Showing posts with label phishing. Show all posts

28 March 2009

Phished by Visa

This is utterly scandalous:

Not content with destroying the world’s economies, the banking industry is also bent on ruining us individually, it seems. Take a look at Verified By Visa. Allegedly this protects cardholders - by training them to expect a process in which there’s absolutely no way to know whether you are being phished or not. Even more astonishing is that this is seen as a benefit!

...

Craziness. But it gets better - obviously not everyone is pre-enrolled in this stupid scheme, so they also allow for enrolment using the same inline scheme. Now the phishers have the opportunity to also get information that will allow them to identify themselves to the bank as you. Yes, Visa have provided a very nicely tailored and packaged identity theft scheme. But, best of all, rather like Chip and PIN, they push all blame for their failures on to the customer.

I've instinctively hated these "Verified by Visa" schemes ever since they came out, and tried not to use them. The fact that they are not just inherently insecure, but that merchants are encouraged to use them in the most insecure way possible, is astonishing even for an industry as rank and rotten as banking.

The one consolation has to be that Verified by Visa is so demonstrably insecure that it should be easy to challenge in court any attempts to make customers pay for the banks' own stupidity.

Follow me on Twitter @glynmoody

24 October 2008

Verified by Visa - As Valueless

I, too, have noticed the insidious spread of Verified by Visa (VbyV), and thought it looked well dodgy, but I couldn't quite put my finger on it. Here's the problem:

Once obtained by fraudsters, either by direct phishing attack or through other more subtle forms of social engineering trickery, VbyV login credentials make it easier for crooks to make purchases online while simultaneously making it harder for consumers to deny responsibility for a fraudulent transaction.

The easiest way will be for a compromised site to push you to a false login and obtain your magic password. You won't be able to prove it, of course, and so the danger is that you will end up footing the bill for fraud.

This is a disaster waiting to happen, and lots of people are going to get burned if we don't manage to get some sense into the banks soon. The only way to do that is to get the story out - please pass it on.... (Via Kim Cameron's Identity Weblog.)

04 July 2007

DomainKeys Identified Mail: A Certain Thing

I'm amazed it's taken so long to come up with this:

DKIM uses digital signatures to authenticate messages. These signatures allow you, or your e-mail service provider, to verify that a message claiming to be from your bank is really from your bank. Without authentication, if I receive an e-mail saying that my account has been compromised and requesting me to verify my personal details, it's a pretty good bet that I should ignore the message. But if I receive the same message and I can prove to my own satisfaction that it came from my bank, then I should probably pay serious attention.

DKIM can offer this proof, and it has just been published by the Internet Engineering Task Force--the group responsible for technical standards on the Internet--as an official Internet standard.
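An added example (not code from this post or from the quoted article) of the first step a receiving mail server takes when checking a DKIM signature: the signer commits to a hash of the canonicalized message body (the bh= tag), and the verifier recomputes that hash over the body as delivered. It assumes the constructed message below, with the made-up domain bank.example and selector sel; checking the b= signature itself against the selector's public key in DNS is not shown.

```python
import base64
import hashlib
import re

def relaxed_body(body: str) -> str:
    # RFC 6376 3.4.4: collapse runs of WSP to one space, strip trailing WSP per
    # line, drop trailing empty lines; an empty body canonicalizes to "".
    lines = body.replace("\r\n", "\n").split("\n")
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in lines]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(ln + "\r\n" for ln in lines)

def body_hash(body: str) -> str:
    digest = hashlib.sha256(relaxed_body(body).encode()).digest()
    return base64.b64encode(digest).decode()

def parse_tags(value: str) -> dict:
    # DKIM-Signature is a tag=value list; folding whitespace in values is dropped.
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags

def split_message(raw: str):
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in re.split(r"\r\n(?![ \t])", head):  # unfold continuation lines
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value
    return headers, body

def verify_body_hash(raw: str) -> bool:
    # First step of DKIM verification: the bh= the signer committed to must match
    # the body as delivered. Checking b= needs the selector's DNS key (not done here).
    headers, body = split_message(raw)
    tags = parse_tags(headers.get("dkim-signature", ""))
    if tags.get("a") != "rsa-sha256" or tags.get("c", "simple/simple") != "relaxed/relaxed":
        return False  # only the relaxed/relaxed, sha256 case is handled in this example
    return tags.get("bh") == body_hash(body)

SAMPLE_BODY = "Dear customer,\r\n\r\nYour account  is fine.   \r\n\r\n\r\n"  # constructed
def build_sample(body: str = SAMPLE_BODY) -> str:
    # Constructed message; bh= is filled in exactly as a signer would before signing.
    return ("From: alerts@bank.example\r\n"
            "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bank.example;\r\n"
            "\ts=sel; h=from; bh=" + body_hash(body) + ";\r\n"
            "\tb=SIGNATURE-NOT-CHECKED-HERE\r\n\r\n" + body)
```

Whitespace-only changes in transit still verify under relaxed canonicalization, while any change to the words makes the recomputed hash differ from bh=.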

30 May 2007

IE Indeed

Sigh. Tell me again why people are still using Internet Explorer:

It turns out the link installs a malicious post logger that transmits all information submitted through Internet Explorer to a website controlled by the attackers.

After reverse engineering the rogue browser helper object that attaches itself to IE (the malware doesn't work on other browsers), Stewart says he was able to locate a site that stored detailed information on some 1,400 executives who fell for the scam.

When will they learn? (Via Mobile Open Source.)

12 January 2007

Firefox 3: the Great Paradise?

Until now it has been hard to say, since Firefox 3 was more a hope than a project. But behold the Product Planning Doc for:

Firefox 3, code-named "Gran Paradiso", presently under development with an expected release in Q3 2007.

The salient bits of which are:

High-Level Feature Plan

The proposed major theme for Gran Paradiso is “improved information and content management”. This is the area that we’ll do the most innovation in. Gran Paradiso will continue to improve in areas where we’ve traditionally been strong in: security, usability, extensibility and customization, performance, web standards and compatibility.

Features for Gran Paradiso will fall into one of the following categories.

For Users

* Information Management includes Bookmarks, History, Content Handling, Content Editing, Printing and Microformats
* Security including Privacy, Phishing Protection, Addons and Password Management
* Usability/UI Improvements including Search, Tabbed Browsing, OS Integration & Accessibility
* Customization - ability to discover and manage addons
* Performance - how fast Firefox operates
* Localization - operating in non-US English
* Installation & Auto-Update
* Support & Help

For Developers

* Web Standards & Compatibility (e.g. ACID2, CSS2.1, SVG via Gecko 1.9, EV certs, etc.)
* Web Developer Tools
* Extension Developer Tools

To say nothing of the cool name. (Via Read/WriteWeb.)

07 November 2006

You Know Second Life is Real...

...when they start phishing for your passwords to steal your virtual money.