Slashdot Mirror
How the Phishing Biz Works
Carl Bialik from the WSJ writes "Christopher Abad has spent much of the past six months 'stalking the phisher underground,' Lee Gomes writes in the Wall Street Journal. 'The typical phisher, he discovered, isn't a movie-style villain but a Romanian teenager, albeit one who belongs to a social and economic infrastructure that is both remarkably sophisticated and utterly ragtag. If, in the early days, phishing scams were one-person operations, they have since become so complicated that, just as with medicine or law, the labor has become specialized.' For instance, a phisher in Romania who successfully scores account information for someone in the U.S. may go on IRC to seek out a 'casher' to withdraw money from the target's account, and send a cut back to the phisher."
Looks like I caught a big one! A 12-lb FP!
I think it involves 3. ??? somewhere
Will wash cars for karma
But not as prettyful as... This Technology
http://www.sandstorming.com
If the Harvard Business School types who descended like vultures on the former eastern bloc countries haven't worked so hard to savagely gut the social protection systems that were in place, there would not be so many criminals in those countries nowadays...
Remember that that cold soldering iron "Cold Heat" you see advertised on TV late night was invented by Romanian immigrants.
Yeah, and before you diss Americans, that "Pocket Fisherman" you see advertised on TV late night was invented by Americans...
What's your damage, Heather?
To state the obvious i'd suggest substituting "suckers" for "Americans".
Not trying to be funny, but it's people innocence/ignorance that causes these problems. You don't have to be American to be stupid (despite some peoples feelings on the matter).
Take the phrase "it's on the internet, it MUST be true" for example.
Life is like a box of chocolates, you never know when your gonna get food poisoning.
I always thought that only old people would fall for these phishing and scam emails. The problem is, here in Brazil it's not like Korea: it is not so common to see old people using computers, specially for online banking. Then one day I met this beautiful, smart and young lady who lost a big sum of money when she got phished. I was surprised to see a real person that got phished. I think she could get it back from her bank, though. It was probably a national phisher, I don't believe it was a teenager from Romania.
"'The typical phisher, he discovered, isn't a movie-style villain but a Romanian teenager"
A Romanian teenager is a typical movie style villain. Haven't they ever seen Blade?
Maybe you guys are getting these all the time, but i don't email much and just received my first phishing email. I never read or open anything if it looks even remotely sketchy, but this one was pretty good. i believed it for a few seconds, until i logged in to paypal through a separate browser and verified no changes had been made to my account. I then forwarded the email to spoof@paypal.com as paypal requests. they wrote back to verify that the email was a scam. Another giveaway was that every link in the email, including the phony email address, had the following url behind them (i never clicked it- don't know whats there): h t t p ://linux.fal.pt/fundicao/img/cmd/index.html
u n
original message (i added spaces to urls so they wouldn't be links):
From : PayPal Inc.
Sent : Tuesday, June 14, 2005 3:58 PM
To : my_email@hotmail.com
Subject : Unauthorized Access: (Routing Code: P101-K001-Q-P090)
You have added funstuff12@aol.com as a new email address for your
PayPal account.
If you did not authorize this change or if you need assistance with
your account, please contact PayPal customer service at:
h ttps://www.paypal.com/cgi-bin/webscr?cmd=_login-r
Thank you for using PayPal!
The PayPal Team
Please do not reply to this e-mail. Mail sent to this address cannot be
answered. For assistance, log in to your PayPal account and choose the
"Help" link in the header of any page.
PROTECT YOUR PASSWORD
NEVER give your password to anyone and ONLY log in at
h ttps://www.paypal.com/.Protect yourself against fraudulent websites
by opening a new web browser (e.g. Internet Explorer or Netscape) and typing
in the PayPal URL every time you log in to your account.
PayPal Email ID PP1507
So those who don't know exactly how their highly-computerized car works should not operate one? Should everyone who doesn't have a medical degree and fully understand the human body avoid medical care? Should everyone who doesn't fully understand the intricacies of their local, regional and national economies not participate in them?
I wan' to see the IRC-network, wehre one can "post" things.....
You should know your enemy. http://honeynet.org/papers/phishing/
The point was that many of us get viruses in emails from random people who we have never heard of.
Go to the w3.org and put Slashdot.org through the validator.
Are you advocating ignorance?
Honestly give a deep look at what you're saying. You're saying people should buy 30,000$ cars without looking into them. They should spend 1000s of dollars on medical treatment without reviewing the facts....
What next, buy a $250K house without first stepping into it?
I think a little knowledge in the respective fields [even if just for the purchase] could be a very GOOD IDEA.
Besides, if you knew how your car works you'd probably get more out of it. For instance, what's the tire pressure of all four tires? What's your current highway mpg? What are your emissions ratings? Are there any dents or damages to the car? etc...
Why would knowing those things be a bad idea?
As for medicine, if you knew how nutrition works you'd probably live longer and better. You wouldn't be at the doctors as often, etc...
So what? Should we all eat bigmacs all day because "knowing things sucks".
As for economies, if you're investing money why not just give it to me. I'll handle it for you. Why bother doing research. Why bother supporting local economies over foreign ones [e.g. walmart], etc, etc, etc.
You're seriously sitting there and saying "knowing things is a bad idea"...
Tom
Someday, I'll have a real sig.
I would like to add, that in an increasingly complex world, it's becoming more and more difficult to be an informed consumer and citizen. The latter, I think, was the reason for AM radio's comeback. A lot of folks needed someone to boil the issues down to soundbites for quick consumption - like it or not.
As for me, I find that simplfying my life, as much as I can, is helping me to cope. It also helps me live below my means.
no, the problem is that when you put a person at a computer their intelligence drops 10 fold. they just seem to lose all common sense when a computer is involved.
for example, if a random stranger walked up to you on the street and said that they were a representative from your bank and said that they must verify your account information otherwise they will have to close down your account, you would tell them to fuck off, walk away, and maybe even call the police on them. now, that same person gets an email stating the same thing that the stranger on the street said, and suddenly they worry that "OMG i need to give this strange person all my data or they might close down my account."
they just need to learn to delete and ignore their email, similar to how they would have walked away from the stranger on the street.
I don't get your post.
... that's another story.
What I said is people who CHOOSE to be ignorant deserve what they get.
If you get ramrodded on some obscure piece of information that a reasonable person who attempted to cover their bases misses
If you're just too lazy to take a semester of "outlook for dummies" at your local state college... then why bother using a computer at all?
By your logic, anyone should be able to hop into a plane and fly around. Afterall, forcing training and knowledge on people is the act of a zealot crazy person.
Hell why stop there, let's give children weapons unsupervised because safety regulations [and knowing of them] is for chumps!
A lot of people simply are wilfully ignorant about how the tools they take for granted actually work.
What the fuck do they spend their time doing? I mean I go out and have fun [and do road trips, etc] yet I still managed to figure out how computers work.
I guess you're right, I must be a geniOUS.
Tom
Someday, I'll have a real sig.
It's one thing to insist that people bend over backwards to work within the constraints of poorly designed systems, but I think it requires a leap in logic to insist that the fault is entirely upon the user for not interfacing properly with those poorly designed systems.
