I think just about everyone with an e-mail account has, probably on a weekly basis if not daily, seen one of those scam e-mails from Nigeria, Ghana, Benin, etc. telling them there is a huge sum of money waiting for them, either from an inheritance or a settlement or simply from someone needing help to secretly move cash or to engage in philanthropy. Usually, on follow-up, it ends up with a demand to send money via Western Union or MoneyGram. Another type of internet scam is an e-mail purporting to be from a bank or some other institution where you may have an account, telling you there is a problem with your account and asking you to log in to correct the problem. The e-mail then directs you via a hyperlink which actually takes you to a spoof website (one made to look like the original) where you are asked to enter your login ID and password, and sometimes other details such as your mailing address, your account number, your secret answers, and so on. These are referred to as phishing scams, as in "phishing" for information.
One way I deal with the Nigerian-type scams, also known as 419 scams for the Nigerian penal code law which deals with cheating, if I don't delete them right away, is to sometimes play along up to a point, getting them to reveal information about themselves or elements of their operation. In the past couple of weeks, I have had three websites shut down along with numerous e-mail accounts, after gathering enough information to present to web registrars and e-mail providers. With phishing scams, I trace their links, gather registration information, and then notify the appropriate entities. I do this for free, when I'm bored or just irritated at the number of these e-mails I receive. But what prompted me to blog about this is the response I received from Paypal, when I notified them of a spoof website which was gathering login IDs and passwords of their customers. I reproduce below the last e-mail I sent to Paypal's "cybersecurity team":
*******************************************************************
Begin
On ......................... spoof@paypal.com wrote:
Dear xxxxxxx,
Thanks for taking an active role by reporting suspicious-looking emails.
Although we've determined that the email you forwarded to us is not a
phishing attempt, our security team is grateful for your concern.
You're kidding, right? The e-mail comes from Brazil, the header says "YOUR MARCH ACCOUNT STATEMENT FROM PayPal IS READY TO VIEW" and the body says "YOUR FEBRUARY ACCOUNT STATEMENT FROM PayPal IS READY TO VIEW" (indicating that this has been going around for at least a month), the login link points to http://www.jarlsalomonsen.no/ez/home/ and you still think this is not a phishing attempt?
Seriously, I have to question your competence when it comes to security.
The other links in the message (in source mode) I sent to you:
Review your February PayPal Account Statement today.
PayPal view online http://www.jarlsalomonsen.no/ez/home/
*Log in to view now* http://www.jarlsalomonsen.no/ez/home/
CONFIRM YOUR MOBILE NUMBER http://www.jarlsalomonsen.no/ez/home/
Accept Payments http://www.jarlsalomonsen.no/ez/home/
Purchase Protection http://www.jarlsalomonsen.no/ez/home/
PayPal App http://www.jarlsalomonsen.no/ez/home/
Fees http://www.jarlsalomonsen.no/ez/home/
Help http://www.jarlsalomonsen.no/ez/home/
PayPal Shopping http://www.jarlsalomonsen.no/ez/home/
Moreover, when visiting the website http://www.jarlsalomonsen.no/ez/home/, you should have clearly seen that the Paypal website had been spoofed. Now, unless the Paypal homepage has been moved to http://www.jarlsalomonsen.no/ez/home/, this was without question a phishing attempt. I see that Microsoft has blocked the site in IE as a phishing threat, which means at least they are more competent than your people. You should have moved to shut down this site immediately after I reported it on your website more than a week ago, which means more of your customers' information may have been compromised due to the delay. I entered fictitious information in all the requested fields which was accepted, and then I was redirected to the actual Paypal homepage, which means information must certainly have been collected from some of your customers unaware that this was a phishing attempt. Please, don't try to tell me again that "we've determined that the email you forwarded to us is not a phishing attempt"! If your "security team" cannot differentiate between a phishing e-mail and a genuine communication from Paypal, just how secure is your system?
End
***************************************************************

Now, I know Paypal is owned by eBay, and is now a major payment processor for a substantial amount of e-commerce, particularly between individuals and small businesses. It's even being used to collect unemployment benefits and pensions. So security is a big deal. How Paypal's "security team" could not perceive what clearly is a phishing scam is beyond me. I was utterly livid when I got their response that "we've determined that the email you forwarded to us is not a phishing attempt". Cyber security is not to be taken lightly, especially when you own responsibility for financial transactions, and my first inclination was to let Paypal handle the process of shutting down the domain. As it turned out, I had to do it myself because the idiots who comprise Paypal's "security team" could not differentiate between a clear phishing attempt and a legitimate e-mail from Paypal. Furthermore, they didn't have the elementary competence to investigate the links contained within the e-mail. Now, if I were a Paypal customer, given this experience I would be very hesitant to open an account with them, or indeed to keep an account open. Remember that Paypal is linked to your bank account or credit card, and money can literally be siphoned out of them instantly if somebody manages to steal your login ID and password. And sometimes, with a little help from the sloth and incompetence of Paypal's "security team", they can keep doing that for an extended period of time.
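The checks applied by hand to the e-mail reproduced above (every link in the message pointing at one host that has nothing to do with the claimed sender, and a sender domain that is not the brand's) are exactly the kind of thing a report triage desk can automate before a human even reads the complaint. The script below is an added example written for this post; it is not code from the post, from PayPal, or from any vendor. It parses a constructed sample message modelled on the one described (the sender domain, the spoof host and the URL paths are made up, and the `.invalid` TLD never resolves; the actual spoof URL from the post is deliberately not reused), collects every hyperlink from the HTML body, and reports which links leave the expected registrable domain. The "registrable domain" helper is a last-two-labels approximation, an assumption good enough for `.com` brands but not for suffixes like `co.uk`.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the message described in the post; not the actual e-mail.
# Sender domain, spoof host and paths are invented; ".invalid" is reserved and never resolves.
SAMPLE_PHISH = """\
From: PayPal <statement@paypal-statements.invalid>
To: victim@example.com
Subject: YOUR MARCH ACCOUNT STATEMENT FROM PayPal IS READY TO VIEW
Content-Type: text/html; charset=utf-8

<html><body>
<p>YOUR FEBRUARY ACCOUNT STATEMENT FROM PayPal IS READY TO VIEW</p>
<p><a href="http://www.spoof-host.invalid/ez/home/">PayPal view online</a></p>
<p><a href="http://www.spoof-host.invalid/ez/home/">Log in to view now</a></p>
<p><a href="http://www.spoof-host.invalid/ez/home/">Help</a></p>
<p><a href="https://www.paypal.com/help">Security Center</a></p>
</body></html>
"""

# Constructed control message: what a genuine notice looks like to this check (paths invented).
SAMPLE_LEGIT = """\
From: PayPal <service@paypal.com>
To: customer@example.com
Subject: Your statement is ready
Content-Type: text/html; charset=utf-8

<html><body>
<p><a href="https://www.paypal.com/myaccount/statements">View your statement</a></p>
<p><a href="https://www.paypal.com/help">Help</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collects (anchor text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None


def registrable_domain(host):
    """Last two DNS labels. Assumption: no public-suffix list is needed for the brands checked here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze(raw_message, expected_domain):
    """Return phishing indicators for a raw RFC 5322 message that claims to come from expected_domain."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    parser = LinkCollector()
    parser.feed(body.get_content() if body is not None else "")

    # The From header is trivially forged, so a match proves nothing; a mismatch is still a cheap indicator.
    addresses = msg["From"].addresses if msg["From"] else ()
    sender_domain = registrable_domain(addresses[0].domain) if addresses else ""
    brand = expected_domain.split(".")[0]

    # Any link whose host is outside the expected domain is "foreign"; a login link there is the classic tell.
    foreign_links = [(text, href) for text, href in parser.links
                     if registrable_domain(urlparse(href).hostname or "") != expected_domain]
    brand_text_to_foreign_host = [text for text, _ in foreign_links if brand in text.lower()]

    indicators = {
        "sender_domain": sender_domain,
        "sender_mismatch": sender_domain != expected_domain,
        "foreign_links": foreign_links,
        "brand_text_to_foreign_host": brand_text_to_foreign_host,
        "distinct_destinations": len({href for _, href in parser.links}),
        "link_count": len(parser.links),
    }
    indicators["verdict"] = "suspicious" if indicators["sender_mismatch"] or foreign_links else "no indicators"
    return indicators


if __name__ == "__main__":
    for name, raw in (("constructed phish", SAMPLE_PHISH), ("constructed legit", SAMPLE_LEGIT)):
        r = analyze(raw, "paypal.com")
        print(f"{name}: {r['verdict']}; sender={r['sender_domain']}; "
              f"{len(r['foreign_links'])}/{r['link_count']} links leave paypal.com "
              f"({r['distinct_destinations']} distinct destinations)")
        for text, href in r["foreign_links"]:
            print(f"  '{text}' -> {href}")
```

Run on the constructed phish, the script reports a sender outside paypal.com and three of four links (including the one labelled "PayPal view online") pointing at the spoof host, which is the same picture the hand inspection above produced. The genuine-looking control yields no indicators. In a real triage queue the foreign-link list is what a responder wants first, since those hosts are what need to be reported to the registrar or hosting provider.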
_______________________________________________________
A footnote: I find that many companies, including banks, as well as other organizations such as school districts and manufacturers, make it difficult to report abuse of their systems. Indian banks are among the worst at this. Often, I have to really dig through their sitemap, or get the relevant contacts from whois queries. I think these "people", aka corporations/businesses, have an obligation to protect their customer/employee information. In order to do that, they need to make it easy to report violations/intrusions/abuse, and have a competent security team to look into them and take action. I see the current state of online financial security as similar to the credit card business: at first they got you to sign up by claiming that they took the utmost care to protect your information, then they began selling that information without your consent, and finally they became so lax in keeping your information secure (going after customers to pay fraudulent charges, for example, which was their fault through inadequate security measures) that people began to buy expensive subscriptions to "identity theft" programs which essentially monitored your credit information, a job incumbent on the very people who took that information from you as a business need: the banks and the Big 3 credit bureaus.
I remember, back in the 80s, that the system was so lax that, as a customer of TRW (now TransUnion), I had the access to basically create identities with fake social security numbers and add in just about any type of credit information I might want to put in. If you entered "John Q Public" and a made-up SS number, their system would create that identity, which you could then enhance through various inputs, including addresses, fictitious employers and credit line information. I didn't actually do it, of course, but I found out that it was possible when my potential customers gave me false information (yes, it happens more often than you would believe!). I can't imagine how long it took them to fix that, and of course TRW didn't say a word in public.
And when was the last time you used a charge card, and the clerk checked your photo ID? The electronic "signature pad" is so useless (deliberately so, since I can't think of any reason why it should be) that even a straight line is accepted as your signature. Try it. So now, not only do they profit from your custom and from reselling your data to the highest bidder, but they have palmed off the security aspect to you and make additional profits "protecting" and/or "monitoring" your data, which is their obligation to begin with. It's like putting your money in the bank, and the manager telling you that if your money is stolen, it's not their responsibility, and that you need to stand guard or hire someone to do it for you. Good grief! It's time these folks were held 100% accountable for breaches in the security of your data and accounts. Only when it hits them where it hurts will they up their game and make the necessary changes.