Tuesday, December 07, 2004

President's Choice Financial Sets Its Customers Up for Identity Theft and Fraud

I've gotten my fair share of phishing attacks for American banks that I'm not a customer of. They are easy to spot, as I'm not a customer of these banks. I just delete them, no big deal. This email did catch my attention:

Dear David King,

This email is to inform you that you have not logged into your President's Choice Financial MasterCard online account for 32 days. In order to ensure your online account status remains in an active state, please click here www.pcfinancial.ca or www.pcfinance.ca (for Quebec residents) and log into your account.

Customer Service
President's Choice Financial

It follows the classic Phishing Attack Formula:

Dear Customer,

Due to [random technical reason], we ask that you sign into your account; please click [url].

The only variant is that I do have a MasterCard with President's Choice Financial, so I called their 1-800 number from the back of my card. Turns out they do indeed send out these messages. This is just plain dangerous. They are setting up their customers to fall for Phishing Attacks.

Banks will tell you that they will never, under any circumstances, ask for your bank card PIN. Anyone claiming to be from the bank and asking for your PIN is a fraud. It's a simple, easy-to-understand rule.

The same logic should apply to emails asking you to log into your account. By sending out legitimate emails asking people to log into their account to keep it active, President's Choice Financial is making fraud much easier: a customer who has been trained to follow such links has no way to tell the bank's own email from a phishing one. Ironically, President's Choice attempts to warn its customers about the dangers of identity theft.

I've tried to report the issue to President's Choice with little success. The customer service people get very confused; one told me I needed to send a screenshot of the security issue.

Security needs to be more than 128-bit encryption and browser settings; it needs to be a culture.

- Peace


Richard said...

128-bit encryption with browser settings works fine if you convince the banks or whoever to use https to authenticate the client and not just the server. I feel like screaming in anguish every time I need to supply username and password over https.

I keep thinking: they should let me send them my public key once, they should then add that key to my customer info. That way the bank can be sure I'm me in addition to me being sure they are them. As a result, I never ever send out login credentials anywhere, my browser merely "answers challenges" and so if I fall for a scam, they do not get my login credentials.


Sigh. One of the most practical, useful, and peaceful applications for abstract mathematics reduced to a shadow of its true potential by big and stupid companies. I remember when people asked: "So what's abstract mathematics good for?" and I would cheerfully talk about asymmetric public key encryption. Now I guess the answer is "to give stupid corporations a precious gift that they will waste."

I suppose I should not get too upset because Jesus warns us not to cast our pearls before swine. And upon reflection, Our Lord gave us the precious gift of his very life knowing that people such as myself could waste it.
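Richard's challenge-response idea, worked through as an added example (not code from the original post, nor anything President's Choice Financial runs): the bank stores a customer's public key once at enrollment, and each login is answered by signing a fresh nonce bound to the host name the browser is on, so no credential is ever sent and a signature obtained by a look-alike site fails at the real bank. The host names, customer id and Ed25519 keys are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Bank holds each customer's enrolled public key and the challenges it has issued but not yet consumed.
type Bank struct {
	host    string
	keys    map[string]ed25519.PublicKey
	pending map[string]bool
}

// Enroll stores the key the customer sent once at sign-up; the private half never leaves the client.
func (b *Bank) Enroll(customer string, pub ed25519.PublicKey) { b.keys[customer] = pub }

// Challenge issues a fresh random nonce for one login attempt and remembers it as outstanding.
func (b *Bank) Challenge() []byte {
	nonce := make([]byte, 32)
	rand.Read(nonce) // crypto/rand aborts rather than returning a short read (guaranteed since Go 1.24)
	b.pending[string(nonce)] = true
	return nonce
}

// signedMessage binds the nonce to the host name, so a signature coaxed out by a look-alike site fails at the real bank.
func signedMessage(host string, nonce []byte) []byte { return append([]byte(host+"\x00"), nonce...) }

// Respond is the client side: the browser answers the challenge for the host it is on, sending no secret.
func Respond(priv ed25519.PrivateKey, host string, nonce []byte) []byte { return ed25519.Sign(priv, signedMessage(host, nonce)) }

// Verify accepts a response only for an outstanding nonce and only under the bank's own host name.
func (b *Bank) Verify(customer string, nonce, sig []byte) bool {
	pub, ok := b.keys[customer]
	if !ok || !b.pending[string(nonce)] {
		return false
	}
	delete(b.pending, string(nonce)) // one-time use: a captured response cannot be replayed
	return ed25519.Verify(pub, signedMessage(b.host, nonce), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	bank := &Bank{host: "www.pcfinancial.ca", keys: map[string]ed25519.PublicKey{}, pending: map[string]bool{}}
	bank.Enroll("david", pub)
	nonce := bank.Challenge()
	fmt.Println(bank.Verify("david", nonce, Respond(priv, "www.pcfinancial.ca", nonce))) // true
}
```

Because the browser signs for the host it actually sees, a look-alike site that relays the bank's challenge receives a signature over its own name, which the bank rejects; the bank also consumes each nonce, so a captured response cannot be replayed.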

Dave King said...

I was thinking about the people getting ripped off after falling for a phishing attack, having been trained to respond by the bank. But clearly we should stop and think about those poor mathematicians.

Is this why they seek math that can't be applied, because mortals just mess it up?

- Peace