08 Mar 2007
License to Phish
Phishing (where fraudsters create imitation emails and sites to extract personal details from users) and identity theft are pretty serious problems online, and the clueless behaviour of many companies isn’t helping.
For example, TalkTalk lets you register online to manage your account via their site. Instead of simply emailing you to let you know when a new account statement is available, they send out the whole thing as an attached HTML file, complete with your name, address, phone number and account number. OK, that’s not much more than what Amazon includes in a dispatch notification, but what makes it amusing/disturbing is the first line of the email:
Your latest bill is now available to view online. Don’t worry it’s from TalkTalk.
No, I didn’t make that up. Also, the return address is @f-eds.com rather than @talktalk.co.uk, and the address mentioned in the email for enquiries uses @cpw.co.uk, so they’re introducing two extra domains the user may not be familiar with.
But phone billing is relatively low-risk, so consider a banking example.
Alliance & Leicester uses www.alliance-leicester.co.uk. The emails they send out about credit cards are from @mbna.co.uk and direct the user to www.aandl.com, which redirects to wwwa.applyonlinenow.com, leading through to www.bankcardservices.co.uk for existing customers. So simply by dealing with your credit card you’ve encountered four additional domains that you have to trust are legitimate.
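The TalkTalk and Alliance & Leicester cases above boil down to one measurable thing: how many registrable domains a customer meets between the sender address and the final landing page, and how many of those are outside the short list the company actually tells customers to trust. The following is an added example (not code from the original post or from either company) of an offline audit that follows a redirect chain and reports every domain outside an allowlist; the redirect table, the URL paths and the sender mailboxes are constructed stand-ins, and the suffix handling is a deliberate approximation of the Public Suffix List.

```python
from urllib.parse import urlsplit

# Domains the brand would reasonably tell customers to trust (assumed allowlist).
TRUSTED = {"alliance-leicester.co.uk"}

# Constructed, offline stand-in for the redirect chain described in the post:
# each entry maps a URL to the Location header it answers with. Paths are made up.
REDIRECTS = {
    "http://www.aandl.com/": "https://wwwa.applyonlinenow.com/start",
    "https://wwwa.applyonlinenow.com/start": "https://www.bankcardservices.co.uk/login",
}

# Public suffixes that take two labels, so the owner domain needs three.
# A production audit should use the full Public Suffix List instead.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk"}

def registrable_domain(host):
    """Approximate the owner (registrable) domain of a hostname."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])

def follow_chain(url, redirects, limit=10):
    """Return every URL visited from url, bounded to avoid redirect loops."""
    chain = [url]
    while url in redirects and len(chain) <= limit:
        url = redirects[url]
        chain.append(url)
    return chain

def audit(sender, link, redirects, trusted):
    """List the registrable domains a user meets (sender plus every hop of the
    link) that are not on the trusted allowlist, sorted for stable reporting."""
    seen = {registrable_domain(sender.split("@", 1)[1])}
    for hop in follow_chain(link, redirects):
        seen.add(registrable_domain(urlsplit(hop).hostname))
    return sorted(seen - trusted)

if __name__ == "__main__":
    print(audit("cards@mbna.co.uk", "http://www.aandl.com/", REDIRECTS, TRUSTED))
```

Run against the constructed chain it reports the same four unfamiliar domains the post counts; a zero-length result is the target a company should be aiming for.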
That kind of behaviour is crazy, and makes it impossible to educate users to trust only a small number of specific domains. Companies that aren’t keeping things simple, consistent and transparent have to take some of the blame for social engineering fraud.