
U. S. Bank is Clueless!

I'm a U. S. Bank customer. I'm apparently signed up to receive mailings from them. Fine.

Here are some of the headers from one such email:

Received: from m1.usbank-email.com ([207.189.106.138])
    by mc3-f28.hotmail.com with Microsoft SMTPSVC(6.0.3790.211);
    Fri, 27 May 2005 10:16:44 -0700
From: "U.S. Bank" <1800USBanks@usbank-email.com>

Isn't that special? The sender's domain is purportedly usbank-email.com.

Of course, the sender email address is trivially spoofed, so one should never rely on it anyway. But the fact is that the domain is neither usbank.com nor a subdomain of it, such as email.usbank.com.

Domains that contain the institution's name but which aren't controlled by the institution are ideal for committing fraud.

So let's check out this IP address: 207.189.106.138. Can we tell if this is a bona fide U.S. Bank server?

A reverse lookup returns m1.usbank-email.com. So we know it's really associated with usbank-email.com.

So unless I somehow know that usbank-email.com is a legitimate U.S. Bank domain name, I can't verify that this is a valid email. But is there some reason to think it's from a phisher?

Yes, there is. There are links in this email which go back to the same usbank-email.com domain. Clicking on one results in a redirect to a page which displays usbank.com in the location field, but for all I know, that could be some sort of browser trick.
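The name check walked through above can be automated. The following is an added example, not part of the original page: it classifies the From domain, the relaying host and each link host against the institution's well-known domain. The function names, the constructed link in the sample body, and the rule that the first label of the domain is the brand are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the headers quoted above plus a made-up body link.
SAMPLE = '''Received: from m1.usbank-email.com ([207.189.106.138])
    by mc3-f28.hotmail.com with Microsoft SMTPSVC(6.0.3790.211);
    Fri, 27 May 2005 10:16:44 -0700
From: "U.S. Bank" <1800USBanks@usbank-email.com>

Visit http://www.usbank-email.com/offer (constructed link path)
'''

def classify(host, org_domain):
    """Relate host to the institution's well-known domain.

    'aligned'    host is org_domain or a subdomain of it
    'lookalike'  host contains the brand label but is a different domain
    'unrelated'  anything else
    """
    host = host.lower().rstrip(".")
    org = org_domain.lower().rstrip(".")
    # Compare on a label boundary: a bare endswith(org) would
    # accept "evilusbank.com" as if it were a subdomain.
    if host == org or host.endswith("." + org):
        return "aligned"
    brand = org.split(".")[0]  # assumption: first label is the brand
    return "lookalike" if brand in host else "unrelated"

def audit(raw, org_domain):
    """Classify the From domain, the relaying host and each link host."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    m = re.match(r"from\s+(\S+)", msg["Received"] or "")
    relay = m.group(1) if m else ""
    links = re.findall(r"https?://([^/\s:]+)", msg.get_payload())
    report = {"from": (from_domain, classify(from_domain, org_domain)),
              "relay": (relay, classify(relay, org_domain))}
    report["links"] = [(h, classify(h, org_domain)) for h in links]
    return report

if __name__ == "__main__":
    for field, result in audit(SAMPLE, "usbank.com").items():
        print(field, result)
```

A "lookalike" verdict says only that the name cannot be tied to the institution by inspection; it says nothing about who actually owns the domain.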

commentary

As it happens, usbank-email.com is a bona fide U.S. Bank-owned domain, used for mailings from @once ( http://www.once.com ) which is now part of Info USA Business Research ( http://www.infousa.com ).

How will banks ultimately protect themselves against frauds such as phishing?

Is there some technology that's going to prevent people from providing sensitive information to people who would misuse it? It's not obvious how you would do this. Anyway, such a change is not imminent.

The best solution we have for now is educating the public. It has its limitations. It's limited by the ability to educate the public.

In the case of businesses handling our financial accounts, phishing should be a very sensitive concern. Customers need to be able to verify that the message was sent from a legitimate source. This is effectively done by making sure that any emails clearly come from a well-known domain.

The underlying principle is that it should be possible to unambiguously associate that source with the bank or other financial institution. U.S. Bank has ignored this fundamental principle, which would otherwise make it possible for a recipient of such messages to authenticate the source. They're clueless!

Revision r1.1 - 28 May 2005 - 15:45 by EliMantel
Copyright © 2000-2005 by the contributing authors. All material on this collaboration tool is the property of the contributing authors.