Holiday Shoppers: Don’t Get Phished!

Don’t get phished this holiday season. Here are some common sense reminders.

CybercrimeAs we enter the holiday season, if you order online, fraudsters will be targeting you.  Many people will be easy marks, where their computers will become infected with viruses, and they will be victims of identity theft. Big online vendors such as eBay and Amazon represent big targets, but others will be targets as well.  Phishers will be sending out loads of poisonous messages, just hoping that a few people will mistakenly click on links to malware-laden web sites.  While big mail providers like Google and Yahoo! work hard to filter out such garbage, it’s unavoidable that some of dangerous emails will get through.  Preventing such thefts while shopping online can be tricky because fraudulent and legitimate messages look nearly identical. Fraudsters may know something about you, such as your name, your mother tongue, the region in which you live, and the names of some of your friends.  A competent fraudster will use the logos and have the same look and feel of a legitimate online vendor.

Some of my techie friends are probably snickering, saying “That couldn’t happen to me.”  It probably already has.

Here are a few common sense suggestions to keep you from becoming a victim:

  1. Here’s the obvious one: if you didn’t order something from a vendor, be highly suspicious of the email, especially with messages that claim to have order information or coupon offers.
  2. If you have ordered something, beware any message with a subject that is vague, such as “your order”.  A legitimate online vendor will somehow identify the order, either with an order number or with the name of the product you have ordered.  This may appear in the subject line or in the body of the message.
  3. No legitimate online vendor sends zip files in email.  Don’t open them.  The same largely holds for most other attachments.  If they can’t provide you necessary information in the body of the message, it’s probably not legitimate.
  4. Most online vendors provide you a means to log into their service to track orders.  If you are at all in doubt about whether a message is legitimate, without clicking on a link in the message, visit their web site, and log in to track the order.  If you need help, contact the vendor’s customer service.
  5. While banks may email you alerts of some form, it is still always better to go to their web sites without clicking on links in the messages.
  6. Unless you gave it to them directly shippers such as Federal Express do not have your email address.  No decent online vendor will share your email address with a shipper.

What happens if you do click on something you shouldn’t have?  There is no easy answer.  Unless you are using antivirus, you have to assume the worst.  This means that it’s important to maintain good backups.  That way you can reinstall from scratch.  Sounds painful?  Then don’t carelessly click on email links.

Want some more advice on staying safe?  Check out StaySafeOnline.org.

Wrap-up of this year’s WEIS

This year’s Workshop on the Economics of Information Security (WEIS2010) enlightened us about Identity, privacy, and the insecurity of the financial payment system, just to name a few presentaitons.

Every year I attend a conference called the Workshop on Economics of Information Security (WEIS), and every year I learn quite a bit from the experience.  This year was no exception.  The conference represents an interdisciplinary approach to Cybersecurity that includes economists, government researchers, industry, and of course computer scientists.  Run by friend and luminary Bruce Schneier, Professor Ross Anderson from Cambridge University, and this year with chairs Drs. Tyler Moore and Allan Friedman, the conference includes an eclectic mix of work on topics such as the cyber-insurance (usually including papers from field leader Professor Rainer Böhme, soon of University of Münster), privacy protection, user behavior, and understanding of the underground economy, this year’s conference had a number of interesting pieces of work.  Here are a few samples:

  • Guns, Privacy, and Crime, by Allesandro Acquisti (CMU) and Catherine Tucker (MIT), provides an insight into how addresses of gun permit applicants posted on a Tennessee website does not really impact their security one way or another, contrary to arguments made by politicians.
  • Is the Internet for Porn? An Insight Into the Online Adult Industry – Gilbert Wondracek, Thorsten Holz, Christian Platzer, Engin Kirda and Christopher Kruegel provides a detailed explanation of the technology used to support the Internet Porn industry, in which it claims provides over $3,000 a second in revenue.
  • The password thicket: technical and market failures in human authentication on the web – Joseph Bonneau and Sören Preibusch (Cambridge) talks about just how poorly many websites manage all of those passwords we reuse.
  • A panel on the credit card payment system, together with a presentation that demonstrated that even credit cards with chips and pins are not secure.  One of the key messages from the presentation was that open standards are critically important to security.
  • On the Security Economics of Electricity Metering – Ross Anderson and Shailendra Fuloria (Cambridge) discussed the various actors in the Smart Grid, their motivations, and some recommendations on the regulatory front.

