Some companies are just asking for it.

Perry E. Metzger perry at piermont.com
Thu Jun 23 22:42:44 EDT 2005


My girlfriend just got an (apparently legitimate from what I can tell)
HTML email from her credit card company, complete with lots of lovely
images and an exhortation to sign up for their new secure online
"ShopSafe" service that apparently generates one time credit card
numbers on the fly.

Here's the text:

> Your account has a free benefit that is better than ever! Shop
> online as you normally would, but with the comfort of knowing that
> nobody knows your account number.
>
> ShopSafe(SM) protects your real account number by generating a
> substitute account number. Use ShopSafe just like a regular card
> for your online purchases. It's free, easy and convenient. Get the
> security and comfort that comes with knowing every purchase you
> make is protected.

The sales pitch then invites you to click on the link in the email to
join.

> Ironclad credit card purchase protection is right here. Log in to
> IBS Net Access to make your next purchase a safer one.

Clicking on the link, of course, asks you to enter information that
you should never, ever, EVER enter after clicking on a link you got in
email. So, here is official mail from a credit card company, actively
training its users to become future victims of phishing. The irony of
being exhorted to do this in the name of getting the "ShopSafe
service" is not a small one, either. I wouldn't be surprised if near
identical emails with the exact same pitch started showing up within
hours or days, only the site they link to may be a wee bit less
benevolent.

The security department and management at the firm responsible should
be taken out behind the shed and put down, before they hurt anyone
else. The marketing department will, of course, demand to do stupid
things, but it is the responsibility of the security department and
management to tell them "No, we will not train our users to be raped
by phishers, no matter how many `click throughs' it generates."

Oh, and what companies are involved? The card is Fidelity branded, but
it is really an MBNA production, with online marketing and card
servicing (like this piece) being done by Individualized BankCard
Services. One would think that everyone in question would know better,
but sadly they don't.


Perry

---------------------------------------------------------------------
The Cryptography Mailing List