funsec mailing list archives
Re: Is it phish, or is it Amex?
From: "Aryeh Goretsky (home)" <goretsky () gmail com>
Date: Wed, 04 Nov 2009 23:49:32 -0800
Hello,

Best of luck reporting the issue.

http://catless.ncl.ac.uk/Risks/22.85.html#subj13

Regards,

Aryeh Goretsky

At 09:37 AM 11/4/2009, you wrote:
Content-Transfer-Encoding: 7BIT
From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade () shaw ca>
Precedence: list
MIME-Version: 1.0
Cc: customerservicecanada () service americanexpress com,
infosecbc () yahoogroups com, AmericanExpress () welcome aexp com
To: funsec () linuxbox org
Date: Wed, 4 Nov 2009 09:32:12 -0800
Reply-To: rmslade () shaw ca
Message-ID: <4AF14A1C.5495.525B7F@localhost>
Content-Type: text/plain; charset=US-ASCII
Subject: [funsec] Is it phish, or is it Amex?
Message: 10
I am a bit freaked.

Last month I received an email message from American Express. I very nearly deleted it unread: it was obviously phish, right? (I was teaching in Toronto that week, so I had even more reason to turf it unread rather than look at it.) However, since I do have an Amex card, I decided to at least have a look at it, and possibly try and find some way to send it to them. So I looked at it.

And promptly freaked out.

The phishers had my card number. (Or, at least, the last five digits of it.) They knew the due date of my statement. They knew the balance amount of my last statement.

(The fact that this was all happening while I was away from home wasn't making me feel any more comfortable with it ...)

So I had a look at the headers. And couldn't find a single thing indicating that this wasn't from American Express.

(I had paid my bill before I left. Or, at least, I *thought* I had. So I checked my bank. Sure enough, that balance had been paid a couple of days before. However, I guess banks never actually transfer money on the weekend or something ...)

A couple of days later I got another message: Amex was telling me that my payment had been received. That's nice of them. They were once again sending, in an unencrypted email message, the last five digits of my card number, and the last balance paid on my account.

Well, I figured that it might have been an experiment, and that they'd probably realize the error of their ways, and I didn't necessarily need to point this out. Apparently I was wrong on all counts, since I got another reminder message today.

Have we got any Amex contacts in here?

Are these people completely unaware of the existence and risk of phishing? Are they so totally ignorant of online security that they are encouraging their customers to be looking for legitimate email from a financial institution, thus increasing the risk of deception and fraud?

Going to their Website, I notice that there is now an "Account Alerts" function. It may have been there for a while: I don't know, since I've never used it. Since I've never used it, I assume it was populated by default when they created it. It seems to, by default, send you a payment due notice a week before the deadline, a payment received notice when payment is received, and a notice when you approach your credit limit. (Fortunately, someone had the good sense not to automatically populate the option that sends you your statement balance every week.) These options may be useful to some people. But they should be options: they shouldn't be sending a bunch of information about everybody's account, in the clear, by default.

(There are, of course, "Terms and Conditions" applicable to this service, which basically say, as usual, that Amex isn't responsible for much of anything, have warned you, and that you take all the risks arising from this function. I find this heavily ironic, since I knew nothing of the service, don't want it, and got it automatically. I never even knew the "Terms and Conditions" existed, but in order to turn the service off I'll have to read them.)

(In trying to send a copy of this to Amex, I note that their Website only lists phone and snailmail as contact options; you aren't supposed to be able to send them email.)
====================== (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca slade () victoria tc ca rslade () computercrime org
Patriotism, is when love of your own people comes first;
nationalism, when hate for people other than your own comes first
- Charles de Gaulle
victoria.tc.ca/techrev/rms.htm blog.isc2.org/isc2_blog/slade/index.html
http://blogs.securiteam.com/index.php/archives/author/p1/
http://twitter.com/NoticeBored http://twitter.com/rslade
_______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.