The papers are mostly available at the web site, as are the presentations.  This stuff is important.  It informs industry as to what behaviors are both rewarding and provide for the social good, as well as where we see gaps or need of improvement in our public policies, especially where technology is well ahead of policy makers’ thinking.

Ole asks a great question

[not unusual for Ole, by the way.]

Why does security have to be so complicated?

Now knowing Ole as I do, this is of course rhetorical, but it does remind me of two conversations I’ve  had.  One was a long time ago.  A friend of mine was part of a cable start-up team.  Some of you will know who this was.  He showed up at a conference with his big financial backer, and then told me, “Eliot, I’ve created the perfect parental control system.”

My response was simply, “Are you now – are you now or have you ever a child?”  Nearly any child who is motivated enough will get around just about any parental block.  Kids are smart.

The same is largely true with security.  A former boss of mine once put it succinctly, that it’s either sex or money that motivate people, and that bad guys tend to use the former to get the latter.  A great example are the miscreants who give away free porn by typing in CAPTCHA text, so they can get around some site’s security.  I think it’s a little more than just those two motivations, but the point is that computers didn’t create crime.  Crime has existed since Eve gave Adam the apple.  The FaceBook scam occurs every day in the physical world without computers when eldery are taken advantage of in person.  Computers simply provide a new attack vector for the same types of crimes.

Bad guys are as smart as good guys, but their best is probably no better than our best.

Paypal follow-up

Some people wonder whether the situation with PayPal is that bad.  Well, at least the phishing part is.  Today’s mail included this little gem from points unknown pretending to be PayPal:

Attention! Your PayPal account has been limited!

[…]

[Link to a phishing site]

This is the Last reminder to log in to PayPal as soon as possible. Once you log in, you will be provided with steps to restore your account access.

[…]

How did I know this was a forgery?  Let’s take a look at the email headers:

Return-Path: <paypal@service.com>
Received: from mail.realinterface.com (mail.cecreal.com [66.101.212.157])
	by upstairs.ofcourseimright.com with ESMTP id n9GAJ9h3022332
	for <lear@ofcourseimright.com>; Fri, 16 Oct 2009 12:19:31 +0200
Received: from dynamic.casa1-15-233-12-196.wanamaroc.com ([196.12.233.14]) by
         mail.realinterface.com with Microsoft SMTPSVC(5.0.2195.6713);
	 Fri, 16 Oct 2009 06:32:45 -0400
From: "PayPal Services" <paypal@service.com>
To: "lear" <lear@ofcourseimright.com>
Subject: Your PayPal account has been Limited
Date: Fri, 16 Oct 2009 10:18:53 +0000
Organization: PayPal
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="----=_NextPart_000_0000_01C6527E.AE8904D0"
Message-ID: <RI1BvDvIMYk5XYA4IyF00002a42@mail.realinterface.com>
X-OriginalArrivalTime: 16 Oct 2009 10:32:45.0859 (UTC) FILETIME=[00099730:01CA4E4C]

The first thing we note is the From: line.  While this line can be easily forged, in this case, the miscreant forged not paypal’s domain but service.com‘s.  Well, that’s not PayPal.  This one was easy to establish as a fraud.  But had we any doubts we would need look no further than the previous two lines (the last Received: header).  If we look at the address 196.12.233.14, which is claimed to be dynamic.casa1-15-233-12-196.wanamaroc.com, we note that the name it has begins with “dynamic”.  That name, and the numbers that follow in it, indicate that this is probably someone’s house or office PC, and not paypal’s email server.  Note I’ve highlighted to “To” line, with the address lear@ofcourseimright.com.  But that is not the address I’ve given PayPal.

