Monthly archives of “July 2014

comment 0

Who are you trusting online?

Trusting in an online world

When you get behind the wheel of your car, and hit the road–you’re implicitly trusting ever other road user to play by the rules.  You trust no one will go out of their way to crash into you, or that no one would swerve into you for an insurance claim, you even trust that pedestrians won’t hijack your car as you stop at the red light.

Sometimes you mitigate these risk, by locking your doors and keeping your distance, but fundamentally you’re placing a lot of trust on your fellow road-user. You have no way of knowing for sure that they’ll be good boys and girls–but you go about your daily car ride trusting that they’ll do what is right. In cases where you don’t trust anyone, you don’t use the road. I know a lot of people who won’t drive in India because they don’t trust road users there–and some foreigners refuse to drive in Malaysia for the same reason.

Society works on trust, and without it–society just wouldn’t work.

Think about it–you might not trust the restaurant waiter with your credit card–but you just ate at the restaurant without viewing the kitchen. Dying from poisoned food is far more serious than credit card fraud, yet you’ve trusted the restaurant not to poison you, but not with 16 digits from your bank. Sometimes you’re trusting people without even knowing it.

And the same is true for the internet, The Internet Protocol(IP) that governs the whole internet till this day, is a highly ‘trusting’ protocol that prioritizes speed and simplicity over security and privacy. In much the same way that it’s faster and simpler just to trust the restaurant not to poison you than it is to inspect the kitchen and verify the ingredients–the Internet Protocol accepts everything as true and routes data accordingly. Other protocols like SMTP and POP3 that are used for email employ the same levels of trust, that’s why you can never trust an email–it’s just too easy to spoof.

Essentially everyone on the internet trust everyone else to play by the rules. For example when Pakistan decided to block youtube in their borders, a mistake made by their local telecoms managed to take youtube down for several hours worldwide simply because everyone trusted the information Pakistan was sending them. Nowhere else in the world does such a high level of trust exist as on the internet–and nowhere else is it more dangerous.

comments 3

RHBNOW Email: Intricate details of a Phishing scam

Last month alone I’ve received 6 phishing emails asking me to change my RHB banking password. I always wondered what would happen if I’d actually clicked on one of the links in the email–and today I did just that. Immediately I was transported to a dodgy world of sophisticated deception, and soon realized this was far more complicated that I initially expected.

Before I proceed a friendly word of caution–Kids don’t try this at home–the scam is an elaborate ploy geared towards robbing you of your cash, and if you’re not sure what you’re doing–chances are you’ll be a victim yourself. The simplest way to avoid a scam like this is to never click on an email from the bank–regardless of how genuine it looks. Banks never send you email–so don’t expect one from them. Not even a Christmas card.

But if you’d like to see what happens when you click on one–read on:

Step 1: The email from RHBGroup.com

Email from RHB Group

 

First there’s the email, it was (supposedly) from [email protected]. Quite deceptive, and if you visit rhbgroup.com you’ll find that it’s the legitimate RHB Bank website. So it appears this email from rhbgroup.com would be legitimate as well.

Except it’s not.

Email is a remnant of the internet past–it was created at a time when security wasn’t a priority, hence Emails lack any form of authentication (validating whom the email is from) which allows them to be easily forged. This inherent insecurity is what Emails should never be trusted, especially when those emails come from external sources like a bank.

That’s why your bank will NEVER send you an email. It’s too easy to forge. So rest assured that every email you receive from the bank is a fake (there are exceptions of course, like transfer notice etc, but those emails don’t require any action from your end)

Analysing the email further, I find the first victim of the scam. A website called pjpan.co.uk, a pajama-store (of all things). The website url was all over the email-header, which just like every other aspect of the email could be spoofed. Why the scammers chose to us pjpan.co.uk was beyond me, but they did. In any case the email was sufficiently obfuscated that trying to determine its origin would be difficult and probably pointless as well.