funsec mailing list archives
Re: Is it phish, or is it Amex?
From: "Aryeh Goretsky (home)" <goretsky () gmail com>
Date: Wed, 04 Nov 2009 23:49:32 -0800
Hello,

Best of luck reporting the issue.

http://catless.ncl.ac.uk/Risks/22.85.html#subj13

Regards,

Aryeh Goretsky

At 09:37 AM 11/4/2009, you wrote:
Content-Transfer-Encoding: 7BIT
From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade () shaw ca>
Precedence: list
MIME-Version: 1.0
Cc: customerservicecanada () service americanexpress com, infosecbc () yahoogroups com, AmericanExpress () welcome aexp com
To: funsec () linuxbox org
Date: Wed, 4 Nov 2009 09:32:12 -0800
Reply-To: rmslade () shaw ca
Message-ID: <4AF14A1C.5495.525B7F@localhost>
Content-Type: text/plain; charset=US-ASCII
Subject: [funsec] Is it phish, or is it Amex?
Message: 10

I am a bit freaked.

Last month I received an email message from American Express. I very nearly deleted it unread: it was obviously phish, right? (I was teaching in Toronto that week, so I had even more reason to turf it unread rather than look at it.)

However, since I do have an Amex card, I decided to at least have a look at it, and possibly try and find some way to send it to them.

So I looked at it. And promptly freaked out.

The phishers had my card number. (Or, at least, the last five digits of it.) They knew the due date of my statement. They knew the balance amount of my last statement. (The fact that this was all happening while I was away from home wasn't making me feel any more comfortable with it ...)

So I had a look at the headers. And couldn't find a single thing indicating that this wasn't from American Express.

(I had paid my bill before I left. Or, at least, I *thought* I had. So I checked my bank. Sure enough, that balance had been paid a couple of days before. However, I guess banks never actually transfer money on the weekend or something ...)

A couple of days later I got another message: Amex was telling me that my payment has been received. That's nice of them. They were once again sending, in an unencrypted email message, the last five digits of my card number, and the last balance paid on my account.
Well, I figured that it might have been an experiment, and that they'd probably realize the error of their ways, and I didn't necessarily need to point this out.

Apparently I was wrong on all counts, since I got another reminder message today.

Have we got any Amex contacts in here? Are these people completely unaware of the existence and risk of phishing? Are they so totally ignorant of online security that they are encouraging their customers to be looking for legitimate email from a financial institution, thus increasing the risk of deception and fraud?

Going to their Website, I notice that there is now an "Account Alerts" function. It may have been there for a while: I don't know, since I've never used it. Since I've never used it, I assume it was populated by default when they created it. It seems to, by default, send you a payment due notice a week before the deadline, a payment received notice when payment is received, and a notice when you approach your credit limit. (Fortunately, someone had the good sense not to automatically populate the option that sends you your statement balance every week.)

These options may be useful to some people. But they should be options: they shouldn't be sending a bunch of information about everybody's account, in the clear, by default.

(There are, of course, "Terms and Conditions" applicable to this service, which basically say, as usual, that Amex isn't responsible for much of anything, have warned you, and that you take all the risks arising from this function. I find this heavily ironic, since I knew nothing of the service, don't want it, and got it automatically. I never even knew the "Terms and Conditions" existed, but in order to turn the service off I'll have to read them.)

(In trying to send a copy of this to Amex, I note that their Website only lists phone and snailmail as contact options; you aren't supposed to be able to send them email.)
======================  (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca     slade () victoria tc ca     rslade () computercrime org
Patriotism, is when love of your own people comes first; nationalism,
when hate for people other than your own comes first  - Charles de Gaulle
victoria.tc.ca/techrev/rms.htm
blog.isc2.org/isc2_blog/slade/index.html
http://blogs.securiteam.com/index.php/archives/author/p1/
http://twitter.com/NoticeBored
http://twitter.com/rslade
_______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
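The quoted post says the headers showed nothing to suggest the mail was not from American Express. The check a receiving side can actually make is DMARC-style alignment: does the domain the mail passed SPF or DKIM for belong to the same organization as the visible From: domain? The script below is an added example for this archive page, not code from the thread or from American Express. The three messages are constructed for illustration (invented header values; "mx.example.net" is the assumed receiving MTA), and org_domain() is a deliberate simplification of the Public Suffix List lookup real DMARC uses.

```python
"""DMARC-style alignment check between the From: domain and the domains
that passed SPF/DKIM, read from an Authentication-Results header.

Added example; not part of the funsec thread. All sample messages and
header values below are constructed, not taken from the original post."""
import re
from email import message_from_string
from email.utils import parseaddr

# Our own MTA's authserv-id. Only Authentication-Results headers stamped with
# this identifier are trusted; a sender can put a fake one in the message.
OUR_AUTHSERV = "mx.example.net"   # assumption

# Constructed: SPF and DKIM both pass for welcome.aexp.com, which shares an
# organizational domain (aexp.com) with the visible From: address.
LEGIT_MSG = """Return-Path: <bounces@welcome.aexp.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=welcome.aexp.com; dkim=pass header.d=welcome.aexp.com
From: American Express <AmericanExpress@welcome.aexp.com>
To: customer@example.net
Subject: Payment reminder

Your payment is due in seven days.
"""

# Constructed: SPF passes, but for the phisher's own bounce domain; nothing
# vouches for the welcome.aexp.com address shown to the user.
PHISH_MSG = """Return-Path: <bounces@amex-alerts-secure.example>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=amex-alerts-secure.example; dkim=none
From: American Express <AmericanExpress@welcome.aexp.com>
To: customer@example.net
Subject: Payment reminder

Your payment is due in seven days. Click here to pay.
"""

# Constructed: the sender injected a forged Authentication-Results header
# carrying a foreign authserv-id; it must be ignored.
INJECTED_AR_MSG = """Return-Path: <bounces@amex-alerts-secure.example>
Authentication-Results: evil.example; spf=pass smtp.mailfrom=welcome.aexp.com; dkim=pass header.d=welcome.aexp.com
From: American Express <AmericanExpress@welcome.aexp.com>
To: customer@example.net
Subject: Payment reminder

Your payment is due in seven days. Click here to pay.
"""

# method=result, optionally followed (before the next ';') by the domain
# property DMARC aligns on: smtp.mailfrom for SPF, header.d for DKIM.
AR_RE = re.compile(
    r"\b(spf|dkim)=(\w+)(?:[^;]*?\b(?:smtp\.mailfrom|header\.d)=([^\s;]+))?"
)


def org_domain(name):
    """Simplified organizational domain: the last two labels
    (welcome.aexp.com -> aexp.com). Real DMARC consults the Public
    Suffix List; this shortcut is an assumption for the example."""
    labels = name.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def parse_auth_results(header, expected_authserv=OUR_AUTHSERV):
    """Return {'spf': (result, domain), 'dkim': (result, domain)} from an
    Authentication-Results header, or {} if it was not stamped by our MTA."""
    authserv, _, body = header.partition(";")
    parts = authserv.split()
    if not parts or parts[0].lower() != expected_authserv.lower():
        return {}
    results = {}
    for method, result, domain in AR_RE.findall(body):
        if "@" in domain:                      # smtp.mailfrom may be a full address
            domain = domain.rsplit("@", 1)[1]
        results[method] = (result.lower(), domain.lower() or None)
    return results


def check_alignment(raw, expected_authserv=OUR_AUTHSERV):
    """Decide whether the visible From: domain is backed by an aligned
    SPF or DKIM pass. Returns a dict so callers can see which leg held."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_org = org_domain(from_addr.rsplit("@", 1)[-1])
    results = parse_auth_results(msg.get("Authentication-Results", ""),
                                 expected_authserv)

    def aligned(method):
        result, domain = results.get(method, ("none", None))
        return result == "pass" and domain is not None \
            and org_domain(domain) == from_org

    spf_ok, dkim_ok = aligned("spf"), aligned("dkim")
    return {"from_org": from_org, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "aligned": spf_ok or dkim_ok}


if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_MSG), ("phish", PHISH_MSG),
                       ("injected", INJECTED_AR_MSG)):
        print(label, check_alignment(raw))
```

The point of the third message is the caveat: an Authentication-Results header proves nothing by itself, because anyone can type one into a message. It is only meaningful when your own MTA added it (and, in production, stripped any pre-existing copies carrying its authserv-id before stamping). Note also that an aligned pass says the mail came from the domain it claims; it says nothing about whether that domain should be emailing account balances in the clear, which is the other half of the thread's complaint.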
Current thread:
- Is it phish, or is it Amex? Rob, grandpa of Ryan, Trevor, Devon & Hannah (Nov 04)
- Re: Is it phish, or is it Amex? Rich Kulawiec (Nov 04)
- Re: Is it phish, or is it Amex? Rob, grandpa of Ryan, Trevor, Devon & Hannah (Nov 04)
- Re: Is it phish, or is it Amex? Rich Kulawiec (Nov 05)
- Re: Is it phish, or is it Amex? Rob, grandpa of Ryan, Trevor, Devon & Hannah (Nov 04)
- <Possible follow-ups>
- Re: Is it phish, or is it Amex? Aryeh Goretsky (home) (Nov 05)
- Re: Is it phish, or is it Amex? Rich Kulawiec (Nov 04)