What’s more, I happen to have an actual paypal.com set of headers to compare against.  Here is what it looks like:

Return-Path: <payment@paypal.com>
Received: from mx1.phx.paypal.com (mx1.phx.paypal.com [66.211.168.231])
	by upstairs.ofcourseimright.com (8.14.3/8.14.3/Debian-6) with ESMTP id n9E8KIwI026171
	for <xxx@ofcourseimright.com>; Wed, 14 Oct 2009 10:20:39 +0200
Authentication-Results: upstairs.ofcourseimright.com; dkim=pass
	(1024-bit key; insecure key) header.i=service@paypal.ch;
	dkim-adsp=none (insecure policy)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
  d=paypal.ch; i=service@paypal.ch; q=dns/txt; s=dkim;
  t=1255508439; x=1287044439;
  h=from:sender:reply-to:subject:date:message-id:to:cc:
   mime-version:content-transfer-encoding:content-id:
   content-description:resent-date:resent-from:resent-sender:
   resent-to:resent-cc:resent-message-id:in-reply-to:
   references:list-id:list-help:list-unsubscribe:
   list-subscribe:list-post:list-owner:list-archive;
  z=From:=20"service@paypal.ch"=20<service@paypal.ch>
   |Subject:=20Receipt=20for=20Your=20Payment=20to=XXX
   |Date:=20Wed,=2014=20Oct=202009=2001:20:17=20-0700|
   |Message-Id:=20<1255508417.22290@paypal.co
   m>|To:=20Eliot=20Lear=20<paypal@ofcourseimright.com>
   |MIME-Version:=201.0;
  bh=q82fwVBPBq26WHflKsNcdbCIf3Vcc5wRznZ9tfI8+8k=;
  b=OPyR7evc/VcnTZyDZSlYCh9oLm+vmKt8qsocqMrAr7y/kg3P5+DhO3mB
   UDbhkCvqu+owm45X1te+PxoREXR9aMEuuD20ltP2B5f5JWf/MjICk6zc6
   gYv6pY6ZRFKclXFGvtViJwv0LsW8N7uaoiZCAh5mxrjfuJaF+SmNyX23c
   I=;
Received: (qmail 22290 invoked by uid 99); 14 Oct 2009 08:20:17 -0000
Date: Wed, 14 Oct 2009 01:20:17 -0700
Message-Id: <1255508417.22290@paypal.com>
Subject: Receipt for Your Payment to XXXX
X-MaxCode-Template: email-receipt-xclick-payment
To: Eliot Lear <xxx@ofcourseimright.com>
From: "service@paypal.ch" <service@paypal.ch>
X-Email-Type-Id: PP120
X-XPT-XSL-Name: email_pimp/CH/en_US/xclick/ReceiptXClickPayment.xsl
Content-Type: multipart/alternative;
  boundary=--NextPart_048F8BC8A2197DE2036A
MIME-Version: 1.0

A few things to note: first, there my own mailer adds an Authentication-Results header, and in this case you see dkim=pass.  It’s done that by looking at the DKIM-Signature header to determine if Paypal really did send the email.  This is a strong authoritative check.  Knowing that PayPal does this makes me feel comfortable to discard just about any email from paypal.com that lacks this header.  Also, this email was addressed to the correct address (I’m not actually showing the address that I use).  Not every site uses dkim and that’s a pity.  One has to know in advance when to expect dkim=pass and one has to look at the headers to check.

Just by comparing email headers we can see that this is a poor forgery.  And yet it takes time and effort for people to determine just that.  And this is the risk that we consumers face.  If one decides that any email one wasn’t expecting from PayPal is in fact a forgery, then should someone break into one’s account, one may not notice that there is a problem.

