Tag Archives: Phishing

Banks to tighten the rules on refunds?

ATM keypad

The Daily Mail has recently run a couple of interesting reports, detailing how banks such as Santander and HSBC, among others, are tightening up the security obligations they place on their customers. These obligations are meant to ensure that customers adequately protect their personal information, reducing their risk of falling victim to fraud, but of course there are two sides to every story they also leave the door open for banks to refuse compensation payouts in cases where the customer is deemed to have fallen foul of the new rules.
Among the customer responsibilities that the financial institutions will now insist on are:

  • Use a separate PIN for every bank card
  • Ensure that no one can watch you at an ATM or hear your phone conversations with the bank
  • Shred your bank statements and receipts
  • Never click on links in emails received from your bank.
  • Lock your mobile device with a PIN if it is used for banking

While much of this is entirely sensible in terms of personal security, some of it could prove to be counter-productive and much if relates more to problems that would be best solved by the financial institutions themselves rather than pushing the obligation to the customer.
If you would like your customers to use a distinct PIN for every bank card, then simply withdraw the function that allows users to change their passwords. Oh and while you’re at it, please make cards that support longer PIN length and enforce it. Of course making this change will have the unfortunate side effect that many customers will resort to writing down their PINs in order to keep track of them all…
If you want to make it difficult for others to see PIN details being entered at ATMs, then redesign your ATMs! They are currently operated in full public view with no shielding whatsoever over the PIN entry pad.
If you want to reduce the risk associated with telephone banking being overheard, then allow all sensitive information to be verified using the keypad of the telephone and do not allow your customer service team to ask for that information to be given verbally. It makes me uncomfortable that I am divulging it to anyone at all, let alone that someone might overhear.
If paper statements pose a risk, then stop issuing paper statements, if a customer is obliged to shred them anyway then they serve very little purpose. If receipts pose a risk, then ensure that no sensitive information is contained on them. Shredding receipts suddenly doesn’t seem so clever when you have to return faulty goods.
Never click on links in mails from your bank. This is absolutely correct, but wouldn’t it be nice if your bank actually stopped sending you mails with links in them? Are you listening Marketing departments?
Finally, mobile banking… This one’s quite a can of worms. Over the years, banks have steadily introduced more and more security mechanisms to counter online account fraud; first it was username and password in full, then it was selected characters, then on-screen keyboards, then 2nd factor authentication tokens, now some banks have thankfully introduced transaction verification technology. All because they recognise the risk from fraud. However, now banks are introducing mobile payment apps and mobile banking apps, how are these secured? Simply by entering a PIN in full to unlock the app. How have all these important authentication lessons been forgotten?
When you consider that it only takes about 13 minutes to get past a 4 digit PIN on most mobile devices then it’s apparent how woefully inadequate this device PIN should be seen for protecting access to your bank account and we all know the perils of entering a password in full, anywhere.
While the guidance given by banks is entirely reasonable it seems that there is much more that banks could and should be doing to assist their customers in remaining secure through changes to in-house procedure and technology.
In the case where your bank refuses you compensation for fraudulent transactions, remember this, the bank is obliged to investigate every claim of fraud individually. They must provide you with any evidence of negligence if they are refusing your claim and they must prove that you are at fault in order to be able to refuse.
Image Credit: redpotted’s Flickr photo stream, used under Creative Commons

Phishing for Apples in the Cloud

Apple customers in the UK and Australia are being targeted in a convincing-looking phishing scam with a cloudy twist.
Criminals are sending out targeted emails promising a “Discount Card” as a “reward to long-term customers“. This non-existent card supposedly offers £100 or $100 of credit at any Apple store, for the low-low price of just £9. As you can see below, the email contains enough location and currency specific information to make it more credible.

Phishing mail out to steal your personal info

Of course the card does not exist and will never be delivered. Instead of a link to a phishing site, the mail contains an html attachment, again convincing looking, using Apple style sheets. The criminals ask for a slew of personal and financial information including name, address, drivers licence number, date of birth, credit card number, expiry date, security code and sort code. Quite enough for some serious financial fraud.


