Re: interesting issue found yesterday

That's interesting; while it's theoretically possible to steal someone's 
identity with just a name and address, I'm not aware of any phishing 
scams that do that (besides, if you were going to steal just names and 
addresses, there are much easier ways of doing that).  I think this just 
goes to show how the current SSL model is failing: just because a site 
claims to have SSL doesn't mean it can be trusted, and a site that 
doesn't use SSL or has SSL incorrectly set up shouldn't automatically be 
distrusted.

serge

Timothy Hahn wrote:
> 
> Hi all,
> 
> Here's an interesting one I stumbled upon yesterday.  I'm posting it 
> here for folks to consider, comment, and possibly help us in building 
> the various recommendations we're starting to build.  I have tried to 
> obfuscate the specific companies involved, but I suspect you may wind up 
> seeing through it anyway.
> 
> I received a notice that the battery in my notebook computer may be 
> recalled.  It had a link in it for the company's support site.  (e-mail 
> message came from IBM support - seemed to have all the right icons - 
> looked like a Notes ID sent it, not an Internet mail address)
> 
> At the company's support site, I was prompted for my battery serial 
> number - I provided it since this isn't information that identifies me 
> personally and I can understand needing this information to help me out, 
> and then was told that yes, indeed, my battery was being recalled.
> 
> To get the replacement, I was dropped into a page (SSL-protected) to 
> enter my name/address info for shipping purposes.  Here's where it got 
> interesting.
> 
> On page load - Firefox popped up a message telling me it didn't like the 
> company's Server certificate!!!  So I investigated.  The indication was 
> that the cert was signed by an unknown signer.  So I looked at the 
> signer information.  It said "Verisign Class 3 ..." from "Verisign. Inc.".
> 
> So I looked at my set of known CA signer certificates ... I have 3 
> (count 'em 3) Verisign Class 3 CA signer certificates known to my 
> Firefox install.
> 
> So how could it be that I don't have the "right one"?  (actually, I know 
> how it could be - Verisign created a new one, and I didn't know I was 
> supposed to go out and get it ... or I have a Firefox install that 
> hadn't had the right CA signer's update applied).
> 
> Everything looks right ... even to my eyes which ought to know better 
> ... what could possibly be the issue?
> 
> I went back to the site this morning to try and re-create but alas, it 
> won't let me enter the same battery serial number twice so I can't get 
> to the page.
> 
> Bottom line - even after doing everything I thought I should do to 
> check, I was still dumbfounded as to what the problem/issue was.  And 
> yes, sad as it sounds, I boldly accepted/closed the pop-up boxes and 
> entered my address anyway.  After all, I don't want my battery to melt 
> my kitchen table so I had to tell them my shipping address.
> 
> Was it a configuration issue or did I just get phished? ... and how 
> would my mother know the difference if it was her trying to figure it out?
> 
> I'm looking forward to your comments on this.  How would we tell end 
> users, server site administrators, help desk personnel, and others how 
> to address such a situation?  Who could be considered to be "at fault" 
> (if anyone)?
> 
> Regards,
> Tim Hahn
> 
> Internet: hahnt@us.ibm.com
> Internal: Timothy Hahn/Durham/IBM@IBMUS
> phone: 919.224.1565     tie-line: 8/687.1565
> fax: 919.224.2530

-- 
/*
PhD Candidate
Vice President for External Affairs, Graduate Student Assembly
Carnegie Mellon University

Legislative Concerns Chair
National Association of Graduate-Professional Students
*/

Received on Wednesday, 14 March 2007 14:31:52 UTC
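The warning Tim describes ("signed by an unknown signer", while the signer name matches a CA he thinks he has) is something a site administrator or help desk can reproduce and diagnose without a browser. The following Go program is an added example; it is not code from this thread or from any of the companies involved. It builds a throwaway PKI (a root, a "Class 3" style intermediate, a server certificate, and a second root that merely shares the first root's name; all names and the host `support.example.com` are constructed placeholders) and runs the same validation a browser does, using only what the server sends plus the local trust store. It goes a little beyond the thread by also covering a cause Tim does not mention: a server that does not send its intermediate certificate produces exactly the same "unknown issuer" warning even when the client does hold the right root.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// mustCert issues a certificate for cn signed by parentCert/parentKey, or self-signed
// (a root) when parentCert is nil. These are constructed fixtures, so it panics on error.
func mustCert(cn string, isCA bool, parentCert *x509.Certificate, parentKey *ecdsa.PrivateKey, serial int64) (*ecdsa.PrivateKey, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if !isCA {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
	}
	if parentCert == nil {
		parentCert, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return key, cert
}

// verifyServerChain does what the browser did: validate the leaf using only the
// certificates the server sent and the local trust store, nothing else.
func verifyServerChain(leaf *x509.Certificate, sent, roots []*x509.Certificate, host string) error {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots {
		rootPool.AddCert(c)
	}
	for _, c := range sent {
		interPool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:       host,
		Roots:         rootPool,
		Intermediates: interPool,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// isUnknownAuthority is the Go counterpart of Firefox's "unknown signer" warning.
func isUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

type Outcome struct {
	CompleteChain       error // server sends leaf + intermediate; store holds the real root
	MissingIntermediate error // server sends only the leaf; store still holds the real root
	LookalikeRoot       error // store holds a CA with the same name but a different key
}

// RunScenarios builds a throwaway PKI and checks the three situations.
func RunScenarios() Outcome {
	rootKey, root := mustCert("Demo Root CA", true, nil, nil, 1)
	interKey, inter := mustCert("Demo Class 3 Server CA", true, root, rootKey, 2)
	_, leaf := mustCert("support.example.com", false, inter, interKey, 3)
	_, lookalike := mustCert("Demo Root CA", true, nil, nil, 4) // same name, different key
	host, sentInter := "support.example.com", []*x509.Certificate{inter}
	return Outcome{
		CompleteChain:       verifyServerChain(leaf, sentInter, []*x509.Certificate{root}, host),
		MissingIntermediate: verifyServerChain(leaf, nil, []*x509.Certificate{root}, host),
		LookalikeRoot:       verifyServerChain(leaf, sentInter, []*x509.Certificate{lookalike}, host),
	}
}

func main() {
	out := RunScenarios()
	fmt.Printf("complete chain: %v\nmissing intermediate: %v\nlookalike root: %v\n",
		out.CompleteChain, out.MissingIntermediate, out.LookalikeRoot)
}
```

Only the first scenario verifies; the other two both surface as an unknown-authority error, and Go's error text for the lookalike case adds a hint that a candidate authority was found but its signature did not check out. That is the distinction a help desk needs: the fix for a missing intermediate is on the server (send the full chain), whereas a CA the client has never seen, or one that only shares a name, is a client trust-store question, and in neither case does the user gain anything by clicking through the warning.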