Slashdot Mirror
Phishing Site Using Valid SSL Certificates
UnderAttack writes to tell us the Washington Post SecurityFix blog has an interesting article about a new and rather sophisticated phishing scheme. The email not only used the first few digits of the users card number to look more plausible (even though the first part of the number is the same for all cards), but it also used a valid SSL certificate for its domain name."
No, but a lot of people still have the silly idea that phishing is only as sophisticated as it was 2 years ago, back when it was plaintext, full of misspellings, and sent you to an IP or a GeoCities page.
Back then, it was hard to imagine people getting fooled by the crude "Send me yore passwerd" level of "attacks" -- and yet people fell victim to it just the same. These days, they're polished enough that you basically have to assume any email that claims to be from your bank is forged, then examine it and try to prove otherwise.
It amazes me that people forget that a banks job is to protect your money.
The phisher in the end shouldn't be able to get any money from this.
The banks should have in place a system that secures your money much better than this. It reminds me of the wild west where banks were robbed all the time.
Like, why do the retailers have to protect the banks? Why do they have to ask for ID when you already presented a valid banking card to them? Is this system insecure? Yes, and that's why they ask for ID. WTF?
People should consider this the same as a bank getting robbed over and over. If the banks got enough bad press from this then maybe they would do something about it.
But never forget, this is not money, it's currency backed by nothing of value and could become wortless in a day. People have been trying to tell you this for years, but you people won't read any simple banker history, it's too booring.
http://www.apfn.net/Doc-100_bankruptcy13.htm
http://www.federal-reserve.net/
http://www.converge.org.nz/pirm/fr_paul.htm
http://batr.org/verity/id6.html
Seriously. I remember in the early 90s, tv ads for banks that ended with "...and remember, our staff will never ask for your credit card number over the phone." I think people *eventually* got the message on that one.
They do this all the time. Just last week, Discover called and left a message on my machine "This is the security department, we have a question about the activity on your account, please call 800-###-#### to ensure continued service." When I called that number, they started off saying "Please tell me your card number, your mother's maiden name, etc." all to "confirm my identity" I of course refused, hung up, and called the 800 number printed on my credit card. They were understanding, but never acknowledged that they were essentially asking me to give all my personal information to a random person who called my home phone number.
Do browsers check revocation lists? I didn't think so
Yes. At least IE does. It slows things down if you're on an isolated network, so it's one of the first things I turn off on those machines.
you say, eventually an old trick has to stop being used, I say read the following
http://www.historybuff.com/library/refbarnum.html
every day http://en.wikipedia.org/wiki/Special:Random
I got exactly the same here in the uk unless that instead of stopping immediatly I do like any joe user I called back the number, gave my credit card number, birth date but before answering for my mother maiden name, I just realised what I was saying and felt the little tickling in the belly meaning stress ...
... the number was not even close to any number used by the bank. I googled the number, nothing ... ( arghhhh )
... she took less than 2 min ( from my point of view, a very big value of 2 ) to find out that this number is not in the bank private directory either...
:-) ) ...
I asked the women on the other hand what was that about - why I need to give this info?
She told me she need 'security check - blabla'
I asked why they asked me to call and where I was exactly she just told me the name of the bank (thanks,easy) but she needed the security check to give the reason of the call (best excuse ever)...
I hang up - ( I start to sweat ) - I went straight to the website to find the number I just called in the bank public phonebook but nada
I called the bank, this time I have to give the security ID again ( after the previous experience, even if you pick the number yourself in your monthly statement, you really feel uneasy )
I asked the girl what was this number I just called, and what I'm suppose to do know
Hopefuly the girl ring herself to the mysterious number and found out that it was only a number setup for the billing departement ( yeah I missed a payment
They had a valid reason to contact me, I had an urgent action to take but why in hell do they use the same trick the spammers use?
They use an unknown number not even known from the bank employees ?
If I did as we are told in the security leaflet given by the very same bank, I should have called the fraud departement of the bank to report the phishing attempt instead of ringing back!
Why can't banks use a similar system to the "mother's maiden name" to prove who they are? You tell them three pieces of information, and then when they call you can ask for any one of them (They may need to prompt you first).
How many people can read hex if only you and dead people can read hex?