People have difficulty learning technology because there is a tiered system of knowledge in anything computer/IT based, and understanding the technology at one level does not necessarily inspire one to learn the technology at a deeper level.
To use your analogy, there are users that know how to start and drive the car, there are users that know how to drive and also that they should be changing the oil once in a while, and finally there are users that can drive/race/fix/build their cars. The vast majority of the population would fall between the first two drivers. All know how to operate the vehicle, most probably know that they should be thinking about their oil, but about ¼ of them forget to do it on a regular basis.
There is very little encouraging the average driver to learn anything more about their engine then how to start it. The same is true in computers.
As soon as someone knows how to start up their PC, log-on to the internet and install applications, there isn't much need to dive deeper in the technology. The difference between a PC and a car is that the auto industry is required to provide easy to use protection to a driver. There is nothing similar in the PC world to protect Joe Average from himself and from others.
In my mind, this would be akin to auto-manufacturers requiring that a driver turn on their airbag every time they wanted to use it. It's just stupid design.
What the computer industry needs to realize is that they've got two choices in this scenario. They can take it upon themselves to provide active and easy protection to the average user on their own terms, or they can wait for the Government to mandate a solution.
With the rash of consumer data theft recently, it's obvious that vast expanses of industry are not protecting data to a satisfactory level. It's only a matter of time before the government starts throwing its weight around.
:::: the insomniac's digest
As for economies, if you're investing money why not just give it to me. I'll handle it for you. Why bother doing research. Why bother supporting local economies over foreign ones [e.g. walmart], etc, etc, etc.
You're seriously sitting there and saying "knowing things is a bad idea"...
The parent's point was that you don't need to know the intricate working details of everything in order to be able to effectively use it. That's the whole point of technology, we put enough layers on top of all the nitty-gritty so that what was once a complex task because simple.
You don't need to know how an internal combustion engine works to effectively drive a car. Someone purposefully put a lot of effort into making a car simple to drive so that almost anyone could do it without needing to be a mechanical engineer.
So, what we really have here is the original poster went a little too far with his hyperbolic examples, and you went too far the other way with yours.
Yes, knowing a little bit about what you are buying before you buy it is important, but you don't need to review the schematics and understand everything that went in to building it in order to use it. Otherwise, why didn't you just make it yourself?
What?
I hope you check replies to your posts. Your journal is archived, which is teh ghey, cause I have all the GIS episodes, including the supplimental ones. I'm currently 7-zipping them, and I'll upload them to my website soon, please check back.
If you need to get in touch with me re: this, you can email spam(a)dunnclan*net
sig?
I've always thought that we could use some sort of slashdot effect to curb phishing. When you get a phishing email, report it to some kind of website, once it gets verified as a phishing website, you can kind of just DDOS it. Maybe we could all help out by installing a folding@home type client where phishing urls are DDOSed by a bunch of people. With 100,000 people on such a network, each person would only need a to send out a few requests to each site to make it work. There would be problems with the network hacked for bad uses, but limiting the client to only listening to messages that are properly signed would be a good start.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
It didn't became financially unsustainable after the change, it was it well before. In fact, it was a major part of the countries failing economy, and this failing economy was the underlaying cause of the collapse of the soviet systems.
Red Leader Standing By!
"The parent's point was that you don't need to know the intricate working details of everything in order to be able to effectively use it. That's the whole point of technology, we put enough layers on top of all the nitty-gritty so that what was once a complex task because simple."
... that's sad.
If you call knowing how to decode a URL "nitty-gritty"
"You don't need to know how an internal combustion engine works to effectively drive a car. Someone purposefully put a lot of effort into making a car simple to drive so that almost anyone could do it without needing to be a mechanical engineer."
That's a sales ploy. Having the average idiot drive a car is not a good thing. Look at all the morons on the road today. You think if they had some knowledge of how their cars worked and a working knowledge of the rules of the road w.r.t. safe driving that we'd see people doing 90mph on the Long Island expressway?
And I never said you have to look over the schematics.
But knowing how to use windows and email [e.g. why not to use HTML, how to decode a URL, etc] can let you make way better use of your tool. Let's not forget that computers are tools.
If you want something to make noise that is easy to use buy a furby.
Tom
Someday, I'll have a real sig.
Yeah, phishing scams sound surprisingly like wallet inspectors, only on the internet.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
This is a vast exaggeration. The image of an eastern europe, 'ragtag' social and economic infrastructure is, for example, in complete contrast to the well-dressed, hip, bling-bling superstars that make up my crew.
We call it Fly Phishing.
Canada has 40% unemployment?
/ lfs-en.htm
Do a google search you xenophobic fucking idiot.
http://www.statcan.ca/english/Subjects/Labour/LFS
Wow it's 7% in Canada.
What's it in the USA?
http://www.bls.gov/
It's 5%.
Yeah, we're SOOO WORSE off here in Canada....
Tom
Someday, I'll have a real sig.
Ok, here you go:
http://elvis.netmar.com/~will/geeks.7z
I can't host that forever, I do have a limit on my bandwidth, but I'll leave it there for a week or two. It's going to take about 35 more minutes to finish uploading, but it should be done by 10:30 EST June 20.
~Will
sig?
Why is this modded insightful?
No one would require that people understand all the ins and outs of a car before using one. But a TINY bit of knowledge would go a long way. Many people don't know that they need to change the oil in their car, many people don't know where to put windshield washer fluid in their car. (A friend of mine is a mechanic and he does see this kind of thing.)
The problem is a lack of basic knowledge, a few simple tidbits would go a long way. For many people the inner workings of their car, or computer, may as well be magic.
Cool number, I guess that would make the US's unemployment rate about 38%.
Take note, take note, O world,
To be direct and honest is not safe.
If the bank sends you a letter asking for personal account information, most people would follow up (especially if it contained bank logos and stuff).
And cluless people tend to associate email with letters. So its not unexpected that an email complete with official looking bank logos and graphics (and wording specifically designed to trick unsuspecting people into believing its genuine) would trick people into falling for it.
Here is a scheme that (if implemented) would almost completly stamp out phishing (for the bank that has implemented it anyway):
Each account that is enabled for online banking has a unique number generated for it, stored in the bank secure online banking database alongside the username and password. (call it S)
The customer is given a little device that would probobly look like a little calculator. This device contains an embedded copy of the number generated in step 1 along with simple logic to implement a hash algorthim and a keypad.
When you access the internet banking site, the bank displays the login and password prompt plus a randomly generated number and a box to put the output hash into.
The number is stored by the bank systems in a way that directly links it to the IP address of the machine logging in and also so that it is no longer valid after a very short period of time (e.g. 20 minutes or something). Refershing the login page would get a new different number.
You would input the number from the login page into your "calculator" thing which would combine it with the secret number inside the "calculator".
Then you input your username, password and the resulting hash into the login screen.
Assuming the hash generated by the "calculator" and by the bank (using the stored copy of the secret number) match, you would be allowed into the banking system.
