Data Protection Muppets

I’ve mentioned this topic on my blog before with regard to the Royal Bank of Scotland and Intelligent Finance but this time it was related to an insurance claim. The insurance company put me in contact with a company that would do the repairs and all they had to do was arrange a time and date. However, it wasn’t that simple.

Initially things seemed to be going well until the company in question phoned me to change the date because they wouldn’t have the materials in time. However, first they wanted to go through security screening.

Now, the conversation to this point had gone something like this:

Me: Hello
Them: Hello, is that Colin Mackay [pronounced kae – I HATE that!]
Me: Mackay [pronounced correctly – it’s a diphthong, a sliding or gliding vowel that goes from ‘ah’ to ‘ee’] Yes.
Them: This is Martindales. We just need to ask you some security questions before we proceed.
Me: How do I know you are who you say you are?
Them: We are Martindales, your insurance company has appointed us…

The conversation went from bad to worse as I tried to explain that what they are doing is socially conditioning people to hand out sensitive information and was then told that they “had to” ask these questions because of the data protection act. The act makes no such requirement. What they have to do is ensure that they are speaking to the correct person so they don’t divulge potentially sensitive information to the wrong person. However, the way they are going about it, while technically in line with the act, is most certainly not within the spirit of the act.

What made it worse was that when I was asked how they could continue the conversation and I gave the solution, they had to ask me no fewer than 3 times how they were going to continue the conversation even though I had already given them a solution. After that incident they decided they must not have liked my simple solution and refused to communicate with me at all for a while.

My solution, incidentally, was this. They would phone me and indicate that they need to speak to me. I would then get the phone number from existing documentation (i.e. a trusted source) and phone their switchboard and ask to be put through to the person that needed to talk to me. They can then go through the security questions as I will then know I am talking to the correct party. When they phone me I have no way of knowing who I am talking to. They could be making it up. If they give me a phone number to use I won’t use it. I will only use trusted sources like documentation from my insurance company, or from the booklet that the insurance assessor left me.

Anyway, Martindales eventually decided that they did need to communicate with me about yet another change in date and sent me a letter. Pity it didn’t arrive until two days after the guy was supposed to show up. In fact he did almost arrive, and I only knew about it because they phoned me just to say that he was running a little late. Muppets!


Aye! Right!

I just got this email purporting to be from PayPal. I don’t believe the email.

Dear valued PayPal member:

It has come to our attention that your PayPal account information needs to be
updated as part of our continuing commitment to protect your account and to reduce
the instance of fraud on our website.  If you could please take 5-10 minutes out
of your online experience and update your personal records you will not run into
any future problems with the online service.


However, failure to update your records will result in account suspension.
Please update your records on or before July 06, 2007.

Once you have updated your account records, your PayPal session will not be
interrupted and will continue as normal.

To update your PayPal records click on the following link:
http://72.189.180.57/updateusersonlinesecurity.html



Thank You.
PayPal UPDATE TEAM

What makes me think it is a fake? The URL does not contain PayPal’s domain name. It is a simple IP address.

So, who owns the IP Address?

OrgName:    Road Runner HoldCo LLC
OrgID:      RRSW
Address:    13241 Woodland Park Road
City:       Herndon
StateProv:  VA
PostalCode: 20171
Country:    US

And what about the real PayPal? Their IP Address is 216.113.188.64.

Also, the email didn’t have my address in the “TO” box (So I’m guessing all the recipients were BCC’d into the list) and the reply address is no-reply@google.com.

I have sent an appropriate email to Road Runner letting them know that someone is using their servers to host phishing sites. Hopefully it can be taken down promptly to prevent any less savvy people falling victim to this really quite amateurish attempt at a phishing scam.
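The three tells the post uses on the PayPal message (a link whose host is a bare IP address instead of the brand’s domain, a reply address on a different domain from the sender, and the recipient missing from the To header) can be checked mechanically. The script below is an added example, not part of the original post; the two messages it parses are constructed for the example (the phishing one modelled on the quoted email, with a TEST-NET address in place of the real one), and `paypal.com` is assumed to be the domain the message claims to come from.

```python
"""Phishing indicator checks for a raw e-mail message (added example)."""
import ipaddress
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample, modelled on the message quoted in the post.
SAMPLE_PHISH = """\
From: PayPal UPDATE TEAM <service@paypal.com>
Reply-To: no-reply@google.com
To: undisclosed-recipients:;
Subject: Update your account records
Content-Type: text/plain

Dear valued PayPal member:
To update your PayPal records click on the following link:
http://203.0.113.57/updateusersonlinesecurity.html
Thank You.
"""

# Constructed sample of a message that passes all three checks.
SAMPLE_LEGIT = """\
From: PayPal <service@paypal.com>
To: colin@example.net
Subject: Your receipt
Content-Type: text/plain

View the receipt at https://www.paypal.com/receipts/ (constructed link).
"""


def _domain_of(header_value):
    """Lower-cased domain of the first address in a header, or '' if none."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def _is_bare_ip(host):
    """True when the URL host is a literal IPv4/IPv6 address, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _host_under(host, domain):
    """True when host is the domain itself or a subdomain of it."""
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def _text_parts(msg):
    """Yield the decoded text of every text/* part (single or multipart)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        yield payload.decode(part.get_content_charset() or "utf-8", errors="replace")


def phishing_indicators(raw_message, expected_domain, my_address):
    """Return a list of human-readable findings; an empty list means no tell fired."""
    msg = message_from_string(raw_message)
    findings = []

    # 1. Links whose host is a bare IP, or is not under the claimed brand domain.
    for text in _text_parts(msg):
        for url in URL_RE.findall(text):
            host = urlparse(url).hostname or ""
            if _is_bare_ip(host):
                findings.append(f"link host is a bare IP address: {url}")
            elif not _host_under(host, expected_domain):
                findings.append(f"link host {host} is not under {expected_domain}: {url}")

    # 2. Reply-To pointing at a different domain from the From address.
    from_domain = _domain_of(msg.get("From"))
    reply_domain = _domain_of(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 3. Recipient absent from To (bulk send with everyone in BCC).
    to_addrs = {addr.lower() for _, addr in getaddresses(msg.get_all("To", []))}
    if my_address.lower() not in to_addrs:
        findings.append("your address is not in the To header (recipients likely BCC'd)")

    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_PHISH, "paypal.com", "colin@example.net"):
        print("-", finding)
```

The checks are deliberately cheap heuristics: a message can pass all three and still be fraudulent (a registered look-alike domain defeats the first), so treat an empty result as “no obvious tell”, not as a clean bill of health.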


Screensavers that attack spammers

While I hate receiving spam, I feel that the latest offering from Lycos to try and tackle spam by hitting Spammers where it hurts – Right in the bandwidth – is highly irresponsible.

If you are not aware of what I am talking about then I am talking about the Make Love Not Spam[^] website by Lycos. It offers you a Screensaver to download which, while running, will hit spammers’ websites. It works by the screensaver requesting from a central database a spammer to attack. The central system monitors the spammers website so that it isn’t completely disabled (how thoughtful) and if one site is getting near the brink will instruct the screensavers to go elsewhere. It doesn’t take too much of the user’s bandwidth as it only sends the request and then ignores the response.

To me this smacks of vigilantism. While some people welcome that someone is “finally doing something” the problem is that it is unregulated. Some might argue the case that it is just an “eye for an eye and a tooth for a tooth”, but many vigilantes end up hurting their targets or innocent bystanders more than the vigilante’s target ever inflicted on others.

I don’t know what the law is in your part of the world, but I would like to warn anyone in the UK that use of this screensaver may be illegal (I want to emphasise MAY BE illegal – I am not a lawyer). I am referring specifically to Section 3 of the 1990 Misuse of Computers Act.

To quote from guidance from the Home Office website[^]:

Section 3 – Unauthorised modification of computer material
Where a person does any act that causes the unauthorised modification of the contents of any computer a section 3 offence is committed. There must have been the intent to cause the modification and knowledge that the modification has not been authorised. The offence does not have to be preceded by a section 1 offence. This offence covers the introduction of harmful worms and viruses to a system, and denial of service attacks. The offence is punishable on summary conviction for a term not exceeding five years.

While the Lycos screensaver does not completely disable a website, it does cause “modification” to the service by slowing down the servers almost to the point of breaking. Any user of Lycos’ screensaver does so with the knowledge that their actions are “harmful”.

The advice goes on to say that an offence is committed when the person committing the offence is in England, Wales, Scotland or Northern Ireland at the time of the attack, or that the target computer was in England, Wales, Scotland or Northern Ireland. So, potentially even people outside the UK who hit a spammer’s website that is located within the UK may be convicted under this law.

Finally, let me remind you that I am not a lawyer and this is just my interpretation of the law. If you want to use the screensaver then that is up to you.

NOTE: This was rescued from the Wayback Machine. The original was dated Monday, 29th November, 2004.

Sony DRM Hides Trojan

Further to my post last week about Sony’s malware disguised as DRM it seems that a trojan is now taking advantage of the Sony malware.

From The Register: “This means, that for systems infected by the Sony DRM rootkit technology, the dropped file is entirely invisible to the user. It will not be found in any process and file listing. Only rootkit scanners, such as the free utility RootkitRevealer, can unmask the culprit,” warns Ivan Macalintal, a senior threat analyst at security firm Trend Micro.

The full story can be found here: First Trojan using Sony DRM spotted

This was rescued from the Google Cache. The original date was Thursday 10th November, 2005.


To be scammed, or not to be scammed

A little while ago I wrote about the poor security procedures that some banks had in place. The BBC have an article on today’s edition of their news website about tactics scammers use called “How to stay off the suckers list“. The common theme is that you have to be constantly vigilant about the situation or the scammers will get away with your money or belongings. However, how do you tell the difference? One reader summed it up succinctly:

The thing that always amazes me is when your bank rings up and asks you to answer some security questions. They could be anyone, and yet they always seem surprised when you ask them to prove who they are.
John James, London

And another wrote:

A further bit of advice when checking oseut credentials is not to ring the number on the ID card shown but to get the official number via the telephone book.
Peter Lockwood, Loughborough

I totally agree with both these sentiments. As I mentioned previously, when my bank’s fraud department rang, I verified the phone number left in the voicemail message and when I couldn’t correlate it to any existing correspondence I had with my bank I phoned their customer service department. I spoke at length about the security implications of what they had done, but despite the assurances of the person I spoke to, I still have the nagging feeling that it wasn’t going to be taken any further.

NOTE: This was rescued from the Google Cache. The original was dated: Tuesday, 7th February 2006.



Original comments:

We got cold-called today by some kind of business directory company. I didn’t talk to them, my colleague did. Towards the end of the conversation, as a ‘security question’ he got asked his place of birth. He refused to give it. The telesaleswoman said that she calls 400 people every day and he’s the first to refuse. He refused again and asked why she needed it. Allegedly it was to confirm to her supervisor, should he call, that she had indeed spoken to us.

In the end to get rid of her he simply lied.

My dad says that for his online bank account, he actually hasn’t answered any of the questions as stated. Instead he’s supplied other information which he can remember based on the information he was asked for. I’m not that smart – I couldn’t even remember the right answers to some of the questions (e.g. ‘memorable name’ – clearly not that memorable!)

2/7/2006 10:48 PM | Mike Dimmick

I completely agree with John James’ comments too about two way verification. If I get called by my bank, telco etc, I always request certain information from them to make sure they are who they say they are. It absolutely works both ways. I am also always surprised when they do not expect it. Recently, BT received a call from my partner to report a fault on our line. She is not the account holder, nor is she documented anywhere as living there (apart from council tax, data BT does not have access to) however BT were more than happy to disclose details about my account and even went so far as to divert calls to her mobile number (big security risk – what if I was having an affair or what if she wasn’t indeed my partner – easy trick to pull off!!!). Obviously, this is all going in my letter to them (they finally managed to fix my fault after 6 weeks).
Anyway, back to work for me.
Thanks Colin for the SQL injection attacks article on codeproject.com

2/10/2006 4:16 PM | Andrew Lewis

Banks need to get more serious about security

I promised a couple of months back that I’d blog about a “security incident” with an agent of my bank once the transition was complete. Well, the transaction completed last week and then something similar happened with my credit card company. Anyway, I’ve calmed down now so here’s what happened….

I re-mortgaged my house in order to (1) get a better deal and (2) free up some of the equity so I could do some improvements. The improvements have started – I’m repainting some rooms and at the weekend I ordered the new carpets.

My new mortgage provider, let’s call them Intelligent Finance (because that’s their name), said that they’d have a firm of surveyors call me to arrange a time to come and value the property. A couple of days later the company phoned me. The woman who I spoke to said she was from the surveying company and she’d called to arrange a time and would I give her my credit card number so that the survey would be paid for in advance.

I didn’t know who this person was. They could have been anybody who might have happened to find out I was re-mortgaging – it wasn’t exactly a secret that I was doing that. So I said that given that I wasn’t able to verify that she was who she said she was, I wasn’t going to hand over my credit card details to someone who phoned me.

This is an issue I feel very strongly about. Despite what many people believe, it is well known that one of the least safe credit card transactions are over-the-phone “Cardholder not present” transactions. I’m not keen on giving my card details over the phone when I’m initiating the call, but when someone calls me and I have no way to verify who they are then I will never give out any details.

So, I phoned IF to get the phone number of their surveyors and said how disappointed I was in the complete lack of security. I phoned back the surveyors with a number that I knew came from a trusted source (my bank) and paid for the survey.

Now that my re-mortgage is through, I started to buy the things I wanted for the home improvements I was doing. So, I went to buy a new carpet for my lounge, hall and bedroom. I was asked to pay a deposit (if you can call 80% a deposit) and the card had to be authorised over the phone with the bank. When I got home there was a message waiting for me on my voicemail to say that my card had been used in an unusual transaction and could I call my bank’s fraud department.

This bank, let’s call them The Royal Bank of Scotland, asked in the voicemail to call their fraud department on a specific phone number. So, I looked on my card to verify the number. It isn’t there. I looked over my old statements to verify the phone number. It isn’t there either. I cannot verify that the phone number given to me belongs to the bank. So I phoned their customer services department to say that I apparently had a call from their fraud department but I wasn’t able to verify whether it really came from the RBS or not. The woman I spoke to confirmed that it was them that had phoned.

Now, there are many vulnerable people out there who don’t take security issues all that seriously and would blindly call a phone number like that thinking there was something wrong. I suggested to the person that I spoke to that a better message might be to say to phone the phone number written on the back of the card or written on the credit card statements. If people start getting messages like this that are genuinely from their bank then they become desensitised to the potential security risks and are more likely to give out their credit card details to the wrong people without realising or even thinking about it.

The excuse by the RBS was that they ask very specific security questions. Really? How is the average consumer meant to know that? How is the consumer meant to verify that the person asking these questions is, in fact, an authorised employee or agent of the bank? In order to carry out a malicious transaction all a con-trickster needs to know is the credit card number, expiry date and the 3 digits on the signature strip. If they want to know more they can ask the most common security questions like: What is your mother’s maiden name? What is your Date of Birth? What was the name of the first school you attended? If they know the bank’s procedures well enough they can be quite convincing by asking other security questions related to that bank.

I think that on the whole banks are taking security seriously – However there still remains the issue of trust. How can the consumer trust that the person who phones them is a genuine agent of the bank who is authorised to carry out the task at hand?

NOTE: This was rescued from the Google Cache. The original was dated Tuesday 10th January 2006.


Moving Databases

If you ever move a database from one SQL Server to another you may come across the situation where the logins no longer map to the users in your database (and that’s assuming that the SQL Server you’ve moved the database to has the same logins). The mapping is by security identifier (SID), not by name, so a login of the same name on the new server still doesn’t match the user unless its SID happens to be identical.

If the new SQL Server does have the same logins then you can fix the mapping by using sp_change_users_login. The neat thing is that if the user and login names already match then there is an “Auto_Fix” action. And if you just don’t know what is mismatched there is a “Report” action too.
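The procedure described above, as an added example rather than anything from the original post. `MovedDatabase`, `app_user` and `svc_app` are placeholder names; the rest are the documented actions and parameters of `sp_change_users_login`, plus the catalog-view query and `ALTER USER ... WITH LOGIN` that Microsoft recommends in its place on SQL Server 2005 SP2 and later.

```sql
-- Added example. Run in the database that was moved (placeholder name).
USE MovedDatabase;
GO

-- Report: list database users whose SID matches no login on this server.
EXEC sp_change_users_login @Action = 'Report';

-- Auto_Fix: re-link a user to the login of the same name. If no such login
-- exists it CREATES one, so only use this where the login is already present.
EXEC sp_change_users_login @Action = 'Auto_Fix', @UserNamePattern = 'app_user';

-- Update_One: re-link a user to a login with a different name.
EXEC sp_change_users_login @Action = 'Update_One',
                           @UserNamePattern = 'app_user',
                           @LoginName = 'svc_app';

-- Equivalent check with the catalog views: SQL users (type 'S') whose SID has
-- no matching server principal. dbo is excluded by its SID matching the owner;
-- guest, INFORMATION_SCHEMA and sys are filtered out by name.
SELECT dp.name AS orphaned_user
FROM sys.database_principals AS dp
LEFT JOIN sys.server_principals AS sp ON dp.sid = sp.sid
WHERE dp.type = 'S'
  AND sp.sid IS NULL
  AND dp.name NOT IN ('guest', 'INFORMATION_SCHEMA', 'sys');

-- Equivalent fix with ALTER USER, the non-deprecated route.
ALTER USER app_user WITH LOGIN = app_user;
```

Run the `Report` (or the catalog query) first and re-run it after the fix: an empty result is the confirmation that every user now has a matching login. The `Auto_Fix` caveat matters from a least-privilege standpoint, since silently creating a login you did not intend is the opposite of tidying up the mapping.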

NOTE: This was rescued from the Google Cache. The original was dated Saturday 1st July, 2006.


Claiming my blog in technorati

Now that I’ve moved to this new blog I want to claim it with technorati. My previous blog was claimed relatively easily as I recall. However this time there is a new “Quick Claim” feature. I don’t want to use the “Quick Claim” feature because it requires that I tell technorati my blog’s user name and password and quite frankly I don’t care about their assurances in their privacy policy I’m not handing over that information.

If companies start asking for usernames and passwords to other services a person uses it will desensitise them to the practice and make social engineering easier for the fraudsters. There was a study done about a year ago that showed that many people will hand over passwords for a bar of chocolate. So, perhaps the damage is already done.

Curiously, when I go to make my claim it asks me to choose between different methods of making a claim. Sounds okay. But it only offers me one option. And that is “Quick Claim”.

Any which way you want to look at it, I ain’t handing over that information for whatever reason. Not even for a bar of chocolate.


Spam Scams

Today I received an email purporting to be from the “The UK. Natioal Lottery” (I think they meant “National”). However, I didn’t pick up that it was a scam immediately from the subject and name (I didn’t spot the obvious spelling error immediately). Normally that sort of thing would have raised my suspicions immediately. However, not today. Today is the last EuroMillions lottery before Christmas. I don’t normally enter the lottery at all. I pay a pound a week to the office syndicate and that is it. But I do enter the lottery at Christmas time for a bit of a laugh. I know the odds are stacked heavily against me, which is why I only enter once per year.

Back to the scam. There are a number of things that you can look out for in a scam email. Bad spelling is just one of those things. But there are cultural markers too.

However, there are some things that make it seem genuine. The address is given as “The U.K. National Lottery, Online Lottery Promo Dept., Customer Service., PO Box 1010, Liverpool, L70 1NL United Kingdom.” and if you look on the internet you’ll see that this is, more or less, the real address.

The date of notification is the date of a lottery draw. It talks about an online lotto draw. And Friday’s draw is indeed an internet draw.

It gave some results numbers, presumably to make it appear genuine.

Luckily there are pointers to show that it is a fake.

For a start the email arrived before the actual draw took place.

Next it talked about “online lotto draw” – but Friday’s draw is the “EuroMillions” draw.

It also said the draw was “conducted from an exclusive list of 50,000 e-mail addresses of individual and corporate bodies picked by an advanced automated random computer search from the internet.” Why would it pick email addresses from the internet? You have to pay to enter a lottery draw. You don’t just get entered randomly.

It goes on to tell you your prize – and if you read the National Lottery’s real guide they will tell you that they will never tell you that you’ve won in an email, let alone the actual prize amount.

When it talks about money it says “Great British Pounds” but it isn’t a term I’ve ever heard used. There is of course the standard abbreviation “GBP” that is used in text only financial systems but if you were to say the name of the currency in full in a formal document you’d give it the proper title. (“Pounds Sterling” – if you didn’t already know)

Then there is some fluff about the history of the prizes giving various fake names such as the “Big Game Mega Millions”. Curiously the amounts it gives as highest and lowest historical winnings are wildly out. Obviously the person putting together the scam didn’t do enough research.

They then tell you that “For security reasons, be advised to keep your winning information from public notice until your claims is processed and your prize money remitted to you as required in this grand category “B’ terms and conditions of claims. This is a part of our precautionar y measure to avoid double claiming and unwarranted abuse of this program by non winners.”. So more bad spelling, punctuation and even American spelling to show this one up. The more interesting thing here is that “for security reasons” don’t tell anyone about this until we’ve scammed you. Nice!

Then it goes on to tell you how to contact “Phil Smith” to process your claim. E-mail: ph_smith@post.com

For more information about how to spot fraudulent emails purporting to be from the UK National Lottery look at this guide to spotting a fake from the National Lottery website. They also tell you in the FAQ on the site what the actual procedure for making a claim is.

Bottom line is, if you didn’t enter a lottery, then you can’t win it. As the advert for the real National Lottery goes “You’ve got to be in it to win it!”

For your delight and reading pleasure here is the full text of the email:

The U.K. National Lottery
Online Lottery Promo Dept.
Customer Service.
PO Box 1010
Liverpool
L70 1NL United Kingdom.

Date of Notification: 22-12-2006

Ref N0: KPL/09-002/JA.

Attn: Winner.

We happily bring to your notice the results of the
U.K. National Lottery annual draw held on the 20th
December 2006 in London. The online lotto draws was
conducted from an exclusive list of 50,000 e-mail
addresses of individual and corporate bodies picked
by an advanced automated random computer search from
the internet.

Congratulations!

Your e-mail address attached to the Batch N0:P2/0056
with Serial number: 06/1055 drew 20th of December 06
[5] [11] [13] [17] [14] [48] [25], which subsequently
won you a prize in the category "B". You have
therefore been approved to claim a total sum of
£1,500,000.00 (One Million , Five Hundred Thousand
Great British Pounds) in cash credited to file Ref N0:
KPL/09-002/JA.

This prize is from a total cash prize of
£4,500,000.00 (Four Million, Five Hundred Thousand
Great British Pounds) shared amongst the first Three
(3) lucky winners in this grand category 'B'. This
year Lottery program Jackpot is the largest ever for
the UK National Lottery. The estimated £35,000,000.00
(Thirty Five Million Great British Pounds) jackpot
would be the sixth-biggest in the U.K. history next
year (2007).

The Lowest was the £4,000,000.00 (Four Million Great
British Pounds) jackpot that was shared between Four
(4) lucky winners in January 2005 draw of the Big
Game Mega Millions' predecessor.

For security reasons, be advised to keep your winning
information from public notice until your claims is
processed and your prize money remitted to you as
required in this grand category "B' terms and
conditions of claims. This is a part of our
precautionar y measure to avoid double claiming and
unwarranted abuse of this program by non winners.

Please note that, your lucky winning number: [5] [11]
[13] [17] [14] [48] [25] falls within our European
Booklet representative office in London as indicated
in our play Coupon. In view of this, your
£1,500,000.00 (One Million, Five Hundred Thousand
Great British Pounds) would be released to you by our
affiliate bank.

Our approved agent, Mr. Phil Smith will immediately
commence on the processing of your claims, to
facilitate the release of your Winnings to you as
soon as you make contact with him.

Please be advised as follows: To file for your claim,
kindly contact our certified and accredited claims
agent with the information below:

***********************************************
Name: Phil Smith
E-mail: ph_smith@post.com
Claims processing agent
For: The U.K National Lottery.
***********************************************
You are advised to provide him with the following
information:
Names:
Telephone/Fax number:
Nationality:
Age:
Occupation:

Note that, all claims processes and clearance
procedures must be duly completed early to avoid
impersonation and or double claiming.

To avoid unnecessary delays and complications, please
quote your Reference and Batch numbers in any
correspondences with our designated agent.

Congratulations once more from all members and staff
of the UK National Lottery Promo.

Yours Faithfully,

Mrs. Patricia Spencer.
Online Co-ordinator
UK National Lottery Promo

NOTE: This entry was rescued from the Google Cache. The original date was Saturday, 23rd December, 2006


Here are the original comments for this entry:

i just got that e-mail, i had mixed views on it i thought it was to good to be true but also thought that maybe it was the real thing, so i went searching anyway this information was easy to find now i know its a fake, any1 out there plzz don’t get involved in it.

12/27/2006 4:05 PM | sukhy

That guy thinks that everyone is a fool. I received the same letter today. Thank God we can search to find information like this.

We have to be careful in these days of such frauds.

Queen from El Salvador

3/20/2007 9:28 PM | Delcy

I got too.
what is this e.mail?
it,s a fake?
plz tell me more.
thanks a lot.

5/8/2007 1:25 PM | A

Additional: I was actually surprised that people commented thanking me for telling them it was a fake. I would have thought it was obvious. But I guess not, which is why many people still get taken in by this kind of thing.

Just remember the golden rule: If it sounds too good to be true it most probably is.


Not the Way to Complain About a Bank

I recently read a blog post from a guy that was irritated with the customer service from his bank. And that is a fair thing to blog about. If you don’t think you are getting a good service from a company, blog about it, let the world know. Others with a similar experience will probably comment and share their experience. This publicity can often be the start of a very bright and uncomfortable light shining on the organisation in question which can lead to improved customer service.

However, if you are going to post such a thing, or comment on someone else’s blog post then please do not post copies of letters you sent to the bank containing all your financial details. That way madness (and identity fraud) lies.

If you think I’m making this up then go and read this: http://www.arjunprabhu.com/blog/archives/2005/04/27/icici-bank-a-bad-experience-for-many/

If that is their attitude to their own financial safety and security then I just hope none of these people are responsible for any of my off-shored financial information.

NOTE: This post was rescued from the Google Cache. The original date was Wednesday, 27th December, 2007.