How Couriers Help Scammers

Bruce Schneier talks about how to get around blocks on U.S. e-retailers refusing to ship to Russia: put the correct address but the wrong country (in this case Canada).

Indonesian credit card fraudsters have long been doing this, usually putting the country as Singapore. I suspect they still do it.

Of course it’s a reflection of both the professionalism and the lack of thought of couriers. On the one hand they try to serve the customer; on the other hand they fail to recognise the scam that they’re unwittingly aiding. I was always amazed at how little they seem to consider their customer’s interests in this.

clipped from www.schneier.com

What happens next? The parcel travels to Canada, to the area to which the specified ZIP code belongs and there postal workers just see it’s not a Canadian address but Russian. They consider it to be some sort of mistake and forward it further, to Russia.

The Autorespond Trap

I’ve written before about the general dodginess of “away notification emails” automatically set up to respond to incoming emails. Such messages usually go along the lines of:

I will be out of the office from 12/08/2006 to 13/08/2006 hunting gazelle in the Liposuction Basin.

For urgent matters, pl contact Ms Elbowgrinder/ Mr Headstrong at Tel 689023 during office hours.

Why are these a bad idea? Well, you’re basically

  • broadcasting to anyone who sends you an email that you’re on vacation, and therefore leaving a presumably empty house
  • giving details of when you won’t be around
  • giving large amounts of useful information to identity thieves or social engineers wanting to steal your password
  • clogging up people’s inboxes with more information than they are likely to need (if they don’t know you’re on holiday you’re probably not that close).

Anyway, I couldn’t help but be amused by a recent announcement on a security mailing list (which shall remain nameless; I don’t want to compromise security further) which prompted more than 30 autorespond messages informing senders that the recipients were on holiday/maternity leave/trips/the moon. Leaving aside the security lapse that allowed such messages to go to all recipients of the mailing list, I was surprised that these people, all of them apparently in the security field and in government, were broadcasting their movements and absence from the office. Who’s to stop someone from using this information to call up their secretary/stand-in and socially engineering their way into some lucrative information? My advice: Don’t use these autoresponds unless you don’t mind telling all and sundry about your movements.

Oh, the original mailing list email that prompted this deluge of autoresponds was one announcing details of an upcoming information security & hacking conference. No, I’m not going to say which.
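One way to stop the reply flood described above, as an added example that is not part of the original post: the header checks from RFC 3834 that a vacation responder and a list server can each apply. The function names, addresses and sample messages are constructed for illustration.

```python
from email import message_from_string

LIST_HEADERS = ("List-Id", "List-Post", "List-Unsubscribe")  # RFC 2919 / RFC 2369
BULK_PRECEDENCE = ("bulk", "list", "junk")  # non-standard but widely used

def is_auto_submitted(msg):
    """True when the message labels itself machine-generated (RFC 3834)."""
    value = (msg.get("Auto-Submitted") or "no").split(";")[0].strip().lower()
    return value != "no"

def responder_should_reply(msg):
    """Vacation-responder side: answer only personal, human-sent mail."""
    if is_auto_submitted(msg):
        return False  # never answer another robot
    if any(name in msg for name in LIST_HEADERS):
        return False  # list traffic: a reply could reach every subscriber
    if (msg.get("Precedence") or "").strip().lower() in BULK_PRECEDENCE:
        return False
    if (msg.get("Return-Path") or "").strip() == "<>":
        return False  # bounce with a null sender
    return True

def list_should_distribute(msg):
    """List-server side: hold auto-replies for a moderator, do not fan out."""
    return not is_auto_submitted(msg)

# Constructed sample messages (addresses and text are invented).
ANNOUNCEMENT = message_from_string(
    "From: organisers@example.org\n"
    "To: seclist@lists.example.org\n"
    "List-Id: <seclist.lists.example.org>\n"
    "Precedence: list\n"
    "Subject: Conference announcement\n\nDetails follow.\n")
AUTOREPLY = message_from_string(
    "From: subscriber@example.gov\n"
    "To: seclist@lists.example.org\n"
    "Auto-Submitted: auto-replied\n"
    "Subject: Out of office\n\nI will be away until next week.\n")
DIRECT = message_from_string(
    "From: colleague@example.org\n"
    "To: subscriber@example.gov\n"
    "Subject: Lunch?\n\nFree on Thursday?\n")

if __name__ == "__main__":
    for label, m in (("announcement", ANNOUNCEMENT), ("autoreply", AUTOREPLY),
                     ("direct", DIRECT)):
        print(label, responder_should_reply(m), list_should_distribute(m))
```

The list-side check only catches responders that set Auto-Submitted; replies from software that omits the header still need moderation or posting restrictions on the list.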