Jesper's Blog

Obligatory file photo: I am a Senior Security Strategist in the Security Technology Unit at Microsoft. My job is to explain to our customers how to run Microsoft products securely, and to the extent that it is needed, help the product groups figu


Why Phishing Will Remain Lucrative For The Foreseeable Future


Today I received a message that purports to be from Discover regarding a 5% cashback program on gas purchases on that card. (For the non-American readers, Discover is a credit card widely used in the U.S.) The e-mail had a couple of links to click, both of which were disabled by Outlook since the e-mail was classified as junk mail.

The e-mail contains no information to verify that it is indeed from Discover. The links are disabled for security reasons by Internet Explorer and Microsoft Outlook. In fact, there is not even a plain-text link in the e-mail that you can copy and paste. You would have to know to view the source code for the e-mail to see the URL. If you go to the site that is linked to in the e-mail you find that it does not use HTTPS, but plain HTTP. That site eventually forwards you to the "Account Center" which presents a logon page that is plain HTTP, although the form gets submitted to an HTTPS site. In other words, you cannot verify the identity of the site you are submitting your logon password to, even though it will actually go encrypted across the wire. Once you log on, assuming you trust the site enough to do that, there is no mention of this offer. In short, there is no way I could find to verify the authenticity of this e-mail.
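As an added illustration (not code from the original post), here is a small Python audit that checks an HTML e-mail and a logon page for the indicators described above: a URL present only in the HTML source with no plain-text copy, a plain-HTTP target, link text that names a different host than the href, and a logon form served over HTTP even though it posts to HTTPS. The host names and sample markup are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class _Collector(HTMLParser):
    """Gathers <a href> targets with their visible text, <form action> targets and all visible text."""
    def __init__(self):
        super().__init__()
        self.links, self.forms, self.visible = [], [], []
        self._href, self._label = None, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._label = a["href"], []
        elif tag == "form" and a.get("action"):
            self.forms.append(a["action"])
    def handle_data(self, data):
        self.visible.append(data)
        if self._href is not None:
            self._label.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._label).strip()))
            self._href = None

def audit_mail(html):
    """Indicators from the post: URL only in the HTML source, plain-HTTP target, misleading link text."""
    p = _Collector(); p.feed(html)
    visible, findings = "".join(p.visible), []
    for href, label in p.links:
        host = urlparse(href).hostname or ""
        if urlparse(href).scheme == "http":
            findings.append(f"plain-HTTP link: {href}")
        if href not in visible:
            findings.append(f"URL present only in HTML source, not as text: {href}")
        if "." in label and " " not in label:  # the label itself looks like a host or URL
            shown = urlparse(label if "://" in label else "//" + label).hostname
            if shown != host:
                findings.append(f"link text shows {shown} but points at {host}")
    return findings

def audit_logon_form(page_url, html):
    """Flag a logon form served over HTTP even if it posts to HTTPS: the user cannot verify whose page it is."""
    if urlparse(page_url).scheme == "https":
        return []
    p = _Collector(); p.feed(html)
    return [f"logon form on plain-HTTP page {page_url} posts to {a}: page origin not verifiable" for a in p.forms]

# Constructed sample inputs (not the real e-mail or site from the post).
SAMPLE_MAIL = '<p>Earn 5% cashback on gas purchases!</p><p><a href="http://promo.example.net/offer">Click here</a> to enroll.</p>'
SAMPLE_LOGON_PAGE = '<form action="https://login.example.net/auth" method="post"><input name="pw"></form>'
```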

In this day and age of credit card spoofing, how is a customer supposed to verify that the mail received is actually from Discover when there is no information on how to do so, and the security verifiers are hidden? This is sad, given how many fake messages of this nature most of us get every day. One would hope that credit card companies would start making it easier and more obvious to verify that what they are sending is indeed legitimate.

Comments
  • I have a similar gripe to this: My phone company calling me and then asking me to verify my identity, before they proceed with the call, by asking for my account password; this is done, supposedly, to protect my privacy (just in case some stranger has answered my phone).

    I insist that I have no way of verifying who they are & refuse to provide my password.

    I've twice rung my phone company to complain about this process, but they do not see it as being a problem & insist they are doing it to protect me.

    A nice solution would be some form of mutual authentication whereby I setup two passwords/passphrases with my provider... when they call me, they could provide password (1) before asking me for my password, i.e. password (2).

  • Adam, kudos to you. You are giving them the exact right answer. Personally, I cancelled my home phone, which was a convenient way to solve this problem.

  • Jesper, this is off topic, but do you have any stroke with the Microsoft Passport folks to get them to increase the password length.  I get really irritated because I can't use my pass phrase.

  • Stephen, I can certainly pass it on. How long do you want to make it? I don't recall the max length off the top of my head.

  • If they, like the banks, follow these simple rules:

    1. All financial institutions must deliver messages to a mailbox in their bank account view. When the user logs in, the message is displayed. No message delivery to email only.

    Users read the mail; if they consider it important, they can verify by logging into the bank account.

    2. All messages delivered to emails should not contain any links, even though the links may be disabled by mail clients. These messages are restricted as alerts.

  • Right now it's limited to 16 characters.  That's long enough for a password, but certainly not a decent pass phrase.  Why don't you make it the same length as whatever is allowed in Server 2003 (I don't know how long that is, but it's long enough!)

    BTW, our company has recently started enforcing our new password policy which has a min length of 15 characters. We explained the pass phrase concept, and while people were down on it to begin with, after they made the change, they've said it's actually easier to remember and they like it!

  • Stephen,
    I would worry about alternative methods of password compromise (i.e. keyloggers, non-https authentication, exploits, over the shoulder peeking, etc etc) before believing that making your password over 15+ characters would make you that much more secure. Just my two pennies...

  • Credit card company sent me a letter saying my card had been locked, and that I should call a free-rate number to have it unlocked.

    I called and I apologised that I had no way of validating their identity, so I couldn't help them.

    They agreed, and suggested that I instead call the (local-rate) number on the back of my card to sort it out.

    I felt that a number printed on my card should be suitable security, and called that instead.

    Was I being scammed? Unlikely. But unless we as consumers care about this stuff, credit card companies and phone companies will not.