The hash algorthim (call it F) would be chosen so that there is no number X such that F(S,X) = S for any significant number of values for S
If the "calculator" is stolen or lost or whatever, you could request a new one (with the old secret number being removed from the bank database for good)
Even if the fake login page talked to the banks servers and retrieved a real "challenge code" (to enter into the "calculator") it wouldnt defeat the system since it (and the resulting hash) would expire long before the phisher would actually be able to make use of it.
Another option would be one-time-use values that you get from your bank and use once to access online banking. Although this option would be less safe because of this:
Philsher makes fake login page
Bank customer goes into fake login page and types in username, password and one of their one-time-use values.
Bank customer gets message back saying "system is down". Now phisher has one of the one-time-use values (error message can be written so as to convince bank customer that the one-time-use value he just used is now "used up") and can grab contents of bank account.
Myself, if my bank (The National Australia Bank) implemented the "calculator" idea, I would accept it (even if it did mean more bank fees to pay for the "calculator" device)
If you look at a computer like any other tool, then you'd realize why people need to be trained to use them properly. You'd never see someone operating a chainsaw, an arc welder, or a jackhammer, in industry, without first taking the proper courses in safety and operation. A computer is many times more complicated than any of those tools. People need to understand how things work so that bad things don't happen to them.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
We destroyed their way of life
How so? Their way of life didn't work and the system imploded on itself. Granted we did all we could to speed the process, but we weren't the cause.
Do you even know anything about perl? -- AC Replying to Tom Christiansen post.
No, I'm not.
You're saying that it's the car owner's fault if they get tricked into a repair that wasn't necessary on their vehicle. I say if someone tricks them into buying new tires when the current ones are fine, the owner should have known better. But if a mechanic tells me that my timing chain is loose, should I know better? Should I know exactly how much slack there should be in a timing chain? For that matter, should I know the difference between every belt and chain under the hood? No, of course not! That's what we pay other people for. It's not realistic to expect anybody to know everything about every topic.
I'm all for doing some research before having major medical procedures done. If someone talks you into having your appendix removed for a second time, then shame on the patient. But can you honestly tell me that every patient should be able to read an x-ray and tell the difference between bronchitis and an allergy-related cough? Again, of course not. That's why we pay doctors. It's not realistic to expect everybody to know every possible medical fact and procedure.
I'm not sitting here saying knowing things is a bad idea, but I am advocating being reasonable and what level of knowledge should be expected out of the average person, especially in fields outside of their "main field." Can you honestly tell me you feel differently?
Also i have to say i doubt the notion that there are "phishers 'r us" websites/ lists/ organisattions that can a). operate for any decent lengh of time before going down by infighting and b). stay out of the public eye for however many years now?
What i'd really like to see though, is an effort by governments to curb this kind of criminal behavior first, and then going after petty internet crime like music piracy et al. Hell, if they can bust a warez ring, a phishers ring with real, tangible damage to both banks and customers would be even easier. Especially if they (supposedly) already have leaks, like Mr. Incredible here who used his massive skills to write a vague article that really doesn't tell us much.
Will wank off Linus Torvalds for fame.
I'd say it's more analagous to calling people up and posing the same question. You don't expect your bank to accost you on the street so you're naturally suspicious of anybody who does so. A phone call is not uncommon, however, and people become significantly more trusting - proven many times over by social engineers.
Email has now become the new phone call...
Jw
I think you need to back off the elite attitude a little bit.
As far as driving goes, most of the "morons" I see on the road are those that think they know everything and they don't. (i.e., I'm the best driver in the world and everyone else is a moron). Their ability to actually handle an automobile has little to do with knowing how the innards work.
The point in computers is that they are supposed to be easy to use. While you might find it exciting to look at a URL and understand that it isn't actually pointing where you think it is, a good majority of "average" users, probably don't even look at the address bar a good majority of the time (possibly because they are so often bombarded with "junk" looking URLs, i.e. look at the average slashdot URL when browsing comments).
People want to be able to sit at a computer and have it do what they want it to do without having to worry about those mundane details. This isn't a user issue, it's a design issue. It is easy to sit around and blame stupid users, but they're only stupid because the design hasn't conformed to their needs.
Think of it in terms of Operating Systems and security. The OS should come configured to be secure already. The average user isn't going to know or want to know how to make it secure, they expect to already be secure. Are they "stupid" for not wanting to do that? No, it is the manufacturer's responsibility to make sure that takes place, so that the user doesn't have to worry about it.
We can either try to educate the world, or we can design products that conform to the world's "stupidity". The latter will probably be more successful.
What?
There are some very simple ways to solve this, en-masse...
Set up a milter that calls HTML::Strip to strip out all HTML from email. I don't want my webpages on port 25, just like I don't want my email on port 80. Users don't know or care anyway, set it up at the MTA side and they'll get clean emails.
Use a real MUA, like pine, mutt or other that allows you to see the actual content of the message, not its abstracted "rendered" equivalent. I simply hit 'h' in pine, and can see the resulting link that the phisher is trying to send me to... if it doesn't match the anchor tag, it gets deleted (and forwarded to spam-$USER, see dspam below).
Don't run Windows. Nothing need more be said here. When the same ActiveX control is used by Exchange to "render" email into your mailbox as MSIE to "render" maliscious HTML to your browser, you should be concerned.
Install and configure dspam. Problem solved after only a few phish emails come through. Simply send them back to your internal spam-$USER address and you'll never see them again, including future ones that are similar. If you want to see them again, go into the web interface and send them to your mail, which will automagically re-score them lower so they get through. My users and I haven't seen a single spam get through to any of our mailboxes in MONTHS, not a single one. Beats the pants off of anything else out there that I've used.
Education. Teach your users that they should never respond or click URLs in email, ever, period. Show them that PayPal and eBay and other companies never ask you to log back in to verify any personal information. Show them how these systems work, and reinforce it all the time by asking them questions about it. Drill it into them.
I'm guessing he pulled that number out of the orifice where he keeps his brain.
Must be dark and smelly in there
"I'm not a procrastinator, I'm temporally challenged"
Here in Norway, I get to choose between one time login codes and the hashing "calculator"
Lucky me
The system had the verbosity of HTML combined with all the readability of compiled assembly viewed as bitmap images
"What I said is people who CHOOSE to be ignorant deserve what they get."
Then it's reassuring to know you'll get yours, unless you're honestly stating that you're fully aware and informed about every aspect of your life, including those aspects you're probably unaware of.
"If you're just too lazy to take a semester of "outlook for dummies" at your local state college... then why bother using a computer at all?"
Hahahahahahaha, that's funny. Really. Here's one for you: True or False, the PC Revolution would have happened if everyone had first been required to attend a semester course on PCs.
"By your logic, anyone should be able to hop into a plane and fly around. Afterall, forcing training and knowledge on people is the act of a zealot crazy person."
By your logic, everyone should be required to take a semester-long course before operating a PC. And only an IDIOT would compare operating a PC with operating a plane to make their point.
<snip a whole bunch of snide, logically fallacious garbage>
"I guess you're right, I must be a geniOUS."
