Email Scams and Authentication


Jonathan

My bank (NatWest) and various other providers I have accounts with, are all
in a tizzy about "email scams" and how we should be aware of them etc.
NatWest have even suspended their online money transfer facility until
further notice because (presumably) the scams are working rather well and
there's a danger of fraudulent withdrawals.

But haven't the banks heard of server certificates and PKI? Why can't they
just give us a certificate to import into our browser that will authenticate
legitimate communications from them? Sure it won't stop complete idiots who
will click "proceed" even when they see a notice saying the site/cert is not
properly authenticated or whatever, but it sure would be a step in the right
direction.

On a similar note, a friend of mine got a call from his bank the other day
asking him to verify a couple of large purchases on his credit card. He
asked them how he knew it was his bank calling - and they didn't know what
to say. They were all ready with the "what's your mother's maiden name?"
stuff, but the call centre had no script for authenticating *themselves* to
the customer. In the end he had to call them, talk to a line manager, and
"share" the authentication questions (he told them his day of birth, they
told him his month, etc.)

No wonder these scams are working when there isn't even a basic attempt at
using any real authentication system!

Jonathan


PS: I received what was pretty obviously a scam pretending to be from
NatWest the other day, and looked at the source. All the links pointed to
legitimate NatWest (RBS) sites, but the main one you were supposed to click on
looked like this:

http://www.nwolb.com:UserSession=2f4d0zzz899oakileikaiejs559875&userrstste=SecurityUpdate&StateLevel=CameFrom@64.148.18.13/

(note I've changed the above a bit to protect the innocent)

What's that all about then? The IP address traces back to a netblock owned
by "Brown And Toland" of 268 Bush St. #5000, San Fran. The NatWest logo
itself was served from a website whose IP is owned by "Eugene L Rowe" of the
same address. All the other assets referred to by the email were owned by
NatWest (RBS).
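As an added example (not part of Jonathan's post), a small Python check for links of the shape shown above: everything before the "@" is the userinfo part of the URL, so the apparent "www.nwolb.com" is not the host the browser connects to. The sample URL, IP address and session string are constructed placeholders, and the function names are assumptions of this example.

```python
# Added example: show which host a browser actually contacts for a link
# shaped like the one in the phishing email, where the bank's name sits in
# the userinfo part ("user:password@") and the real destination follows '@'.
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in the same shape as the email's link. The IP address
# (TEST-NET range) and session string are placeholders, not the real values.
SAMPLE_URL = ("http://www.nwolb.com:UserSession=2f4d0abc&userstate=SecurityUpdate"
              "&StateLevel=CameFrom@192.0.2.10/")


def real_host(url: str) -> str:
    """Return the host the browser would connect to (after the last '@')."""
    return urlsplit(url).hostname or ""


def is_ip_literal(host: str) -> bool:
    """True when the destination is a bare IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def link_warnings(url: str, expected_hosts=("www.nwolb.com",)) -> list:
    """Checks a mail gateway or user-education tool could apply to a link."""
    parts = urlsplit(url)
    warnings = []
    host = parts.hostname or ""
    if parts.username is not None:
        # A browser treats this as a login name, not as the site.
        warnings.append("userinfo present: '%s' is NOT the host" % parts.username)
        if "." in parts.username:
            warnings.append("userinfo looks like a domain name (lookalike trick)")
    if is_ip_literal(host):
        warnings.append("destination is a bare IP address: %s" % host)
    if host not in expected_hosts:
        warnings.append("destination '%s' is not an expected bank host" % host)
    return warnings


if __name__ == "__main__":
    print("real host:", real_host(SAMPLE_URL))
    for w in link_warnings(SAMPLE_URL):
        print("WARNING:", w)
```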
 
Tumbleweed

Jonathan said:
My bank (NatWest) and various other providers I have accounts with, are all
in a tizzy about "email scams" and how we should be aware of them etc.
NatWest have even suspended their online money transfer facility until
further notice because (presumably) the scams are working rather well and
there's a danger of fraudulent withdrawals.

But haven't the banks heard of server certificates and PKI? Why can't they
just give us a certificate to import into our browser that will authenticate
legitimate communications from them? Sure it won't stop complete idiots who
will click "proceed" even when they see a notice saying the site/cert is not
properly authenticated or whatever, but it sure would be a step in the right
direction.

On a similar note, a friend of mine got a call from his bank the other day
asking him to verify a couple of large purchases on his credit card. He
asked them how he knew it was his bank calling - and they didn't know what
to say. They were all ready with the "what's your mother's maiden name?"
stuff, but the call centre had no script for authenticating *themselves* to
the customer. In the end he had to call them, talk to a line manager, and
"share" the authentication questions (he told them his day of birth, they
told him his month, etc.)

No wonder these scams are working when there isn't even a basic attempt at
using any real authentication system!

Jonathan
You are dead right, indeed I think I read recently of a scam whereby someone
pretending to be the bank / cc company phones up, says that the card has
been cloned, gets some personal details, tells the person that they will
cancel it, and then of course goes ahead and starts using it fraudulently.
 
Jonathan

I'm glad you agree!

The issue of authentication and telling the real from the fake has
historically been a big problem (not just on the Internet) so most people
seem to accept it as being a fact of life - and in many spheres of life it
is I suppose. But we're so bloody accepting of the problem. I'm always
amazed at how often we see reports of Internet scams involving passing off,
fakery etc. but there never seems to be any discussion about how
comparatively easy it would be on the Internet to actually *prevent* the
problem in the first place.

I'm not saying that online fakery would disappear, but the use of digital
certificates in a simple PKI framework would make it far harder to forge an
email from a bank.

For another example, take paedophiles in kids chat rooms. MSN recently
closed all their chatrooms down because of issues to do with "grooming" and
the like (well, that was the reason anyway). But how difficult would it have
been to demand a digital certificate from people before they could
participate in online chats? Something along the lines of Thawte's "Web of
trust" system, for instance?

http://www.thawte.com/html/SUPPORT/wot/index.html

Of course, it would take a degree of education about how the system of trust
works (and proper support by software like Outlook etc.), but compared to
the alternatives - e.g. my bank balance suddenly ending up in China or my
daughter being abducted by a nutter, I think that's a very small price to pay.

Jonathan
 
david

Jonathan said:
My bank (NatWest) and various other providers I have accounts with, are all
in a tizzy about "email scams" and how we should be aware of them etc.
NatWest have even suspended their online money transfer facility until
further notice because (presumably) the scams are working rather well and
there's a danger of fraudulent withdrawals.
UK banks also seem to allow access to transfer money using only a user
name and password. This is unbelievable. People are using this in
public internet cafes often small businesses.
Have they never heard of keyloggers? I.e. record every key pressed.
Extremely low tech way to get something as simple as a user ID and
password.

I don't use them (UK banks - anyway they are more expensive) but
instead use current accounts I have in Holland. One bank gives me a
tiny machine which uses my card (must be present) and PIN code (I type
the code to the machine). When I log in the server supplies a code
which I put in the machine, the machine gives a code which I type into
IE and the transaction is authenticated.

Another dutch bank uses something similar but much more basic. They
supply me with a list of numbers. After logging in with user-password,
I can get info but if I want to transfer I need one of the numbers
from the sheet.

Both these are much more secure than the UK offerings because they
require multiple things all together before you can transfer.
Obviously if I lose any of these physical things, it's unlikely
whoever finds them will know the password and also I will hopefully
notice - report the loss. And all this stuff is not exactly
rocket-science.
David.

Software author. (please edit my email addr. to prove you're not a dumb 'bot)
Web Log Analyzer by Search Term http://www.1keytools.com/wlabstfeatures.htm
Kybie GetEmAll - Make IE an offline browser http://www.1keytools.com/offline_browser.htm
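A minimal working model of the card-reader exchange David describes, added here as an example and not taken from the thread or from any bank's real protocol: the server sends a code, the card in the reader answers with a code once the PIN is accepted, and the server checks the answer. The key derivation, code length, validity window and the names Card, BankServer and login_exchange are assumptions; the single-use and expiry checks go slightly beyond the post's description.

```python
# Added example (not the thread's or any bank's code): challenge-response
# login with a PIN-unlocked chip card, as described in the post above.
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 8       # assumed length of the code typed back into the browser
CHALLENGE_TTL = 120   # assumed validity window for a challenge, in seconds


def truncate_to_digits(mac: bytes, digits: int = CODE_DIGITS) -> str:
    """Turn a MAC into a fixed-length decimal code a person can type."""
    return str(int.from_bytes(mac[:8], "big") % 10**digits).zfill(digits)


class Card:
    """The chip card in the reader: holds the secret and checks the PIN offline.
    The reader itself stores no secret, so taking it apart reveals no key."""
    def __init__(self, key: bytes, pin: str):
        self._key, self._pin = key, pin

    def sign(self, pin: str, challenge: str) -> str:
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            raise ValueError("wrong PIN")
        mac = hmac.new(self._key, challenge.encode(), hashlib.sha256).digest()
        return truncate_to_digits(mac)


class BankServer:
    """Server side: issues single-use challenges and verifies the typed code."""
    def __init__(self, card_keys: dict):
        self.card_keys = card_keys   # card id -> key shared with that card at issue
        self.pending = {}            # challenge -> (card id, issue time)

    def issue_challenge(self, card_id: str) -> str:
        challenge = str(secrets.randbelow(10**CODE_DIGITS)).zfill(CODE_DIGITS)
        self.pending[challenge] = (card_id, time.time())
        return challenge

    def verify(self, card_id: str, challenge: str, response: str) -> bool:
        entry = self.pending.pop(challenge, None)   # single use: a replay fails
        if entry is None or entry[0] != card_id:
            return False
        if time.time() - entry[1] > CHALLENGE_TTL:
            return False
        mac = hmac.new(self.card_keys[card_id], challenge.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(truncate_to_digits(mac), response)


# Constructed sample enrolment: one card whose key the bank recorded at issue time.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
CARD = Card(CARD_KEY, "1234")
SERVER = BankServer({"card-001": CARD_KEY})


def login_exchange(pin: str) -> bool:
    """One round: server -> challenge, reader -> code, server verifies."""
    challenge = SERVER.issue_challenge("card-001")   # shown on the login page
    code = CARD.sign(pin, challenge)                 # user keys challenge into reader
    return SERVER.verify("card-001", challenge, code)  # user types code into browser
```

A phished username and password on their own give an attacker nothing here, since each login needs a fresh answer from the card; note that this says nothing about whether the page showing the challenge is the bank's, which is the separate point raised later in the thread.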
 
Jonathan

I bumped into this just now - pretty typical:

http://news.bbc.co.uk/1/hi/talking_point/2629697.stm

Not a single mention of digital certificates, authentication systems or
anything similar at all. Plenty of fear, confusion and doubt though.

Why?? It's not as if digital signatures and public key encryption are new
technologies - they're decades old fer gawd's sake!

Jonathan
 
Tumbleweed

david said:
UK banks also seem to allow access to transfer money using only a user
name and password. This is unbelievable. People are using this in
public internet cafes often small businesses.
Have they never heard of keyloggers. I.e. record every key pressed.
Extremely low tech way to get something as simple as a user ID and
password.

I don't use them (UK banks - anyway they are more expensive) but
instead use current accounts I have in Holland. One bank gives me a
tiny machine which uses my card (must be present) and PIN code (I type
the code to the machine). When I log in the server supplies a code
which I put in the machine, the machine gives a code which I type into
IE and the transaction is authenticated.
Aren't some of the credit card companies coming out with a similar gizmo?
Sure I read about that just this past week. Main trouble is critical mass of
users, and getting merchants to use it.
 
Andy

david said:
I don't use them (UK banks - anyway they are more expensive) but
instead use current accounts I have in Holland. One bank gives me a
tiny machine which uses my card (must be present) and PIN code (I type
the code to the machine). When I log in the server supplies a code
which I put in the machine, the machine gives a code which I type into
IE and the transaction is authenticated.
Fortis Bank in Belgium do the same, given that you can transfer money to
any account with this that is all well and good.

All this talk of UK banks surprises me though, I admit to only using the
Bank of Scotland but I have to set up a mandate (print it out, sign it and
post it back) before I can pay money out to any other account.

With Natwest and the like can you just transfer money out to anyone you
want ? Seems crazy to me.

Andy
 
Tumbleweed

Andy@nospam.co.uk said:
Fortis Bank in Belgium do the same, given that you can transfer money to
any account with this that is all well and good.

All this talk of UK banks surprises me though, I admit to only using the
Bank of Scotland but I have to set up a mandate (print it out, sign it and
post it back) before I can pay money out to any other account.

With Natwest and the like can you just transfer money out to anyone you
want ? Seems crazy to me.

Andy
Is that a one-time deal for each new person you'd pay?
 
Mike Barnes

Andy said:
All this talk of UK banks surprises me though, I admit to only using the
Bank of Scotland but I have to set up a mandate (print it out, sign it and
post it back) before I can pay money out to any other account.

With Natwest and the like can you just transfer money out to anyone you
want ? Seems crazy to me.
With both systems you can just transfer money out to anyone you want.
It's only the type of authentication that differs. It would be a lot
easier to copy my signature than to access my account online.
 
Jonathan

Efforts to make online accounts harder for unauthorised access obviously
have a down side of inconvenience, and in a crowded online banking
marketplace, having a flexible, easy-to-use system is a good selling point.

For my part, I am perfectly happy that NatWest allows me to transfer money
to anyone I want immediately. That's what I was looking for when I chose
their system in fact. I am also confident that I can keep my passwords safe.
I used to use a system of numbers with a bank as well, but they were
time-limited, and applying for a new set was a big hassle.

My point was a wider one though: why is it that the issue of proving online
identity isn't discussed more? More importantly, why aren't digital
certificates and public key infrastructures used more widely given the
concern about identity theft, passing off and other issues of fakery on the
net?

Jonathan
 
Ronald Raygun

Jonathan said:
For my part, I am perfectly happy that NatWest allows me to transfer money
to anyone I want immediately. That's what I was looking for when I chose
their system in fact.
I can transfer to anyone immediately too, from RBS. Authentication
involves logging in with an easy-to-remember 8-digit user id, together
with a random-order selection of 3 digits from a 4-digit PIN. That
lets you view the account, but to make external transfers you need
a 2nd step authorisation by giving 3 characters from a separate
password.

They are in the process of merging the passwords and so there will
be no need for 2nd level authorisation.
Jonathan said:
My point was a wider one though: why is it that the issue of proving
online identity isn't discussed more?
Good question. It seems PIN technology has been deemed good enough.
Jonathan said:
More importantly, why aren't digital
certificates and public key infrastructures used more widely given the
concern about identity theft, passing off and other issues of fakery on
the net?
I suspect the government(s) are unkeen on strong encryption technology
being widely used in civilian life. They don't want snooping on us
to become too difficult. We're all potential terrorists, drug dealers,
and child molesters, after all.
 
Andy

Tumbleweed said:
Is that a one-time deal for each new person you'd pay?
Yes, not very convenient but combined with the passwords pretty secure.

Andy
 
david

Jonathan said:
Efforts to make online accounts harder for unauthorised access obviously
have a down side of inconvenience, and in a crowded online banking
marketplace, having a flexible, easy-to-use system is a good selling point.

For my part, I am perfectly happy that NatWest allows me to transfer money
to anyone I want immediately. That's what I was looking for when I chose
their system in fact. I am also confident that I can keep my passwords safe.
I used to use a system of numbers with a bank as well, but they were
time-limited, and applying for a new set was a big hassle.
You are safer when you always use the system from home or on your own
PC. Still not safe though.

If someone
1. hacks into your ISP (difficult and illegal)
2. and diverts requests for URL for NatWest's login page to their
server (very easy)
3. copies natwest login page but modifies copy so it saves your
user-password (easy)
4. after you hit login it sends you to usual natwest login URL (easy)

Then that someone
- will have your user-password
- probably will have prevented you noticing
- will have committed a serious offence but since when did that stop
crims stealing money
- can steal all the money in your account and as much as you're
allowed to go overdrawn
- will cause you major hassle even if the bank covers the cost (which
mostly they don't have to according to their TOS)
- will cost you if the bank doesn't want to cover the cost. If someone
doing this ripped off a few hundred thousand accounts overnight having
spent months collecting user-passwords, would the bank cover the
potentially huge loss purely for goodwill or dump its online banking
and require customers to take the hit? Your guess is as good as mine.

It's a disaster waiting to happen and I hope some banks are reading
this and taking note (AND ACTION). They can do much stronger things to
protect their customers.

The methods I described don't involve major hassle for me. I can and
do transfer immediately. I just have to have my little pin machine
with me and type a few numbers.
I would be prepared to do this from an email cafe if I had to. It's
still safer from my own notebook.
David.

Software author. (please edit my email addr. to prove you're not a dumb 'bot)
Web Log Analyzer by Search Term http://www.1keytools.com/wlabstfeatures.htm
Kybie GetEmAll - Make IE an offline browser http://www.1keytools.com/offline_browser.htm
 
Jonathan Bryce

david said:
I don't use them (UK banks - anyway they are more expensive) but
instead use current accounts I have in Holland. One bank gives me a
tiny machine which uses my card (must be present) and PIN code (I type
the code to the machine). When I log in the server supplies a code
which I put in the machine, the machine gives a code which I type into
IE and the transaction is authenticated.
That's not as secure as it might sound. It is probably pretty easy to
reverse-engineer the machine, especially as you have physical access to it.
Once that is done, it would appear that this system offers no security
whatsoever.
 
john boyle

david said:
UK banks also seem to allow access to transfer money using only a user
name and password. This is unbelievable. People are using this in
public internet cafes often small businesses.
Have they never heard of keyloggers. I.e. record every key pressed.
Extremely low tech way to get something as simple as a user ID and
password.
Perhaps that's why all three of my online banks ask different questions
each time you log on, asking for, say, the third and fifth digit of the
password and the first and second of the PIN one time and different
digits for each of them the next. One has just introduced a second level
password (using digit selection) for certain transactions. So a 'key
logger' would get nowhere.
david said:
I don't use them
Ahhh! That'll be why you don't know how they work then!
 
john boyle

Andy said:
Yes, not very convenient but combined with the passwords pretty secure.
The Dutch guy doesn't know how they work in UK, it's better than he makes
out.
 
john boyle

david said:
3. copies natwest login page but modifies copy so it saves your
user-password (easy)
4. after you hit login it sends you to usual natwest login URL (easy)

Then that someone
- will have your user-password

The methods I described don't involve major hassle for me. I can and
do transfer immediately. I just have to have my little pin machine
with me and type a few numbers.
I would be prepared to do this from an email cafe if I had to. It's
still safer from my own notebook.
David.

As already said, this is the reason they don't ask for your full
password.
 
john boyle

Jonathan said:
That's not as secure as it might sound. It is probably pretty easy to
reverse-engineer the machine, especially as you have physical access to it.
Once that is done, it would appear that this system offers no security
whatsoever.
If we could find a German U Boat and nick their decoding machine and
book we'd have cracked it !!!!!!!!!!!!!!!!!!!!!!
 
Jonathan

david said:
The methods I described don't involve major hassle for me. I can and
do transfer immediately. I just have to have my little pin machine
with me and type a few numbers.
I'm not saying you've missed the point, because the "strength of the lock"
is related to this discussion - but only marginally.

My original point, which most respondents on this thread don't seem to be
addressing at all, is that it's not about how difficult it is to access the
account online, it's about how users know they are accessing the right site
in the first place!

Does your pin machine validate the site's certificate for instance, so that
even if you weren't logged in to the account, you would be protected from a
confidence trick asking you to send in your pin machine and card to an
address for "re-registration" or something?

That's what I'm getting at, not boring old discussions about the strength of
locks on doors.

Jonathan
 
Jonathan

Ronald Raygun said:
I suspect the government(s) are unkeen on strong encryption technology
being widely used in civilian life. They don't want snooping on us
to become too difficult. We're all potential terrorists, drug dealers,
and child molesters, after all.
But encryption isn't the same as authentication. You can sign a document (or
other thing) digitally, you don't have to encrypt it.

Given the current gung-ho about ID cards, I would have thought the government
would be talking up personal certificates like crazy. They accept them on
the "government gateway" site as part of their single sign-in system, but
they don't do much more than that.

Jonathan
 
