looking emails.
Although we've determined that the email you forwarded to us is not a
phishing attempt, our security team is grateful for your concern.

You're kidding, right? The e-mail comes from Brazil, the header says "YOUR MARCH ACCOUNT STATEMENT FROM PayPal IS READY TO VIEW" and the body says "YOUR FEBRUARY ACCOUNT STATEMENT FROM PayPal IS READY TO VIEW"(indicating that this has been going around for at least a month), the login link points to http://www.jarlsalomonsen.no/ez/home/ and you still think this is not a phishing attempt?
Seriously, I have to question your competence when it comes to security.


The other links in the message(in source mode) I sent to you:

Review your February PayPal Account Statement today.

PayPal      view online http://www.jarlsalomonsen.no/ez/home/


*Log in to view now* http://www.jarlsalomonsen.no/ez/home/

   CONFIRM YOUR MOBILE NUMBER http://www.jarlsalomonsen.no/ez/home/

    
 Accept Payments http://www.jarlsalomonsen.no/ez/home/        
Purchase Protection http://www.jarlsalomonsen.no/ez/home/ 
 PayPal App http://www.jarlsalomonsen.no/ez/home/        
Fees http://www.jarlsalomonsen.no/ez/home/        
Help http://www.jarlsalomonsen.no/ez/home/        
PayPal Shopping http://www.jarlsalomonsen.no/ez/home/

Moreover when visiting the website http://www.jarlsalomonsen.no/ez/home/, you should have clearly seen that the Paypal website had been spoofed.  Now, unless the Paypal homepage has been moved to http://www.jarlsalomonsen.no/ez/home/ , this was without question a phishing attempt. I see that Microsoft has blocked the site in IE as a phishing threat, which means at least they are more competent than your people. You should have moved to shut down this site immediately after I reported it on your website more than a week ago, which means more of your customers' information may have been compromised due to the delay. I entered fictitious information in all the requested fields which was accepted, and then I was redirected to the actual Paypal homepage, which means information must certainly have been collected from some of your customers unaware that this was a phishing attempt. Please, don't try to tell me again that "we've determined that the email you forwarded to us is not a phishing attempt"! If your "security team" cannot differentiate between a phishing e-mail and a genuine communication from Paypal, just how secure is your system? 

End 

***************************************************************

 Now, I know Paypal is owned by eBay, and is now a major payment processor for a substantial amount of e-commerce, particularly between individuals and small businesses. It's even being used to collect unemployment benefits and pensions. So security is a big deal. How Paypal's "security team" could not perceive what clearly is a phishing scam is beyond me. I was utterly livid when I got their response that "we've determined that the email you forwarded to us is not a phishing attempt". Cyber security is not to be taken lightly, especially when you own responsibility for financial transactions, and my first inclination was to let Paypal handle the process of shutting down the domain. As it turned out, I had to do it myself because the idiots who comprise Paypal's "security team" could not differentiate between a clear phishing attempt and a legitimate e-mail from Paypal. Furthermore, they didn't have the elementary competence to investigate the links contained within the e-mail. Now, if I were a Paypal customer, given this experience I would be very hesitant to open an account with them, or indeed to keep an account open. Remember that Paypal is linked to your bank account or credit card, and money can literally instantly be siphoned out of them if somebody manages to steal your login ID and password. And sometimes, with a little help from the sloth and incompetence of Paypal's "security team", they can keep doing that for an extended period of time.

_______________________________________________________

A footnote: I find that many companies, including banks, as well as other organizations such as school districts and manufacturers, make it difficult to report abuse of their systems. Indian banks are among the worst at this. Often, I have to really dig through their sitemap, or get the relevant contacts from whois queries. I think these "people", aka corporations/businesses, have an obligation to protect their customer/employee information. In order to do that, they need to make it easy to report violations/intrusions/abuse, and have a competent security team to look into them and take action. I see the current state of online financial security as similar to the credit card business: at first they got you to sign up by claiming that they took the utmost care to protect your information, then they began selling that information without your consent, and finally they became so lax in keeping your information secure (going after customers to pay fraudulent charges, for example, which was their fault through inadequate security measures) that people began to buy expensive subscriptions to "identity theft" programs which essentially monitored your credit information, a job incumbent on the very people who took that information from you as a business need: the banks and the Big 3 credit bureaus.