No, but you are arrogant, aloof, spectacularly bad at creating metaphors and comparisons, and you misspelled retARD.
Chuck
A little bit of an addendum to this, in case it wasn't clear...
If you want to sell a product, you adapt to your target audience. If you make your product so that they have to expend too much effort versus the potential gain from using it, they're not going to use it.
It's Linux' fatal flaw at the moment (with the "target audience" variable being debatable).
What?
Whatever, you think learning is bad. I can't convince you otherwise.
...].
Should people take computer courses? Hell yes. Welcome to 2005. If you're not retired and plan to work for a living chances are you're gonna touch a computer.
You'll then tell me that many jobs don't use computers [short order clerks, clowns, prostitutes,
Well, they also don't use math.
Tom
Someday, I'll have a real sig.
We're hardly an empire (don't own any land that want's to be separate).
Stop thinking it's cool to trash America. Pick through the FUD, and you'll see blame lies on both sides of the line in almost any problem.
s/clerks/cooks/
Stupid replying to zealots is taking up too much time...
Tom
Someday, I'll have a real sig.
One day late last year, Mr. Abad was on the Internet Relay Channel, or IRC, a global online chat system that is best known as the lair of various digital bad guys.
I know i'm just being a nazi, but please can we not start to think of IRC as a place only for the bad? Next thing and you'll have the RIAA and MPAA trying to outlaw IRC (with an argument in the same context as BitTorrent.. 'it can, therefore it is').
Hey Tom... I think I know you from somewhere....
To Joe Computer User, looking at a URL that says something other than http://www.google.com/ might be considered "nitty-gritty." Just like to a heart surgeon picking the right knife to make that first cut with might seem to make perfect sense, I wouldn't have a clue what to do.
What?
Comment removed based on user account deletion
i find it amazing that with all the spam and viruses that spread through email, that people still trust it.
to strip out all HTML from email. I don't want my webpages on port 25,
And what is wrong with sending formatted text as email? Maybe all the HTML email you get is spam, but people actually use HTML email for real work (messages including tables, images, etc.). HTML email sure beats Microsoft Word attachments, which is what people would be using otherwise.
With a decent mail reader, this is not a problem either, since they disable remote images and render HTML in a way that prevents phishing attacks.
If we could replace most Word attachments with HTML mail messages, the world would be a lot better off.
and when was the last time someone stole your account information?
:-)
they haven't?
must mean it is working!
How is that "interesting" and not "-1 clueless?"
Communism did not work. Period. That's why it failed. It was our "way of life" because the alternative way of life was taken away. It was destroyed because it failed miserably. Actually, it destroyed itself. Yes, US probably helped (though proving it is hard), but the core reason why communism failed were its own inadequacies: if you destroy economic incentives, you are going downhill and there is no way around it. It does not necessarily mean the collapse of the system - you can vegetate for years on the substistence level (Cuba) or below it (North Korea). If you really helped us destroying our old way of life - big thank you, I am deeply grateful that you did so.
I don't believe the phrasing 'know exactly how [insert item] works' was ever used ... but I shouldn't have to read anything and understand before repying should I? (OK ... I'll stop being a troll/flamebait and answer the questions)
Should everyone who doesn't have a medical degree and fully understand the human body avoid medical care?
No ... but they should not blame the doctor when they don't make any effort whatsoever to educate themselves, when they don't read literature given them or follow instructions given to them by their doctor. Who's generally healthier ... those who take time to understand something about the (their) human body and to provide for it properly or those who don't?
Should everyone who doesn't fully understand the intricacies of their local, regional and national economies not participate in them?
No .. but when things do not go as they expected, then maybe they will pay more attention.
Sure ... many of us don't read the manual when picking up a new gadget, but if I don't ... I accept the consequences that come with that behavior. I agree that things should be generally easy/intuitive to use. I also understand that I am ultimately responsible for myself, my accounts, information and property. Things may happen, out of my control, but that doesn't mean I should just give up and blame someone else for not making it 'easy enough'. More and more, people are looking to blame someone else for what went wrong and seeking some sort of 'insurance' so that they don't have to 'worry' about it.
I'm not saying that those that get phished 'deserve it'. I'm saying those that educate themselves some, are less likely to get phished than others.
Que Deus te de em dobro o que me desejas
[May God give you double that which you wish for me]
Communism did not work. Period.
So I guess you prefer the Absolutist way?
Here's the apple: Communist Russia was one of the global super-powers. You are suggesting they got to that status by using a flawed system of government? It's views like yours that START COLD WARS.
The only flaw in Communism is that it can be corrupted and the greedy. But the same can be said about capitalism and democracy.
The dangers of knowledge trigger emotional distress in human beings.
I see plenty of comments qualifying people who fall for these scams as "stupid people", "being ignorant by choice" or worse. I think we should remember a few things here:
Recently, there's a new, similar scam going on where I live: it's kind of real-world fishing. People install small cameras on those ATMs, and they glue little pass-through card readers on top of the slot where you insert the card. If you use such an ATM to get money, they can read out your card data using the reader and get your pin code using the camera. These things are made in such a way that they "blend" into the ATMs interface and look like they were actually part of the ATM. Do you honestly believe that you would notice this? Do you even think of checking for something like this before getting money? Do you think that everyone should know how the different ATMs look so that they notice it when such a device is installed on them? No? Then why do you expect non-geeks to be able to discern a real mail from Pay Pal from a scam mail? Legitimate mails from many money-related web sites contain clickable links.
Even if you accept that it's the person's own fault if he gives his data to a scam artist, you should grok that you simply can't solve the problem by educating people. That's simply impossible. This is a problem that must be solved using technology. Banks should sign their mails, and mail apps should clearly notify you if a mail is not from where it purports to be. Maybe it shouldn't let the user click on links if the user doesn't have the public key for the mail. Maybe there are entirely different solutions for this problem. But one thing is clear: Educating people won't work, no matter whose fault it is.
Oh, you're mistaken. Our unemployment is higher because we actually KEEP TRACK of people not working. ;-)
Tom
[I'm just messing around here, no "wanna fight about it" please...]
Someday, I'll have a real sig.
mod CptTripps up, not OT. what does cold soldering have to do with phishing? that makes no sense. just pointing out that a large portion of phishers come from romania, that doesn't mean that every romaninan is being singled out.
I saw it on Slashdot, it must be true!
In Germany (doing an exchange year here), it seems to be different though. Most banks seems to use a system with one-time (paper) codes. Less security indeed - the one time codes don't have password protection on them...
I have a really elegant proof for Fermat's last theorem. If this sig was only a bit longer...
There's a much easier method (which I haven't seen anyone discuss, and which I describe on http://poromenos.blogspot.com/2005/06/authenticati on.html. It involves PGP/GPG to authenticate a user without having them send their password over the wire. It more or less involves the user just signing a random number the site gives him and sending it back to the server. The server then knows beyond a doubt that the person is the one whose public key they have, and the phisher can't steal their password (the person would know they're not supposed to give the password to any sites or anyone except PGP/GPG). Even if they stole one hash, it's still useless.
