Email Scams and Authentication

My bank (NatWest) and various other providers I have accounts with are all in a tizzy about "email scams" and how we should be aware of them etc. NatWest have even suspended their online money transfer facility until further notice because (presumably) the scams are working rather well and there's a danger of fraudulent withdrawals.
But haven't the banks heard of server certificates and PKI? Why can't they just give us a certificate to import into our browser that will authenticate legitimate communications from them? Sure it won't stop complete idiots who will click "proceed" even when they see a notice saying the site/cert is not properly authenticated or whatever, but it sure would be a step in the right direction.
On a similar note, a friend of mine got a call from his bank the other day asking him to verify a couple of large purchases on his credit card. He asked them how he knew it was his bank calling, and they didn't know what to say. They were all ready with the "what's your mother's maiden name?" stuff, but the call centre had no script for authenticating *themselves* to the customer. In the end he had to call them, talk to a line manager, and "share" the authentication questions (he told them his day of birth, they told him his month, etc.)
No wonder these scams are working when there isn't even a basic attempt at using any real authentication system!
Jonathan
PS: I received what was pretty obviously a scam pretending to be from NatWest the other day, and looked at the source. All the links pointed to legitimate NatWest (RBS) sites, but the main one you were supposed click on looked like this:
http://www.nwolb.com:UserSession/4d0zzz899oakileikaiejs559875&userrstste=SecurityUpdate&StateLevelÊmeFrom@64.148.18.13/ (note I've changed the above a bit to protect the innocent)
What's that all about then? The IP address traces back to a netblock owned by "Brown And Toland" of 268 Bush St. #5000, San Fran. The NatWest logo itself was served from a website whose IP is owned by "Eugene L Rowe" of the same address. All the other assets referred to by the email were owned by NatWest (RBS).
Reply to
Jonathan
You are dead right. Indeed I think I read recently of a scam whereby someone pretending to be the bank / cc company phones up, says that the card has been cloned, gets some personal details, tells the person that they will cancel it, and then of course goes ahead and starts using it fraudulently.
Reply to
Tumbleweed
I'm glad you agree!
The issue of authentication and telling the real from the fake has historically been a big problem (not just on the Internet) so most people seem to accept it as being a fact of life - and in many spheres of life it is I suppose. But we're so bloody accepting of the problem. I'm always amazed at how often we see reports of Internet scams involving passing off, fakery etc. but there never seems to be any discussion about how comparatively easy it would be on the Internet to actually *prevent* the problem in the first place.
I'm not saying that online fakery would disappear, but the use of digital certificates in a simple PKI framework would make it far harder to forge an email from a bank.
For another example, take paedophiles in kids' chat rooms. MSN recently closed all their chatrooms down because of issues to do with "grooming" and the like (well, that was the reason anyway). But how difficult would it have been to demand a digital certificate from people before they could participate in online chats? Something along the lines of Thawte's "Web of trust" system, for instance?
Of course, it would take a degree of education about how the system of trust works (and proper support by software like Outlook etc.), but compared to the alternatives - e.g. my bank balance suddenly ending up in China or my daughter being abducted by a nutter, I think that's a very small price to pay.
Jonathan
Reply to
Jonathan
UK banks also seem to allow access to transfer money using only a user name and password. This is unbelievable. People are using this in public internet cafes, often small businesses. Have they never heard of keyloggers, i.e. recording every key pressed? An extremely low-tech way to get something as simple as a user ID and password.
I don't use them (UK banks - anyway they are more expensive) but instead use current accounts I have in Holland. One bank gives me a tiny machine which uses my card (must be present) and PIN code (I type the code to the machine). When I log in the server supplies a code which I put in the machine, the machine gives a code which I type into IE and the transaction is authenticated.
Another Dutch bank uses something similar but much more basic. They supply me with a list of numbers. After logging in with user-password, I can get info, but if I want to transfer I need one of the numbers from the sheet.
Both these are much more secure than the UK offerings because they require multiple things all together before you can transfer. Obviously if I lose any of these physical things, it's unlikely whoever finds them will know the password, and also I will hopefully notice and report the loss. And all this stuff is not exactly rocket science. David.
Software author. (please edit my email addr. to prove you're not a dumb 'bot) Web Log Analyzer by Search Term
Kybie GetEmAll - Make IE an offline browser
Reply to
david
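The card-reader flow david describes (server shows a code, the machine combines it with the card and PIN, the customer types the result back) as an added example in Go; this is not code from any of the posters or from any bank. The HMAC-SHA256 construction, the 8-hex-digit output, the card secret and the PIN are all assumptions made for the example. The server keeps only one open challenge per user and discards it once answered, which is what makes a keylogged response worthless for the next session:

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"log"
)

// Card models the chip card that must be present in the reader. Its secret is
// shared with the issuing bank at enrolment; the PIN is only in the customer's head.
type Card struct {
	Secret []byte
}

// ReaderResponse is what the hand-held machine computes from the three things
// david lists: the card (its secret), the PIN typed into the reader, and the
// challenge shown by the website. HMAC-SHA256 is an assumption standing in for
// whatever the real device does; the output is cut to 8 hex digits so a person
// can type it into the browser.
func ReaderResponse(card Card, pin, challenge string) string {
	mac := hmac.New(sha256.New, card.Secret)
	mac.Write([]byte(pin))
	mac.Write([]byte{0}) // separator so pin||challenge cannot be re-split
	mac.Write([]byte(challenge))
	return hex.EncodeToString(mac.Sum(nil))[:8]
}

// BankServer issues one challenge per login and forgets it once used, so a
// response captured by a keylogger cannot be replayed.
type BankServer struct {
	cards   map[string]Card
	pins    map[string]string // in the clear here for brevity; a real issuer would keep PIN verification inside an HSM
	pending map[string]string // user -> challenge not yet answered
}

func NewBankServer() *BankServer {
	return &BankServer{
		cards:   map[string]Card{},
		pins:    map[string]string{},
		pending: map[string]string{},
	}
}

// Enroll registers a customer's card secret and PIN.
func (s *BankServer) Enroll(user string, card Card, pin string) {
	s.cards[user] = card
	s.pins[user] = pin
}

// Challenge returns a fresh random 8-hex-digit challenge for the user.
func (s *BankServer) Challenge(user string) (string, error) {
	if _, ok := s.cards[user]; !ok {
		return "", errors.New("unknown user")
	}
	buf := make([]byte, 4)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	c := hex.EncodeToString(buf)
	s.pending[user] = c
	return c, nil
}

// Authorise checks the typed response against the outstanding challenge.
// The challenge is consumed whether or not the response is right.
func (s *BankServer) Authorise(user, response string) bool {
	c, ok := s.pending[user]
	if !ok {
		return false
	}
	delete(s.pending, user)
	expected := ReaderResponse(s.cards[user], s.pins[user], c)
	return subtle.ConstantTimeCompare([]byte(expected), []byte(response)) == 1
}

func main() {
	// Constructed enrolment data, not a real card or PIN.
	card := Card{Secret: []byte("example-card-secret-not-real")}
	srv := NewBankServer()
	srv.Enroll("david", card, "1234")

	c, err := srv.Challenge("david")
	if err != nil {
		log.Fatal(err)
	}
	resp := ReaderResponse(card, "1234", c)
	fmt.Println("challenge", c, "response", resp, "accepted:", srv.Authorise("david", resp))

	// Typing the same response again (all a keylogger would have) fails: no open challenge.
	fmt.Println("replay accepted:", srv.Authorise("david", resp))

	// A fresh challenge answered with the wrong PIN also fails, card present or not.
	c2, _ := srv.Challenge("david")
	fmt.Println("wrong PIN accepted:", srv.Authorise("david", ReaderResponse(card, "0000", c2)))
}
```

The point of the design is that the typed response is only ever valid for one challenge, and the challenge is unpredictable to whoever is watching the keyboard. The separate numbered-sheet scheme david mentions next is the same idea with the randomness pre-printed instead of computed.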
I bumped into this just now - pretty typical:
Not a single mention of digital certificates, authentication systems or anything similar at all. Plenty of fear, confusion and doubt though.
Why?? It's not as if digital signatures and public key encryption are new technologies - they're decades old fer gawd's sake!
Jonathan
Reply to
Jonathan
"david" wrote in message news: snipped-for-privacy@news.teranews.com...
Aren't some of the credit card companies coming out with a similar gizmo? Sure I read about that just this past week. Main trouble is critical mass of users, and getting merchants to use it.
Reply to
Tumbleweed

Fortis Bank in Belgium do the same; given that you can transfer money to any account with this, that is all well and good.
All this talk of UK banks surprises me though. I admit to only using the Bank of Scotland, but I have to set up a mandate (print it out, sign it and post it back) before I can pay money out to any other account.
With Natwest and the like can you just transfer money out to anyone you want? Seems crazy to me.
Andy
Reply to
me
With both systems you can just transfer money out to anyone you want. It's only the type of authentication that differs. It would be a lot easier to copy my signature than to access my account online.
Reply to
Mike Barnes
Efforts to make online accounts harder for unauthorised access obviously have a down side of inconvenience, and in a crowded online banking marketplace, having a flexible, easy-to-use system is a good selling point.
For my part, I am perfectly happy that NatWest allows me to transfer money to anyone I want immediately. That's what I was looking for when I chose their system in fact. I am also confident that I can keep my passwords safe. I used to use a system of numbers with a bank as well, but they were time-limited, and applying for a new set was a big hassle.
My point was a wider one though: why is it that the issue of proving online identity isn't discussed more? More importantly, why aren't digital certificates and public key infrastructures used more widely given the concern about identity theft, passing off and other issues of fakery on the net?
Jonathan
Reply to
Jonathan

I can transfer to anyone immediately too, from RBS. Authentication involves logging in with an easy-to-remember 8-digit user id, together with a random-order selection of 3 digits from a 4-digit PIN. That lets you view the account, but to make external transfers you need a 2nd-step authorisation by giving 3 characters from a separate password.
They are in the process of merging the passwords and so there will be no need for 2nd level authorisation.
Good question. It seems PIN technology has been deemed good enough.
I suspect the government(s) are unkeen on strong encryption technology being widely used in civilian life. They don't want snooping on us to become too difficult. We're all potential terrorists, drug dealers, and child molesters, after all.
Reply to
Ronald Raygun
You are safer when you always use the system from home or on your own PC. Still not safe though.
If someone
1. hacks into your ISP (difficult and illegal)
2. and diverts requests for the URL of NatWest's login page to their server (very easy)
3. copies the NatWest login page but modifies the copy so it saves your user-password (easy)
4. after you hit login, sends you to the usual NatWest login URL (easy)
Then that someone
- will have your user-password
- probably will have prevented you noticing
- will have committed a serious offence, but since when did that stop crims stealing money
- can steal all the money in your account and as much as you're allowed to go overdrawn
- will cause you major hassle even if the bank covers the cost (which mostly they don't have to according to their TOS)
- will cost you if the bank doesn't want to cover the cost.
If someone doing this ripped off a few hundred thousand accounts overnight having spent months collecting user-passwords, would the bank cover the potentially huge loss purely for goodwill or dump its online banking and require customers to take the hit? Your guess is as good as mine.
It's a disaster waiting to happen and I hope some banks are reading this and taking note (AND ACTION). They can do much stronger things to protect their customers. The methods I described don't involve major hassle for me. I can and do transfer immediately. I just have to have my little pin machine with me and type a few numbers. I would be prepared to do this from an email cafe if I had to. It's still safer from my own notebook. David.
Reply to
david

That's not as secure as it might sound. It is probably pretty easy to reverse-engineer the machine, especially as you have physical access to it. Once that is done, it would appear that this system offers no security whatsoever.
Reply to
Jonathan Bryce
In message , david writes
Perhaps that's why all three of my online banks ask different questions each time you log on, asking for, say, the third and fifth digits of the password and the first and second of the PIN one time, and different digits for each of them the next. One has just introduced a second-level password (using digit selection) for certain transactions. So a 'key logger' would get nowhere.
Ahhh! That'll be why you don't know how they work then!
Reply to
john boyle
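The "three digits from a four-digit PIN" scheme Ronald Raygun describes and the "third and fifth digit" questions john boyle describes are the same mechanism. This Go block is an added example, not code from any of the posters or from any bank, and the PIN, password and position counts in it are constructed. It picks the positions with crypto/rand, checks only those characters on the server side, and shows why keystrokes recorded during one login do not satisfy the next login's question:

```go
package main

import (
	"crypto/rand"
	"fmt"
	"log"
	"math/big"
	"sort"
)

// PositionChallenge names the 1-based character positions the bank asks for
// in one login, e.g. "the 3rd and 5th digits".
type PositionChallenge struct {
	Positions []int
}

// NewPositionChallenge picks k distinct positions out of a secret of secretLen
// characters, using a partial Fisher-Yates shuffle driven by crypto/rand.
func NewPositionChallenge(secretLen, k int) (PositionChallenge, error) {
	if k <= 0 || k > secretLen {
		return PositionChallenge{}, fmt.Errorf("cannot ask for %d of %d positions", k, secretLen)
	}
	pool := make([]int, secretLen)
	for i := range pool {
		pool[i] = i + 1
	}
	for i := 0; i < k; i++ {
		n, err := rand.Int(rand.Reader, big.NewInt(int64(secretLen-i)))
		if err != nil {
			return PositionChallenge{}, err
		}
		j := i + int(n.Int64())
		pool[i], pool[j] = pool[j], pool[i]
	}
	chosen := append([]int(nil), pool[:k]...)
	sort.Ints(chosen)
	return PositionChallenge{Positions: chosen}, nil
}

// Answer is what the customer types (and what a keylogger on that PC records):
// only the requested characters, never the whole secret.
func Answer(secret string, c PositionChallenge) string {
	out := make([]byte, 0, len(c.Positions))
	for _, p := range c.Positions {
		if p >= 1 && p <= len(secret) {
			out = append(out, secret[p-1])
		}
	}
	return string(out)
}

// Check is the server side: the stored secret is compared only at the
// requested positions. Every position is examined even after a mismatch so
// that response time does not reveal which character was wrong.
func Check(stored string, c PositionChallenge, answer string) bool {
	if len(answer) != len(c.Positions) {
		return false
	}
	ok := true
	for i, p := range c.Positions {
		if p < 1 || p > len(stored) || stored[p-1] != answer[i] {
			ok = false
		}
	}
	return ok
}

func main() {
	const password = "s3cret09" // constructed
	first, err := NewPositionChallenge(len(password), 3)
	if err != nil {
		log.Fatal(err)
	}
	typed := Answer(password, first)
	fmt.Printf("asked for %v, customer typed %q, accepted: %v\n",
		first.Positions, typed, Check(password, first, typed))

	// The next login almost always asks for a different set; the recorded
	// keystrokes only fit the old one.
	second, _ := NewPositionChallenge(len(password), 3)
	fmt.Printf("next login asks for %v, replaying %q accepted: %v\n",
		second.Positions, typed, Check(password, second, typed))
}
```

Two properties of this scheme are worth keeping in mind when judging john boyle's "a key logger would get nowhere": a logger that stays on the machine across several logins gradually collects more positions, and the server can only compare individual characters if it stores the secret in a form it can index into, so the bank cannot protect it with an ordinary salted hash the way a whole-password login can.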
In message , " snipped-for-privacy@nospam.co.uk" writes
The Dutch guy doesn't know how they work in the UK; it's better than he makes out.
Reply to
john boyle
In message , Jonathan Bryce writes
If we could find a German U Boat and nick their decoding machine and book we'd have cracked it !!!!!!!!!!!!!!!!!!!!!!
Reply to
john boyle
I'm not saying you've missed the point, because the "strength of the lock" is related to this discussion - but only marginally.
My original point, which most respondents on this thread don't seem to be addressing at all, is that it's not about how difficult it is to access the account online, it's about how users know they are accessing the right site in the first place!
Does your pin machine validate the site's certificate for instance, so that even if you weren't logged in to the account, you would be protected from a confidence trick asking you to send in your pin machine and card to an address for "re-registration" or something?
That's what I'm getting at, not boring old discussions about the strength of locks on doors.
Jonathan
Reply to
Jonathan
But encryption isn't the same as authentication. You can sign a document (or other thing) digitally, you don't have to encrypt it.
Given the current gung-ho about ID cards, I would have thought the government would be talking up personal certificates like crazy. They accept them on the "government gateway" site as part of their single sign-in system, but they don't do much more than that.
Jonathan
Reply to
Jonathan
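Jonathan's distinction between signing and encrypting, as an added example in Go using the standard-library Ed25519 package; this is not code from any of the posters or from NatWest. The key pair is generated on the fly, the "pinned" public key stands in for the certificate a customer would import once, and the notice text and the forged variant are constructed for the example. The notice stays readable throughout; what the signature adds is proof of who wrote it, and an edited link or a scammer's own key both fail the check:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"log"
)

// BankIdentity stands in for the certificate Jonathan wants customers to
// import once: the public key is what the mail client or browser pins, the
// private key never leaves the bank. Keys here are generated for the example
// and are not any real bank's.
type BankIdentity struct {
	Public  ed25519.PublicKey
	private ed25519.PrivateKey
}

// NewBankIdentity generates a fresh Ed25519 key pair.
func NewBankIdentity() (*BankIdentity, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &BankIdentity{Public: pub, private: priv}, nil
}

// SignNotice returns a detached, base64-encoded signature over the notice.
// The notice itself stays in the clear: signing proves origin, it hides nothing.
func (b *BankIdentity) SignNotice(notice string) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(b.private, []byte(notice)))
}

// VerifyNotice is the customer-side check against the pinned public key. It
// returns false for a tampered body, a malformed signature, or a signature
// made with any key other than the pinned one.
func VerifyNotice(pinned ed25519.PublicKey, notice, sigB64 string) bool {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pinned, []byte(notice), sig)
}

func main() {
	bank, err := NewBankIdentity()
	if err != nil {
		log.Fatal(err)
	}
	// Constructed sample notice; the scam in the thread swapped the link target.
	genuine := "Security update: please log in at https://www.nwolb.com/"
	sig := bank.SignNotice(genuine)
	fmt.Println("genuine notice verifies:", VerifyNotice(bank.Public, genuine, sig))

	forged := "Security update: please log in at http://phish.example/"
	fmt.Println("edited link still verifies:", VerifyNotice(bank.Public, forged, sig))

	// A scammer can generate a key pair of their own, but the client only trusts the pinned key.
	scammer, _ := NewBankIdentity()
	fmt.Println("scammer's own signature verifies:",
		VerifyNotice(bank.Public, forged, scammer.SignNotice(forged)))
}
```

The same check applied to a web page is what Jonathan asks of the PIN machine earlier in the thread: whether the customer is talking to the holder of the pinned key, independent of how hard the login itself is.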