I remember, back in the 80s, that the system was so lax that, as a customer of TRW(now TransUnion), I had the access to basically create identities with fake social security numbers and add in just about any type of credit information I might want to put in. If you entered "John Q Public" and a made-up SS number, their system would create that identity, which you could then enhance through various inputs, including addresses, fictitious employers and credit line information. I didn't actually do it, of course, but I found out that it was possible when my potential customers gave me false information(yes, it happens more often than you would believe!). I can't imagine how long it took them to fix that, and of course TRW didn't say a word in public.

And when was the last time you used a charge card, and the clerk checked your photo ID? The electronic "signature pad" is so useless- deliberately so, since I can't think of any reason why it should be- that even a straight line is accepted as your signature. Try it. So now, not only do they profit from your custom and from reselling your data to the highest bidder, but they have palmed off the security aspect to you and make additional profits "protecting" and/or "monitoring" your data, which is their obligation to begin with. It's like putting your money in the bank, and the manager telling you that if your money is stolen, it's not their responsibility, and that you need to stand guard or hire someone to do it for you. Good grief! It's time these folks were held 100% accountable for breaches in the security of your data and accounts. Only when it hits them where it hurts will they up their game and make the necessary changes.

There's gotta be a better way!

From my very first days in the US many, many monsoons ago, I began hearing a uniquely- in my experience- American phrase: "There's gotta be a better way!". In many ways, it epitomizes the spirit of American inventiveness and problem-solving. When Americans find something cumbersome, or dissatisfying in result or output, it's an automatic thought. I was reminded about this today, when I opened my windows to take advantage of a brief cooling in the aftermath of a thunderstorm. I unlocked and pushed out the windows, and then had to wiggle my rather large hands through the metal grille to latch the window open. Later, when the humidity level proved too oppressive, I decided to close the windows and run the air-conditioning for a while. Hand through the grille again to unlatch the window, and then I had a really difficult time closing the window because it required that I push my hand way out to grab the frame of the window and swing it back in again. Looking at the welts on my hand and wrist, I said to myself, "There's got to be a better way!".

 And that got me thinking both about the problem and about how ordinary day-to-day problems and hassles simply don't impinge on the Indian mindset. We just go on, putting in the extra effort, tolerating the unnecessary inconveniences, and barely even notice them, simply dismissing them as facts of life. It's little wonder, then, that we don't have a track record of inventiveness. Philosophy, yes, we're up there with anything anyone else has. But philosophy is not a sport, it doesn't require movement, it doesn't even matter if you don't have a formal education. Look at the records which Indians hold in the Guinness Book of World Records: they are mostly for lack of grooming, lack of activity and, if I may say so, for sheer laziness! The longest hair, the longest fingernails, the longest toenails, the longest time spent sitting/standing in one place, the longest time spent standing on one foot on a rock in the middle of a river pointing at the sun, the most people gathered in one place sitting in the lotus pose or something, and so on. Lately there have been some efforts at creating records involving slightly more activity: most people simultaneously playing a musical instrument, or most people simultaneously chanting shlokas or something similar. You don't see Indians in the GBWR for running the fastest mile, or building the longest suspension bridge or anything that might require strenuous activity. It's not that we aren't- with a little prodding and some proper nutrition- capable of at least attempting some real records. What holds us back is a cultural stew of negativity, of saying "It's good enough" when it's not, or "That's coolie work" to deprecate working with your hands, or simply "What for?", expressed in that ubiquitous Hindi phrase "Chalta hai!", or the Kannada "Yaako, sumne bidi!"(What for, just leave it alone!).