Send email from the afterlife! Write your e-will at Dead Man's Switch.
I got a phishing attack today. They ask me to log in to https://www.paypal.com/ Note the extra s. Non-obviously, it's fake. How does this redirection work?
Thing is, although there's plenty of that stuff around, not everyone gets it. Until a year ago I received no spam whatsoever, and I have yet to receive a mail virus. As for phishing, I just received my first one today.
There are plenty of people who'se inbox isn't totally bogged down and corrupted. It's those that still trust email.
Jw
Phish email schemes would not succeed if braindead email programs reported the ACTUAL source of the email, instead of the meaningless From line in the body of the email. If you knew that the source of the email you received was dialup.158.97.202.fai.ro and not accounting.citibank.com, wouldn't you be a tad more suspicious? Its in the headers. SPF would work for well-known sites, although changing one character in a domain name can still get by that.
Intron: the portion of DNA which expresses nothing useful.
How do you know they would still have collapsed if they weren't busy fighting an underground war and overt big-weapon contest?
I am trolling
Cuba is "vegetating" at a better level than the countries around it, and that's with an enormous embargo in place.
I am trolling
This scam is huge. It got me. Not sure if you'd call it phishing, maybe just unscrupulous activity by the shopping cart provider, but this will rob you just by supplying an email address. http://adam.rosi-kessel.org/weblog/the_man/webloya lty_aka_wli_reservations_is_a_scam.html
I purchased movie tickets from Fandango.com two years ago. Evidently a popup appeared after my transaction offering a discount for filling in a survey (must have been using the girlfriend's Windows box w/ IE). I gave my disposable email address and that became authorization to start charging me a monthly fee. I did not provide my credit card number, other than to Fandango to buy movie tickets. Fandango was nice enough to forward my credit card to this company Reservation Rewards aka Webloyalty. That's all it took.
Read the link above. It's unbelievable that this kind of thing could happen, but these crooks are operating to this date. They have quite a few other names. I've called, complained, and in theory I'm getting completely refunded. When/if I do, I'm going to contest the last two monthly charges ($7 each) and see if I can make them eat a service charge. Just getting my money back wouldn't be enough because probably only a small percent catch what this company does, and those who do may not catch it quickly. If you're the type who doesn't scrutinize your debit card transaction statements, they might be robbing you. At $7 per month, this amount is small enough that it could fly below the radar.
I wonder if http://www.webloyalty.com/ could withstand the slashdot effect? These people need it bad.
I received a very clever phishing email the other day. It was good enough to make one want to click the link and make sure everything was OK. I receive lots of email from the "admins" of eBay concerned that someone is using my account nefariously. Those are always bogus, so not a problem. This one, however, had the following text (I saved it cause it was that good :):
"Dear eBay member, Yes, i can ship to your location, and i accept escrow for payment.
Thank you,cowboyup618"
Then, in a boxed message there was a button with the text "Please respond to the question on eBay by clicking the button below. You'll have the option to display your response directly on the listing."
If you notice, this simple message looks like it was from a seller and he had a bid from me. If I were an active bidder on eBay, I would be concerned that I had won a bid that I had forgotten about. It would be very easy for someone in this position to click on the button.
As phishing emails go, it was a pretty good try.
The NSA: The only part of the US government that actually listens.
"Hello, I am a Nigerian 'phishing' hacker who steals money. But I have no way to withdraw the money from the accounts I've collected. I will give you an account number containing $50,000 in exchange for $1000 pre-paid into my account. Once I verify the money is in my account, you will receive instructions for how to access the $50,000."
E pluribus unum
Sorry replying to stupid people make my brain hurt and do stupid things.
And im a Physicist not a damned dirty Writer.
Huh? All you need to do is write a cgi script that grabs the random number from a bank login page and displays it as part of a fake login page, then uses the response the mark puts in while redirecting them to a "failed" page.
I am trolling
What if I told you that those semester long courses wouldn't teach you jack shit? Or you would be left behind quicker then you raise youre hand.
I don't quite think so ... to quote ... from the original reply ...
It's just like the occasional garage or two that will break or "fix" additional things to raise up the bill just because the average car user doesn't know **** about how a car works let alone the current state of their car.
Being ignorant by choice is not intelligent. Sure you can't learn everything there is but honestly how much training does it take to learn how to use a web browser effectively [e.g. learn how to properly login to a website and check a CA cert]....?
I don't see anyting about it being the owner's faultseem to want to flag me as advocating ignorance
I never said people shouldn't learn something. I'm simply saying that it's not reasonable to blame the average person for not knowing everything about topic X.
See .. that's the issue though ... everyone is worrying about 'blame' (or not worrying/acting on something at all), instead of their own accountability, actions and the final results. That's why we vote against candidates instead of for them. That's why folks don't actually take time to learn something and be responsible themselves. That's why people pay for rental car insurance even though their company credit card already covers that.
It's also about "I don't have time for that" syndrome. I had a faculty member tell me that the other day ... and "that" was going through a proper security measure to secure his data. Guess what ... if you admit you don't have time for it and you have been given the opportunity .. you still maybe don't 'deserve' to get phished or cracked ... but it's a lot likelier to happen. I think that's what the original post you were replying to meant.
We don't have time to learn about everything. But this is obviously a big enough issue in our society. If you choose to ignore it and not edcuate yourself ... well .. it was your choice.
Que Deus te de em dobro o que me desejas
[May God give you double that which you wish for me]
I don't think it is fair to just pick on the Romulans...wait a second...this isn't the STNG forum? What the hell are ROMANIANS anyway?
Interestingly, Derren Brown, a fellow specialising in psychological manipulation and stuff like that, did a stunt in a seaside resort (the clip isn't to be found at the link I gave unfortunately) where he 'simply' went up to people, asked them for directions to somewhere, and then asked them for their wallet/purse.
He was successful about 60% of the time (IIRC) and walked off with the person's cash. The victims all then stood about a little while later, wondering if something wasn't amiss, and then, realised something and chased Derren down (who had only sauntered a little distance down the road) to ask him if they hadn't given him their cash.
One poor chap was given his wallet back, and then Derren took it away from him again, there and then!
Don't be too sure that the internet is to blame. People have been conned in the real world since time began.
Corporation, n. An ingenious device for obtaining individual profit without individual responsibility. - Ambrose Bierce
much like the RSA device that updates a pass based on the time of day ...
....
a more primitive aproach is what my bank uses:
they gave me a sheet of 50 loooooong passwords that are used for transfers.
I can access my banking with one passwords, see transactions, or even generate a online only mastercard (up to $500) but any major xfers need the looong passwords, that are associated with a number
How the hell the parent got moderated as insiteful I don't know...
So those who don't know exactly how their highly-computerized car works should not operate one?
I haven't noticed many cases of car computers steering you into the path of oncoming traffic automatically. However, to operate a motor-vehicle in most countries they do tend to require this thing called a "license," for which you must first prove that you have an adequate amount of knowledge and training/experience in the use of said motor vehicle. Gee, imagine that.
