funsec mailing list archives

RE: bankone/chase non-scam


From: Drsolly <drsollyp () drsolly com>
Date: Wed, 29 Nov 2006 18:14:49 +0000 (GMT)

On Wed, 29 Nov 2006, Larry Seltzer wrote:

We (PCMag) tell them if they get an e-mail from a vendor or a bank or
whatever and they're curious about it to go to the site through their

Not good enough. You're putting the burden on the user - you're 
expecting her to be curious about it, and why should she? 

They're really separate issues, aren't they? The question is what does
the user do if a suspicious e-mail makes it through to their inbox. They
have to make a decision.

There's this question - how does a user decide whether an email is 
suspicious?
 
normal bookmark or by typing in the URL and to check their account on
the site that way.

That's good advice. Do you also tell them, if that doesn't reveal a 
problem, that they shouldn't then click on the link in the email? Or 
do you regard that as too obvious to mention?

We say never click on links in e-mails from merchants/banks, etc.
Instead go to the web site through your bookmarks, etc.

That's good
  
You might be able to ascertain that with 99% certainty, but Aunty Gi 
can't. She should tell her bank that all communications with her
should be on paper.

The problem is, the banks aren't sophisticated enough to use computers to
communicate with their customers.

Aunty Gi may end up not being able to access her accounts online for a
few days because of such a policy.

I would tell Aunty Gi, not to access her accounts online.
 
There are things banks can do to authenticate themselves in e-mail. A
message I got from Bank of America last night, notifying me of a direct
deposit into an account, was individually addressed to me by name and
e-mail address, identified the account by the last four digits of the
account number, and all of the information in it could be confirmed by
logging into the account through other means. There were no links in the
message except to standard landing pages like www.bankofamerica.com.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.eweek.com/blogs/larry%5Fseltzer/
Contributing Editor, PC Magazine
larryseltzer () ziffdavis com 


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