Instead of this stolen information being directly uploaded to a criminal or compromised server, the big blue Submit button POSTs the data to a server in Amazon’s EC2 cloud as shown below with dummy data. Once the data has been successfully sent to the criminal server, the browser is redirected to the official Apple web site.

Captured traffic from the phishing attack

This cleverly crafted and targeted attack may well be enough to fool the unwary, and it’s abuse of commercial cloud infrastructure will make it much more likely to overcome URL blocking security mechanisms.
I have informed Amazon of this abuse of their services, but in the meantime remember, there’s no such thing as an “Apple Discount Card”.
Never respond to unsolicited email, never open files attached to unsolicited email and never enter personal data on anything other than an SSL encrypted web site (one where the address starts with “https://“). If you do receive an email making you an offer you can’t refuse, do not follow links in the mail, but contact the vendor directly either by typing in their web address or using the good old telephone.

Data mining for bad guys

My notification mail from Hilton HHonors

Over the past three days many of us have woken up to an unwelcome sight in our email inboxes. A notification that your email address was among those exposed in what may be the biggest data theft of its kind,  the data breach at the “database marketing vendor” Epsilon. Today I got my first one and I’m far from alone.
The list of companies affected by this intrusion is already long, but seems to still be growing. The notification mail I received  was from Hilton HHonours, the loyalty scheme for Hilton hotels. Other affecetd companies include: American Express, BestBuy, Borders, Capital One, Citibank, Disney, The Home Shopping Network, JP Morgan Chase, Marriott Rewards, Ritz Carlton, TiVo, US Bank, Verizon & Visa, to name but some.
No details have been made available regarding how the data was accessed beyond the initial statement made on the 1st April by Epsilon and the breach notification mails continue rolling in to affected individuals.
Epsilon state that the “unauthorized entry into Epsilon’s email system” affected just 2% of their customers and that they comprise only a subset of the clients to whom Epsilon provide email services. Given the list of names of affected institutions known thus far then, you have to wonder if the attackers were able to browse the entire database at will and extract only what they considered to be the most valuable information.
Every notification email and also the public statement from Epsilon reassures us that “only” names and email addresses were “obtained” (read stolen) and that no other information, financial or otherwise is at risk. Unfortunately, this downplays the level risk to customers and is also misleading.
Not only do the criminals know your name and email address, they know where you go shopping, where you bank, which hotels you stay at and much more. If you are unfortunate enough to have received multiple notifications, just imagine what kind of profile is now in criminal hands.
The risk from spear-phishing (highly targeted phishing) is hugely increased as a result of this data breach and people should be more vigilant that usual when receiving emails from affected institutions that may request personal information.
It is important to remember though, that phishing is not the only criminal activity facilitated by this fraud. This gold mine of information makes credible malicious mails much more simple to design. An email may appear to come from from an organisation or shop of which you are known to be a customer. It will be designed solely to get you to click on a link. In the complex world of online crime you are often only one click away from compromise and infection without any user interaction beyond that first click. If a criminal can own your PC, they don’t have to ask your for your personal details, they can simply take them, and much else besides.
So, for those affected by this breach, (note to self):

  • Pay careful attention to emails your receive in the coming months, perhaps years.
  • Never surrender personal information to a website without having used one of your own bookmarks to get there or typing it yourself (i.e. don’t follow links in mails).
  • Before giving out personal details, ensure that the connection is secured with SSL. You can see this is the case if the address starts with “https://“. If it’s not encrypted they don’t deserve your data.
  • Read the privacy agreement carefully before you hand over any details. If there is anything you are unhappy with reconsider your decision to sign up.
  • To better insure yourself against this kind of eventuality in future consider using unique addresses for each service, I wrote an article on how to easily achieve this here.

And for all of the companies out there that process, store or transmit personal data belonging to other people… ENCRYPT IT, no excuses, no get out clause. This is only the beginning and you owe your customers a duty of care.