Should everyone who doesn't have a medical degree and fully understand the human body avoid medical care
Well, if the internet were a passive receiving medium you could compare there. However as the internet is a bidirectional medium this would be more like saying that anyone who can get a checkup should also be able to whip out a scalpel and give the guy next door his vasectomy. Hmmm... I think doctors generally need licenses and training too.
Should everyone who doesn't fully understand the intricacies of their local, regional and national economies not participate in them?
To some extent this might be true. You can buy milk at the nearby store, but this doesn't mean you'd be well off to start your own store. Generally even if you do local regulations will help restrict you from doing anything that hurts people other than yourself, not so online...
Comment removed based on user account deletion
These are some other names Webloyalty operates under: Reservation Rewards, WalletShield, Travel Values Plus, and Buyer's Assurance. http://www.webloyalty.com/success_stories.asp These are some companies that they deal with: 1-800-flowers.com, americangreetings.com, classmates.com, coolsavings.com half.com (part of eBay), hotels.com, joann.com, kingsizedirect.com, lillianvernon.com, movietickets.com, myfamily.com, onetravel.com, orbitz.com, priceline.com, riverdeep.com, smartbargains.com, webstakes.com, Brylane Home, Chadwick's, Lane Bryant, MapBlast, MyLotto, MyPoints, SandBox, Time-Life, Walter Drake, ZDNet.
I hope no one has posted this yet, but The University of Phoenix Online now has a one year introductory course on phishing (along with 739 other degrees in great careers.) A Master's program will be introduced next year if there is enough interest!
"But officer, he just died. Sure, I did everything I could to speed the process, but he was going to die anyway."
I read the article with interest, hoping to find an account of how the Romanian teenagers organized themselves into a sofisticated network of phishers. Instead all I found was a reference about how the typical phisher is Romanian but without any explanation of how they arrived at this conclussion. So why Romanian? I guess it sounds exotic and that's enough to make it interesting. Another load of crap about chat rooms, following other articles with IRC==bad && foreigners==scary in the subject line. How about some info describing what level of sofistication can be achieved in a country where dial-up is the norm and moving out of the city means not having a landline at all, hence no Internet.
keyboard not found! press any key to continue...
It is just one country that imposes the embargo (eg. European countries trade with Cuba), but it sure is convenient have a scapegoat for the problems of the system. You also seem to be ignoring how much Soviet Union helped Cuba in the past.
No, no, and....no
There are limits. To drive a car, you need a license. To practice medicine, you need a license. To run a business, you need a license.
Same should be with a computer (IMHO).
Every phishing scam I've received has been either for a bank or service I've never used or sent to an account I've never used for the service in question. I rarely use eBay and when I do, I use an email address I reserve for that purpose only. I've never received a phishing email at that address, but I receive at least 10 a week at addresses I've never used at eBay. Same thing for PayPal. I've also received many for banks I've never heard of. At least they could try to target the scams a little better, like sending one for a service I actually use and to the email address I use for that service.
BTW, you should also add a fingerprint or retina scan.
authentication:
Something you know: Your password
Something you have: Your secret key
Something you are: Your fingerprint/retinal blood vessel pattern.
The technical aspects of security are not the problem. They've been solved many times in many ways long ago. The problem is getting people to follow good security practices.
It's not going to happen to me.
Even if it does, the consequences won't be that great.
It's too much trouble to protect myself.
Solve those problems and you'll have information security. Don't and you won't.
"Reality is that which, when you stop believing in it, it doesn't go away." - Philip K. Dick
How do you know they would have collapsed if they weren't waging an underground war and overt big-weapon contest?
I am trolling
Comment removed based on user account deletion
-notext-
Please, for the good of Humanity, vote Obama.
And yeah i use the product it beats the shit out of older soldering irons.
No it doesn't. The 'Cold Heat' iron passes current though the work, so it'll fry any solid-state electronics that you're trying to solder.
So those who don't know exactly how their highly-computerized car works should not operate one?
I don't know if you're noticed, but approximately everyone is a terrible driver. The world would be a better place if people understood at least a little about how their cars work.
Should everyone who doesn't have a medical degree and fully understand the human body avoid medical care?
You should know enough to not go to some quack. If Dr. Stupid tells you that he's going to remove your liver-bone and you just nod your head in agreement, then you are the victim of your own ignorance.
Should everyone who doesn't fully understand the intricacies of their local, regional and national economies not participate in them?
Maybe people should understand a little more than they do? Then, perhaps, the businesses of spammers wouldn't be sustained by people who actually buy their products.
Any other dumb questions?
Phishing is a job? Wow, finally a new sort of tech job and it is immediately shipped oversees.... can't even buy a break these days.
True. But one reason I don't drive is because I haven't yet gotten round to learning how to fix a car. I only use a computer because at least I know how to fix it when it gets borken (let's say, by reinstalling). OTOH when our cellphone breaks, I know the only fix is to buy a new one.
I'm a sci-fi vegan: I don't want the aliens to think we have as much right to live as the fried chickens we eat.
You're equating knowing how to drive well with knowing how your car works, and you have the nerve to call my questions dumb?
Although I doubt they would be able to deduce the algorithm, they would be able to perform a Man-in-the-middle attack and get the user to decrypt the bank's generated number and send it back to them, effectively logging them on.
Send email from the afterlife! Write your e-will at Dead Man's Switch.
Your money is fine until the banks and credit card companies give it to someone they are not supposed to. Security is the vendors responsibility.
They could provide you with endless measures to secure their systems. But because they are big and powerfull, they have convinced the people that they are the ones that have to "monitor their credit". Thats ridiculous!
When was the last time your bank or credit card company offered you special security features? Like the ability to restrict your account from access from WesternUnion. I never use that, so I would like to blacklist that from accessing my account. Some chance of that!
Or they could create a callback system that would ring your phone when a charge came through. Automated, it would say press one to approve and two to cancel. Three would say, this is a trusted vendor and you dont need to call me back for purchases made here.
Anyone wanna try to make their bank do that? Of course not. They dont have to do anything...Where else are you going to keep your money?
But that's distorting the argument a little bit. Having a working knowledge of something is not the same as being an expert in it.
No, you shouldn't be expected to know the slack of your timing chain, but you should know how to operate your wipers, turn signal, proper pressure of your tires, what the warning lights mean, road signs, etc.
Similarly, using a computer does not mean you need to know how to program a database, or set up an authentication relay to a secondary domain. But you should know the peripheral functions of the tools you use everyday. And you should be familiar with the safegaurds that ARE in place to protect you, imperfect as they may be. I don't think there is a way to prevent scamming other than educating the user (security holes are another matter entirely).
Slashdot: News for nerds. Stuff tha-- MICRO$OFT IS THE DEVIL!!1
It's probably more true to say that in many ways the way of life of Eastern European people has been largely unchanged over centuries - I dare say that under communism there were occasional sunny days, that people went to the beach, raised families and were sometimes happy, sometimes sad & stuff. What "democracy" has given Eastern Europe is the influence of the west and of companies who want to sell more mobile phones into emerging markets. Globalisation may be to the advantage of countries where labour is currently cheap & skills undervalued.