Summarizing, here are the things that I’ve done to limit the chances of something bad happening:

  1. I use a single email address for PayPal that forgers are unlikely to know about.
  2. I look for the Authentication-Results header.
  3. Even if I think this is an authentic email, I will not click on links, but instead go to PayPal.com.

But it’s not all that easy for me.  It certainly isn’t easy for those who haven’t been paying attention to all of this stuff as part of their job.

A lesson in transitive trust

CybercrimeGrowing up in the New York area in the 1970s, one never really paid attention to all the crime that occurred.  There just was so much of it.  Even when I lived in California, while a murder would make the local news, it wasn’t something that would shake the community.  A murder in the Zürich area, however, is rare.  Maybe it’s because everyone has a gun, as my friend Neal might say.  Who knows?  The point is that people here are not inured to that level of violence.

Now we are discovering the online version of that.  When last we left our situation, we were trying to figure out how best to protect ourselves from evil bad guys by limiting the damage dumb passwords can do.  Since then, it has been widely reported that 10,000 Hotmail account passwords were stolen.  But they weren’t the only ones.  Many of the people who use Hotmail accounts also have GMail and Yahoo! accounts, and many of those passwords are the same.  Why?  Because humans don’t like having to remember lots and lots of passwords.  And of course, if you were one of those people who used the same password between both and linked your Yahoo or GMail account to Facebook, that means that your Facebook account could have been compromised as well.  And that means that your friends may have been attacked, as we previously discussed.

How could this be worse?  Let’s add Paypal into the mix.  If you use the same password for eBay as you used for Yahoo!, now all of a sudden, you have invited someone to empty your bank account.  Had Paypal implemented an OpenID consumer for login, an attacker wouldn’t even need your password.

Now let’s aggregate all of the people who do that.  The popular OpenID providers include Google, Yahoo, and Verisign.  As the number of providers increases, the concentration of risk of any one single failure decreases.  Concentration of risk is a fancy way of saying that one is putting all of one’s egg in one basket.  On the other hand, from the perspective of a web site that uses OpenID or some other federated mechanism such as SAML, the information received from any random Identity Provider (IdP) could reasonably be considered suspect.

This leads to a few conclusions:

  • A large number of Identity Providers will require a service that provides some indication as to the reliability of the information returned by a given IdP.
  • The insurance and credit industries can’t manage concentrated risk.  We’ve seen what happens in the housing market.  The Internet can reproduce those conditions.  Hence, there will be limitations on transitive trust imposed.

Conveniently, you are not without any protection, nor are the banks.  There are large federated market places already out there.  Perhaps the two biggest are eBay and Amazon.  Amazon has the advantage of requiring a physical address to deliver to, for most goods, the exceptions being software, soft-copy books and downloadable movies.  In each of these cases, the transaction value tends to be fairly low, and the resale value of most of these items is 0.  It’s the resale value that’s important, because the miscreants in this business don’t want 150 copies of Quicken for themselves, nor can they really sell off an episode of House.

Paypal is another matter.  If someone has broken into your Paypal account, here is what they can do:

  • Empty it of any credit it might have;
  • Charge against your credit cards; and/or
  • Take money from your bank.

If you’re paying attention and act quickly, you might prevent some of these nasties from happening.  But first you will have to read a tome that is their agreement.  In all likelihood you have no recourse to whatever final decision they make.  If you’re not paying attention, your account and those associated with it become an excellent opportunity for money laundering.  What does it mean to pay attention?  It means that you are receiving and reading email from paypal.com.  That means that they have to have a current email address.  When was the last time you checked that they do?  Assuming that they do, it also means that you have to read what you are receiving.  Now- I don’t know about you, but I’ve been spammed to death by people claiming to be PayPal.  Remember, how this posted started by talking about being inured to crime?  Well, here we go again.