 And so we use the inventiveness of other peoples, and claim them as our own because, hey, "We gave the concept of Zero to the world", or "We were living in sophisticated cities when the white man was swinging on trees in Europe" , or "We invented algebra and trigonometry and astronomy and plastic surgery and....". But heaven forbid you say anything to the effect of what matters is where we are at now, and that it's not where we should be. The response to that, predictably, is "We were looted for the last 1000 years by the Arabs and the Europeans!". Well, that's just victimhood. Plenty of people have been looted. The Europeans used to loot each other, and were looted by peoples from across the Urals. And they weren't living on trees when cities were being built in India, they were building their own cities and ships and foundries and canals and castles and irrigation systems. It's a typically defensive Indian reaction to place all our woes on someone else's head. I was looking today at some pictures of the city of Cotonou in Benin(yes, that city infamous for its internet scammers). Benin is a poor country, with a per capita income lower than India. It used to be the "Slave Coast" of Africa, and was for almost two decades until 1990 a Marxist country. Yet, for all that, the city of Cotonou, the most populous in Benin, is remarkably clean when compared to any Indian city. And I mean any Indian city. It's downtown area has clean, well-laid sidewalks and kerbs, and well-maintained buildings. Why is that? It's not that they have more money, or more resources. Compare it to Bangalore's "upscale" downtown of the Commercial Street-Trinity Circle-Richmond Circle triangle, which is a stinking, decrepit, pot-holed eyesore, despite the new steel-and-glass buildings, despite the fact that businesses throughout the entire area make fortunes. There's no excuse for that, save the pervasive apathy of the Indian mindset.

 During my childhood in India, it was common to have two varieties of the same product: the regular one and the "export quality". By definition, "export quality" was destined for markets which had an inexplicably higher standard than Indians, who- one presumes - could, should and would be happy with anything which doesn't fall apart or stop working in under a week. I dealt with this mindset in another post. When I was in my teens, I saw that there was a problem with shampoos and hair oils in glass bottles, which had a tendency to slip and shatter on the floor, often causing injury. Even vitamins came in glass bottles. I attempted to have major manufacturers replace their glass bottles with the by-then ubiquitous(in other countries) food-grade plastics, but ultimately failed because they would lose their coveted ISI stamp(remember that? I think I only see it on helmets now) if they used non-ISI-approved packaging. I visited a major plastics manufacturer who claimed to be making food grade plastics. They told me they had previously applied for ISI-certification, but had not been able to get it. I visited ISI, and they told me that while the plastic might very well meet their own published standard for food-grade plastic(simply a metric copy of US standards), they were unwilling to certify in case some problem arose in the future as a result. More than likely, they had the standard on the books, but no means of certifying compliance to it. After running around for months, I finally gave up on it. Now, of course, the MNCs operating in India have made food-grade plastic the de facto standard of food, cosmetic and pharmaceutical packaging. But did it have to take foreigners to come and do it for us? Was it that Indians were so apathetic to each other that they would live with the potential for injury without demurring? That we place more value on views and opinions which come from a westerner rather than an Indian? Could our own manufacturers not see that glass breakage was a serious hazard and that "there's gotta be a better way"?

Not a day goes by without my encountering some new instance of inconvenience, poor design, procedural inefficiency, or other irritant which could not be either eliminated or substantially abated with just a modicum of commonsense application. Whether it is the commonsense that is lacking, or the will to apply commonsense, I am still at a loss to discern. As an Indian myself, I hope the problem is the latter, but am not convinced that it couldn't be the former. Seriously, if Indians don't incorporate problem-solving into their everyday thinking and embrace it as a good thing, it's not going to be a better tomorrow, at least for those of us unfortunate enough to live outside of the western-inspired insular communities popping up all over suburbia.