Comments on: Banks don’t help fight phishing

By: hater

hater — Sat, 08 Dec 2007 19:24:35 +0000

All marketing people should be summarily executed. They are a waste of oxygen on the planet and contribute to global warming every time they open their mouths to speak. They contribute to the downfall of civilization through subterfuge, obfuscation and deceit. They dilute the human spirit by pouring trite, token-filled lies en masse into the ether. They are the molesters of childhood’s mind. The only lower form of life than marketing people are bankers and and the rats (lawyers) that support their rapacious ways. Dump them into the Horse Latitudes.

By: Francis

Francis — Sun, 09 Apr 2006 09:40:17 +0000

About a week ago (mar 30) I noted on my work blog another way that insecure banking sites help phishers.

It seems that JP Morgan Chase makes absolutely no check for the referer field when serving up images via HTTPS. As a result a phishing sites can quite simply paste genuine JPM pages with genuine images and scripts on their own pages

By: Light Blue Touchpaper » Fraud or Feature?

Light Blue Touchpaper » Fraud or Feature? — Thu, 30 Mar 2006 13:02:15 +0000

[...] A second example is how the waters in which internet phishermen angle for account details regularly become muddied by the marketing departments of enterprising banks. Every once in a while, these chaps manage to send out genuine emails entreating the user to click on the link in the email, or to navigate to a site not clearly part of the bank’s site, then provide their personal details. [...]

By: Nick Towner

Nick Towner — Mon, 13 Mar 2006 13:43:45 +0000

Wildcards in certificates will probably soon become popular (if the price is right, of course). It will be interesting to see if this helps or makes the problem worse.

RFC2595 (IMAP/POP3/ACAP over TLS, proposed standard) allows only names beginning with “*.” while RFC2818 (HTTP over TLS, informational) allows more. This discrepancy and implementation differences will give their own problems.

How long before someone manages to forge a certificate for http://www.*.com ?

By: Richard Clayton

Richard Clayton — Sat, 11 Mar 2006 23:40:24 +0000

Regrettably, this isn’t at all new.

As Kuchinskas pointed out back in 2003, it is not uncommon for organisations to use “cutesy” domain names for marketing reasons. The example she cites is particularly interesting. She found that online marketing for Citibank’s credit cards directed you to citicards.com. This, she says, displays a page from the http://www.citibank.com website.

However, it is STILL (in 2006), even more complex than she portrays. citicards still sends you to citibank. But, because Citibank is regularly subjected to phishing attacks if you go to the main page for Citibank and follow the link to “contact us” then click on the link about “suspicious emails” you get a pop-up page from http://www.citi.com that recommends sending email to emailspoof@citigroup.com!

In fact CitiBank provide a list of the 18 domain names they are currently operating for banking services… it doesn’t include citigroup.com because of course that’s just corporate.

Anyway, I’m sure providing the list will fix their problem

By: Markus Kuhn

Markus Kuhn — Fri, 10 Mar 2006 23:12:26 +0000

Surely all due to some marketing-obsessed boss deciding in the last minute that the new web page absolutely must have a level-two DNS entry of its own, rather than using the existing, well-established, well-known namespace of the organization …