As far as "stealing from our grandparents" is concerned, this is simply a matter of the internet empowering petty criminals to operate internationally, same as it has empowered everyone else to operate internationally. That's what the article is about! The matter of Eastern European criminals preying on Western folks is simply explained by the fact that poorer Easter European criminals have more to gain and, because of the difficulties of international enforcement, less to lose than Western criminals.
Tell me: when a member of the Native American community steals your car, do you remark on the irony of that? Is that somehow like Black Elk's revenge?
[1] and under other feudal systems regionally
You're equating knowing how to drive well with knowing how your car works, and you have the nerve to call my questions dumb?
Precisely correct. I don't think I've ever known a very good driver who didn't also have a pretty good idea of how a car works. I realize that's only anecdotal evidence -- I also present some questions that, if people were able to answer, would lead to a better driving experience:
Why it it bad to 'ride' the brakes when descending a hill?
While slowing down (when approaching a stop light, etc.), is more fuel saved by shifting to neutral or leaving the car in gear?
How does ABS work?
What are the problems caused by under- or over-inflated tires?
There are a lot of reasons to know more about your car.
Here's the WebLoyalty online demo.. This is triggered after checkout from some other store. All the customer provides is an E-mail address, or at least a click on the big red button below the E-mail address form. Their credit card information is taken automatically from the previous transaction.
The key to WebLoyalty is that it's embedded in VirtualCart, a popular shopping cart program, and is on by default. It's quite possible for a merchant to be serving the WebLoyalty scam without even being aware of it. The merchant can't even turn it off directly. From the VirtualCart WebLoyalty FAQ:
And there you have it, the world's most successful phishing scam, run by a Harvard MBA.
If you need to sue those guys, look them up at the Secretary of State of Connecticut , web site, which has their real address and the names and addresses of the corporate officers. Their actual business name is "WebLoyalty.com, Inc."
Nodding like an idiot while your doctor or auto-mechanic baffles with his trades' jargon is one extreme. Garnering the knowledge of their trades is another.
A wise man questions what he does not understand and keeps his bullshit detector turned on...
Hell, my 70+ YO mom knows how to look at email headers and recognize bent URLs. It's not rocket science. I mean, if a chicken can learn to play the piano, why can't an old geezer remember to look at an email header?
Congratulations! You just re-invented two factor authentication! Of course, what you're proposing is nothing as elegant or simple as market leader RSA's SecurID solution
And a good number of banks offer the use of two-factor authentication to protect your money, including the mid-sized midwestern financial institution where I currently work.
---------
There is no try at jedinite.com
Yes, there are plenty of reasons to know more about how your car works. And exactly how does knowing the answer to any of the above questions keep you driving at or lower than the speed limit, maintaining a proper following distance, obeying all traffic signals, merging correctly in construction zones, and not driving on the sidewalk? I think you're confusing being an efficient driver with being a good one. Both are important, but one does not have the slightest thing to do with the other.
No, not at all. Step right in, drive with your parking brake on, don't ever change oil, etc. If the car fails, it's not your fault.
Should everyone who doesn't have a medical degree and fully understand the human body avoid medical care?
No, of course not! Go on, smoke your favorite cigarettes, eat whatever you like, drink as much as you want. If you get sick, it's not your fault.
Should everyone who doesn't fully understand the intricacies of their local, regional and national economies not participate in them?
Absolutely not! Vote for any candidate that appeals to you based on his looks or on the amount of advertisement he puts on TV without trying to understand his message. If the government fucks up it's not your fault.
See, it's your responsibility to learn at least the basics of how things work before you try to use them. After all, it's your own survival at stake.
You clearly didn't read the post I replied to. If you require verifying the recipient you need a full keyboard, not just a calculator. And it would quickly become too annoying for people to use.
I am trolling
It's their nearest and wealthiest potential trade partner. It does have a big impact.
I am trolling
I'd be quite surprised if the large banks in conjunction with large ISP's (and other owners of very big dynamically assigned IP address blocks) aren't doing this already. If nothing else, the phishers might start preferentially ignoring submissions from those IP blocks because of the likelyhood they contained poisoned data which would lite up a law enforcement alarms if ever used.
Comment removed based on user account deletion
The proposed scheme, along with all two factor authentication methods, only strengthen the identity of the visitor. Plus the scheme is overly complicated for the users-base. It would require them to do business from only one machine, and would cause problems with people accessing the sight through load-balanced proxies, or other configurations that result in a dynamically assigned IP address.
/ is a much better approach to the problem. It uses an encrypted image to prove the site is authentic. This way sites can protect their customers against phishing attacks.
The unique thing about this product is that because the sight's authenticity can be checked visually,it is much harder to trick the average person. Also, Acutrust does not require the user-base to install any special software it is 100% browser based.
Acutrust FAQ http://www.isblanket.com/services/online/acutrust/ faq/
What is needed is two-way authentication.
Acutrust http://www.isblanket.com/services/online/acutrust
that one's easy:
do not retrieve the challenge code
accept anything as a challenge code
newbie user logs in and it succeedes first try
it might cut a bit in victim numbers, but still
Artists against online scams http://www.aa419.org/
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
The Romani have already made a name for themselves.
And exactly how does knowing the answer to any of the above questions keep you driving at or lower than the speed limit, maintaining a proper following distance, obeying all traffic signals, merging correctly in construction zones, and not driving on the sidewalk? I think you're confusing being an efficient driver with being a good one.
You've just selected aspects of driving that don't show any overlap between "being a good driver" and "being an efficient driver". There are, however, lots of apsects that do show this overlap. For example, you shouldn't brake hard at the last second when coming up to an intersection. Doing so will (a) make people waiting at the intersection nervous because it's hard to determine your intentions, and (b) wear your brakes much faster.
There are other examples, too. People in areas with frequent flooding often stall or hydrolock their engines because they don't understand how intake and combustion work (so they'll try to ford a washed-out road or something; no pun intended.)
About adhering to the speed limit: I think you'll agree that staying around the speed limit is something a 'good' driver does, but it's also something an efficient driver does. Speed limits are typically close to the point where the efficiency of a car's engine and the aerodynamics of a car's body come into balance and the best fuel mileage is attained.
As for maintaining the proper following distance, I think it's pretty clear that people wouldn't gas-brake-gas-brake-gas-brake 15 feet behind the car in front of them if they knew that the material their pads and rotors are made from will last only a fraction as long as if they followed at a distance where they didn't need to use them.
The basic functioning of cars is really pretty simple. It's not a lot to ask to throw a few technical how-it-works questions on the written portion of the driver's exam.
Don't blame this sort of thing on computers. This kind of social engineering scam has been around forever. Old people are especially vulnerable. Little old ladies are talked into withdrawing their life's savings and handing it to a complete stranger in order to help apprehend a crook, only the would-be law enforcement agent never returns.
Gary Dunn
Open Slate Project
Would be so much more effective if they made a concerted effort. I receive 2 or 3 emails a day from people claiming to be ebay's account verification department or similar. Problem is they're all so different in appearance, from address, language and everything else - It's just laughable. Or maybe that's just me.
they just need to learn to delete and ignore their email, similar to how they would have walked away from the stranger on the street.
