Phishing Site Using Valid SSL Certificates
UnderAttack writes to tell us the Washington Post SecurityFix blog has an interesting article about a new and rather sophisticated phishing scheme. The email not only used the first few digits of the user's card number to look more plausible (even though the first part of the number is the same for all cards), but it also used a valid SSL certificate for its domain name.
Seriously. I remember in the early 90s, tv ads for banks that ended with "...and remember, our staff will never ask for your credit card number over the phone." I think people *eventually* got the message on that one. How long will it take online? Remember, unsolicited email that links to a website ready to take your credit card number is bullshit, mom.
Did people honestly think that their techniques were going to get worse rather than better?
Ryan - http://www.thecosmotron.com/
If you get scammed on the intarweb, your intarweb license should be revoked.
If they rely on misspellings, they'll only catch the dumb phishers. They're generally the ones that don't catch a lot of people anyway, or at least not anybody who doesn't deserve to be scammed.
Have you read my blog lately?
Proving once again the relative lack of worth of requiring SSL certificates to be signed. All it does is make a few companies rich.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
...and also why I hate html email and use pine as my mail client. Unfortunately, most people don't know enough to not click html links sent to their email account. As a result, this is especially worrisome because it looks legit.
Couldn't the SSL Certificate issuer just revoke the certificate of anyone using said certificate for malicious or illegal purposes? That would at least give some warning to users with a bad or unknown certificate message.
A better link, with more screenshots:
Phollow the Phlopping Phish
---- join dshield.org Distributed Intrusion Detec
Soon all the good ideas will be taken and I'll be stuck selling penis pills again. Ugh...
The Internet Storm Center did a write-up on this case including a hypothetical tale of Joe Sixpack trying to verify the phish, doing (almost) everything right -- typing in the address instead of clicking on the link, checking for an SSL certificate, checking who the cert is registered to, etc, and still getting caught.
The fatal flaw in the hypothetical course of action is trusting the non-standard domain name...but you can hardly blame Joe Sixpack for that one when so many financial institutions actually use one-off domains or partner sites. I was working on some phishing rules last year and counted something like 5 domains that Citibank used alone.
If I were the phisher, I'd ask for my money back - no-one cares about SSL certificates, so it probably won't make the phishing attempt any more successful!
The AACS key is NOT 0xF606EEFD628B1CA427BEA93A9CA9773F
These phishers are getting more and more sophisticated, but it's only a matter of time before they're caught. To get more sophisticated requires better services and equipment, which requires the phishers to either:
a) Give out their true information - name, address, etc, making for easier law enforcement tracking
b) Give out false information - which may buy them some time, but will only cause the bite taken out of their ass by law enforcement to be that much bigger.
Even still, Valid SSL certificates and whatnot don't mean shit against a true savvy user who knows better. Any user who actually reads the warnings by their banks/credit card companies/etc will know that said companies will never send emails asking for credit card information.
Frink: Nice try floyd, but you were designed for scrubbing, and scrubbing is what you shall do.
Beyond the cert saying the business was in Salt Lake City Utah, I don't really see how there was some big confidence broken here. The SSL cert was issued for "www.mountain-america.net". The bank in question is "www.mtnamerica.org". Whoever thinks that a signed SSL certificate is supposed to verify anything other than the person/entity asking for the cert is the same person who owns the domain is assuming waaaay too much.
In essence signed certs are only supposed to protect from a man-in-the-middle attack, not someone being fooled into going to a similarly named website. Why shouldn't I be able to get a signed cert for mountain-america.net if I own it? There's plenty of similarly named legit businesses that all have certs issued to them.
AccountKiller
1. Register the domain JFBVB.COM
2. On your own DNS servers create a record for EBAY.JFBVB.COM
3. Purchase a legit SSL certificate from RapidSSL on that domain for $69
4. Create your phishing site
5. (Illegally) profit!
Many people think that an SSL certificate somehow guarantees a trustful vendor. On the contrary, it simply guarantees that no one will view the information en route. The vendor can do whatever he wants with the information you send.
So what is the alternative? Self signing? I can see obvious holes in that approach. *Someone* has to do the due diligence to identify legit from illegit. And that due diligence has some cost associated with it so nobody is going to do it for free(1). So who does it? And who pays for it?
While not perfect, I'd argue that the current system works pretty darn well. Obviously, improvements in due diligence are needed but on the whole, I'd wager there is fairly low SSL cert fraud out there. I say that because this is the first incident ever being reported where an SSL cert was obtained illegitimately.
You make a statement that signed SSL certs are worthless. Perhaps they are and perhaps they aren't. But since you already stated your position; what, kind sir, is your alternative solution? If all of the companies doing SSL certs are "getting rich", do you think perhaps, that their work has value? I'd say so. Otherwise, they wouldn't be rich would they?
note (1) I realize there may be some ppl who will do it for free or "just because". But not on the scale needed for true due diligence.
No, but a lot of people still have the silly idea that phishing is only as sophisticated as it was 2 years ago, back when it was plaintext, full of misspellings, and sent you to an IP or a GeoCities page.
Back then, it was hard to imagine people getting fooled by the crude "Send me yore passwerd" level of "attacks" -- and yet people fell victim to it just the same. These days, they're polished enough that you basically have to assume any email that claims to be from your bank is forged, then examine it and try to prove otherwise.
Did people honestly think that their techniques were going to get worse rather than better?
Just... just reply to this... please put your credit card number in... come on. please. i need this.
For those who really do read the certificates on the sites they visit, this is not that big of a problem, but most people just look at the "padlock" symbol at the bottom of the web browser to assume they are secure, and this is now dangerous. Which makes me think something serious has broken down here: if someone can "fake" a certificate and no one raised a red flag from the authenticating server to the browser, then there is something wrong.
The fatal flaw in the hypothetical course of action is trusting the non-standard domain name...but you can hardly blame Joe Sixpack for that one when so many financial institutions actually use one-off domains or partner sites. I was working on some phishing rules last year and counted something like 5 domains that Citibank used alone.
I think you're absolutely right. The natural inclination of a lot of Slashdot users is to blame the idiot users. To a small degree that's true, but largely I think the banks are to blame here. The bank has decided to offer these services, but hasn't done a whole lot to protect its customers from fraud. There's very little way for Joe Sixpack to verify that the bank is who they say they are. I think banks are going to have to issue some kind of security device (smartcard perhaps) that both validates an encrypted connection to the bank, and verifies the user. Without that, these phishing attacks are only going to get worse.
AccountKiller
You have never truly had fun with the support staff at your bank/credit union/credit card/whatever until you have called and asked them to verify the thumbprint/fingerprint of their SSL cert for you.
Unfortunately, it looks like Geotrust lost this round, and it probably would be considered good practice to actually do that from time to time. For the truly paranoid, remove all root certificates, and only after verifying the thumbprint proceed to install that cert into your cache. No more trust hierarchy.
the ssl cert companies don't verify who you are, just who you say you are
they're in it for the buck. why would they go that extra mile when it just cuts into their bottom line?
vodka, straight up, thank you!
If ever there was a good case for launching a cyber-squatting suit, I think this would be it. I don't know who applied for mtnamerica.org, but mountain-america.net seems like a far better domain name. If you'd shown me both domain names, and I had no other info, I would have guessed that mountain-america.net was the legitimate address.
Hopefully, this case would be a slam-dunk for the credit union.
Free Software: Like love, it grows best when given away.
You think you've got it bad? I learned about Lagrange Points from slashdot comments. Blech.
But to get back on-topic, "the oldest trick in the book" only lasts so long before it has to be retired. This is just the next logical evolution in social engineering methodology. And it's not nice. I hope something will come along soon that will put a damper on it.
And hey, isn't the CA supposed to revoke certificates used for crime?
You know, if that SSL certificate traces back to a valid human, then you can arrest him/her for phishing and they've provided all your evidence for you.
It's like leaving your digitally signed confession at the scene of the crime. No CSI team needed. Only the crooks know the corresponding private key.
If you can't trace that certificate back to a valid human, then the CA needs to be beaten with a large stick.
...or maybe not.
after orders through MSN and my ISP. I have even less confidence for the last 4 digits of my account number. And my experience renting a car last year on a Sears Mastercard [through Citibank] when the card worked the first day but not the next, I have zero confidence in the lender (whose security department at the 800# told me that my account number was sequentially one of 100,000 whose information had been released.
--
Maybe we should all start using California mailing addresses as to be notified by consumer law.
It amazes me that people forget that a banks job is to protect your money.
The phisher in the end shouldn't be able to get any money from this.
The banks should have in place a system that secures your money much better than this. It reminds me of the wild west where banks were robbed all the time.
Like, why do the retailers have to protect the banks? Why do they have to ask for ID when you already presented a valid banking card to them? Is this system insecure? Yes, and that's why they ask for ID. WTF?
People should consider this the same as a bank getting robbed over and over. If the banks got enough bad press from this then maybe they would do something about it.
But never forget, this is not money, it's currency backed by nothing of value and could become worthless in a day. People have been trying to tell you this for years, but you people won't read any simple banker history, it's too boring.
http://www.apfn.net/Doc-100_bankruptcy13.htm
http://www.federal-reserve.net/
http://www.converge.org.nz/pirm/fr_paul.htm
http://batr.org/verity/id6.html
Thank goodness that GoodLink will save us all!
Let's solve the spam/phishing problem by throwing large amounts of money at a technical problem.
I open and respond to every email that has my name in it.
Back to the shadows I go.
You mean people would never give out credit card numbers, when asked over the phone? I think you place too much faith in humanity.
Most people would agree it's stupid, and fewer people will behave stupid after an education campaign (or after being bitten in the ass). Scam artists may not bother anymore with a certain method. But not because it wouldn't work; but because they've moved onto easier methods, methods that (these days) give them more return for their effort.
For the same reason, e-mails with attachments like "Anna Kournikova.jpg.pif" will keep getting clicked on. You may think it's silly, but there's a new sucker born every day. And I'm sure it'll be like deja vu all over again once it makes the homepage of digg three more times, only with slightly different titles.
It's like sex, except I'm having it!
My question is: Did these dogs give equifax enough information for the cops to have some hope of tracking them down? I'm guessing that at least some of this information is faked, but if there's nothing here that the cops can use, then the identity information in SSL certificates is less than worthless.
Free Software: Like love, it grows best when given away.
Tom Liston, a handler at SANS ISC well known for his various takes on Malware problems has a good take on this entitled Phollow the Phlopping Phish on the ISC Handler diary. Covers what it looks like to a user, and why it all falls down.
To add to this craziness, the culprits behind these accomplishments, in this case certificate hacking of all things, are brilliant enough to get ultra-high paying jobs and hire a nude secretary. With this new age of cyber-terrorism threats, I gotta side with the pro-hacker mantras claiming that they help the world by exposing threats with mostly benign things like pbrushing a hitler mustache on Bush before the real bad guys, the ones who have similar high levels of expertise [though in bombs], figure out the holes. High five, 31337-speakers.
Do browsers check revocation lists? I didn't think so. Without reference to a revocation list, there is no way to tell if a cert has been revoked. It is either signed by a recognized authority or it isn't.
-matthew
"THERE IS NO JUSTICE, THERE IS ONLY ME." -Death
(If someone is using a weak algorithm and a weak key, especially if the key is not random but based on knowable information, then it may be possible for someone with sufficient computing power to calculate a key that is functionally identical to the original.)
Signed certificates are fine, but they have to be done right, where "right" is in such a way that both the certifier and the certified can 100% guarantee that the certificate is utterly, unconditionally, totally proof against any viable attack. (I'll define "viable" as anything on-par with a full-scale quantum computer, or launching a full-scale military assault on the certificate holder and the signer(s).)
In my books, this would really require a web of trust, extremely tough security on all computers holding ANY data that could be used to derive part of the key used for signing OR be used to re-generate that key, plus a high level of validation at all points in the sequence. A "web of trust" is only valid if 66% + 1 of all members are absolutely on the level, as proven by the Byzantine Generals Problem. Tough security would ideally mean that commercially sensitive data of that kind could not be accessed remotely at all and could neither be read nor written to directly by any user. The user doesn't need direct access to anything, they only need to call processes that can generate signatures and sign things. The actual data should be completely invisible to them. Further, the information used to generate keys should be purely random, no pseudorandom bullshit, and should not be retained. Further, the signee's Internet-connected machine should have mandatory access controls such that the certificate cannot be accessed by anything - anything at all - other than the code that is used to establish and maintain the secure connection.
In practice, checks are all but non-existent. I believe one phisher was able to get hold of Microsoft's signing keys from Verisign at one point. To do so would require a total absence of security at so many levels. (Why on earth would you want 'cp' to have permission to read a key file, for a start?) Since that time, so many more signers have materialized, and it is doubtful in the extreme that even a fraction of those have any meaningful security policy at all.
Oh, and to top it all off, signature schemes are a one-way relationship. There is currently no way of taking a certificate that has the correct information in it, and signed by a valid signer, to determine if the correct signer has signed the certificate. The web of trust needs bi-directional links, to prove the complete relationship. I do not believe that there is any trivial way to do this with existing protocols and I'm 99% certain none of the certificate authorities provide a validation mechanism by which you could perform the check, even if you could implement one.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Doesn't this have antiphishing with the address bar going red or blue or something to alert you to phishing? Has anyone tried to access this site with ie7?
I am just curious as to how ie7, which is supposed to be more effective at preventing phishing attacks with its "Check this site for phishing activity" would still work as effectively with the SSL cert being genuine.
Can someone quickly answer the following? 1) Why shouldn't you click HTML links, in general? 2) Why can't the certificate be revoked, since it is being used for fraudulent purposes? Thanks!
From the article: arrives in an HTML-based e-mail. When will people learn to REJECT HTML-based e-mail messages without exception? How many of these schemes do we need until everybody understands that there is something badly wrong with HTML-encoded mail messages?
so digg is kind of like slashdot, but with a bunch of dupes?
Badass Resumes
Just don't give the bank your email address; this eliminates the problem of having to tell real emails from fake. If the bank forces you to give an email address, just make one up. I kind of feel sorry for all the email being sent to Miky@disney.com
Do browsers check revocation lists? I didn't think so
Yes. At least IE does. It slows things down if you're on an isolated network, so it's one of the first things I turn off on those machines.
you must be new here.
Badass Resumes
SSL doesn't prevent phishing. A signed SSL cert from a trusted Certificate Authority only assures the user that the information passing between the user and the domain is encrypted. SSL can't tell you if a site is "real" or not.
you say, eventually an old trick has to stop being used, I say read the following
http://www.historybuff.com/library/refbarnum.html
every day http://en.wikipedia.org/wiki/Special:Random
SSL certs are great for end-to-end encryption. They are not good for authentication, because people don't usually check on the certificate - however, here even a check wouldn't have done any good. I only buy SSL certs because people don't like the extra confirmation dialogue that comes with self-signed ones.
See also this ISC piece.
"It doesn't cost enough, and it makes too much sense."
They have your phone number.
They have your address.
They can send you a letter, they can call your phone. And their phishing rate would drop to almost zero.
Recently someone tried to send me an HTML-encoded mail message. The sender address was author@osti.gov. OSTI is an office of the Department Of Energy (DOE). Not just the crooks send HTML-encoded mail messages. The best thing was the name of the machine from where the mail was sent: dilbert.osti.gov !
Say no to HTML-encoded mail messages.
Touché, my friend. I knew it after I posted it that I'd get nailed on that one. But still - including all of the google searches you can do, SSL cert fraud ranks fairly low in terms of numbers. If you are objective about it, there just aren't a lot of cases where this happens.
I still go back to my original post. The system works fairly well right now so the GP posters suggestion that they are 'only getting rich' is not quite valid.
That was beautiful. I'd save your post, but without the context it would be less funny.
Have you ever tried this? I haven't had the nerve. Imagining that phone call is funny but the issue is real. The absence of a way to verify thumbprints is a procedural hole as gross as the fact that browsers don't check for revocation by default.
As a compromise, for a few critical sites I keep track of the thumbprint and see whether it's changed.
you spelled 'intarweb' right both times.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
Stupid M$ making insecure, buggy software. It's supposed to know if it is a phishing site via the Artificial Intelligence kernel module.
But if they do that, then a whole bunch of certs immediately become untrusted, because those certs only have one signature: Equifax.
OpenPGP is better. In a world ruled by OpenPGP instead of X.509, people would go into their databases and set their "how much I trust Equifax" to a lower setting. Then if someone's identity was only certified by Equifax, they'd start to look iffy, but if someone has been certified by many CAs (in addition to Equifax), they'd still look ok.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
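The OpenPGP-style trust calculation the comment above argues for, as an added example (not code from the comment or from any OpenPGP implementation): the GnuPG-like weights of full = 1 and marginal = 1/3, the validity threshold of 1, and the constructed sample keys are assumptions.

```python
from fractions import Fraction

# Constructed assumption: GnuPG-style owner trust weights. A key is "valid"
# once the certifications it carries from trusted introducers sum to >= 1,
# "marginal" if the sum is positive but below 1, and "unknown" otherwise.
TRUST_WEIGHT = {"full": Fraction(1), "marginal": Fraction(1, 3), "none": Fraction(0)}


class TrustDatabase:
    """The user's own trust settings for introducers (CAs), OpenPGP style."""

    def __init__(self, owner_trust):
        self.owner_trust = dict(owner_trust)  # introducer -> "full" | "marginal" | "none"

    def set_trust(self, introducer, level):
        if level not in TRUST_WEIGHT:
            raise ValueError(f"unknown trust level {level!r}")
        self.owner_trust[introducer] = level

    def validity(self, certified_by):
        """Validity of a key given the introducers that certified it.
        Duplicate certifications from one introducer count once."""
        score = sum(TRUST_WEIGHT[self.owner_trust.get(ca, "none")] for ca in set(certified_by))
        if score >= 1:
            return "valid"
        return "marginal" if score > 0 else "unknown"


def lowering_equifax_demo():
    """Replays the comment's scenario with constructed sample keys."""
    db = TrustDatabase({"Equifax": "full", "VeriSign": "full", "Thawte": "full"})
    only_equifax = ["Equifax"]
    multi_ca = ["Equifax", "VeriSign", "Thawte"]
    before = (db.validity(only_equifax), db.validity(multi_ca))
    # The user learns Equifax certified a phisher's domain and dials its trust down.
    db.set_trust("Equifax", "marginal")
    after = (db.validity(only_equifax), db.validity(multi_ca))
    # Contrast with a single-signature X.509 chain: the only options there are
    # keeping Equifax fully trusted or dropping every Equifax-only cert at once.
    return before, after
```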
*shrug* it only needs to be retired until people forget about it, then it can make a comeback.
:)
Sort of like Pauly Shore, except more evil.
do you enjoy talking to yourself?
The biggest problem is the airbag factor. The more and more foolproof stuff gets, the more people rely on it and get caught unawares. People are more likely to drive like maniacs if they have a vehicle with airbags and ABS brakes than if they have one without. The AOL generation of internet users, whether using AOL or any of the mainstream services that try to mimic AOL to steal sales, are the ones who know nothing about the internet apart from a few anecdotal tips. Look at the "only open attachments from someone you know" teaching that went the rounds 5 or 10 years ago. Virus makers then wrote code to steal e-mail addresses from your contact list. Not because they were short on e-mail addys. They knew that's what mainstream e-mail users were being taught. Now everyone has the "if it has the lock, it's legit" thing in their head. Never mind checking the URL. Heck, how many people even have the address bar at the top of their browser? Many people have Yahoo as their homepage and type www.google.com in the search box... But checking a domain name? Knowing what a domain name is? That's too complicated for joe.public to comprehend. I don't know much about cars. But I know what makes them work, and I know how to check fluids and top them up. And I can replace windshield wipers and headlamps. And I know what the roadsigns mean and why they are there. The average computer user in 2006 just puts the thing in D and hits the gas.
Phishing scams have been using SSL in attacks since 2004. Last year Netcraft identified more than 450 phishing attacks that used SSL certificates in one form or another. However, the tactics seen in the Mountain America attack are more sophisticated than previous attempts. In many previous attacks the phishing crews have used an https URL with an SSL cert they know will trigger a browser alert, banking on the likelihood that many users will trust the padlock and ignore the certificate. This one is designed to fool more sophisticated users who actually check the certificate.
RichM
Data Center Knowledge
IE used to have a bug where they would check the revocation list for every domain except microsoft.com. Worked well until someone walked into VeriSign's office one day impersonating Microsoft and walked out with several signed certs for microsoft.com. Hee hee. I don't know when MS fixed this, but as I recall they weren't in a big hurry to issue a patch.
The main reason for a signed cert is for you to be sure the person presenting the cert is who he says he is. The cert issuing companies are supposed to do due diligence and investigate that the person requesting the cert actually represents the organization that is seeking the certificate. So if I try to set up a website called schwabb.com (note the misspelling of Schwab), try to pass it off as "Charles Schwabb" (sic), and try to get a signed certificate for it, Verisign (or whoever) is supposed to make sure I'm not trying to misrepresent myself as being part of Charles Schwab.
You can purchase a signed cert for JFBVB and create the subdomain site EBAY.JFBVB.COM, but the cert will say, "EBAY.JFBVB.COM". It won't say "eBay.com". I don't care what the website says, if the cert doesn't say the correct name of the company, I'm not buying.
The problem illustrated by the Washington Post article is that some CA's aren't doing their due-diligence; and issuing certs to phishers who are claiming to be from organizations they're not part of. That creates a credibility problem for certificate authorities and undermines the whole "trust" nature of the certificate system. They probably got away with it in this case because Mountain America is a small bank -- hopefully Chase Manhattan or Citibank certs get more scrutiny. But this should ring every CA's alarm bells.
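What the comment's "if the cert doesn't say the correct name of the company, I'm not buying" check looks like in code, as an added example (not from the comment or from any browser's code base): the matching rules follow the RFC 6125 conventions browsers apply, and the certificate names are constructed from the cases discussed in this thread.

```python
def _wildcard_matches(pattern, host):
    """'*.example.net' matches exactly one extra label: a.example.net, but not
    a.b.example.net and not example.net. A '*' inside a label is rejected."""
    if not pattern.startswith("*.") or "*" in pattern[2:]:
        return False
    suffix = pattern[2:]
    host_labels = host.split(".")
    # Require at least two labels after the wildcard so "*.com" never matches.
    if suffix.count(".") < 1 or len(host_labels) < 3:
        return False
    return ".".join(host_labels[1:]) == suffix


def hostname_matches(cert_names, expected_host):
    """True if one of the certificate's names identifies expected_host.
    Comparison is case-insensitive (EBAY.JFBVB.COM == ebay.jfbvb.com)."""
    host = expected_host.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if "*" in name:
            if _wildcard_matches(name, host):
                return True
        elif name == host:
            return True
    return False


def names_from_cert(subject_cn, subject_alt_names=()):
    """Clients use the dNSName SANs and fall back to the CN only when there are none."""
    return list(subject_alt_names) if subject_alt_names else [subject_cn]


def check_bank_site(expected_host, subject_cn, subject_alt_names=()):
    """The check the comment describes: does the cert name the host I meant to visit?"""
    return hostname_matches(names_from_cert(subject_cn, subject_alt_names), expected_host)
```

The cert in the story passes this check for www.mountain-america.net and fails it for www.mtnamerica.org, which is exactly the comment's point: the cert is genuine, it just is not the bank's.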
Basically, the email addresses attached to these phishing scams are one of 3 things:
1. An address coming from a domain name owned by the target (i.e. bank etc)
2. An address coming from a domain name that looks like it's owned by the target (e.g. www.paypalsupport.com)
or 3. Something totally unrelated to the bank
If everyone (both the phishing targets and the email providers) implemented GOOD SPF record checking, it should stop point 1
Point 2 can be stopped by enforcing the trademark and forcing the domain name to be handed over to the trademark owner (who can then enforce SPF on it)
It won't stop all phishing scams (i.e. those that come from or something like that) but it will certainly help.
Unfortunately, even the biggest phishing targets like amazon, ebay, paypal etc don't implement proper SPF records that say "These machines are the only machines to send email for this domain" (they implement a default "permit all" and not a default "deny all" unfortunately)
Also, banks need to actually implement better security, if banks had decent security, phishing would be useless.
Here is a security model that would be very difficult for a phisher to defeat:
You open the webpage of your bank and go to the login page. The bank's computers then calculate a random number and store it along with the IP address that made the request. The login webpage displays a box for the username, a box for the password and another box for a hash. You enter the random number the bank computer generated into a little calculator-like device that contains another random number generated by the bank and stored in the bank's computers as well as the device. Then, the device uses a hash algorithm (one designed so that there is no value of that will result in an output value of or that if one exists, it is different for each value of ) to combine the login page number and the stored number.
The result is entered into the login page along with the username and password.
The bank then pulls the secret device number from its database and checks that the hash matches. Also, if the IP address of the machine making the requests to the bank's webpages doesn't match the IP stored alongside the session ID, it will assume it's fake and terminate.
Now, when you want to transfer money to someone not on your "approved payee" list or add someone to your "approved payee" list, you get another random hash which you have to enter into the little calculator. To prevent the phisher from simply tricking you into typing this second hash in (i.e. transferring all your money to them instead of transferring the amount you wanted to transfer to who you wanted to transfer it to), you would have to enter the amount being transferred into the calculator device too, with it being used as part of the hash.
Anyone who is dumb enough to press "Funds Transfer" then doesn't deserve to be using a computer, much less the internet.
A big education campaign by the banks would help too. For example, include a pamphlet with the next bank statement or other junk mail that gives a clear warning about phishing scams and to never ever trust any email pretending to be from the bank no matter what. Also it would tell you to change your password or contact your bank if you think you have been hacked or phished.
If the pamphlet said in big bold letters something like "Warning: Your money could be at risk from hackers, read this to find out how to prevent it" and was sent out to every bank customer (or every bank customer with online banking enabled on their account), people would probably read it.
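An added example, not from the comment above, of why a "permit all" SPF record leaves point 1 open: a minimal evaluator (assumption: only the ip4, ip6 and all mechanisms are handled; include, a, mx and exists need DNS lookups and are skipped) run over two constructed records for a hypothetical bank domain and two constructed sender addresses.

```python
import ipaddress

# SPF qualifiers (RFC 7208); "+" is implied when a mechanism carries none.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Return the SPF result for a sending IP against a published record.
    Assumption: only ip4/ip6/all are evaluated; DNS-based mechanisms are skipped."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no usable record: the receiver can conclude nothing
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)  # bare address means /32 or /128
            except ValueError:
                return "permerror"
            if net.version == ip.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"  # fell off the end without matching anything


def should_reject(record, sender_ip):
    """Receiver policy: only a hard 'fail' justifies bouncing the message."""
    return evaluate_spf(record, sender_ip) == "fail"


# Constructed records. The first is the "these machines are the only senders"
# record the comment asks for; the second is the default-permit record it
# complains about. Both addresses are documentation ranges, not real hosts.
BANK_STRICT = "v=spf1 ip4:203.0.113.0/24 -all"
BANK_PERMISSIVE = "v=spf1 ip4:203.0.113.0/24 +all"
LEGIT_MAIL_SERVER = "203.0.113.25"  # inside the bank's published range
PHISHER_HOST = "198.51.100.7"       # anywhere else on the net


def spf_comparison():
    """Which of the four sender/record combinations a receiver would bounce."""
    return {
        "strict/legit": should_reject(BANK_STRICT, LEGIT_MAIL_SERVER),
        "strict/phisher": should_reject(BANK_STRICT, PHISHER_HOST),
        "permissive/legit": should_reject(BANK_PERMISSIVE, LEGIT_MAIL_SERVER),
        "permissive/phisher": should_reject(BANK_PERMISSIVE, PHISHER_HOST),
    }
```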
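The challenge/response login and the transaction-bound second code that the comment sketches, as an added example (not the comment's design in code, nor any bank's): HMAC-SHA256 stands in for the unspecified hash, the response is truncated to 8 hex digits so it can be typed, the password box is left out, and all secrets, addresses, amounts and payees are constructed.

```python
import hashlib
import hmac
import secrets


class Token:
    """The 'little calculator-like device'. It holds only the secret the bank also
    stored; its code depends on the challenge plus, for a transfer, the amount and
    payee the customer keys in by hand."""

    def __init__(self, device_secret):
        self.device_secret = device_secret

    def respond(self, challenge, amount="", payee=""):
        message = f"{challenge}|{amount}|{payee}".encode()
        digest = hmac.new(self.device_secret, message, hashlib.sha256).hexdigest()
        return digest[:8]  # assumption: 8 hex digits is short enough to type


class Bank:
    """Server side: challenges are random, single-use, stored per session and
    bound to the IP that started the session, as the comment proposes."""

    def __init__(self, device_secrets):
        self.device_secrets = device_secrets  # username -> device secret
        self.sessions = {}

    def _session(self, session_id, client_ip):
        s = self.sessions.get(session_id)
        if s is None or s["ip"] != client_ip:
            self.sessions.pop(session_id, None)  # IP mismatch: assume fake, terminate
            return None
        return s

    def _expected(self, s, challenge, amount="", payee=""):
        return Token(self.device_secrets[s["user"]]).respond(challenge, amount, payee)

    def start_login(self, user, client_ip):
        if user not in self.device_secrets:
            return None, None
        session_id, challenge = secrets.token_hex(8), secrets.token_hex(4)
        self.sessions[session_id] = {"user": user, "ip": client_ip, "challenge": challenge,
                                     "authenticated": False, "pending": None}
        return session_id, challenge

    def finish_login(self, session_id, response, client_ip):
        s = self._session(session_id, client_ip)
        if s is None or s["challenge"] is None:
            return False
        ok = hmac.compare_digest(self._expected(s, s["challenge"]), response)
        s["authenticated"], s["challenge"] = ok, None
        return ok

    def request_transfer(self, session_id, amount, payee, client_ip):
        s = self._session(session_id, client_ip)
        if s is None or not s["authenticated"]:
            return None
        challenge = secrets.token_hex(4)
        s["pending"] = (challenge, amount, payee)
        return challenge

    def confirm_transfer(self, session_id, response, client_ip):
        s = self._session(session_id, client_ip)
        if s is None or s["pending"] is None:
            return False
        challenge, amount, payee = s["pending"]
        s["pending"] = None
        # The bank hashes the amount and payee *it* was asked to move; the customer
        # hashed what they meant to send. Any tampering in between breaks the match.
        return hmac.compare_digest(self._expected(s, challenge, amount, payee), response)


def scenario():
    """Constructed run: an honest transfer, a replay of the session from another
    address, and a transfer whose amount and payee were altered on the way to the
    bank while still arriving from Joe's own address."""
    secret = secrets.token_bytes(16)
    bank, token, joe_ip = Bank({"joe": secret}), Token(secret), "192.0.2.10"
    sid, challenge = bank.start_login("joe", joe_ip)
    logged_in = bank.finish_login(sid, token.respond(challenge), joe_ip)
    c2 = bank.request_transfer(sid, "50.00", "landlord", joe_ip)
    honest = bank.confirm_transfer(sid, token.respond(c2, "50.00", "landlord"), joe_ip)
    # Same session id presented from a different address: refused and torn down.
    hijacked = bank.request_transfer(sid, "5000.00", "mule", "198.51.100.7")
    sid, challenge = bank.start_login("joe", joe_ip)
    bank.finish_login(sid, token.respond(challenge), joe_ip)
    # Joe is shown "50.00 to landlord" and keys that into the token, but the bank
    # received "5000.00 to mule": the codes disagree and nothing moves.
    c3 = bank.request_transfer(sid, "5000.00", "mule", joe_ip)
    phished = bank.confirm_transfer(sid, token.respond(c3, "50.00", "landlord"), joe_ip)
    return logged_in, honest, hijacked, phished
```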
I have nothing against Equifax, but I don't know them either. I don't know their policies, I don't know how they protect their signing key, and I don't know how they verify identities. Neither do you (well, ok, you know a little about their stated policies, because you RTFA). Neither does Joe Sixpack.
People are farming trust out to faceless strangers that they have never met. It's pretty insane when you think about it.
Who the hell is Equifax? Who is Verisign? Thawte? They're just names. I don't know anything about them, but somehow when I installed a web browser, it came with a database that says these companies should be trusted introducers. Why the web browser doesn't come with an empty database, I have no idea. Well, I'm lying, of course. I know why. Because people would stop and ask, "Hey should I trust Equifax?" and we don't want most people thinking about that. We just want them to buy stuff.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
- Open the preferences and go to "Advanced".
- Then click on "Security".
- Push the certificates button and then choose the "authorities" tab.
- Find equifax.
- Select all those entries.
- Push "edit", uncheck the checkboxes for each certificate.
Done, you no longer trust these folks.
You must be new here also
IIRC, the patch explicitly flagged those certs as bad, it probably still doesn't check microsoft.com for validity.
Not Meta-modding due to apathy.
It's not as funny if you post as AC.
an error i noticed in the story is about credit card numbers. they claim the first 5 digits are all the same for the bank. this is possible however highly unlikely unless the bank only offers one type of card.
now from my years of doing customer service i've learned a few things in how they are numbered, well at least visa and mastercard, amex is still a mystery to me.
the first number in all three is the type of card
3 == amex and diner's
4 == visa
5 == mastercard
the second number is the country code possibly
the last 2 digits are the bank code
the fifth number in the sequence is the start of the card type
so all of them aren't the same unless the bank only has one type of card and that's what they stick to, so it's possible but highly unlikely
You know, I hate hearing that anybody deserves the financial ruin that results from falling for one of these scams.
Well, there is more than one kind of "stupid."
Not knowing how to configure a router is one thing. Giving your financial information to a complete stranger that approaches you on the street is quite another.
It is not like it takes a degree to understand rules such as "If you get an email asking for your bank account number, don't respond to it." This is not difficult, computer-geeky stuff here. This is simple and basic stuff. This is the sort of stuff that anyone who is going to do business online should be smart enough to figure out.
So I will have to say that in this regard, people are being victimized by their own laziness.
If 80-year-old grandma can't figure this out because she is just too old, then she shouldn't be given a computer to bank on. If 25-year-old yuppie can't figure this out because he has made no effort to think logically or learn about the computers to which he is entrusting his financial information, then hopefully he will learn his lesson as he starts over.
Intelligence is important, and while not everyone should be expected to be brilliant, there is a base-line of it that one can reasonably expect from others. Those who make no effort to achieve that base-line are dangerous to themselves and to those around them, and as such they do deserve what they get.
Registrant:
Dugan, Gerald F
24 Tyler Road
Ithaca, NY 14850
US
Domain Name: MOUNTAIN-AMERICA.NET
Administrative Contact, Technical Contact:
Dugan, Gerald F geraldfdugan@yahoo.com
24 Tyler Road
Ithaca, NY 14850
US
607-257-2871
Record expires on 12-Feb-2007.
Record created on 12-Feb-2006.
Database last updated on 13-Feb-2006 21:46:44 EST.
Domain servers in listed order:
NS0.XNAME.ORG
NS1.XNAME.ORG 213.133.115.5
why are you looking at this?
With domain-verification-only certs (which are cheaper and easier to get) all that is checked is that you have access to the email address in the whois record, and you can put whatever information you like in there.
That may sound bad but I'm not sure there's any practical difference. I've seen full certs issued from big name certifiers to companies in all sorts of odd countries with documentation that was largely manufactured. It's just too hard for them to say no to the money.
...it will start offering account notifications by email based on triggers I set up like wire transfers and such. Great.
The problem with quotes on the internet, is that nobody bothers to check their veracity. -- Abraham Lincoln
(on the other hand, my friend passed a final for a class he never took because of Star Trek, so I guess there's something to be said about TV...)
Remember, open source is free as in speech, not free as in bear.
In the mean time, just delete Geotrust's certificate from your browser. If the market makes their certificate authority worthless, then maybe they (and other companies watching the fallout from this) will get motivated to implement better procedures.
The whores get mad when the sluts give it away for free.
Let's quote what Geotrust says about relying on certificates:
GeoTrust's solution is that the browser should display ...
"The name and logo of the CA who issued the certificate. Consumers will soon learn from news reports which CAs to trust and which CAs use sloppy procedures and should not be trusted."
We should take Geotrust at their word. Now that we're certain that their procedures are sloppy and they can't be trusted, their certs should be pulled from all browsers. New releases of Firefox should not contain root certs for Geotrust. They had their chance, and they blew it.
Check here for settings.
Weaselmancer
Ridiculous.
For REAL!
Now THAT's a new Phisher Price Toy!
(Image Word: compass; and it seems the phishers found their compass...)
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
This is why everyone should install the Netcraft Anti-Phishing Toolbar...unless they really know what they are doing (read IT professional)...
All of your users/customers should have this installed...besides rating the risk of the site based on previous reports, it would also have shown how long the site was registered...which even on this phishing site was probably a matter of days...as a matter of fact, I can see this as a good feature to include within Firefox...whenever you view the SSL certificate, show the domain registration info...
Looking at some of the domain registration info, it's obvious that including the DNS Admin, Organization, and Nameserver Organization, you would have easily identified a fake...
Even better yet, why not have a certification process for banks and such that could opt to have their ISP verify their identity...then when you visit their SSL site, your browser could display the verification info beside the "security lock"...
Of course, if you want to change the way the "Security Lock" works in browsers, in the US you could set something up with the FDIC that would use a DNS lookup similar to the way DNS Block Lists operate...only this one would tell you if the site was a valid banking site...I guess the "Lock" could change to a "$" or something if it was verified as a banking site...web sites could simply request the check in some way (HTTP header or something)...the header value could represent the type of site (US Banking Site...check with FDIC...)
SSL certs are not sold for domain names, just host names. They only work for ONE host. You can't buy an SSL cert for *.JFBVB.COM and set up EBAY.JFBVB.COM later. You can only buy a cert for one host, say WWW.JFBVB.COM.
(on the other hand, my friend passed a final for a class he never took because of Star Trek, so I guess there's something to be said about TV...)
OOC...what class?
Twenties Retirement
This is likely due to the fact that you have not paid your phone bill. You may, using our new PayNow feature, pay your phone bill online right now!
Please enter your full name, phone number, credit card including name on card and expiration date, as well as the last 3 or 4 digits on the back in a reply to this post.
Thank you, and have a great day.
Phone Company.
We can argue all night about the level of security afforded by an SSL certificate. I think most people don't have a clue about http vs. https and just follow the links wherever they go. If the artwork looks good, the "rap" sounds good and offers something they would want, they just "give it up" without worrying about the little lock icon. If the phisher is good enough, they won't give it a second thought, even after being phished (e.g. "congratulations you have been enrolled in Verified by Visa").
The solution to the whole phishing thing should be obvious to us in the technology world. Remember mutual authentication. Yes, it still works. Bank of America lets you choose a 'picture' that they promise to always show you before you give up your password. The solution is marginal at present because you only know about it if you use their online services to start with. A serious mutual authentication scheme would involve printing every statement with this picture and drilling into people's minds that - no picture, no password. It requires a serious PR campaign.
Right now I have no sympathy for the banks who get ripped off (mtnamerica.org - give me a break). I do have sympathy for the innocent people who fall victim to this and for the shareholders of banks who have to put up with the slow uptake on solutions to this problem.
OK. I get off soapbox now.
Cheers.
Honor's English I, freshman year. The test was over Greek & Latin roots.
I think part of the problem is the push to pretend the internet is safe and perfect. Since when has anything in our world been safe for the ignorant? The reality of computers and the internet needs to be common knowledge: you can get into trouble, especially if you don't know what you're doing. If I jumped in a car and put the pedal to the floor and wrecked, would it be Pontiac's fault or the Department of Transportation's that a flawless safety net wasn't put in place? I'm not saying it's ignorant computer users' fault if they get scammed, but the bullshit promises that you can give out your bank account number over the internet without worry are. I don't care how computer savvy you are, we've all had a moment where we were momentarily tricked; imagine somebody that has no idea. I mean, remember those AOL security commercials that claim they have single-handedly foiled hackers, spam, etc. Computer technology is too wild to pretend the good guys are always in control; let's be honest and admit if you connect to the internet you are taking a risk.
Who? Me?
I don't understand. Do they do anything more than an automated process to verify the integrity of the company? I used DigiCert (I'm not affiliated) for my company web site, and they made me fax in a copy of my LLC registration.
Terrified though I am, I feel phishing would be more effective if half the phishers had passed their high school grammar.
You feel sleepy. Close your eyes. The opinions stated above are yours. You cannot imagine why you ever felt otherwise.
I looked through the pics. Obviously the URL is a giveaway for most users. My first thought on how to check for validity if that wasn't the case was to give the wrong login / pass, but there's actually no guarantee the phisher will accept an invalid login. He could be checking the login using the real ebay, man in the middle-like.
These chimps at Geotrust claim that a human wouldn't have suspected there was anything wrong. How long does it take to type "mountain america" into Google?
Go on, try it. See the first hit?
How hard is it to do that for every application?
thanks!
Because people don't understand what they are. People don't check their content.
I'm not trusting Equifax, Verisign or any of the other big names delivering certificates. I've disabled all the root certificates in Firefox.
I want to be able to verify my bank certificate myself. I should be able to go into my local branch or call their number and verify their certificate fingerprints.
Before the internet, how did we trust businesses? We knew people, who knew people who knew the business. The more closely you are related to somebody, the more you'll trust them. You might trust them because they are a member of some other organization you trust, but today's model of centralized trusted third parties does not allow you to set your own trust levels and trust networks.
The PGP idea of a Web Of Trust is so much better, why is it not being used for securing the internet?
Phishing Site Using Valid SSL Certificates.
Most 9/11 attackers had valid IDs.
News at 11.
Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
Check out the Firefox Petname extension for a solution. This lets you mark the sites you trust, then checks that their cert fingerprint hasn't changed. So it also traps MITM and DNS poisoning threats.
So rather than depend on an external service to black-list all fraudsters, and do it accurately and promptly, this lets you white-list the small number of sites that matter to you.
Andrew Yeomans
Just FYI, the site accepted any username and password combination I tried. And while the URL was the clear giveaway for me (and the HTML is also formatted, whereas the eBay HTML emails usually aren't) most users just don't get that. I typically run into coworkers and parents who just think of the address bar as "that stuff up there". When it becomes complex, they think of it as simply some computer stuff that they don't understand and thusly should ignore.
It's an unfortunate reality, and it plays right into phisher's hands.
Sure, the paper trail might lead back to him, but if you're going to buy an SSL cert, either you don't care or you've already got someone else's credit card number.
Is the certificate not just saying: I vouch for this user that he really is "mountain america"? But then it seems that there is not a valid address at all in the whois and the SSL details. Shouldn't they at least verify that there is a good physical address available? So they are accountable for what is going on?
I've never programmed Ruby specifically, but wouldn't "while 0" evaluate to false and hence not execute the block? In any other language, it'd be "while 1".
This will not change until we go back to a simple ASCII-based solution, without any encoding scheme.
This comment shows you don't understand the mechanics of email. ASCII *is* an encoding, and a very limited one at that. What would you have people that don't speak English use? ASCII provides little to no support for international characters. This problem is more than a technical one, and can't be solved by the naive suggestions you propose.
I get quite little legitimate email written in English, so the combination of English subject & English sender name alone makes my finger hover over the delete key, ready to proceed immediately if the subject does not sound like something actually relevant. If the subject is about "credit card", "account" or something like that, I almost automatically dismiss the message as phishing.
Last month, I got a message from PayPal that said that my credit card is about to expire. I thought "some phishing again, but maybe I'll open and see this one just for some amusement". So I did open it, and read through. Then I realised that first, it was all text, didn't include any URLs, but told me to go to the PayPal site by manually typing the URL instead. Only then did I recall that my credit card actually was just updated and the old one is about to expire. I then went to paypal.com, logged in and updated the expiration date.
Afterwards, this made me think what kind of idiots they are at PayPal; instead of asking about the expiry date during my next payment, they sent me an (unencrypted and unsigned) e-mail, which should be more verboten than anything in the online banking business. Of course, had I actually deleted the message, the damage would have been tiny and I would have realised my error later, but this is just something that teaches people bad habits; that it might be a good idea to trust at least some of those emails, while it actually isn't.
“Wait for Hurd if you want something real” –Linus
The trouble with cacert and other similar web-of-trust schemes is that they confuse different sorts of trust. Even if ten or even a thousand people have checked that someone claiming to be Dr Evil really is Dr Evil, it doesn't follow that Dr Evil's claims about the identity of another individual should be believed.
Web-of-trust schemes which do not recognise this distinction will be vulnerable to an exploit whereby "verified-identity" can be elevated to "presumed-reliable-authenticator".
The bottom of this page from CAcert's FAQ seems to admit that their scheme is vulnerable to such an exploit.
Same thing happened to me when I charged a semester of college for my daughter. I also hung up on them. They are just rude as hell anyway.
I emailed a complaint about it; they said it actually was their security department. The charge went through anyway without further contact. Who knows, maybe they're just checking to see if you're smart enough to be trusted. There was no issue for the next semester.
Most people don't even think inside the box.
I like the eBay attempts. In the last 3 days I have gotten half a dozen of the latest attempt, something about an eBay user wanting to ask me a question about an item I am selling. I haven't used my eBay account in about a year at least. The emails lead to obviously fake sites, and often enough, if I am bored, or have been drinking... I go to said site... and just refresh over and over 'logging in' with garbage, and strings of expletives :) I know one night me and a buddy who had quite a bit to drink already sat at one of those scam sites for a good 20 minutes finding creative ways to fill out their fake "ebay user details" form.
The only change I can believe in is what I find in my couch cushions.
It sounds FTA like this phishing team got a company to falsely issue a certificate, which says the phishers are associated with the bank. Couldn't a lawyer of even marginal competence make a case that doing so makes the "big company" legally liable for consequential damages? Voila, one set of deep pockets to go sue. Perfect for those who fell for the scam, the lawyers for those who fell for the scam, and for scaring every other certificate company into taking due diligence of certification seriously.
Meanwhile, how do I go about forcibly removing the Geotrust root certificate from all of my computers?
//Information does not want to be free; it wants to breed.
This company CertAlert http://www.certalertsoftware.com/ was presenting to my team about their SSL Certificate management solution. They were saying that they are trying to gain access to the list of registered certs from the CAs to provide third-party external authentication checks. I.e., their theory was that an organization would likely have people and processes in place for brand management type activities and that this is an extension of that. However, best I understood, the CAs do not offer that list to anyone public or private.
Kinda like finding the safe open and nothing inside but a card: "burgled by John Smith, 123 Miscreant Lane, Your Town. 555-1212. Thursdays."
GeoTrust sells low assurance SSL certificates. The only thing they validate is that you "control" the domain (which usually means that they just send you a "confirmation" email to the whois address). Anyone with a stolen credit card can register a domain and get the certificate, while staying untraceable.
Most other CAs sell High Assurance certificates, that require validation of:
- entity ownership of the domain
- the fact that the person ordering SSL for the domain has the right to do so.
This is done via checking a bunch of details, such as the department of state database, whois record, company records, etc, etc, etc. You have to be an officer of the company or have notarized permission from an officer of the company to request an SSL certificate for the domain. The whois record for the domain must match details from the state database.
When all those checks are taken together, it allows you to prevent fraudsters in most cases (you cannot prevent them all the time, not in real time).
GeoTrust "pioneered" low assurance certificates (and basically destroyed the credibility of the padlock), that bypass all those checks and go after domain control only. It created this mess. The "give away" that a certificate is low assurance is that the "Organization" field of the certificate holds the domain name instead of the company name. No real bank would go for that.
This is one of the reasons Opera displays the company from the certificate field right next to the URL.
This is also the reason Microsoft plans to differentiate between "high assurance" and "low assurance" certificates:
http://blogs.msdn.com/ie/archive/2005/11/21/49550
You've got to be kidding! I'm going to go out on a limb here and say that the bulk of the money floating around the tech sector comes from businesses, governments and universities - not Grandma buying an eMachine at Circuit City.
People like Grandma are often not even worth dealing with from a purely economic standpoint. Any profit an independent PC tech stands to make servicing their machines is eaten up by the hours and hours of free tech support these people expect because they paid you to install their printer back in 2001.
Computers are becoming more and more necessary for everyday life. Sure, you can get by without one, just like some people get by without a telephone or a car. But it sure does make life difficult, and most people aren't going to make such a sacrifice. So it's them who need us, not the other way around. And despite our best efforts to grit our teeth and smile politely when Joe Dumbass clicks "yes, please God, install this malware!" for the seventeenth time this month, we geeks are occasionally going to let a little hint of elitism show. I think we're entitled.
I was having a discussion with someone at work not too long ago about this. She was bitching that techs like me are unreasonable to expect everyone to know what they're doing. She said, oh so cleverly, "But can you fix your own car!" Ooh, yeah, ya got me there, I'm not a mechanic (yet, anyway)! But I'm not expecting the average user to be a hardcore geek. To use the car analogy, I don't expect anyone to be a mechanic, I just expect them not to drive around plowing into other vehicles or the occasional stationary object and expecting me to repair their car every time. Well, and maybe to use their goddamn turn signal once in a while.
I use the petname firefox extension to help guard against these attacks. I believe it would have foiled this attack. It puts an extra "petname" bar in the corner of your browser. On non-SSL sites it is white and says "untrusted." On SSL sites that you have no relationship with, it is yellow and says "untrusted." If you want to begin a relationship with an SSL site, you type in a petname for it. Now it marks your petname with the fingerprint of the SSL cert and shows a green bar with the petname you typed in. When you return to the site, if the SSL cert fingerprint matches what you previously named, it again displays green with the petname. If the cert does not match, it displays yellow with "untrusted."
It's more complicated to explain than it actually is to use. The website has a much clearer explanation with pictures and a whitepaper explaining more of the theory of petnames.
Check it out... a decentralized trust scheme that overlays on SSL: http://www.waterken.com/dev/YURL/ There's a mailing list devoted to these topics too: http://www.eros-os.org/mailman/listinfo/cap-talk
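The pinning logic behind the petname bar described in this comment and in Andrew Yeomans' comment above, written out as an added Python example (not the Petname extension's own code, and not from the thread). The "DER certificates" are constructed byte strings standing in for real certificates; the hostnames are the ones discussed in the thread.

```python
"""Model of the petname scheme: the user names a site once, the browser pins the
SHA-256 fingerprint of that site's certificate to the name, and every later visit
is compared against the pin. Assumed API; constructed sample data."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def fingerprint(der_cert: bytes) -> str:
    """Hex SHA-256 over the DER-encoded certificate (the value the bar pins)."""
    return hashlib.sha256(der_cert).hexdigest()


@dataclass
class PetnameStore:
    # host -> (petname chosen by the user, pinned certificate fingerprint)
    pins: Dict[str, Tuple[str, str]] = field(default_factory=dict)

    def assign(self, host: str, der_cert: bytes, petname: str) -> None:
        """User types a petname for an SSL site: pin this cert's fingerprint."""
        self.pins[host] = (petname, fingerprint(der_cert))

    def status(self, host: str, der_cert: Optional[bytes]) -> Tuple[str, str]:
        """Return (colour, label) the petname bar would display.

        None for der_cert means a plain HTTP page (no certificate at all).
        """
        if der_cert is None:
            return ("white", "untrusted")          # not an SSL site
        pinned = self.pins.get(host)
        if pinned is None:
            return ("yellow", "untrusted")         # SSL, but no relationship yet
        petname, pinned_fp = pinned
        if fingerprint(der_cert) == pinned_fp:
            return ("green", petname)              # same cert as when named
        return ("yellow", "untrusted")             # cert changed: MITM, DNS poisoning, ...


# Constructed stand-ins for DER certificate bytes (not real certificates).
BANK_HOST = "www.mtnamerica.org"
BANK_CERT = b"constructed DER: real credit union certificate"
ROGUE_CERT = b"constructed DER: different certificate for the same host"
PHISH_HOST = "www.mountain-america.net"
PHISH_CERT = b"constructed DER: valid low-assurance cert for the look-alike"


def walkthrough() -> List[Tuple[str, str]]:
    """Replays the scenario from the thread; returns the bar's state at each step."""
    store = PetnameStore()
    steps = []
    steps.append(store.status(BANK_HOST, BANK_CERT))      # first visit: yellow
    store.assign(BANK_HOST, BANK_CERT, "my credit union")
    steps.append(store.status(BANK_HOST, BANK_CERT))      # return visit: green
    steps.append(store.status(PHISH_HOST, PHISH_CERT))    # look-alike host: yellow
    steps.append(store.status(BANK_HOST, ROGUE_CERT))     # swapped cert: yellow
    return steps


if __name__ == "__main__":
    for colour, label in walkthrough():
        print(f"{colour:6s} {label}")
```

The phishing host never turns green even with its valid certificate, because no petname was ever assigned to it; the CA's decision to issue the cert does not enter into the check at all.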
I've seen stories about identity theft scams within the last year which used this same simple technique. One of them was apparently calling people during the middle of the night to catch people while sleeping, and off guard. They would claim to be from the card vendor's security or fraud department, and to have detected unusual spending patterns, etc. During the course of the call they would "verify" the customer's information, getting sometimes basically whatever information they asked for.
Although some people probably have the message, they keep making more people. Many young credit card holders today were not bombarded with these awareness campaigns during the early 1990s.
If you mod me down, I shall become more powerful than you could possibly imagine.
There are several issues with this system, however. The biggest one seems to be that it requires the customer to remember still more crap... ^h^h^h^h
Another issue is that several times a year now online shoppers are faced with learning entirely new paradigms and associated rules for how to know if they are being scammed. It's hard to keep up with this stuff when it's your full time job to do so let alone as a casual internet shopper. (That's the same issue you say? One, there is One big issue! I'll just go out and come back in...)
Another recent example is the Verified by Visa program which has recently been levered to provide a new social engineering angle for a phishing scam. I predicted this a few months ago when I was first exposed to the Verified by Visa system, but I just got around to blogging about it only ten days ago. (See: Verified by Visa (Veriphied Phishing?) for a description of my unsettling first exposure to this major security initiative from Visa.) I wish I had blogged sooner, I need more points to get my "fortune teller" merit badge!
More fodder:
Joris Evers of CNet blog on SiteKey with links to stories and discussions
Slashdot discussion on SiteKey
By the way, have you noticed that the time horizon for "recent" is now minutes and hours. I can remember a time when it used to be at least weeks.
The issue isn't what the certificates do and do not mean, the issue is the ethicalness of these companies issuing any kind of certificate at all to criminal enterprises in return for money,
How do you propose Verisign discern whether or not a company is a "criminal enterprise?" Should it be a question on the application form? Do the CEOs of "criminal enterprises" always wear black? Walk around petting hairless cats named "Mr. Bigglesworth?"
To take a more serious tone, how can anyone tell the difference between a legitimate small business and a "criminal enterprise" that hasn't broken any laws yet?
and their failure to instantly revoke the certificates as soon as it becomes clear that the site is being used for criminal purposes.
I'm not sure what neck of the woods you're from, but around here, we have a legal construct known as "due process." Innocent until proven guilty. How would you propose to define when it has "become clear" that the site is being used for criminal purposes? As soon as the media publishes allegations? When the authorities begin investigating those allegations? When the authorities lay charges? At what point has it become "clear" that what the company is doing is illegal?
Not everything is as black and white as you seem to believe.
Like woodworking? Build your own picture frames.
...they implemented it like boneheads. If you're logging on from a different computer, or have cleared your cookies, you are REQUIRED to enter your card number and pin at the first screen -- sans SiteKey.
Once they see that you've set up SiteKey, they do as you described. They show the picture you picked and the phrase you typed in - AND THEN MAKE YOU ENTER YOUR PIN AGAIN.
I get around this by entering my card number in the main page and an invalid pin. THEN it shows me my sitekey based on my card number, and I can enter my PIN, secure in the thought that this is the site I think it is.
It's a good shot, and certainly a better attempt than I've ever seen before, but they REALLY need to:
1. NOT require that you enter your friggin bank card number and PIN BEFORE seeing your SiteKey. Duh. This leads to #2:
2. NOT require that you enter your friggin bank card number EVER. Besides being insecure, it's a huge pain in the butt to have to type in my credit card number as a userID when I set my browser to clear cookies after the current session.
While I can get around the problem of entering my PIN before the SiteKey by entering a bogus PIN in the field, I'm still forced to use my bank card number so they can retrieve the SiteKey. Ugh. Never heard of usernames, apparently.
Bank of America, if you're reading this, be advised that you are in need of a security and usability manager with an ounce of common sense. I can bill highly enough that you should be comfortable hiring me, and I work in New York, where I'm sure you have office space. Drop me a line, and we'll work something out.
You don't need an introducer. All banks and credit unions should be using self-signed certificates. They should print the signing key's fingerprint at the bottom of each statement. They should have it on a poster in the lobby. You don't need Equifax or anyone else to cert your bank for you, because you will certify them yourself.
Get with it, banks.
but it also used a valid SSL certificate for its domain name. SSL has been used for sooo long, not amazing that finally it shows its weaknesses... I'm still buying thingies on the internet... but shouldn't we use AES-256 now? Or something like this?
When fiction hits reality, dreams have no air-bag.
In reverse russian roulette, most of the time you get nothing, poison, or sedative, or a mix of poison or sedative, and sometimes you get something good with a dose of antidote or stimulant. The trick to getting people to continue playing reverse russian roulette is to get the people who get the good dose to say how great it is, while keeping everyone the rest of the time from saying anything, which isn't that hard to do because of the clever way they've been not only incapacitated but tricked into contributing to their own incapacitance.
Congratulations! Looks like you just happened to get that rare good dose.
That's not gonna work, since bankers, bureaucrats and lawyers don't have mums.