2010-08-12

Bank security case study: Why is financial fraud so easy in America?

Because legitimate telephone transactions with a bank can be 100% indistinguishable from fraudulent transactions with scammers.

Here is a common scenario:

You recently traveled or made a large purchase, and your credit card company leaves a message like this on your home answering machine: "Hello Mister Entriken, recent purchases on your credit card account ending in 2203 appear to be unusual and we would like to confirm that they are legitimate. Please reach us at 520-838-4877." Then you, being the savvy Privacy Log reader that you are, use Google to see whether 520-838-4877 is a legitimate phone number for your bank. Here are the results:

  1. 520-838 / (520) 838
     ... 520-838-2425; 520-838-5680; 520-838-8012; 520-838-6519; 520-838-0005; 520-838-5912; 520-838-0761; 520-838-1355; 520-838-5297; 520-838-4877 520-838-1905 ...
     mrnumber.com/1-520-838?page=5

  2. 520-838 Telephone Lookup AZ
     520-838-9590 520-838-9933 520-838-4877 520-838-9935 520-838-3657 520-838-2835 520-838-7683 520-838-3981 520-838-8131 520-838-7452 520-838-7277 520-838-5327 ...
     telephonelookup.net/520-838-telephone-lookup-az

  3. All Phone Numbers for Area Code (520)-838 // PhoNumbrs
     520-838-4872 · 520-838-4873 · 520-838-4874 · 520-838-4875 · 520-838-4876 · 520-838-4877 · 520-838-4878 · 520-838-4879 · 520-838-4880 · 520-838-4881 ...
     www.opportunitymart.com/520-838

  4. 520-838-9995 / 5208389995 1/6
     I just got a call from them too.. I don't answer numbers I don't know.. So I didn't pick up.. but no message.. just trying to figure out who they are. ...
     800notes.com/Phone.aspx/1-520-838-9995

  5. (520) 838-6552 | WhitePages (5208386552)
     ... (520) 838-4800; (520) 838-4816; (520) 838-4826; (520) 838-4848; (520) 838-4852; (520) 838-4864; (520) 838-4874; (520) 838-4877 (520) 838-4886 ...
     phones.whitepages.com/520-838-6552

What do you conclude? Nothing: the bank called you from a call center number that is not publicly associated with it. So you put up your defenses and dial the number, and the first thing you hear is "For account security purposes, please tell me your full account number, mother's maiden name and billing zip code." The banks are training you to answer calls from unverifiable phone numbers and hand over all the information an attacker needs to use your account.

(Of course the only thing to do at this point is: explain what you are doing, hang up the phone, and call the number listed on the back of your credit card.)

Whenever a bank or other entity calls you and needs personally identifiable information, it should tell you to hang up and call it back at a well-known number for that entity.
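The callback rule above can be turned into a mechanical check. The example below is added here and is not code from the original post: it pulls the callback number out of a voicemail transcript, normalizes it to E.164, and accepts it only if it is on the issuer's published list; anything else gets the "hang up and call the number on your card" verdict. The published numbers (555-prefixed) and the transcripts are constructed samples; the "is a directory listing" result from the Google search above is deliberately not treated as evidence of legitimacy.

```javascript
// Added example (not from the original post): decide whether a callback number
// left in a voicemail can be trusted, and what to do instead when it cannot.
// The issuer's published numbers and the transcripts are constructed samples.

// Numbers the card issuer prints on the card and on its website (constructed).
const ISSUER_PUBLISHED_NUMBERS = new Set([
  "+18005550100", // constructed: "the number on the back of the card"
  "+18005550199", // constructed: fraud department line from the issuer's site
]);

// Normalize a North American number to E.164 (+1NXXNXXXXXX).
// Returns null when the digits do not form a 10-digit NANP number.
function normalizeNanp(raw) {
  let digits = raw.replace(/\D/g, "");
  if (digits.length === 11 && digits.startsWith("1")) digits = digits.slice(1);
  if (digits.length !== 10) return null;
  return "+1" + digits;
}

// Pull every candidate phone number out of free text (a voicemail transcript).
function extractPhoneNumbers(text) {
  const re = /(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}/g;
  const found = new Set();
  for (const m of text.match(re) || []) {
    const n = normalizeNanp(m);
    if (n) found.add(n);
  }
  return [...found];
}

// Phrases that mean the caller wants identifying data over the phone.
const PII_REQUEST_PATTERNS = [
  /account number/i, /maiden name/i, /social security/i,
  /zip code/i, /password/i, /\bPIN\b/,
];

// Triage a voicemail: a number is trusted only if it is on the published list.
// Unknown numbers, and messages that ask for PII, get the callback verdict.
function triageVoicemail(transcript, published = ISSUER_PUBLISHED_NUMBERS) {
  const numbers = extractPhoneNumbers(transcript);
  const unverified = numbers.filter((n) => !published.has(n));
  const asksForPii = PII_REQUEST_PATTERNS.some((p) => p.test(transcript));
  const trusted = numbers.length > 0 && unverified.length === 0 && !asksForPii;
  return {
    numbers,
    unverified,
    asksForPii,
    action: trusted
      ? "Callback number matches a published issuer number; calling it is acceptable."
      : "Do not call the number in the message; call the number printed on the back of your card.",
  };
}

// Constructed transcript, modeled on the message quoted in the post.
const SAMPLE_VOICEMAIL =
  "Hello Mister Entriken, recent purchases on your credit card account ending in 2203 " +
  "appear to be unusual and we would like to confirm that they are legitimate. " +
  "Please reach us at 520-838-4877";

console.log(triageVoicemail(SAMPLE_VOICEMAIL));
```

The verdict never depends on whether the number appears in some online directory: every working number appears in those listings, so that lookup tells you nothing about who owns the line.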

Sample message (is this legitimate?): https://www.google.com/voice/fm/13391585335464009546/AHwOX_AZSPLaDLFLfu5k0MEmIllpEX7kx595xuNZx9HotwnKnKoWhc0uhSXwHj8SODYfyoWY7lTCZU7JM1_IQWkDKiU1NDxgc8RNUxzIn63MqUorkUeYBFL8USe-b5faNZqX9-mraNKxFoCNn6I_LYzMpIAFeasabQ

2010-08-02

Firefox security case study: Mozilla's CSS :visited solution is still vulnerable

JavaScript running in browsers that implement today's W3C standards can let the current page discover which pages the user has previously visited. This is very useful as part of an XSS attack that needs to know whether the user has already authenticated to a login system.

Since this information is so useful to an attacker, Mozilla is preparing to break API compliance to close this vector:
  • getComputedStyle() et al. will no longer leak a link's visited status
  • Differences between visited-link and unvisited-link styling will be restricted: changes in opacity, visibility, and many other properties will no longer apply
  • These rules propagate and are immune to CSS tricks such as combinators and nesting
These are detailed at http://hacks.mozilla.org/2010/03/privacy-related-changes-coming-to-css-vistited/
But this issue is too big to settle for a "solution" that breaks the API, does so ungracefully, and still does not solve the problem. Here is a demonstration that will still work if Mozilla goes through with this cowboy (read: Microsoft) attitude to web standards. The first one tells you whether you visited purple.com before, and the second whether you have logged in to Zecco.com:
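As an added example (not code from the original post, and not Mozilla's implementation), here is a small checker that reports which declarations in `:visited` rules a browser applying Mozilla's restriction will silently ignore. The allow-list is the editor's reading of Mozilla's announcement (only color-carrying properties survive, and `:visited` anywhere in a selector, including through combinators, triggers the restriction); treat the exact property list as an assumption rather than a specification quote. The sample stylesheet is constructed.

```javascript
// Added example (not from the original post): flag :visited declarations that
// Mozilla's restriction will ignore. The allow-list is an assumption based on
// Mozilla's announcement (color-only properties), not a quote from it.

const VISITED_ALLOWED = new Set([
  "color", "background-color", "outline-color", "fill", "stroke",
  "border-color", "border-top-color", "border-right-color",
  "border-bottom-color", "border-left-color",
]);

// Minimal CSS parser: splits "selector { prop: value; ... }" blocks.
// Handles comments and multiple selectors per rule; not a full CSS grammar.
function parseRules(cssText) {
  const noComments = cssText.replace(/\/\*[\s\S]*?\*\//g, "");
  const rules = [];
  const re = /([^{}]+)\{([^{}]*)\}/g;
  let m;
  while ((m = re.exec(noComments)) !== null) {
    const selectors = m[1].split(",").map((s) => s.trim()).filter(Boolean);
    const declarations = m[2]
      .split(";")
      .map((d) => d.trim())
      .filter((d) => d.includes(":"))
      .map((d) => {
        const idx = d.indexOf(":"); // first colon separates property from value
        return { property: d.slice(0, idx).trim().toLowerCase(), value: d.slice(idx + 1).trim() };
      });
    rules.push({ selectors, declarations });
  }
  return rules;
}

// A selector depends on visited state if :visited appears anywhere in it,
// including through combinators and nesting (e.g. ".wrap a:visited > span").
function dependsOnVisited(selector) {
  return /:visited\b/i.test(selector);
}

// Returns the declarations that would be ignored under the restriction.
function visitedViolations(cssText) {
  const out = [];
  for (const rule of parseRules(cssText)) {
    const visitedSelectors = rule.selectors.filter(dependsOnVisited);
    if (visitedSelectors.length === 0) continue;
    for (const decl of rule.declarations) {
      if (!VISITED_ALLOWED.has(decl.property)) {
        out.push({ selector: visitedSelectors.join(", "), property: decl.property, value: decl.value });
      }
    }
  }
  return out;
}

// Constructed sample stylesheet: one compliant rule, two that try to hide or
// reveal content based on visited state, and one :link rule that is unaffected.
const SAMPLE_CSS = `
/* compliant: only the color changes */
a:visited { color: purple; }
a:visited { display: none; background-image: url(x.png); }
.wrap a:visited > span { opacity: 0; color: red; }
a:link { visibility: hidden; }
`;

console.log(visitedViolations(SAMPLE_CSS));
```

Running it on the constructed stylesheet reports `display`, `background-image` and `opacity` as ignored; `color` and the `:link` rule pass. The check only covers what the browser will refuse to render; it says nothing about the click-based trick the post goes on to show, which works with color alone.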

Click for free wallpapers here (you didn't visit purple.com before)
Click for free wallpapers here (you visited purple.com before)

Click for free wallpapers here (you didn't visit zecco.com before)
Click for free wallpapers here (you visited zecco.com before)

You could probably do a better job than me of styling these elements, but either way, the attack vector still exists.