The main identifying feature that people use when someone would come up to them on the street is how they appear. How they come across to the person being targetted, which may be heavily based on first impressions.
If this looks legit, (just like an email might look legit) then the target may well think, "well, he looks like the right person", and hand over what is being asked for.
Then again, if they guy is standing there in the fake plastic glasses, big nose and moustache and the person still hands over the info, well, people still need to take responsibility for their actions.
Common sense isn't.
no you dont.
You wouldnt have it that you verify the recipient, just the amount.
So if you want to transfer $100 to someone, you would input 100 and some other number from the "I want to transfer money" page into the calculator and then the results back into the "I want to transfer money" page.
When the phishing site retrieves the random number, that random number would only be useable for the IP address that retrieved it (the phishing site web server) and would only be useable for a limited time period (i.e. 20 minutes).
Plus, as others said, you need to do another hash input when you want to transfer money to someone not on your "approved payees" list (or when you want to add someone to that list)
no they wouldnt, the hash value (and results typed in by the user) would time out and be useless very quickly. Plus (as others have said) you would need to use it again to transfer money to people not on your "approved payee" list (or to add people to that list)
This scheme wouldnt require any special software (the "calculator" would be a physical device with a number pad, small solar panel for power and small LCD display a bit like a typical 4-function calculator today) and everything else would be browser based.
And it wouldnt be locked to one machine. Basicly, when the bank gives you the random number to feed into the calculator, it associates that number in its database with the IP address of the machine that retrieved the login page. If the IP address it stored doesnt match with the IP address that submits the login form (or if the timeout of 20 minutes has elapsed since the login form was retrieved), it would reject the login.
Banks and credit card companies could do a much more effective job of faking the data - they can set up their own bogus accounts that are flagged as fraudulent, so when the phisher tries to spend the credit card at a store they get busted, or when they try to use a fake ATM card they get photographed and located (and the card gets eaten if it's the kind of machine that you put your card into.) At minimum, the phisher's transactions get rejected.
EBay and PayPal could do some of the same thing, though they don't have a mechanism to do more than trace the IP and mailing addresses of the perp. The IP address isn't very reliable, since it could easily be a zombie (though at least it can cut down on the less intelligent eBay phishers and help locate and blacklist some zombies.) Mailing address requires a bit more work for eBay to fake, and it's likely to be some maildrop somewhere, but they could do it.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
So? You just have to have the cgi script do what you want to (transfer $1000 to a numbered swiss account or whatever) automatically within the 20 minutes.
I am trolling
I'll be damned. After complaining to Webloyalty last week, I actually got a complete refund this morning ($175). I guess if you complain a little, they reimburse the last month, but if you're a real pain in the ass, they actually do the right thing and reimburse all charges--probably to keep that squeaky-clean image with BBB. I still think they need to be punished, but I'm not sure how...
The thing that gives most of these fishing emails away are the egregious spelling errors. I mean, I know the Citibank call center is run by sub-literate Indians these days but I at least expect their emails to be in English.
The BBC Money Program went on the trail of phishers and botnetters last week. Only they seemed to be in Russia. One guy phoned up the institution he was attacking taunting them about how he was out of reach in Russia.
Next thing he knew Scotland Yard and Russian Spetznatz troups were kicking his front door in, lobbing in a few stun grenades and restraining Ivan by standing on his throat. They didn't give details of how they tracked him down.
Hey anal twat, people use different phrasing, so just typing in the plain sentence without quotes (and avoiding boolianising like hell) does a reasonable job.
besides how often do you look past page ten anyhow?
Life is like a box of chocolates, you never know when your gonna get food poisoning.
I don't, but capitalist countries were fighting the same underground war and overt big-weapon contest and managed just fine with it. We even had enough resources lying around to waste them on big ass football stadiums and other such entertainment.
Do you even know anything about perl? -- AC Replying to Tom Christiansen post.
Webloyalty sent me an example survey/charge authorization as a Word document. I'd like to post it, or paste the text here, but haven't yet been able to copy the text. I may resort to manually transcribing it as a separate post. This particular example seems to make it pretty clear that your credit card information will be exchanged for your e-mail address and that opting out before 30 days will prevent the charges. So I guess if you pretend this is a brick-and-mortar store, it's like a store allowing parking lot vendors soliciting your e-mail address and presenting you with fine print saying that your e-mail address will be exhanged for your credit card number from the store you just walked out of. ............
I really don't see this as a service or convenience for the victim/customer. In general, when providing your email address (your junk email address at that), you don't expect that action to result in charges, just more spam for breast enlargement/penis enhancement/etc. To continue my analogy, it's like a business' land owner requiring them to allow parking lot salespeople hiding behind fine print to access their customer information. Not all web merchants (the brick and mortar store, in this example) are even aware of the agreement and are not aware that their customers' credit card information is being accessed like that. Apparently some are and share in the recurring revenue. ..................
To summarize, giving out your spam e-mail address after an online purchase is like giving your phone number to that ugly chick at the bar just to get her off your ass. Except that she doesn't have a cute friend (and she has herpes). They both have your phone number.
On second thought, this is Slashdot...we don't have social lives and meet actual chicks.
Here is the letter I just received:
We are sorry if you experienced concern about the Reservation Rewards membership offer as we strive to make our offer clear and informational to consumers. I have attached a copy of the offer page to demonstrate that we provided full disclosure of the offer details.
If you review the attached screenshot of the offer, you will see that we allow the consumer to make educated choices regarding the products and services they purchase. For this reason, we put the most significant details of our offer in a prominent location - immediately next to the acceptance button (so that a consumer will have those details in front of him or her before joining the service).
Moreover, we go an extra step and also require consumers to provide us their email address twice, to make them pause and take the time to read and understand our offer. To accept the Reservation Rewards trial membership registration we require a consumer to enter their email address into two required fields on the trial membership application page and then click the "Yes" button (see attached Exhibit One - this is the form of the page responded to). Immediately above the boxes where a consumer would enter their email address is the statement:
"By entering my email address and clicking YES, I have read and agree to the Offer Details and authorize Fandango to securely transfer my name, zip code and credit card information to Reservation Rewards for benefit processing."
The offer for a $10.00 Cash Back Award and a Reservation Rewards trial membership is meant as a bonus to Fandango's valued customers. Even if a consumer accepts the trial membership and then cancels the membership, the $10.00 Cash Back Award is still redeemable.
When a misunderstanding such as this one occurs, we willing to cancel the membership and provide a refund to the consumer as we have done for you. As you requested, your Reservation Rewards membership is cancelled and we have issued twenty-five refunds of $7.00 each for the membership fees incurred. These refunds should appear as credits in your account.
I hope this letter answers your questions about the Reservation Rewards offer and also assures you that there was no unauthorized billing to
In any case: shoot for simple outcomes. 'Funny' mods should cancel down mods. -25 on a single post is so obviously unfair that it really shouldn't happen.
Wikileaks, no DNS