[HN Gopher] Thanks FedEx, this is why we keep getting phished
___________________________________________________________________
Thanks FedEx, this is why we keep getting phished
Author : ahonhn
Score : 1427 points
Date : 2024-02-23 10:26 UTC (12 hours ago)
(HTM) web link (www.troyhunt.com)
(TXT) w3m dump (www.troyhunt.com)
| bell-cot wrote:
| Suggest Law: If a company's electronic notification to you is so
| phishy that a "reasonable man" would have obvious cause to doubt
| its legitimacy, then all financial and legal consequences of
| ignoring it are _on the sender_.
|
| Edit: "_sender_" here refers to the sender _of the electronic
| notification_.
| brntn wrote:
| In this case the consequence is that the Australian government
| agency collecting the import tax doesn't get paid. Which means
| that they don't release the package to FedEx, and that you
| don't get your package.
|
| FedEx needs to do a better job with these notifications. At the
| very least they need to hire a copywriter.
| Hamuko wrote:
| Our local FedEx once asked me for my details so they could be
| able to declare my package to the customs and in the SMS
| message they said that "The sender is paying all declaration
| fees." I sent them my info and got my package.
|
| Then about five months later, I got a bill from FedEx for
| import fees, tax and service charges. Had to fight with FedEx
| for some time about it but eventually they agreed to void the
| bill. At this point in time, I have no idea if I paid the
| taxes when I bought the stuff, if FedEx paid them out of
| pocket or if the sender paid them out of pocket.
| actionfromafar wrote:
| There are _more_ possible realities. You listed the first
| 3. There are more options, at least these:
|
| 4. You paid the taxes when you bought the stuff. Fedex
| wants the taxes anyways. They would have kept your extra
| taxes for themselves in the end.
|
| 5. You paid the taxes when you bought the stuff. Fedex
| wants the taxes anyways. They would have paid the extra
| taxes. The government kept them because, hey, they trust
| Fedex.
|
| 6. You paid the taxes when you bought the stuff. Fedex
| wants the taxes anyways. They would have paid the extra
| taxes. The government kept them but eventually returned
| them, because some kind of accounting kicked in.
|
| 7. You didn't pay the taxes when you bought the stuff. The
| sender didn't either. Fedex informs the sender and you.
| Fedex pays out of pocket. The sender pays out of pocket.
|
| Could have happened if you paid:
|
| 8. You didn't pay the taxes when you bought the stuff. The
| sender didn't either. Fedex informs the sender and you.
| Fedex pays out of pocket. The sender pays out of pocket.
| You pay out of pocket. Fedex keeps twice the taxes in the
| end.
|
| 9. You didn't pay the taxes when you bought the stuff. The
| sender didn't either. Fedex informs the sender and you.
| Fedex pays out of pocket. The sender pays out of pocket.
| You pay out of pocket. The fed. government keeps triple the
| taxes.
|
| And many variations I can't think of right now.
| Hamuko wrote:
| I mean, either I paid the taxes when I bought the stuff,
| or I didn't. There's no reality where I "didn't pay the
| taxes when [I] bought the stuff" and also I "pay out of
| pocket", since I have not paid anything after placing the
| order. I guess there's also the possibility that I paid
| for the taxes but the seller ended up pocketing them,
| with FedEx footing the bill.
| actionfromafar wrote:
| Sorry, I was unclear.
|
| I mean in the general case - how much does FedEx win or
| lose from problems like this?
|
| If they win, do they exploit it, by design or
| incompetence?
| dijit wrote:
| Any time the law sets things like "reasonable" it's a quagmire.
|
| For every utterance of "reasonable" in law you can be sure over
| $1B of lawyer fees have been (or will be) spent.
| bell-cot wrote:
| True, to a degree. But let's imagine that (1) FedEx felt that
| profits were more desirable than legal expenses, and (2)
| FedEx had some power over the sending and contents of the
| notifications. Might FedEx decide to start following well-
| regarded standards for writing and sending legit-looking
| electronic notifications? And iterate from there, as an
| ongoing strategy?
| Repulsion9513 wrote:
| I think the answer here is "don't do things that are
| borderline (un)reasonable"
| tialaramex wrote:
| You can spend as much lawyer money as you want on arguing
| whatever nonsense you want, reasonableness is a common
| standard so sure, people will have spent lots of money
| pointlessly arguing about it but that's not a problem with
| reasonableness.
| MichaelZuo wrote:
| Sometimes the arguers win and set a new precedent... so it
| definitely creates a new problem with everyone who
| subsequently encounters the issue.
| tialaramex wrote:
| Sure, I'm certainly not going to pretend this is perfect,
| but it seems to be working basically fine and I don't see
| "reasonableness" - which actually _avoids_ a lot of
| wrangling - as a problem.
|
| Compare Legal Tender against an ordinary Reasonableness
| test. Legal Tender says that I _only_ have to accept
| payment of your debt in specific forms (the "Legal
| Tender") and I can refuse to accept other payment.
|
| So maybe our currency is Doodads, the Legal Tender law
| specifies that the 10 and 50 Doodad Coins shall be Legal
| Tender, and you owe me 15000 Doodads. You try to pay by
| card, I refuse. You try to write a cheque, I refuse. You
| try to pay with 150 of the 100 Doodad Coins, but again I
| refuse. Eventually I take you to court and... I win?! You
| did not pay your debt in the required Legal Tender.
|
| With Reasonableness the court _might_ buy that it was OK
| to refuse to accept the card (maybe I don't have a
| merchant account) and maybe even the cheque too (but
| already by then I expect a judge to have a lot of
| questions about how I thought you would pay and I'd
| better have a really good answer) but the 100 Doodad
| Coins are clearly money, with Reasonableness as our
| standard it's obvious that I lose my case, there's no
| need to write a law saying "Yeah duh, the 100 Doodad Coin
| is money" because a reasonable person can see that.
| consp wrote:
| > then all financial and legal consequences of ignoring it are
| on the sender.
|
| They are, since non compliance will either result in
| destruction of the package or sending it back (differs a bit
| per country and type of goods).
|
| It's a bit sad there are no easy ways to prepay taxes and it's
| hit or miss if you get checked. I'm glad the EU figured it out
| and have almost no weird surprises any more, except from the
| Uniteds (states and kingdom).
| matsemann wrote:
| I almost got in some trouble because of that. A "bank" I wasn't
| a customer of kept sending me messages about "urgent, answer
| this form with your personal details or we will lock your
| account". Seemed quite scammy to me.
|
| Then I later got a physical letter in the mail about the same,
| and then I called the bank. Apparently I had some account there
| holding some pension stuff from a previous employer. Shrugs.
| j16sdiz wrote:
| The management will overreact by implementing 100-factor
| authentication, requiring 30 letter password with mandatory
| Unicode symbols
| bell-cot wrote:
| A bunch of extra authentication factors and a password sure
| sounds like phishing for sensitive PII to me.
| fma wrote:
| Maybe it's just the human brain bad at perception, but I feel like
| there's some system compromised and info is leaked so scammers
| know when you are expecting a package because FedEx/USPS spam
| text increases.
| MattGaiser wrote:
| But in a modern day and age, when aren't you expecting a
| package?
|
| Nearly 100% of the time, I am expecting a notification from
| Canada Post or Amazon (FedEx less frequently, but still).
|
| Even outside of that, you can often predict when people are
| expecting a package. Christmas. After various sales weeks.
| latexr wrote:
| > But in a modern day and age, when aren't you expecting a
| package?
|
| When you're not constantly buying things online. Most people
| in the world aren't expecting packages "nearly 100% of the
| time".
| the_snooze wrote:
| These scammers probably aren't targeting specific
| individuals. They blast these messages out to a bunch of
| randos, and odds are very high that at least some of those
| _are_ expecting packages just by chance. The marginal cost
| of an added message is tiny compared to the reward of one
| successful scam.
| resolutebat wrote:
| In Australia, if you buy something off AliExpress and use
| the budget shipping option, it will take anywhere from one
| week to two months to arrive. Shop there a couple of items
| a year and you're always expecting something.
|
| What annoys me is that even the legit SMS notifications
| contain nothing identifiable about the package or sender,
| it's always "Your shipment #QWERTYUIOP is arriving by
| UnrelatedCourier between 1 AM and 11 PM today".
| joseda-hg wrote:
| If you buy stuff with long delivery estimates, you might
| very well be even with relatively low numbers, Electronics
| from China, Custom Commissions or things with waitlists
|
| Some of those can have over a month between purchase and
| reception, and might be shipped at arbitrary dates after
| purchase
|
| I'm not that big of an online shopper, but there's
| certainly people that are
| Denvercoder9 wrote:
| Maybe not in the world, but in my country (the Netherlands)
| in 2022 (last available data) there were 473 million
| packages sent to 8.3 million households, which works out to
| a bit more than one package per household per week.
| Biganon wrote:
| Yeah, I feel like I'm taking crazy pills here
|
| Do these people need to buy shit constantly? I order maybe
| 5 packages a year, max
| thomastjeffery wrote:
| The presence of "most people in the world" really doesn't
| contribute to this discussion.
| cesarb wrote:
| > But in a modern day and age, when aren't you expecting a
| package?
|
| Some people still prefer to buy most things directly in
| physical stores. For me, it would be easier to list the few
| times when I am expecting a package. And even then, I'm
| expecting the _package_, not some random message about it;
| it usually arrives without any notification at all (and the
| tracking on the site is usually delayed).
| caddemon wrote:
| I would be curious if FedEx specifically has some sort of
| leak though, it's super anecdotal but I seem to get more
| FedEx phishing attempts when I'm expecting a FedEx package.
|
| You're right though that there are other mechanisms for this,
| it was around the holidays when this happened most recently.
| Plus humans tend to remember salient things and I probably
| more easily forget the ones that come when I'm expecting
| nothing.
|
| Anyway, if their systems were better it would be easier to
| avoid scams without stress. I've never had to rely on
| external info for Amazon and it's true I'm often expecting
| something from them.
| distances wrote:
| What are you buying constantly? Apart from food and hygiene
| items, I mostly shop online. I feel I do order too much
| already, but the parcels are one every 1-2 months. Any more
| than that and the apartment would start filling up, I
| imagine.
| MattGaiser wrote:
| Maybe FedEx sees better results and gets more payments from
| appearing scammy? Scammers seem to do alright.
|
| I know we tech people think this type of messaging is
| ridiculous, but I'm constantly pulling less technical friends and
| family away from crap like this. Half a dozen have asked me about
| Elon Musk's crypto trading breakthrough.
| labster wrote:
| I doubt FedEx's customer engagement increased by sending a
| query string with no domain or protocol. Someone's asleep at
| the wheel here.
| tomschwiha wrote:
| Well theoretically they force people to Google FedEx which IS
| a strong signal for google people are interested in the FedEx
| Brand. Doubt however that's the reason.
| tomashubelbauer wrote:
| I know this comes down to institutional incompetency, but at some
| point there was a singular human person putting the template
| content the SMS message in question was generated from into some
| computer system somewhere and I genuinely wonder what was going
| on in their head that made them string the words together in this
| way. You'd have to give it a true, earnest shot to make it worse.
| MattGaiser wrote:
| You assume it is a singular person.
|
| Could easily be one person writing the message. Another who
| demanded partial edits in a Jira ticket. But then the data
| types didn't match up with what the writer requested and then
| the dev didn't want to deal with it and just shipped it.
|
| Or it could be that the message is made with a bunch of
| disjointed and constructed if statements and only the final
| output is piped to the customer. I have seen some very terrible
| log messages like that as nobody is looking at the entire
| message, just the little bit in the conditional they are
| editing at that point.
|
| As an anecdote, I once worked on code that generated these very
| detailed error messages about why something went wrong. I
| discovered most never made it to the customer as someone later
| down the line reassigned a variable rather than +=. Piles of
| support tickets could have been avoided.
| sverhagen wrote:
| "The words" are probably nested templates so that at the level
| of input it's hard to really understand what the completed end
| result looks like. Also, there's many well-intentioned people
| in tech doing stuff that's just a tiny bit too complex for them
| to execute by themselves without a buddy or a reviewer. There
| are also whole teams and departments at big enterprises where
| someone might not be doing it alone, and they might also not be
| completely incompetent, making them the star engineer on the
| team, while everyone else wisely keeps their mouths shut since
| they surely don't have anything to contribute to the process.
| All the really good people that worked there, were snatched up
| by some fancy, greenfield project, on another floor, or got a
| position on some elite "refactoring team", surely not wasting
| their time on updating templates.
| MichaelZuo wrote:
| Someone, a single concrete specific individual, must actually
| sign off on it and/or authorize it with the SMS service
| provider.
| andrewaylett wrote:
| Not everywhere requires bulk SMS to use an authorised
| template.
| MichaelZuo wrote:
| Everywhere that I know of requires a real, specific,
| individual to sign off on the purchase order, charge it
| to their card, send the bill to accounts payable, etc...
| malfist wrote:
| That's not what GP was saying?
|
| Whether or not the provider makes the customer pay with a
| credit card has no impact on if the provider requires
| templated SMS messages.
| nonrandomstring wrote:
| > I know this comes down to institutional incompetency
|
| "Incompetency" is an interesting word.
|
| The old maxim about incompetence versus malice suggests a
| binary choice.
|
| I prefer the more nuanced take that there is a spectrum of
| positions between the two, and other dimensions that describe a
| cluster of intents, both conscious and unconscious.
|
| Take the UK Post Office scandal where we see incompetence
| layered on top of malice, layered on top of incompetence. In
| some organisations obviously deliberately harmful positions are
| written into "policy". Often this comes under "PR" [fn:1]. More
| and more "AI" will be used to disguise malintent and deflect
| scrutiny.
|
| In the final episode of the ITV dramatisation [0], Alan Bates
| (played by Toby Jones) delivers an absolutely shocking, knock
| down line. When talking about incompetence and evil he says:
| "They're the same thing." At some point there is no difference
| between incompetence and evil. For a deeper psychological
| discussion of that listen here [1].
|
| [0] https://en.wikipedia.org/wiki/Mr_Bates_vs_The_Post_Office
|
| [1] https://cybershow.uk/episodes.php?id=23 (from 39:20)
|
| [fn:1] Edward Bernays' seminal definition of public relations
| outlines a creed of deception, manipulation and disinformation
| which is antithetical to security [2].
|
| [2] https://en.wikipedia.org/wiki/Public_Relations_(book)
| yura wrote:
| Some say scammers are very smart, and that they deliberately
| use every trick in the book to tap into our psychological
| weaknesses and make us act irrationally. But I have the feeling
| that, 90% of the time, scammers are just told to write an
| "official-sounding" message - which is the same thing that the
| hypothetical human who wrote this template was trying to do:
| that's why the result is so similar. No doubt the use of the
| word "urgent", or capitalizing the words "Duty" and "Taxes",
| come from this attempt at making the message sound more formal
| and official, from someone who is definitely not a skilled
| writer.
| notahacker wrote:
| Yep. It's a bit like the theory that scammers mention they're
| from Nigeria because they're ingeniously weeding out all the
| people who've heard of the scam before, and not because _they
| need an excuse for people to send money to Nigeria_ (and with
| their culture and education level the ALLCAPS and religious
| references look very official and honest indeed), and if the
| cost of that is that 99.99% of their emails don't get
| delivered due to automatic filters protecting even the most
| gullible of recipients, well that's probably not something
| they've given much thought to.
| chuckadams wrote:
| I've read one interview with a scammer who mentioned that
| the initial pitch is deliberately written that way to
| screen for gullible people, and I've read extended email
| exchanges with Nigerian scammers where their broken English
| becomes flawless after the initial reply. 419eater.com was
| a treasure.
|
| These days though, like most scams the 419 scams have been
| taken over by organized crime and worse. The average
| Nigerian scammer nowadays is probably doing it because Boko
| Haram will kill their family if they don't.
| chb wrote:
| Not that I'm endorsing the use of smart phones, but FedEx does
| have a mobile application. Why not just use that for
| notifications regarding deliveries?
| consp wrote:
| The FedEx one is meh and does afaik, but some (looking at you
| dhl) are almost useless as they provide little information
| (tracking info is hidden sometimes), sometimes do not allow you
| to add the parcel as it has a tracking code from a foreign
| service which you cannot use and you have to figure out the
| local one, are full of "news" also known as ads and do not
| allow you to select the dropoff location closest to you (go
| ups!). Sorry, /rant.
| lobsterthief wrote:
| I feel like DHL is the "YOLO" of delivery companies. My stuff
| always arrives, somehow, despite the entire process seeming
| archaic.
| genman wrote:
| You mean everyone should install a piece of software from a
| company that appears to be ignorant about security?
| dotancohen wrote:
| And buy a very expensive tracking device with frequent
| security issues?
|
| I am lucky to live in a country in which a large religious
| population eschews the smartphone, so saying "I don't have
| one" is acceptable and common here. But I have colleagues who
| tell me that they are expected to have a smartphone for
| everything from banks to government services to simple small
| restaurants.
| RugnirViking wrote:
| interesting. Where is that? I would like to know more
| risfriend wrote:
| And where is this?
| nonrandomstring wrote:
| Was also thinking, cool, where is this place, and how do I
| sign up?
|
| But then I remembered, I already belong to a religion that
| makes the ownership of a smartphone quite unconscionable to
| me.
|
| Indeed I wrote about how even a religious objection is
| unnecessary when there's a knock-down argument on the
| grounds of what is merely patently unethical.
|
| > are expected to
|
| I find these "expectations" come from those who didn't read
| Dickens.
|
| [0] https://news.tuxmachines.org/n/2023/03/06/Microsoft_is_
| Not_a...
| DharmaPolice wrote:
| Installing an app for every courier firm you might receive a
| parcel from seems a bit much.
| e40 wrote:
| Yet another reason why I will try to never use FedEx. UPS is so
| much better.
|
| Banks do similar dumb things. I once vented to a Wells Fargo
| security manager about a similar issue. They had no defense at
| all.
| nonrandomstring wrote:
| Your security is increasingly at risk from organisations and
| corporations whose own grasp of security is appalling. Because
| instead of dealing with it they externalise risks and
| consequences onto the public and customers.
|
| Even worse is where attempts to query that security are _actively
| punished_.
|
| This is typical now. Listen here (at 42:20) with an example
| regarding the UK NHS whose incompetence plays directly into the
| hands of cybercriminals.
|
| [0] https://cybershow.uk/episodes.php?id=24 (time:42:20)
| corndoge wrote:
| Since the link to this podcast is in your profile, you're
| affiliated with it, right?
| nonrandomstring wrote:
| Yes
| em-bee wrote:
| _Even worse is where attempts to query that security are
| actively punished._
|
| like this case: https://news.ycombinator.com/item?id=37250024
| nonrandomstring wrote:
| Excellent example em-bee, thanks! I'm writing up a blog post
| on this subject, so more examples welcome plz.
| gpderetta wrote:
| My UK bank semi-regularly cold-calls me and asks me to
| authenticate by providing personal information. When I
| decline they readily tell me instead to call some number
| available on the bank website. So they not only are
| incompetent, they actually know it.
| em-bee wrote:
| why? isn't getting the number from the website the right
| action? you can verify that you have the bank website, get
| the right number, and i presume even go to the bank branch
| to get the number in person, and then save the number as it
| should not change.
|
| or are you referring to the call itself? i wonder why they
| need to do that.
| gpderetta wrote:
| It is the right action, and they should say exactly that
| when they call: we need to talk to you so call us at the
| number in our website.
|
| Instead they try to do the wrong unsafe thing, but when
| pointed out they switch the script. So they can't even
| claim ignorance of basic security.
| gregoryl wrote:
| Ahh yes, the FedEx GST payment system is wonderful!
|
| You can find that number in the sms on an official FedEx page
| somewhere or other - I ended up using that as enough evidence to
| trust and call.
|
| I get the feeling this system as a whole doesn't see much use -
| from a FedEx perspective, the vast majority of people paying duty
| will be via some specialised importer, not b2c direct.
| hubraumhugo wrote:
| I found a Reddit post today about a German bank mailing USB
| sticks containing their new general terms and conditions:
| https://www.reddit.com/r/de/comments/1ax7ky3/milde_interessa...
|
| You can't make this up.
| tux3 wrote:
| I will simply refuse to believe this is real. As a
| psychological defense mechanism.
|
| What the hell.
| __jonas wrote:
| Clearly the safer option is sending the terms via CD
|
| https://t3n.de/news/sparkasse-digital-strategie-cds-per-
| post...
|
| Since no-one has a CD drive in their computer anymore, the
| security risk is negligible
| lifestyleguru wrote:
| The CD contains PDF with scanned terms and conditions?
| paulmd wrote:
| Since nobody has cd drives anymore, I don't think it
| functionally needs to? You could save on shipping costs
| by just mailing blank disks instead, plus hey free disks!
| It's like aol all over again.
| cesarb wrote:
| And even if you do have a CD drive in your computer, the
| risk is still lower than a USB stick. A CD contains only
| data, it cannot do things like emulating a keyboard. The
| worst it can do is shatter when your high-speed DVD-ripping
| drive spins it up a bit too fast.
| scns wrote:
| Install a rootkit?
|
| https://en.wikipedia.org/wiki/Sony_BMG_copy_protection_ro
| otk...
| kibwen wrote:
| CD drives may not be able to emulate a keyboard, but they
| can certainly install software. You might not click on
| any system popups that appear after inserting a malicious
| CD, but the sort of people who plug in random USB sticks
| likely wouldn't bat an eye.
|
| _"The Sony BMG CD copy protection scandal concerns the
| copy protection measures included by Sony BMG on compact
| discs in 2005. When inserted into a computer, the CDs
| installed one of two pieces of software that provided a
| form of digital rights management (DRM) by modifying the
| operating system to interfere with CD copying. Neither
| program could easily be uninstalled, and they created
| vulnerabilities that were exploited by unrelated malware.
| One of the programs would install and "phone home" with
| reports on the user's private listening habits, even if
| the user refused its end-user license agreement (EULA),
| while the other was not mentioned in the EULA at all.
| Both programs contained code from several pieces of
| copylefted free software in an apparent infringement of
| copyright, and configured the operating system to hide
| the software's existence, leading to both programs being
| classified as rootkits."_
|
| https://en.m.wikipedia.org/wiki/Sony_BMG_copy_protection_
| roo...
| extraduder_ire wrote:
| I think windows has moved away from executing autorun
| exes from discs by default a few versions ago. But back
| in the day it would prompt you what to do when you insert
| a USB storage drive, and just run whatever's set as the
| autorun if it's on a disc.
|
| The common way to get USB malware to install
| automatically in those days was to modify the USB drive to
| appear as a virtual disc drive, which worked.
| Fanmade wrote:
| I am currently sitting at my gaming PC, which does have a
| Blu Ray drive. I use it about one or two times a year.
| Just today I threw in a CD with the driver of my newly
| installed tp-link AXE5400 (WiFi PCIe adapter), because it
| wasn't detected on my PC and I didn't have internet
| without Wi-Fi. I immediately got a prompt if I want to
| run the "autorun.exe" on the disc. So that is still there
| (Windows 22635.3209, Windows-Insider Beta Channel).
| vel0city wrote:
| But back in the day, popping the disk in the drive would
| have just executed the autorun without even prompting
| you. Put the disk in the drive, suddenly new application
| running on your box as you (and generally, back in the
| day, as local admin). Not even a chance to say no.
| malfist wrote:
| A USB stick only contains data too.
| yjftsjthsd-h wrote:
| No, that's specifically the problem - that's not
| necessarily true. You're talking about a small plastic
| box that contains a USB port and some electronics. You
| have absolutely no way of telling what those electronics
| will expose to the USB port. It's possible that they only
| expose some persistent storage, true, but it's equally
| possible that they expose an emulated keyboard, or just
| the good old https://en.wikipedia.org/wiki/USB_killer
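The point above, that a host cannot know from the plastic what a "stick" exposes, is exactly what a host-side policy can act on: the device declares its interfaces in its configuration descriptor, and a host that refuses anything other than mass storage never binds a surprise keyboard. Added example for this thread, not code from FedEx, the bank or any project quoted here; the descriptor bytes are constructed, not captured from real hardware.

```python
"""Host-side check of what a USB device claims to be, parsed from its
configuration descriptor.  Constructed example; the sample descriptors
below are built by hand, not captured from real devices."""
import struct

# USB-IF interface class codes
CLASS_HID = 0x03            # keyboards, mice
CLASS_MASS_STORAGE = 0x08   # what a "stick" is supposed to be

# Descriptor type codes
DT_CONFIG = 0x02
DT_INTERFACE = 0x04
DT_ENDPOINT = 0x05
DT_HID = 0x21


def parse_interfaces(config_desc: bytes) -> list:
    """Return one dict per interface descriptor in a configuration descriptor.

    Every USB descriptor begins with bLength and bDescriptorType, so the
    parser steps over descriptors it does not decode (HID, endpoint) by
    length alone and refuses buffers whose lengths do not add up.
    """
    if len(config_desc) < 9 or config_desc[1] != DT_CONFIG:
        raise ValueError("not a configuration descriptor")
    total_len = struct.unpack_from("<H", config_desc, 2)[0]
    if total_len != len(config_desc):
        raise ValueError("wTotalLength disagrees with buffer size")
    interfaces = []
    pos = 0
    while pos < len(config_desc):
        if pos + 2 > len(config_desc):
            raise ValueError("truncated descriptor header")
        length, dtype = config_desc[pos], config_desc[pos + 1]
        if length < 2 or pos + length > len(config_desc):
            raise ValueError("malformed descriptor chain")
        if dtype == DT_INTERFACE and length >= 9:
            # bInterfaceNumber, bAlternateSetting, bNumEndpoints,
            # bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol
            num, alt, n_ep, cls, sub, proto = struct.unpack_from("<6B", config_desc, pos + 2)
            interfaces.append({"number": num, "alt": alt, "endpoints": n_ep,
                               "class": cls, "subclass": sub, "protocol": proto})
        pos += length
    return interfaces


def storage_only_verdict(config_desc: bytes):
    """Allow a device only if every interface it declares is mass storage."""
    ifaces = parse_interfaces(config_desc)
    if not ifaces:
        return False, "no interfaces declared"
    bad = [i for i in ifaces if i["class"] != CLASS_MASS_STORAGE]
    if bad:
        detail = ", ".join(f"interface {i['number']} class 0x{i['class']:02x}" for i in bad)
        return False, "non-storage interface(s): " + detail
    return True, "mass-storage only"


# --- constructed sample descriptors (not captured from real devices) ---

def _iface(num, cls, sub, proto, n_ep):
    return struct.pack("<9B", 9, DT_INTERFACE, num, 0, n_ep, cls, sub, proto, 0)

def _endpoint(addr, attrs):
    return struct.pack("<BBBBHB", 7, DT_ENDPOINT, addr, attrs, 64, 0)

def _hid_desc():
    return struct.pack("<BBHBBBH", 9, DT_HID, 0x0110, 0, 1, 0x22, 63)

def _config(body, n_ifaces):
    return struct.pack("<BBHBBBBB", 9, DT_CONFIG, 9 + len(body), n_ifaces, 1, 0, 0x80, 50) + body

# Ordinary stick: one mass-storage interface (SCSI transparent, bulk-only)
PLAIN_STICK = _config(
    _iface(0, CLASS_MASS_STORAGE, 0x06, 0x50, 2) + _endpoint(0x81, 0x02) + _endpoint(0x02, 0x02), 1)

# "Stick" that also enumerates a boot-protocol keyboard on a second interface
KEYBOARD_STICK = _config(
    _iface(0, CLASS_MASS_STORAGE, 0x06, 0x50, 2) + _endpoint(0x81, 0x02) + _endpoint(0x02, 0x02)
    + _iface(1, CLASS_HID, 0x01, 0x01, 1) + _hid_desc() + _endpoint(0x83, 0x03), 2)

if __name__ == "__main__":
    for name, desc in (("plain stick", PLAIN_STICK), ("keyboard stick", KEYBOARD_STICK)):
        print(name, storage_only_verdict(desc))
```

A device can detach and re-enumerate with a different descriptor at any time, so a policy like this has to run on every enumeration, not once at first plug-in.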
| NegativeK wrote:
| There's a reason why infosec is hard and why there's a hiring
| shortage.
| macintux wrote:
| Hiring shortage? I guess I should brush up on my security
| skills, because I can't get an interview anywhere to save
| my life.
| Kwpolska wrote:
| There's an EU law demanding such documents to be delivered on a
| "durable medium". Some banks and financial institutions may
| have a strange approach to those, even though email attachments
| seem to be enough for others.
| yau8edq12i wrote:
| I've never heard of this "EU law". Which one are you talking
| about? I live in the EU and my bank pretty much only contacts
| me through email.
| Repulsion9513 wrote:
| https://eur-lex.europa.eu/legal-
| content/EN/TXT/HTML/?uri=CEL...
| ar0 wrote:
| I do not read this court decision like that at all: the
| point of contention there seems to be that the customer
| was just sent a _link_ to a webpage (where the
| contractual terms can be changed from under him at will
| by the company, thus this not being durable). The court
| makes it pretty clear in my (non-lawyer) opinion that
| attaching a PDF to the email would have been fine.
| actionfromafar wrote:
| I was prepared to disagree with you, but I now have the
| same interpretation you have. Durable medium can be email
| - but the example seems a little fuzzy, for instance a
| durable medium is definitely when the email is stored on
| a HDD on a customer device. But is it still durable
| medium if the email only exists in a webmail? Probably
| yes, but maybe no. So the conservative approach would be
| to send paper for some things. (Or in this case,
| stupidly, USB devices. Banks, don't do that, please.)
|
| _Ramble Edit:_ it's unfortunate IMHO that there is no
| "read only" medium anymore. Not sure what it would look
| like now when USB-C is taking over the world, and that
| ship probably sailed, but it would be really cool and
| useful to have the option of a "data only" USB.
|
| Maybe computers could have one USB port marked as "ROM".
| Or a switch or LED symbol indicating "ROM safe" mode.
|
| When using such a ROM port, anything USB inserted there
| would only look like a DVD reader. A USB drive would get
| its files "mirrored" into a virtual ISO filesystem. Any
| other devices, such as keyboards etc would be just
| ignored and not connected to at all.
| jimktrains2 wrote:
| That doesn't fix the issue though. The issue is a killer
| USB or a virus on the disk. Being able to only read an
| infected file still allows it to be read.
|
| Also, this is only a software solution as the USB
| protocol would require bidirectional transmission.
| actionfromafar wrote:
| It doesn't fix the issue vs paper.
|
| But it would bring us back to being as safe as a CD or
| diskette was.
|
| I was thinking a special chip, talking bidirectionally
| both ways, pretending to be a PC host to the USB drive,
| and pretending to a DVD-ROM to the actual PC.
| dfox wrote:
| Most USB flash controllers support being read-only by
| either just being read-only or emulating optical drive.
| Obviously for the WORM usecase this is only a software
| solution inside the controller configuration as the
| underlying medium is still writable/erasable flash. In
| theory one could replace the flash with some kind of mask
| ROM with NAND-like interface and make it truly read only,
| but the cost makes that impractical for most
| applications.
|
| Then there are LTO tapes that have a WORM version, which is
| notionally not overwritable, but that is IIRC also only
| enforced by software (of the drive).
| yau8edq12i wrote:
| Putting aside the fact that the conclusion of this text
| is not at all what GP said... You do realize that this is
| not a law, not even a court decision, but that it is a
| prosecutor's opinion / suggestion to the court??
| Kwpolska wrote:
| https://eur-lex.europa.eu/legal-
| content/EN/TXT/?uri=CELEX%3A...
| verticalscaler wrote:
| Haha, nice try!
| pornel wrote:
| It defers to a repealed 97/7/EC, replaced by 2011/83/EU:
|
| > Durable media should enable the consumer to store the
| information for as long as it is necessary for him to
| protect his interests stemming from his relationship with
| the trader. Such media should include in particular
| paper, USB sticks, CD-ROMs, DVDs, memory cards or the
| hard disks of computers as well as e-mails.
|
| USB sticks are on the list, but so is paper and e-mail.
| _This USB stick could have been an e-mail_.
| yau8edq12i wrote:
| Putting aside the fact that the conclusion of this text
| is not at all what GP said... You do realize that this is
| not a law, not even a court decision, but that it is a
| prosecutor's opinion / suggestion to the court??
|
| Yes, if two people are going to answer with the exact
| same link and nothing else, I'm going to answer both with
| the exact same comment.
| Kwpolska wrote:
| It is a court decision. Citing the actual law and context
| for it.
| actionfromafar wrote:
| For some things, you must use paper (or as it turns out,
| USB).
|
| Why the bank decided to use USB for this purpose, instead
| of paper, is very strange.
| TeMPOraL wrote:
| Here in Poland, I've already had several banks and at
| least one insurer send me CD-ROMs. Never heard of anyone
| sending USB sticks before, but I'm not surprised. The
| problem is, approximately no one owns a CD/DVD reader
| anymore, and there are no modern read-only physical
| media. With SD cards also going the way of the floppy,
| USB stick is just about the only medium you can hope most
| customers have means to read.
| actionfromafar wrote:
| SD cards are really neat. Theoretically they could have
| been made with a fixed notch so they would always present
| as read-only.
| 01HNNWZ0MV43FF wrote:
| Since SD cards and USB sticks are both just computers you
| plug in to a network port on your computer, they could
| definitely make write-once SD card controllers.
| TeMPOraL wrote:
| AFAIK notch is just declaration of intent, like with
| floppies and magnetic tapes - it's politely asking the
| reading device to not write to the medium, and it's up to
| the device to respect it (or up to user to not bridge the
| notch with a piece of tape).
|
| Still, actual write-once (or read/write until hardware
| fuse is triggered, read-only afterwards) SD cards should
| be possible to make.
| vel0city wrote:
| It depends on the card. Sometimes it is just a suggestion
| to the firmware, sometimes it physically prevents writes.
|
| I've definitely encountered read-only SD cards which I
| couldn't figure out a way to set back to RW mode.
| Symbiote wrote:
| Danish institutions (including banks) seem fine with
| PDFs.
|
| I think that's shown by the post statistics: around 25
| letters received per resident, per year.
|
| I can't remember the last letter I received which only
| contained papers.
| Denvercoder9 wrote:
| > For some things, you must use paper
|
| Do you have a source backing that up?
|
| Aside from the local tax collector, which insists on
| snailmailing me a copy of all correspondence even though
| they also sent everything to me digitally, I can't even
| remember the last time I received any documents on paper,
| and I'm in the EU.
| evandale wrote:
| 5 words: Google search eu durable medium.
|
| https://www.fca.org.uk/firms/durable-medium
|
| https://www.lexology.com/library/detail.aspx?g=788714a1-d
| 7b6...
|
| Why did you need a source for this?
| oittaa wrote:
| From your link
|
| "A PDF can therefore meet the definition of a durable
| medium."
| Denvercoder9 wrote:
| Neither of those sources back up your claim that _paper_
| (or a USB drive, for that matter) is required in certain
| cases. The court case cited in your second link even lays
| out the conditions under which a website can be
| considered to satisfy the requirements.
| yau8edq12i wrote:
| I'm asking for a source. You're just reformulating the
| statement I'm asking a source for.
| drooopy wrote:
| Likewise. I have multiple accounts across different
| EU/Eurozone states and with the exception of the original
| contracts that I've had to sign to open said accounts, I've
| never had to deal with anything other than e-mail or in-app
| communication.
| evandale wrote:
| If you've never heard of it why not Google "eu durable
| medium"? Looks like the claim is true and I didn't need to
| ask for a source to figure it out.
|
| https://www.fca.org.uk/firms/durable-medium
|
| https://www.lexology.com/library/detail.aspx?g=788714a1-d7b
| 6...
| lifestyleguru wrote:
| Some German banks created paid storage service with multiple
| plans available. They are required to deliver documents to
| their customers but managements have massive brainfuck about
| the requirement and the most absurd solutions and ideas are
| being sold to them.
| k8sToGo wrote:
| My bank offers that and I use it to store backups of
| important files.
| lifestyleguru wrote:
| What makes bank a relevant or suitable service provider to
| store my "important files"? To store any files whatsoever
| other than those they're obliged to deliver to me?! "upload
| your testament, passport, and id documents here, you can
| trust us we are A BANK".
| hayyyyydos wrote:
| It's the electronic version of a safe deposit box
| OJFord wrote:
| I can understand that marketing message making sense and
| appealing to.. some people; I am surprised to see it on
| HN though.
|
| This is like buying vegetable & olive oils from BP or
| Shell because they're oil experts looking for new income
| streams as we shift away from petroleum.
| jimktrains2 wrote:
| Without knowing the details, one difference from your
| hypothetical could be ease of access to 3rd parties,
| especially after death.
| lifestyleguru wrote:
| When shit hits the fan the bank will be like: "The
| storage was actually a service we nearshored to Romania
| and Belarus. Part of your stuff is lost, part of it had
| leaked. We can offer insurance lump sum of EUR3.64 for
| your loss. You consented to all the risks on the page 475
| of T&C which we sent by post".
| PKop wrote:
| Perhaps this was the point of your comparison, but it's
| funny because "safe" deposit boxes aren't safe[0]
|
| https://archive.is/63xoB
| em-bee wrote:
| i love this comment:
|
| _ich arbeite als (externe) CyberCyberCyber Nase in einer
| Organisation irgendwo in der Sparkassengruppe. Ich kann dir
| versichern, dass niemand, der auch nur im entferntesten was mit
| InfoSec in der Bank zu tun hat, von dieser Marketing Idee
| erfahren hat._
|
| "I work as an (external) CyberCyberCyber nose in an
| organization somewhere in the Sparkassen-group. I can assure
| you that no one who is involved even the slightest with infosec
| at the bank, has heard anything about this marketing idea."
| jowea wrote:
| Hey at least it's 100% safe from a hacker who has broken
| SSL/TLS altering the terms and conditions on the wire.
| Aldipower wrote:
| Man, this is just a marketing gimmick. I am always short on USB
| sticks. So, I could have gotten another one.. How about a little
| bit more of humor?
| romwell wrote:
| If you give me your mailing address, I'll arrange it that the
| bank will mail you one, too.
|
| Just be sure to use the included NOTVIRUS.EXE viewer for best
| experience.
| marcosdumay wrote:
| Just set it to autorun. I'm sure anybody you mail it to
| will just confirm running it without even looking what they
| are doing.
| Aldipower wrote:
| In your fantasies. It is of course in the responsibility of
| the bank to check if this is virus free. I am using Linux
| anyway.. No autorun.exe here. Is this still a thing with
| Windows?
| NegativeK wrote:
| The problem isn't the bank verifying that the USB stick
| is clean; the problem is that the bank is distributing
| info in the exact same way that APTs would try to
| compromise an important target.
|
| Hyperbole, but it's like a bank employee calling you from
| an unknown number and asking for your email password so
| they can make sure their communications about your
| mortgage application don't go to the spam folder.
| praptak wrote:
| German IT is weird, German bank IT doubly so.
| vgalin wrote:
| (translation provided by ChatGPT)
|
| > Terms and Conditions, Price and Service List, Conditions.
|
| > Dear customer,
|
| > our price and service list, our terms and conditions, as well
| as further conditions which will come into effect on May 1,
| 2024, can be found on the USB stick.
|
| > With kind regards,
|
| > The Sparkasse Bremen AG
| grishka wrote:
| At least you get a free USB stick!
| arkitaip wrote:
| > What makes this situation so ridiculous is that while we're all
| watching for scammers attempting to imitate legitimate
| organisations, FedEx is out there imitating scammers!
|
| Hah!
| urbandw311er wrote:
| Wow. Just wow. Troy Hunt does an incredible job of calling out
| this utterly piss-poor performance from FedEx. Shame it needs
| somebody with a platform like this to draw attention to it. They
| should find a way to make them somehow more liable for fraudulent
| losses.
|
| It's gotten to the point now where it sometimes actually is
| impossible to speak to a human being in customer service - the
| thick layers of chat bots, deliberately gated 'contact us' pages
| and "why not use our app" nags.. ..if you're savvy enough to know
| already that only a human can resolve your particular query,
| getting hold of one can become a time consuming and sometimes
| traumatic experience. (only slightly tongue-in-cheek, I do
| actually believe this affects mental health)
| nonrandomstring wrote:
| What concerns me is that this mentality of erecting infuriating
| barriers will eventually lead to direct in-person stalking of
| staff.
|
| If anyone has honest anecdotes around this I'd love to hear
| from you (maybe privately is best if its detailed accounts)
| franze wrote:
| The Booking.com scams look better than the actual "Self check and
| pre payments solutions" links sent via the Booking hotels.
|
| 1 time I was right that it was a scam, 2 times I was wrong.
|
| Booking.com should make a proper "report payment circumvention"
| button and kick out all hotels who do it.
| throwaway290 wrote:
| How do those booking.com scams work?
| fmobus wrote:
| In a case I read (can't remember where), reservation data was
| somehow leaking (either from booking or from hotels), and
| scammers were sending messages purporting to be the hotel
| saying the room was cancelled or mischarged or something like
| that.
| zapu wrote:
| It's even worse than that. Scammers are sending messages
| through booking.com, so you get a message from the hotel,
| in your booking.com inbox, with a link to a payment site
| that just makes a payment to the crooks. The root cause is
| hotel employees installing session-stealing malware, either
| accidentally or by being part of the scam.
| franze wrote:
| https://amp.theguardian.com/money/2023/oct/23/bookingcom-
| cus...
| omar_alt wrote:
| Of the ~10 international shipments of records I had in the last
| year, one was from FedEx, and they sat on it in their out for
| delivery warehouse in a nearby town for two months with the usual
| pass the buck/pillar to post treatment. The extra fees plus
| customs they put on added up to 40% of the value of the items as
| well. DHL and UPS arrive within a week and are normally no higher
| than 25%
| caddemon wrote:
| FedEx seems to be the worst option domestically too. Maybe it
| depends on your location but they're the only service that
| somehow fails to deliver signature required packages to my mail
| room. I've also tried to have them contact me directly while I
| wait at home and I've tried to waive the signature requirement
| online, but they still just say "delivery attempted" for 3
| consecutive days and then hold stuff at their warehouse.
| Happened to me twice recently. I now try to avoid buying
| anything expensive that uses FedEx to ship.
|
| A funny thing I discovered in this process is that "delivery
| instructions" are shared for all packages to a given address
| regardless of the associated name, and never flushed unless you
| go in and do it manually on their website. I found the name and
| contact information for the prior tenant of my unit on the
| FedEx site with no other info besides 1 tracking number to the
| address (it also let me change the delivery instructions with
| said info). Potentially they were still calling that person
| when they tried to deliver initially, though I have other
| reasons to doubt they actually came to the door that day.
| hnfong wrote:
| My best theory is that FedEx outsourced the process of sending
| these SMS notifications to some external contractor.
|
| Of course, the scammers already have the scam systems in place,
| so they can win the bid on price :D
|
| I know this sounds ridiculous, but I doubt anything will make
| better sense than this :P
| sebtron wrote:
| A few months ago I got an email from the IT center of the company
| I work for that was dodgier than any phishing email I have ever
| received:
|
| - Coming from a domain that looks nothing like the official
| domain of the company, rather some generic @itservice.com or
| something.
| - Subject: "URGENT: your account is expiring soon".
| - Multiple links provided in the email body, all illegible and
| multiple lines long, none of them from a domain that I can
| immediately link to the company.
| - No alternative way of resolving the issue is provided other
| than clicking on one of those links (no "go to your account
| settings", "contact your line manager" or so).
|
| And still, it turns out it was real.
|
| ~100k employees company btw
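The indicators listed in that comment (sender domain outside the company's, urgency in the subject, opaque or shortened links, link text that does not match the target, no route other than clicking) are exactly what a mail-gateway or triage script can score mechanically. The following is an added example, not code from the thread or from any vendor: a small Python scorer run over two constructed messages. The corporate domains, the shortener list, the weights and both sample e-mails are assumptions made up for the demonstration.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Assumed: the organisation's own domains (constructed for this example).
CORP_DOMAINS = {"example-corp.com"}
# Assumed: a few well-known shorteners; a real deployment would use a maintained list.
SHORTENER_DOMAINS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "cutt.ly"}
URGENCY_WORDS = ("urgent", "immediately", "expir", "suspend", "verify now", "action required")

HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
BARE_URL_RE = re.compile(r'https?://[^\s<>"\']+', re.I)


def _domain(addr_or_url: str) -> str:
    """Lower-cased host part of a mail address or URL."""
    if "@" in addr_or_url and "://" not in addr_or_url:
        return addr_or_url.rsplit("@", 1)[1].strip("<> ").lower()
    return (urlparse(addr_or_url).hostname or "").lower()


def _is_corp(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in CORP_DOMAINS)


def score_message(raw: str) -> dict:
    """Score a raw RFC 5322 message for the phishing indicators discussed above.
    Returns {"score": int, "reasons": [str, ...]}; higher means more suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []  # (reason, weight)
    sender = str(msg.get("From", ""))
    subject = str(msg.get("Subject", "")).lower()
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""

    # 1. Sender domain is not one of ours.
    if not _is_corp(_domain(sender)):
        reasons.append(("sender domain not corporate", 3))
    # 2. Urgency language in the subject.
    if any(w in subject for w in URGENCY_WORDS):
        reasons.append(("urgency wording in subject", 2))
    # 3. Every link: foreign host, shortener, very long opaque URL, text/href mismatch.
    links = [(href, re.sub(r"<[^>]+>", "", label).strip()) for href, label in HREF_RE.findall(text)]
    for href, label in links:
        host = _domain(href)
        if not _is_corp(host):
            reasons.append((f"link to non-corporate host {host}", 2))
        if host in SHORTENER_DOMAINS:
            reasons.append((f"link shortener {host}", 3))
        if len(href) > 120:
            reasons.append(("very long opaque link", 1))
        label_host = _domain(label) if BARE_URL_RE.match(label) else ""
        if label_host and label_host != host:
            reasons.append((f"link text shows {label_host} but goes to {host}", 4))
    # 4. No out-of-band way to resolve the issue is mentioned at all.
    plain = re.sub(r"<[^>]+>", " ", text).lower()
    if links and not any(p in plain for p in ("account settings", "contact your", "help desk", "helpdesk")):
        reasons.append(("no alternative to clicking a link", 1))
    return {"score": sum(w for _, w in reasons), "reasons": [r for r, _ in reasons]}


# Constructed sample: the kind of "legitimate" mail the comment describes.
LONG_LINK = "https://sso-portal.itservice.example/auth/v2/renew?session=" + "0123456789abcdef" * 8
SAMPLE = (
    "From: IT Service <noreply@itservice.example>\n"
    "To: user@example-corp.com\n"
    "Subject: URGENT: your account is expiring soon\n"
    "MIME-Version: 1.0\n"
    'Content-Type: text/html; charset="utf-8"\n'
    "\n"
    "<html><body><p>Your account expires in 24 hours.</p>\n"
    '<p><a href="https://bit.ly/3xAbCdE">https://portal.example-corp.com/renew</a></p>\n'
    f'<p><a href="{LONG_LINK}">Renew now</a></p>\n'
    "</body></html>\n"
)

# Constructed sample: how the same notice could have been written.
BENIGN = (
    "From: IT Service Desk <it-servicedesk@example-corp.com>\n"
    "To: user@example-corp.com\n"
    "Subject: Password policy reminder\n"
    "MIME-Version: 1.0\n"
    'Content-Type: text/html; charset="utf-8"\n'
    "\n"
    "<html><body><p>You can review your options under your account settings at\n"
    '<a href="https://intranet.example-corp.com/settings">intranet.example-corp.com/settings</a>,\n'
    "or contact your line manager.</p></body></html>\n"
)

if __name__ == "__main__":
    for name, m in (("SAMPLE", SAMPLE), ("BENIGN", BENIGN)):
        print(name, score_message(m))
```

The weights are arbitrary; what matters is that a message from the real IT department and a phishing lure both trip the same rules, which is the comment's point. The same scorer is what a "report phishing" pipeline would run before a human looks at the report.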
| Rygian wrote:
| Did you click on the "Report Phishing attempt" button installed
| by your IT center in your mail client?
|
| Sorry for the probable sarcasm. In a company that size, if the
| IT center does not provide a means to report phishing attempts
| then there are more serious problems than a dodgy email
| campaign.
| sebtron wrote:
| I wanted to, but I could not find it. It turns out I could not
| see the "report phishing" button because of an Outlook
| glitch. Thanks Microsoft.
| lrem wrote:
| Forward the email to your security org?
| alistairSH wrote:
| This. We have a dedicated phish/scam/it-sec channel in
| Slack for this (in addition to an embedded "report this
| email" plug-in in Outlook).
| sebtron wrote:
| I did end up forwarding the email to another IT service
| address (one that I knew was legit). They thanked me for
| the feedback and said they would improve the message.
| TeMPOraL wrote:
| FWIW, I did exactly that a few times where I was 90% certain
| the e-mail is legit, but it still looked like a phishing
| attempt. The IT department needs to learn to do better, this
| is inexcusable, _especially_ in a corporation with otherwise
| restrictive policies that waste ridiculous amounts of money
| and effort (think: Windows Defender real-time "protection"
| on developer machines, with no way to exclude your repos).
| natebc wrote:
| This is even worse in companies that have security offices
| actively sending out phishing emails worded as internal
| emails from your company that shame you if you click any of
| the links in them.
|
| email is well and truly dead.
| dunham wrote:
| That reminds me that we had a "chief architect" who sent
| out his farewell email with a link to his LinkedIn page in
| the footer, but the link actually went to a certain music
| video on youtube.
|
| I suppose, if you want to train people to not click on
| links, that's a fun way to do it.
| ano-ther wrote:
| It's a good idea.
|
| I am usually a bit pessimistic about it though. If their SOP
| doesn't account for "looks like phishing but is from internal
| sender" then chances are that nobody connects the dots and
| informs that sender.
|
| The intelligence of a small and motivated IT team seems
| difficult to scale.
| lobochrome wrote:
| Our IT did the exact same thing with expiring m365 passwords.
| They weren't using the corp domain, typos all over and the URL
| was obscured using a bizarre link shortener.
|
| The same guys also force us to change our passwords every 6
| months and block the last twenty. Passwords we have to enter in
| systems that can't pull directly from password managers and
| thus have to type 10-20 per day. Guess the average strength of
| an employee password!
|
| I think IT incompetence should lead to audit fails or even
| better delisting from exchanges.
| jraph wrote:
| > The same guys also force us to change our passwords every 6
| months and block the last twenty
|
| It's good we have 26 letters, that comfortably leaves you a
| margin of 6 combinations :-)
| pjc50 wrote:
| > I think IT incompetence should lead to audit fails or even
| better delisting from exchanges.
|
| Fear of policy is why you get things like "force us to change
| our passwords every 6 months and block the last twenty".
| Getting a central arbiter of IT competence is a _hard_
| problem.
| Thorrez wrote:
| Is blocking the last 20 passwords a bad thing? I agree the
| other stuff is bad, but to me, that part doesn't seem bad.
| pflenker wrote:
| It leads to less security as it is more likely that the new
| password will just be an old one with an incremented number
| at the end.
| cobbaut wrote:
| And unless there is a minimum password age some people
| will just change it 20 times and then back to the same
| password.
| Workaccount2 wrote:
| Myself and most people keep our login passwords written
| on paper in our desk because of this stupid practice.
| Can't use previous passwords and new password every 90
| days. This is on top of 2FA.
| thesuitonym wrote:
| The worst part is it actually leads users to boasting
| about how they "beat the system", essentially telling
| their coworkers what their pattern is, making the
| password easier to guess.
| macintux wrote:
| I have long felt that organizations that require password
| rotation for employees should, when the users are
| changing their passwords, record and post the old
| password to an internal site (without any identification
| of the user) for educational (and mockery) purposes.
| pama wrote:
| Even if this rule technically seems benign, together with
| the forced change it encourages users to game the system
| leading to predictable patterns, eg adding a rotating
| letter or digit combo at the end of a same password.
| meindnoch wrote:
| Forced password updates are a bad thing.
|
| If your company does forced password updates, they are not
| following the NIST recommendation:
| https://pages.nist.gov/800-63-FAQ/#q-b05
|
| If your company is not following the NIST recommendation,
| they are incompetent, and will be held liable in case of a
| breach.
| ixwt wrote:
| The company I work for had a ransomware issue, so they
| got more zealous about security.
|
| They require us to change our passwords every 45 days
| now. When I pointed out the NIST recommendations of not
| rotating passwords, they say they are following the
| guidance of the response team that helped them recover
| from the ransomware. And that the NIST doesn't actually
| deal with the real world.
| bbarnett wrote:
| _If your company is not following the NIST
| recommendation, they are incompetent, and will be held
| liable in case of a breach_
|
| This is a stretch. Liable? Please show the case law, or
| the legislation.
|
| (My statement has no relevance to the validity of NIST's
| recommendations)
| bluGill wrote:
| Not directly. However NIST is admissible in court and so
| if someone sues there is now evidence that they should
| have known better.
| bbarnett wrote:
| Anything is admissible in court, the judge merely has to
| allow it.
|
| There are 1000s of such organizations, and many conflict
| with each other.
|
| My point is, it's inaccurate to say you are liable for
| not following NIST. I could easily say you could be
| liable, for not following me.
|
| Does that make it so? No.
| SAI_Peregrinus wrote:
| NIST SP 800-63B is informative, not normative. It
| codifies existing industry-standard best-practice, but is
| not in itself law. However, not following best-practices
| may be argued as negligence if it leads to a breach or
| decrease in shareholder value.
| internet101010 wrote:
| Internal password resets are a bad thing. It has its
| place in document sharing/collaboration platforms not
| connected to AD as an additional layer of revoking access
| when people leave a company.
| alistairSH wrote:
| In combination with forced changes, it leads to...
|
| Password1
|
| Password2
|
| Password3
|
| Etc
| bluGill wrote:
| I'm closing in on password100... It is the only sane
| thing to do, a good password is hard to memorize.
| (passphrases are much better, but hard to type correctly
| first thing in the morning and take too long when I need
| to type my password a dozen times a day)
| pierat wrote:
| The one I see that stays updatable is:
|
| PasswordFebruary2024!
|
| Where month and year update on the date of forced
| password change.
| alistairSH wrote:
| Oh, that's a good one. <runs off to update corporate
| logins>
| Karellen wrote:
| ITYM
|
| hunter3
|
| hunter4
|
| hunter5
| swozey wrote:
| I mean it's great for 99% of your passwords and pretty much
| forces people into using randomized generated passwords..
| but I still have to remember at least ONE password by
| heart. Whether it's 32 characters or 16 or what not, I
| still need SOME way to get into my password manager to even
| get to my passwords. So what, I'm going to make my password
| tacokissies69 and.. what, add a 0 every 6 months so I pass
| the 20 password minimum?
|
| So a hacker can infer that my password is tacokissies69000
| of some sort..
| swozey wrote:
| I forget who puts that stuff out NIST/STIG(?) but IIRC in the
| recent few years they determined that rotating passwords like
| that was basically security theater and wasn't worth the
| damage to the staff's productivity
| user3939382 wrote:
| NIST, whose guidelines, somehow, even other federal
| departments and agencies usually don't follow.
|
| NIST has very good password complexity and management
| guidelines. Just USE THEM! It's not that hard!
|
| How do you have billion dollar companies that can't RTFM.
| bluGill wrote:
| NIST whose guidelines are admissible in court and a
| competent judge will take over expert testimony. (an
| expert witness who says something that contradicts these
| guidelines is guilty of perjury, though good luck
| prosecuting that)
| Zak wrote:
| Perjury is lying under oath, not disagreeing with
| government guidelines.
| bee_rider wrote:
| On one hand, I agree that just disagreeing with a
| guideline isn't perjury. Especially in a case like this
| where lots of the industry still uses the old (bad, imo)
| plan.
|
| On the other, an expert witness has specifically
| represented themselves to be an expert. Is there any
| level of incompetence that rises to the level of perjury
| in that case? IMO there ought to be.
| dmorgan81 wrote:
| That would be argued in cross-examination. A witness can
| be shown to be not a good witness. Perjury is very
| specific to knowingly lying while testifying under oath.
| We really don't want to expand it to areas of ignorance
| or disagreement; that way would stop people from
| testifying entirely.
| bluGill wrote:
| An expert is someone who claims to know though, and thus
| if they say something that contradicts established facts
| they are lying under oath.
| singleshot_ wrote:
| This is not even near the truth. An expert (under
| Daubert) is someone who convinces the court they can say
| something relevant and reliable based on a technique that
| passes a test concerning:
|
| Whether the technique or theory in question can be, and
| has been tested; Whether it has been subjected to
| publication and peer review; Its known or potential error
| rate; The existence and maintenance of standards
| controlling its operation; and Whether it has attracted
| widespread acceptance within a relevant scientific
| community.
|
| The expert does not "know." The expert is the only
| witness who can give an opinion, more or less. Because
| the opinion is backed up by something, the court
| considers it useful.
|
| The technique they use is what's important, not whether
| their opinion contradicts a fact. I think you will find
| in many expert trials, two experts get the same facts and
| come to two completely contradictory opinions, neither of
| which is perjury.
| bee_rider wrote:
| Are there any examples of the former that you know of? Or
| is this just optimism?
| singleshot_ wrote:
| The rules of evidence govern what is admissible in court
| and I don't recall any rule pertaining to NIST
| guidelines. I think what you might mean is that the
| guidelines are a learned treatise which, while it would
| be hearsay for me or you to quote as a fact witness, is
| nevertheless something an expert witness can refer to.
| spott wrote:
| NIST, but they required password rotation up until very
| recently, against their own advice.
| marcosdumay wrote:
| They decided it was useless security theater decades ago.
| What happened recently is that they discovered that the
| rule they used to actively push causes severe harm to
| security.
|
| Now there's a positive rule about not doing it.
| throwway120385 wrote:
| Yeah when I was a shipping clerk, we had a pile of
| usernames and passwords for the Census Bureau's Automated
| Export System on sticky notes next to the shared computer
| because the password rotation and complexity requirements
| made it impossible to remember our passwords.
| marcosdumay wrote:
| Oh, there are many fun games from the 90's where you must
| infiltrate some place and every computer has some version
| of "due to the password rotation requirements, this
| week's password for the South-East door is 1-2-3-4,
| effective from Monday" pasted into it.
|
| When the NIST added the bad rule into their ruleset (it
| was mostly a collection of bad rules at the time), it was
| already widely mocked in popular culture (well, within
| the target population).
|
| I now wonder if that ruleset (the original one, that
| basically mandated you copy every flaw on Windows NT) was
| honest.
| Terr_ wrote:
| > there are many fun games from the 90's where you must
| infiltrate some place and every computer has some [sticky
| note]
|
| "Come to think of it, it's about time to replay Deus Ex
| again..."
| danaris wrote:
| > The same guys also force us to change our passwords every 6
| months
|
| While I know this may be fruitless, it might be worthwhile to
| point out to them that the official guidance from NIST and
| similar organizations is now _not_ to do this.
|
| The IT department where I work required yearly password
| changes up until I brought this change to their attention, at
| which point they changed to simply recommending a password
| change if you have reason to believe it might have been
| compromised.
| gnfargbl wrote:
| The lack of use of a non-corp domain, the typos and the use
| of shortened links does sound like a form of incompetence,
| probably at the management layer.
|
| However, the password rotation requirement was until
| relatively recently something that many IT auditors would
| actually _recommend_, even though it leads directly to bad
| user password choices. In fact I wouldn't be at all surprised to
| learn that was still the case in a lot of places.
| bluGill wrote:
| Fortunately NIST has specific advice that recommends
| against that which is admissible in court (in the US). I'm
| not sure how to work through the bureaucracy to do this,
| but your company should sue them in court for incompetence
| to get their money back.
| Kye wrote:
| I've seen multiple accounts from IT/security people who
| discovered something like "this could get the company in
| legal trouble" with links to details was exactly what got
| an otherwise intractable issue resolved.
| flatline wrote:
| Two then-current NIST standards (62 and 71?) side by side
| gave contradictory advice. It is a step forward though
| for sure.
| k8svet wrote:
| Yeah, define recently.
| homeyKrogerSage wrote:
| It is. I work as an IT tech at a military defense
| contractor and they require regularly recycling passwords,
| with a decent number of passwords remembered. They at least
| have complexity requirements applied so not 100% bad, but
| still archaic
| withinboredom wrote:
| Heh. I just increased a number in my password for my
| passwords. Then just repeat. So "CompanyName[00]" meets
| almost all complexity requirements and all I have to do
| is increment the numbers.
|
| Note: I only do this when I have these requirements and I
| can't use a password manager.
| mondobe wrote:
| Sounds like a certain BOFH story... have you ever thought
| about just adding another "s" to the end of your password
| instead?
| resfirestar wrote:
| The same NIST document (800-63) that recommends against
| password expiration also recommends against complexity
| requirements, instead organizations are supposed to
| develop a list of bad passwords that would likely be used
| in an external dictionary attack.
|
| People understandably get really fired up by the idea of
| not having to change their password every 90 days, but
| forget that the guidelines are a package that contains a
| lot of "shall"s (no password expiration is a mere
| "should") that would be more painful for organizations
| stuck with a lot of legacy software, like the requirement
| to use two authentication factors and the use of secure
| authentication protocols.
| DarkGauss wrote:
| Yep. That leads directly to passwords like:
|
| ReallyLongP@assword$01, ReallyLongP@assword$02,
| ReallyLongP@assword$03, and so on.
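The two comments above make the point from both sides: 800-63B replaces expiry and composition rules with a blocklist, and "remember the last N" does nothing against Password1 → Password2 or ReallyLongP@assword$01 → $02. The following is an added example, not from the thread and not NIST's or any product's code: a Python check that normalises a candidate (case, leet substitutions, trailing counters, month/year suffixes) before comparing it with a blocklist and with previous passwords, so that the increment trick is rejected while a genuinely new passphrase passes. The blocklist is a tiny constructed stand-in for the breached-password corpus 800-63B expects, and the similarity threshold and minimum length are assumptions.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Assumed: stand-in for the common/breached-password blocklist (constructed, tiny).
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome", "companyname", "hunter2"}

# Common substitutions users make to satisfy composition rules.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "5": "s", "7": "t", "!": "i"})
# Month names so that "PasswordFebruary2024!" collapses to "password".
MONTHS = "january|february|march|april|may|june|july|august|september|october|november|december"
TRAILING_RE = re.compile(r"[\W\d_]+$")
LEADING_RE = re.compile(r"^[\W\d_]+")


def normalise(pw: str) -> str:
    """Reduce a password to its memorable 'core': lower-case, strip leading/trailing
    digits and punctuation (the rotating counter), undo leet, drop month names.
    Coarse on purpose: the aim is to catch derivatives, not to be exact."""
    core = unicodedata.normalize("NFKC", pw).lower()
    core = LEADING_RE.sub("", TRAILING_RE.sub("", core))
    core = core.translate(LEET)
    core = re.sub(MONTHS, "", core)
    return core


NORMALISED_BLOCKLIST = {normalise(p) for p in BLOCKLIST} - {""}


def check_password(candidate: str, history: list, min_len: int = 8, similarity: float = 0.8) -> list:
    """Return rejection reasons for a candidate password (empty list = accepted).
    history: previous passwords of this account, oldest to newest (assumed available
    in plaintext only at change time, where the user has just typed the old one;
    a real system would keep normalised cores hashed, not the passwords)."""
    reasons = []
    if len(candidate) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    low = candidate.lower()
    core = normalise(candidate)
    # 800-63B style: compare against known-bad values rather than demanding symbols.
    if low in BLOCKLIST or (core and core in NORMALISED_BLOCKLIST):
        reasons.append("on the common/breached password blocklist")
    for prev in history:
        if low == prev.lower():
            reasons.append("identical to a previous password")
            break
        prev_core = normalise(prev)
        if core and prev_core and SequenceMatcher(None, core, prev_core).ratio() >= similarity:
            reasons.append("trivial variant of a previous password")
            break
    return reasons


if __name__ == "__main__":
    # Constructed cases taken from the patterns people describe in the thread.
    for cand, hist in (
        ("Password2", ["Password1"]),
        ("ReallyLongP@assword$02", ["ReallyLongP@assword$01"]),
        ("PasswordFebruary2024!", []),
        ("CompanyName[00]", []),
        ("correct horse battery staple", ["Password1"]),
    ):
        print(f"{cand!r}: {check_password(cand, hist) or 'ok'}")
```

Note what the check does not do: it has no expiry timer and no composition rule, because the normalisation step makes "add a symbol and a digit" worthless as a way of passing. If a history is kept at all, the comparison should run once, at change time, on what the user has just typed, rather than storing old passwords retrievably.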
| M95D wrote:
| > have to type 10-20 per day
|
| Same problem here. My solution: Get a mouse with internal
| memory for macros, such as Natec Genesis GX78 (old, no longer
| available, but this is an example). Program your new password
| on one of the unused mouse buttons or in a different profile.
| Use the mouse to type the password.
| reaperman wrote:
| Might be a good product to app-ify. Maybe a USB dongle that
| acts like a keyboard and controlled by your phone. Give it
| some sort of 1Password / Bitwarden integration.
|
| Could make it double as a YubiKey.
|
| Surely this exists already?
| f3d46600-b66e wrote:
| Yubikey supports this already, but without the phone
| part.
| mikepurvis wrote:
| I should do this for ssh password entry. Running ssh-
| agent is still 90% of the story, but it comes up often
| enough that I'm on a terminal in a remote machine or
| inside a screen session or something that it would still
| be awfully useful to be able to just autotype it.
| reaperman wrote:
| Does it require installing 3rd party software on the host
| machine? This might not work great for this kind of
| "shadow IT" application in all environments, whereas one
| that acts as a USB keyboard might be more versatile.
| organsnyder wrote:
| Only to configure it. It presents as a USB keyboard
| (among other device types).
| reaperman wrote:
| How do you tell it which password to type? I haven't seen
| yubikeys with physical interfaces to select a particular
| password.
| aidenn0 wrote:
| Does it require installing 3rd party software on the host
| machine?
|
| No, it identifies as a keyboard. It also defaults to
| generating a password that will use the same scancodes on
| (most?) western keyboard layouts so that computers
| configured to default to e.g. QWERTZ or AZERTY will still
| result in the same password.
| reaperman wrote:
| How do you tell it which password to type?
| aidenn0 wrote:
| IIRC there is a maximum of two; one on short-press and
| one on long-press.
| Terr_ wrote:
| Separately from the password aspect, consider how
| convenient it may be to use your smartphone as a kind of
| re-reified "clipboard": Use the camera and on-device OCR
| to copy text, then "paste" it as a virtual keyboard
| connected over USB.
|
| It's very niche, but in those rare situations it'll be a
| big time-saver compared to human transcription or the
| rigamarole of setting up some other kind of data channel.
| Grazester wrote:
| Yubikeys can do this.
| eropple wrote:
| It can, and I tried this, but in practice we have to
| change our passwords at my current employer so frequently
| that I got more irked changing it on the Yubikey (not the
| least hassle-free of processes, as I couldn't install the
| Yubikey software _on the work machine_) than just typing
| the thing.
| abustamam wrote:
| I had a similar experience at an old company that used M365.
| YMMV but with Bitwarden I generate passphrases like Pregnant-
| Guppy-Skateboard9 and it made it tons easier for me to type
| 20x a day than &7UoTod#$7OOD
| aaronharnly wrote:
| My work password now has an "18" embedded somewhere in the
| middle of it thanks to my autoincrement approach to handling
| that kind of obnoxious policy.
|
| Then I became CTO and retired the policy to align to modern
| NIST recommendations, so that "18" is in there forever :)
| WorldMaker wrote:
| I've noticed that Microsoft themselves aren't helping this
| right now. M365 seems to default to using random-tenant-
| guid.onmicrosoft.com for a lot of these transactional emails
| like password changes _even though_ the official
| account.microsoft.com is fully multi-tenant aware and _most_
| Microsoft guidance tells you to always go directly to
| account.microsoft.com. These transactional email mistakes
| seem like another case of Microsoft accidentally exposing
| problems in their org chart to external customers. I imagine
| it has something to do with the wild rewrites from old Azure
| AD to new "exciting brand" Entra ID and other such
| shenanigans _combined_ with Microsoft's willingness to bend
| over backwards to bad IT administrators and letting them set
| bad defaults (such as "just use the .onmicrosoft.com GUID
| instead of a real domain"), because companies love to pay
| them good money for the "control" to do stupid things in
| Group Policies and corporate configuration.
|
| Combined with the fact that the largest single source of spam
| I'm seeing right now is also coming from random tenant GUIDs
| .onmicrosoft.com (is Azure really missing that much SMTP
| security for random M365 tenants?) and this sort of corporate
| anti-training users to follow bad transactional email links,
| it certainly feels like we are in a perfect storm of M365
| phishing.
| Fogest wrote:
| The whole Microsoft Office suite online just feels like
| hacky code on top of more hacky code. And combine with how
| your account can also be signed into your PC, and then also
| signed into applications. I have a work email, and two
| personal emails that all make use of Microsoft products.
| What a mess it is managing the accounts and the different
| systems. The business emails and accounts just seem sloppy
| and seem to work differently than personal accounts.
|
| Overall when compared to Google's suite of products, M365
| just seems so sloppy.
| dimask wrote:
| Add to this the different varieties of their apps. The
| whole MS thing is a mess imo also because it cannot
| decide if it is for enterprise or for personal use. Some
| colleagues had to reinstall outlook, and after that
| things did not work properly. What actually happened was
| that they had googled and downloaded "outlook" from
| microsoft's website, instead of installing the m365 suite
| version. Which is basically a different application or
| version or whatever, but sharing the same name and app
| icon.
| iamthirsty wrote:
| The Walt Disney Company did exactly this when I was there,
| and everyone dreaded it. Did nothing but waste time.
| dimask wrote:
| > Guess the average strength of an employee password!
|
| It is interesting how sometimes creating "more secure"
| measures results in less security. Our IT department decided
| that using 2fa for vpn is not enough, we should also have extra
| 2fa for connecting to the webmail even through intranet or
| vpn. Guess who stopped using the vpn.
|
| Meanwhile, one can set up and use our email through any email
| client app on desktop or mobile without any 2fa at any step.
| Go figure.
| bombcar wrote:
| Healthcare companies in the US send the most scammy looking
| links for payment processing you've ever seen - things like my-
| healthcare-billing.net
|
| It's insane.
| mnau wrote:
| Our government uses the equivalent of www.mydatabox.cz (the
| real one is mojedatovaschranka.cz).
|
| Literally a domain that looks like it's from teaching material
| for phishing, not databox.gov.cz or something like that.
|
| The domain is for official legal document communication with
| the government and has the same legal weight as a letter that
| was delivered in person with the recipient's identity checked
| against ID.
| philsnow wrote:
| I'm supposed to pay my semi-annual property taxes (on the
| order of ~thousands of USD) on a site that ends in .org
| instead of .gov, and nobody apparently sees anything weird or
| wrong with it.
| bombcar wrote:
| Now that I think of it, I'm not sure I've ever seen a
| government payment site hosted on .gov; usually .com.
| 01HNNWZ0MV43FF wrote:
| You can tell it's legit if they charge you $2 extra for a
| credit card instead of a bank transfer lol
| bombcar wrote:
| Most have gone that way, but a few were still letting you
| put your entire property tax on credit card _with no fee
| whatsoever_ as recently as last year.
|
| Woohoo free miles! Sometimes the fee is so low that even
| when they _do_ charge it, it's worth using the credit
| card.
| JoshTriplett wrote:
| Yeah, I've encountered sites that charge a 1% fee for
| using a credit card, but I get 1.5% cash back.
| kube-system wrote:
| Some places in the US outsource not only payment
| processing, but the entire tax collection process to the
| private sector. I've heard stories of people living in
| Pennsylvania who have gone years without filing their local
| tax return because they thought the tax form was spam.
| Nope, that sketchy looking mail from some random business,
| with the .com address is the legally designated tax
| collector.
| 15457345234 wrote:
| id.me
|
| Still can't believe it
|
| Best hope the government of Macedonia remains friendly I
| guess
| pakyr wrote:
| *Montenegro
| sgerenser wrote:
| Yeah I got a text from one of these a couple years ago.
| Something like. "You have an overdue doctor bill of $183.56,
| please kindly pay immediately at this link: http://my-
| doctorpay.net/defintelylegit123. Thx!" Didn't even include
| the name of the doctor or office, but after calling the only
| doctors office I had used recently it was apparently legit. I
| let them know whatever company handles their billing is
| completely incompetent.
| sneak wrote:
| What incentive do they have to change it? People will still
| click and still pay, and if they don't, they'll refer it to
| collections and ruin their credit. As long as the billing
| office gets the money, in their view, the bar for
| "competence" is passed.
|
| This is something that only people like us can see. The
| rest of the world doesn't care about the problem, and even
| if they did, they have zero incentive to fix it.
| avarun wrote:
| > People will still click and still pay, and if they
| don't, they'll refer it to collections and ruin their
| credit.
|
| Healthcare has one of the lowest payment collection rates
| of any consumer industry. And as of a couple years ago,
| medical debt under $500 can no longer go on your credit
| report even after going to collections. States have
| passed even more consumer-friendly versions of this law,
| like NY where no amount of medical debt can affect your
| credit score.
|
| So actually medical billers are directly hurting
| themselves with their incompetence in this and many other
| departments.
| jameshart wrote:
| The US healthcare billing model's total lack of
| authentication and disconnection from point of service
| means that it's broadly plausible you do owe some random
| provider money at any time up to several years after your
| last doctor visit.
|
| Send someone an official looking piece of paper telling
| them they received $394 worth of in office medical
| laboratory service from Tristate Medical Partners Inc in
| August last year, that insurance paid $374 and that they
| just owe you a $20 copay, and I think a lot of people will
| just go to the online bill pay site and hand over the
| money.
| bluGill wrote:
| Worse every doctor/lab sends their own separate bill with
| their own separate account numbers and URLs. You could
| probably make a ton of money just sending a bill to every address in
| your city, so long as the amount is around $50 many will not
| question it anymore as they get so many of those things.
| bonton89 wrote:
| Let's not forget all the typosquatting looking domains
| Microsoft uses. It almost seems like they bought them up to
| protect users, forgot why they did that and said "hey we have
| all these domains, let's use those?"
| __float wrote:
| Do you have any examples? I'm largely out of the Microsoft
| ecosystem these days, aside from the occasional Xbox usage.
| bombcar wrote:
| Office.com redirects you to login.microsoftonline.com
| which isn't horribly bad, but is starting to get there.
| Now you have microsoft365.com and friends, too.
|
| At least when things were login.microsoft.com you could
| apply the "last part is definitive" now that heuristic is
| pretty useless. And if you watch the actual DNS requests
| during a login, whew.
|
| CDNs make it even worse, here's a few VALID requests from
| my DNS cache:
|
| store-images.s-microsoft.com-c.edgekey.net
|
| www.msftconnecttest.com
|
| 123499-ipv4v6.farm.dprodmgd103.aa-rt.sharepoint.com
|
| download.windowsupdate.com.edgesuite.net
|
| At least _some_ end in apparently legitimate domains, but
| sheesh, that last one looks like something straight out
| of 2000s era scams.
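Added example, not code from the thread, Microsoft or Akamai: the "last part is definitive" heuristic above, done mechanically. A hostname is judged by its registrable domain (public suffix plus one label); a brand name that only appears to the left of that carries no authority, which is exactly why `download.windowsupdate.com.edgesuite.net` reads like a 2000s scam even though it is Akamai serving Microsoft. The public-suffix subset and both allow-lists are constructed assumptions; the last hostname in the demo is a made-up lookalike.

```python
"""Judge a hostname by its registrable domain, not by the brand names
embedded to the left of it.  Added example for this thread.

Assumptions (labelled): PUBLIC_SUFFIXES is a constructed subset of the
Public Suffix List (publicsuffix.org); a real tool loads the whole list.
FIRST_PARTY and CDN_OPERATORS are allow-lists an admin would maintain,
written here from the hostnames quoted in the comment above.
"""

# Constructed subset of the Public Suffix List; longest match wins.
PUBLIC_SUFFIXES = {"com", "net", "org", "gov", "uk", "co.uk"}

# Assumed allow-lists.
FIRST_PARTY = {"microsoft.com", "microsoftonline.com", "microsoft365.com",
               "sharepoint.com", "windowsupdate.com", "msftconnecttest.com",
               "onmicrosoft.com"}
CDN_OPERATORS = {"edgekey.net": "Akamai", "edgesuite.net": "Akamai"}


def registrable_domain(hostname: str) -> str:
    """Public suffix plus one label: 'a.b.edgekey.net' -> 'edgekey.net'."""
    labels = hostname.lower().rstrip(".").split(".")
    if any(not label for label in labels):
        raise ValueError(f"malformed hostname: {hostname!r}")
    for i in range(len(labels)):             # longest suffix is tried first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{hostname!r} is itself a public suffix")
            return ".".join(labels[i - 1:])
    raise ValueError(f"no known public suffix in {hostname!r}")


def embedded_brand(hostname: str):
    """A trusted domain string appearing LEFT of the registrable domain,
    where it carries no authority (the classic lookalike construction)."""
    host = hostname.lower().rstrip(".")
    rd = registrable_domain(host)
    left = host[: -len(rd) - 1]              # strip ".<rd>"; may be ""
    for brand in sorted(FIRST_PARTY, key=len, reverse=True):
        if brand in left:
            return brand
    return None


def classify(hostname: str):
    """Return (kind, registrable domain, embedded brand or None)."""
    rd = registrable_domain(hostname)
    if rd in FIRST_PARTY:
        kind = "first-party"
    elif rd in CDN_OPERATORS:
        kind = "cdn"
    else:
        kind = "unknown"
    return kind, rd, embedded_brand(hostname)


if __name__ == "__main__":
    for host in ["store-images.s-microsoft.com-c.edgekey.net",
                 "www.msftconnecttest.com",
                 "123499-ipv4v6.farm.dprodmgd103.aa-rt.sharepoint.com",
                 "download.windowsupdate.com.edgesuite.net",
                 "login.microsoftonline.com.evil.example.org"]:  # constructed
        print(f"{host:55} -> {classify(host)}")
```

The two Akamai names classify as `cdn` with a Microsoft brand embedded on the left, which is what makes them look phishy; the constructed `evil.example.org` name classifies as `unknown` with the same embedded brand, and only the registrable domain tells the two cases apart.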
| WorldMaker wrote:
| Also Azure AD and Entra ID and other parts of Microsoft
| 365 all use onmicrosoft.com, too. A fun bonus to that
| particular domain is the random meaningless to people
| GUID-derived tenant IDs in the second level. Knowing what
| is legitimate, and what is tied to a specific corporate
| tenant, seems impossible. Certainly helps Microsoft
| themselves avoid XSS problems, I'm sure, but greatly adds
| to the confusion of what is a legitimate M365 URL.
| chuckadams wrote:
| To be fair, US healthcare billing companies aren't very far
| removed from scammers in the first place. Except most
| scammers are more ethical.
| silverquiet wrote:
| Regarding the external domain thing, I can say that dealing
| with domains in a big company gets about as bureaucratic and
| terrible as just about everything else; I experienced this
| myself - at a youngish company when I needed a new sub-domain
| off the big official domain, it was just talk to $dude on the
| DNS team and he'll help you out. And he did. A few years later
| once things had "grown up" a bit, I needed to update a record
| and I asked the same guy. He told me I needed to fill out a 25
| question form and they'd review it. I about half copy and
| pasted it from another team member's project and they accepted
| it.
|
| Obviously it doesn't excuse the practice, but I can see why
| people use alternative domains to get things done. The above
| anecdote was also purely within the company; I'm sure that if
| you add in a partner/managed service, it only amplifies the
| complexity.
| walrus01 wrote:
| If I saw one of those in a 100k employee company I'd first just
| assume it's a phish-test email and that anyone who clicks on
| any URL in it is going to get put in the list for remedial
| training.
|
| There are, of course, a whole plethora of services that a CTO-
| type person can hire to phish test your employees. Some of them
| even have _several hundred real domain names_ with live MX on
| them that you can add into your office365/gsuite mail flow
| permit-list controls, as an admin, to ensure that the phish
| test arrives correctly in peoples' inboxes.
| joezydeco wrote:
| I love how those emails have extra metadata in the headers
| like "X-Phishing-Test: True"
| walrus01 wrote:
| Indeed, though the sort of person who knows how to read and
| understand mail headers is probably pretty unlikely to fall
| for a real phish.
| Marsymars wrote:
| I have an Outlook rule to redirect these to junk.
| WorldMaker wrote:
| I wish I could do that, but then that would impact my
| "scoreboard" on the anti-phishing tool and they would
| yell at me or send me to remedial "training" too. They
| really like to see that useless button pressed that just
| patronizingly tells me "Yes, this was a training
| exercise".
|
| At the moment in my current corporate email address this is
| the number one source of spam, just all the internal
| phishing testing emails. It feels like the attempted cure
| is worse than the disease and I hate getting so much
| useless trash.
| Marsymars wrote:
| > I wish I could do that, but then that would impact my
| "scoreboard" on the anti-phishing tool and they would
| yell at me or send me to remedial "training" too. They
| really like to see that useless button pressed that just
| patronizingly tells me "Yes, this was a training
| exercise".
|
| It's actually even worse than that for our anti-
| phishing tool, somehow Outlook's processing triggers the
| tool to think that I've interacted with the email, but
| after several rounds of "our tool says you clicked a
| link" and my reply of "I 100% didn't, let me see some
| logs", they now seem to ignore notifications of me
| clicking on phishing test links. So a win for me, I
| guess?
| sokoloff wrote:
| I report those as phishing in order to get the feedback to the
| IT team who sent them from their colleagues in infosec. (I
| often have had IT and infosec reporting to me, which makes this
| even more effective of a feedback mechanism. :) )
| Macha wrote:
| Yeah, was working for a (then) 15k employee company and got an
| email "You have expenses due". Blank content, PDF attachment. I
| hadn't initiated any payments (but it later turned out the bank
| had just charged the annual tax on my corporate card account)
|
| Ignored it.
|
| Later got my manager asking as the expense team had been
| chasing down managers of people with overdue reports.
| anonymous_sorry wrote:
| My company's security training tells me to carefully verify any
| URLs in received emails, but then they have some security
| software that rewrites all the URLs in incoming emails -
| presumably as a way of screening them themselves.
|
| This might be a reasonable trade-off for centralising
| monitoring, but it significantly hampers the ability to judge
| the legitimacy of emails myself. At least update your training!
| lhamil64 wrote:
| My company does that too, it's really annoying. They also
| sometimes send out mass emails for things like surveys but
| link to some third party service. I've even seen them put, in
| the email, things like "the link goes to a trusted third
| party and is perfectly safe". Why should I trust that if I'm
| already suspicious of the email's legitimacy?
| ToucanLoucan wrote:
| Our last round of security training was roundly mocked by our
| software division, especially around the subject of one of
| the rules emphasized over and over being to "never click URLs
| in emails" and the sign-in process for the website alongside
| the distribution of lessons was done _exclusively_ through
| magic links... in emails.
|
| Our CEO is actually a developer himself on our core product
| (and a bit of a paranoid fella on the cybersecurity front to
| boot) and he was absolutely furious about this vendor being
| chosen...
| dormento wrote:
| At our company (hosting & PaaS), I was contacted on our
| internal messenger by a person I've never seen before, asking
| me to "please" run some commands as root and send back the
| results. After the initial shock (and due infosec diligence) I
| found out it was just "the new guy", needing to collect info
| about our systems for equipment inventory purposes. Since they
| didn't have access to our networked management tool yet, and
| didn't know the finer points about how running `curl ... | sh`
| randomly is not a good idea, they thought it would be ok to get
| that information piecemeal directly from people.
|
| It happens.
| from-nibly wrote:
| I flip tables when people make offhand requests like this.
| Infra teams are not keyboard monkeys with admin creds.
| chuckadams wrote:
| When I worked at Sun Microsystems, they had a clever launcher
| shell script dealie for things like StarOffice documents that
| did usage tracking, portability fixes (usually setting
| obscure environment vars), and of course downloading and
| opening the actual document. Then they started sending those
| shell scripts as email attachments. One day they sent out an
| email telling people to not open executable email
| attachments: the full memo was a SO document wrapped in one
| of these scripts.
|
| To their credit, after the inevitable replies to that email
| they never used that wrapper again (they moved the launchers
| to the centralized NFS install where they always should have
| been)
| bnralt wrote:
| Banks do this as well. I made a purchase, and within minutes
| got a very scammy looking e-mail from them - low quality gifs,
| asking me to click on links to a random non-bank
| website (something like purchase-verification-
| users.net/235532/confirm.html, and the site wasn't coming up on
| any searches). At the same time I get a call from a random
| number asking me to go over some purchases - I looked up the
| number, and it's none of the ones listed for my bank.
|
| So I hang up and call my bank directly. I spend 10 minutes
| going through the phone maze to talk to someone. Finally I get
| to them, and they confirm that is a number that they use to
| contact people. How come when you list numbers on your website
| you don't list this one? Well, they said they often call from
| numbers they haven't listed online. How about that e-mail, do
| you send those? Well, we sometimes contact people by e-mail, if
| it says it's from us in the from: line you can click on it. Did
| you guys send that one? I don't have that information; don't
| click on it if the from: line isn't us, but if it is, go ahead.
| xur17 wrote:
| > Well, they said they often call from numbers they haven't
| listed online.
|
| Worth noting - do not trust the incoming callerid number.
| This is trivial to fake.
| SilasX wrote:
| Similar unforced error: I got emails from healthcare.gov for
| required actions on the site's marketplace. But the links used
| the lnks.gd shortener, hiding what domain you were actually
| going to end up at! They're encouraging people to blindly click
| on links with no idea where it takes them!
|
| What's worse, you can't even go to the lnks.gd root to check
| where a shortened link is going. And the "shortened" link was
| actually longer, with all the payload crap they rolled in. They
| could have just used the normal url plus small internal
| identifier of which email it was if they needed to track it,
| and it would have been shorter.
|
| There was no reason to use a shortener, let alone such a shady
| one!
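Added example, not code from healthcare.gov, the shortener or the commenter: the practical answer to "you can't check where a shortened link goes" is to ask the redirector one hop at a time with HEAD and never load the destination. The resolver below records the whole chain, resolves relative `Location` headers, refuses non-HTTP schemes and gives up on loops. It assumes the redirector answers HEAD with a 3xx (most tracking redirectors do; a few insist on GET); the function names and the `FAKE_RESPONSES` table are constructed so the module runs offline.

```python
"""Find out where a shortened or tracking link leads without visiting the
destination.  Added example for this thread.

Assumptions (labelled): the redirector answers a HEAD request with a 3xx
and a Location header.  FAKE_RESPONSES is a constructed stand-in for the
network; swap in fetch_status_and_location for a real link.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow; urlopen then raises HTTPError carrying the 3xx."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_status_and_location(url: str, timeout: float = 10.0):
    """One HEAD request; returns (status, Location header or None)."""
    if urlsplit(url).scheme not in ("http", "https"):
        raise ValueError(f"refusing non-HTTP scheme in {url!r}")
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD",
                                 headers={"User-Agent": "link-peek/0.1"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def expand(url: str, fetch=fetch_status_and_location, max_hops: int = 5):
    """Follow redirects one hop at a time, only ever with HEAD, and return
    the full chain; the last element is the first non-redirect URL."""
    hops = [url]
    for _ in range(max_hops):
        status, location = fetch(hops[-1])
        if status not in REDIRECT_CODES or not location:
            return hops
        hops.append(urljoin(hops[-1], location))   # Location may be relative
    raise RuntimeError(f"gave up after {max_hops} redirects from {url!r}")


def final_host(url: str, **kwargs) -> str:
    """The hostname a reader would actually land on."""
    return urlsplit(expand(url, **kwargs)[-1]).hostname


# Constructed stand-in for the network, so the module runs offline.
FAKE_RESPONSES = {
    "https://short.example/l/abc": (302, "https://track.example/click?u=1"),
    "https://track.example/click?u=1": (301, "/land/1"),           # relative
    "https://track.example/land/1": (302, "https://www.example.gov/action"),
    "https://www.example.gov/action": (200, None),
    "https://loop.example/a": (302, "https://loop.example/b"),
    "https://loop.example/b": (302, "https://loop.example/a"),
}


def fake_fetch(url: str):
    return FAKE_RESPONSES[url]


if __name__ == "__main__":
    for hop in expand("https://short.example/l/abc", fetch=fake_fetch):
        print(" ->", hop)
    print("lands on", final_host("https://short.example/l/abc", fetch=fake_fetch))
```

Because nothing past the HEAD request is fetched, the destination page never runs, and the chain itself is the useful artefact: it shows which tracking hosts sit between the e-mail and the real site.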
| starky wrote:
| The company I work for has a service that sends phishing test
| emails to everyone that you are supposed to report. I take
| great joy in reporting every legitimate email that is at all
| sketchy just for the inevitable email back from the security
| team informing me that they reviewed my report and it was
| indeed a legitimate email.
| Havoc wrote:
| Corporates are shockingly incompetent at this sort of stuff.
|
| Seriously just use your main domain for URLs. For me at least
| that clears up 99% of this.
|
| I don't want to memorise a list of valid mystery domains for each
| shipper. Is that really too much to ask?
| jiggawatts wrote:
| It is.
|
| If they use their main domain, their normal corporate email
| will get blocked by anti-spam filters.
|
| So everyone uses a different, unrelated domain for bulk mails.
| Sophira wrote:
| Okay, but this isn't a bulk email. It's a very specific
| situation personal to the receiver and will never be sent to
| anyone else. (Obviously the _template_ will be used for
| multiple emails, but that's not what defines a bulk email,
| even though bulk emails can also be defined using a
| template.)
| thomastjeffery wrote:
| So use a different domain for corporate email. The only
| reason not to is if you are prioritizing the identifiability
| of your corporate email over the identifiability of your
| _actual customer-facing operations_.
| wccrawford wrote:
| When I bought a car once, I received an email a few months later
| saying I hadn't proven I had obtained insurance on it, and the
| bank wanted me to visit a domain that wasn't theirs to provide
| proof.
|
| The email I got looked like a badly-scanned letterhead and was
| very, very fishy.
|
| After I received a few of them, I finally contacted the bank and
| it was _legit_.
|
| I tried telling the office person (not just a clerk at the
| counter, someone with their own desk) about the situation and
| they couldn't understand why it was bad.
|
| I soon paid off that loan and got away from that bank.
| dudul wrote:
| Happened to me with my mortgage. Got this very weirdly phrased
| letter about how my homeowner insurance info needed to be
| updated/confirmed and that I had to go to <random website> to
| clear it out.
|
| I called my insurance broker and yes indeed it was legit. I
| also tried to explain to them how this letter was a few steps
| removed from a Nigerian prince scam based on all the red flags,
| but i don't think it made a big difference.
| judge2020 wrote:
| The national insurance providers are often pretty slow or
| shady when it comes to claims, but I've never had a bad
| experience with Allstate or State Farm when it comes to their
| cybersecurity and domain experience. Allstate's frontends
| (web and app) sometimes feel more clunky but their APIs feel
| good enough and sites seem to follow good design practices.
| lifestyleguru wrote:
| Phishing and workflows like this are handled by the same profile
| of employees. Low paid, outsourced, hating their job, doing the
| least possible. That's why they're indistinguishable. Reliable
| workflows, record profits, high salaries and bonuses for
| executives - pick two.
| anonymous_sorry wrote:
| In a Blackhat talk several years ago Adam Shostack had a clever
| term for companies interacting with you in ways that were
| indistinguishable from scammers.
|
| But I can't remember what the memorable term was.
| nonrandomstring wrote:
| Anyone found this? Can you remember the episode?
| anonymous_sorry wrote:
| Found it here.
|
| https://i.blackhat.com/us-18/Wed-August-8/us-18-Shostack-
| Thr...
|
| He used the term "scamicry": legit communications that mimic
| scams. For example when a company calls you directly and asks
| for your security details, but offer you no way to verify who
| they are first.
| nonrandomstring wrote:
| You star! Thank you anon.
| seb1204 wrote:
| I have received SMS mostly a day after I ordered something off
| Amazon. I'm not often ordering something, so sometimes I go weeks
| without scam SMS.
| hugoromano wrote:
| DHL, FedEx, and UPS are experts in overcharging to process a form
| and not caring about customers. Duty and VAT are usually low
| compared to this processing fee, and shipping has already been
| paid. Here is the catch in the EU, this simple duty form can be
| processed by the receiver, an agent (some related to the
| carrier), or an attorney-in-fact of the receiver. The big three
| carriers (and many others) threaten you if you refuse to use
| them.
|
| At the end of the day, they don't care if we get phished or
| scammed; it is all of customs confusion. Next time process your
| customs form, you will realise how much money you will save, and
| the form only has less than 8 fields, the Union Customs Code is
| easy to read.
| JackMcMack wrote:
| I've often felt frustrated by the processing fees. Can you
| elaborate on handling this yourself? Which EU country are you
| based in?
| AnssiH wrote:
| Does not answer your question, but related:
|
| In Finland you can declare DHL/UPS/Fedex packages yourself
| with customs and pay directly to them, with no fees to
| carrier (it took a Finnish Competition and Consumer Authority
| decision in 2017 to get rid of the fees, though). But this is
| a bit different as it is not a hidden option but standard
| procedure (though you still get the option of paying the
| carrier to declare, instead).
|
| Declaring inbound packages to Customs by yourself was already
| the standard here for postal parcels even before Customs
| internet services, so this was not a completely new way of
| working.
| dddddaviddddd wrote:
| Same in Canada, though, if I understand correctly, you have to
| visit a customs checkpoint in person to make a declaration:
| https://goingawesomeplaces.com/how-to-avoid-paying-ups-broke...
| dghlsakjg wrote:
| The processing fee is as high as $35 when the taxes are as
| low as $10, and then you get charged tax on the fee too!
|
| CBSA should require affirmative opt-in to use the shipper as
| the broker, and allow you to file the paperwork yourself on
| their site.
| bradley13 wrote:
| This. They have been paid to ship an international package.
| Billing the _recipient_ for delivery is just dishonest. I
| assume they do it, to make their price for the shipper look
| artificially low.
|
| For this reason, whenever possible, I choose delivery through
| the post office.
| dghughes wrote:
| Obviously just call the totally normal support number shown 1 800
| 111 112 /s
| cbolton wrote:
| This fits nicely with my experience of FedEx. They sent me a bill
| 7 months after I had received the package. A few days later I get
| a reminder that doesn't include the necessary information for
| payment, which seems rather lazy and stupid since an unpaid bill
| might well have been lost. It refers me to www.fedex.com where
| I'm told to create an account. I do that only to find it doesn't
| know anything about my bill. By chance I do find the original
| bill shortly afterwards. Turns out this bill sent 7 months late
| had very small text saying "to be paid immediately", the first
| time I see that on a bill (it's usually 30 days in my country).
| Of course they sent me a second reminder 10 days after I paid.
| proaralyst wrote:
| I've had this, but the first thing I heard was that my customs
| charge was sent to collections. Cue lots of scary messaging
| about debt collection, none of which said anything other than
| this was for a FedEx parcel of some kind
| tome wrote:
| Why didn't he email the address provided in the SMS, which will
| obviously go nowhere else other than to FedEx?
| nmstoker wrote:
| Reminds me of the mess that the LTA are in the UK regarding
| getting Wimbledon tickets.
|
| Over the years they've changed domains several times, had a
| breach, reset passwords multiple times, and now do part of their
| login via a random third party site (but to make it worse they
| push you to sign up for a second form of account which logs in
| separately!)
| albert_e wrote:
| The biggest banks and brands in India as well as the government
| organizations do this type of poorly thought communications all
| day.
|
| The other day an email from the oldest and biggest bank of India
| landed in my inbox
|
| Truncated Subject line on mobile said "Cash Withdrawls made ..."
|
| My heart skipped a beat because I did no such thing with my
| account.
|
| Turns out it is a marketing mailer with subject "Cash Withdrawls
| made Easy!"
|
| Facepalm.
| fmobus wrote:
| Well, the marketing person who came up with message can pat
| themselves in the back because you bet the engagement on that
| one was thru the roof.
| dwighttk wrote:
| So far every time I've gotten dodgy AF texts or emails I've been
| able to verify at the real site... crazy that FedEx doesn't have
| the info attached to the tracking.
| krisoft wrote:
| > crazy that FedEx doesn't have the info attached to the
| tracking
|
| It is crazy how much the "paying duties at the border"
| situation feels like an afterthought for all courier companies.
| It is almost as if it was not really their design, they just
| tacked it on later.
|
| I wanted to send a present to my brother in another country
| using DHL Express. It was impossible to convince them that I
| would like to pay duties. Not a thing. Can't be done.
| gpderetta wrote:
| They get a significant markup for providing this "service" to
| the receiver, so it is not in their interest to help the
| sender. More charitably the actual duties to be paid might
| not be known until the package reaches the border at
| destination.
| krisoft wrote:
| > They get a significant markup for providing this
| "service" to the receiver, so it is not in their interest
| to help the sender.
|
| I understand. It is a service, and I am willing to pay for
| it. The alternative is that I don't send presents with
| them. "Happy birthday! Quick pay 20 bucks before you can
| get your present!" is not really a good experience.
|
| > More charitably the actual duties to be paid might not be
| known until the package reaches the border at destination.
|
| I understand that too. That is why they are sending the
| request for the duties only once the package is at the
| border. But why can they send the request towards the
| recipient and not towards the sender?
| naruhodo wrote:
| There really needs to be some kind of cryptographic
| authentication system for text messages and caller ID that gives
| the recipient absolute certainty about the identity of the
| sender. Registering a name in this system should require real-
| world proof of identity including a business address and the
| contact information of real people. There should be serious
| financial penalties for identity fraud. It should be an open
| standard that can be implemented in open source software. And all
| the big phone manufacturers should be legally compelled to use
| it.
| chatmasta wrote:
| This will never work as long as calls and SMS messages are
| routed over the existing telecom networks. The infrastructure
| is simply too insecure to enable this kind of scheme.
|
| If calls are routed over internet then it becomes more viable
| but obviously there is still a large coordination problem and
| misalignment of incentives.
| zokier wrote:
| BS. Many countries have successfully implemented SMS sender
| registration/verification schemes. See for example here for a
| list: https://support.sms.to/support/solutions/articles/43000
| 56265...
|
| The details differ per country, but either all non-registered
| senderids will be blocked, or registered senderids will be
| allowed only from authorized sources. The degree of
| mandatoriness varies also, in some places its mandatory for
| telcos to comply, in other places it is some voluntary
| cooperative scheme.
|
| But despite such details, the problem is clearly not
| completely intractable.
| zokier wrote:
| Relevant as article was about Australia:
| https://www.acma.gov.au/articles/2024-02/five-telcos-breache...
| emilecantin wrote:
| Canada Post actually does something good here: you can pay from
| the tracking page. And they don't add any fees, you just pay the
| duties and taxes.
| Majromax wrote:
| > And they don't add any fees, you just pay the duties and
| taxes.
|
| Are you sure about this? Canada Post's webpage
| (https://www.canadapost-
| postescanada.ca/cpc/en/support/articl...) says:
|
| >> We apply a handling fee of CAN$9.95 per dutiable or taxable
| mail item.
| emilecantin wrote:
| I might misremember the last time I had to pay duties, then.
| Still, 10$ is much more reasonable than UPS's 70$ plus taxes!
| noirscape wrote:
| Here Dutch customs doesn't even send you links for this stuff
| over SMS due to all the spam.
|
| They tell you to look up the package tracking number on the
| PostNL website (the national universal delivery company) where you can
| pay for it. All you get over SMS is a heads-up to check and the
| ID to enter (you need to combine it with your zipcode).
| sureglymop wrote:
| At my company, they announced that in the upcoming month there
| would be an internal phishing sensibility campaign. Then, in the
| same month, they started sending out incredibly dodgy looking
| emails to "security training" provided by an external website. Of
| all emails, those looked the most like phishing but they are not.
| I decided that I refuse to do this training completely because to
| me it seems crazy how that was coordinated. I would never lose my
| job over this but it is amusing that I get an "Urgent: security
| training still outstanding" about once a week which just goes
| straight into the trash.
| dghlsakjg wrote:
| My company uses an outside vendor for security training that
| requires us to login using company credentials.
|
| The outside security vendors also run phishing security
| campaigns that they send out from their own domain, and that
| have "phishing" URLs that point to the same domain we do the
| training on.
|
| I got reported as being phished for following a link that goes
| to the SAME domain as our required security training. Our
| security compliance team got my point when I reported every
| required training reminder as coming from a known phishing
| domain.
| ilogik wrote:
| Text message from my mobile carrier:
|
| Be careful! Never click on links received in messages from
| strangers. Learn more at www.....
| axelthegerman wrote:
| The other thing I try to understand but just can't is how Telco
| providers can be so incompetent in effectively stopping scam
| texts.
|
| First off, texts are not encrypted and they can see ALL
| communication.
|
| On the other hand the US forces me, using Twilio for SMS
| automation, to sign up "campaigns" with "Sample messages" if
| maybe all I want to do is build a personal assistant with text
| commands. My messages will get hit with fees for non-compliance,
| or end up silently blocked without any visibility.
|
| Then there are these scammers sending the same or very similar
| messages to millions of people, pretending to be the same 50
| companies (national banks, shipping companies, cell phone
| carriers) - how about these $bigcorp register their "campaigns"
| to combat scams and they'll leave me alone (one number sending
| texts to always the same one or handful of numbers).
|
| ... Oh wait I figured it out! Telcos don't care, they enjoy
| inflated traffic numbers in their network and charge for it - why
| would they stop it
| cfinnberg wrote:
| I received once a mail from my bank at the time stating that they
| have a message for me, but for security reasons I have to read it
| on their systems. And they provide the following link:
| https://cbk.pwlnk.io/~hc
|
| The bank's name is CaixaBank. I was wrong and the message was
| legit. My first thought was it was a scam :)
| bonton89 wrote:
| I definitely would have called on that one and tried to avoid
| the whole link altogether.
| wiradikusuma wrote:
| I frequently buy things from Tokopedia, one of the largest
| e-commerce in Indonesia.
|
| At one point, I ordered something, and the next day, someone
| contacted me through WhatsApp, claiming to be from the courier
| (with the company logo as a profile picture). They said my
| package was rerouted, and I had to click a link to fill out some
| form. Typical scam message, with typo and urgency. I can track
| the status of my order in the app, and it says it's in transit
| somewhere. So, their explanation matches.
|
| You might think, "Well, that's obviously a scam. They would not
| contact you through personal WhatsApp!" But sometimes couriers
| _DO_ contact you to ask for your precise location or notify you,
| "Hey, I left your package with your neighbor. Here's the photo."
|
| I'm just wondering how the scammer got this info that Mr X is
| expecting Product Y from Shop Z. I almost fell for it (I was in
| the middle of something and got distracted), and I can only
| imagine the unlucky victims.
|
| It happened 2-3 times during that period and then it was gone. Did
| someone find out and fix it? How did they find out? Because I'm
| guessing there are lots of hands involved in the delivery
| pipeline.
| pflenker wrote:
| One time working at a bigger company I received an email that was
| a very, very obvious, poorly made phishing attempt - in fact, so
| poorly done that I wondered if I could break the login form
| somehow. So I submitted bogus data to see what happened -
|
| Turns out it was part of some kind of "test" of the company to
| raise awareness for phishing, and I failed the test since I
| submitted the form.
| pch00 wrote:
| Reminds me of the "householdresponse.com" domain quite a few
| people in the UK have been exposed to at one time or another...
|
| https://www.bleepingcomputer.com/news/security/uk-gov-keeps-...
| gaogao wrote:
| In illustration of the prevalence of the phish, I got a dodgy SMS
| from a sketchy email address that "The USPS package has arrived
| at the warehouse and cannot be delivered due to incomplete
| address information." while I was reading the article on my
| phone.
| red_admiral wrote:
| The number of "Please click this Microsoft Sway link for an
| important update" emails that I get these days ... sigh. So far
| they've all been legit (although rarely important), but if I ever
| go over to the dark side, that's what my first phishing campaign
| will look like.
| MarkusWandel wrote:
| This is a real problem with so much stuff outsourced to external
| cloud providers. Used to be, if it was from the company intranet,
| no problem. Now every survey, every training thing, every new
| flavour of the month is from external mystery domains and then it
| wants your corporate credentials to log in. At my company they
| keep us sharp by running "fake phishing" campaigns to kind of
| gamify recognizing phishing emails. But this shouldn't be
| necessary for legitimate corporate stuff.
| al_borland wrote:
| Is it common for people to have to pay previously unknown charges
| to get their packages delivered? I don't frequently make
| international orders, but have a few times, and have never seen
| this. Everything has always been charged up front.
| Kye wrote:
| https://en.wikipedia.org/wiki/Cash_on_delivery
|
| There are also import duties in some places like the US that
| can be a surprise if you don't know where the seller is or how
| they're shipping:
| https://en.wikipedia.org/wiki/Customs_duties_in_the_United_S...
|
| I forget the name, but the USPS has a special service shippers
| at companies like Aliexpress often use to avoid stuff like this
| when shipping to the US.
| Symbiote wrote:
| The EU and UK have systems to allow the tax to be paid when
| purchasing, for large companies that support it like Ali
| Express. These are fairly new.
|
| Countries also have their own limits below which they don't
| bother with the taxes. There was so much abuse of this in the
| EU+UK the limit is now zero.
|
| The only time it should be surprising is when the foreign
| website isn't paying the taxes, and it also isn't clear it's a
| foreign site. Generally on cheap crap from China.
| crazygringo wrote:
| Absolutely. That's very often how customs works. As a general
| rule, the sender is responsible for postage, while the
| recipient is responsible for customs, and the package only gets
| released to them once they pay it.
|
| But many times there are no customs fees, so there's no issue
| -- it depends entirely on the pair of sending and receiving
| country and the category and amount of merchandise. That may
| have been your experience.
|
| Generally speaking, customs can't be charged upfront with your
| order. Perhaps there are exceptions with certain delivery
| services in certain countries which have managed to modernize
| some of it, but I haven't come across that yet.
| prakashn27 wrote:
| At this point I use SMS only for 2-factor authentication, WhatsApp
| for connecting with friends and family, and email for the rest of
| the stuff.
| jwally wrote:
| I got an sms from "Nikki Haley" the other week asking me to join
| some political rally. This has SUCH potential for abuse.
|
| A) spreading misinformation. Not hard to confuse people that
| their polling location is closed but the inconvenient one across
| town is still open
|
| B) fake fundraising. Blast out an sms from "citizens for action"
| who need money to support ${popular cause/candidate}
| PaulHoule wrote:
| I just got a letter from the insurance agent that I thought was
| going to say "THIS IS NOT A BILL" but it was a cancellation
| notice for my homeowner's policy. The letter was designed to be
| as difficult to read as possible, about 97% of the space was form
| letter elements that weren't relevant, in the middle of page 2
| there was an area covered with large black underlines that had
| the reason for the cancellation typed lightly in it.
|
| It is probably time to look for a new insurance provider but I
| was thinking of calling back the insurance agent and telling her
| I was planning to run for state senate on a platform of reforming
| the insurance laws and legislating that you can get 20 years in
| prison for sending a letter that says "THIS IS NOT A BILL" and
| that insurance paperwork has to be written in English excerpting
| any words that are shared with Latin or French. (Which I'm sure
| the French would approve of)
| hibikir wrote:
| St Louis county just did some of this for their property
| declaration system. It used to sit right there on the website: An
| ugly set of forms, but perfectly functional. Apparently they
| ordered a rewrite to yet another contractor, and now you get a
| link to.. stlouismosmartfile.tylerhost.net. Following the link,
| from the county's own website, warns of a third party link! The
| link prompts the user to register... and the validation email,
| unsurprisingly, is sent to spam, and then flagged as risky by
| gmail! Enough red flags, you'd think it's an old soviet military
| parade, but no... when you call the county, they say that yes,
| this isn't them getting hacked (again), but the way things are
| supposed to be.
|
| This is something everyone that owns any property and is a
| resident of the county must fill out: About half a million
| accounts will be created in two weeks. Making sure that all of
| this comes from the county's domain? Too difficult for them. And
| all for a website on the other side that doesn't look much better
| than the old one.
| habosa wrote:
| FedEx may have the worst and least secure digital platform for a
| major company. Some examples I've noticed:
|
| 1. I moved into a 10-unit apartment building and wanted to set up
| FedEx Delivery Manager. I just put in my new address, no
| verification whatsoever, and I was immediately given access to
| the previous tenant's delivery instructions which included the
| building's private garage code. Any thief could have done the
| same.
|
| 2. When I moved out of that building I wanted to add my new
| address to delivery manager ... but I couldn't. The site errored
| every time. The reason? Some forums revealed the correct
| hypothesis that if you have special characters in your password
| then some parts of the site are permanently broken for you.
| Including the change password flow. So I had to have my wife make
| a new account with a worse password.
|
| Truly amateur stuff for an otherwise very impressive company.
| eropple wrote:
| UPS is up there, too. I still get text messages about an old
| address on an account I can't log into for...reasons. (Special
| characters sound plausible! And of course the password reset
| flow doesn't work.)
|
| Wonder if they share a vendor.
| judge2020 wrote:
| UPS is better in my experience with them always requiring a
| code sent to me via USPS to verify access to UPS My Choice,
| except for when I signed up with a new construction address -
| It also seems to only show me packages with my last name on
| it, packages with just a company name did not show up.
| ryandrake wrote:
| I can't believe it's 2024 and we are still seeing bugs with
| handling "special" characters. Unicode has been here for how
| long? Robust string handling is supported in every language.
| There is no such thing as a special character. My name should
| be able to contain Chinese characters. My password should be
| able to contain emojis. What is this Stone Age shit still
| running on companies' backends?
| gjsman-1000 wrote:
| Most companies don't like rewriting their code. If it ain't
| broke, don't fix. (Weird password issues don't count as
| broke.) There's no guarantee, after all, that the rewrite
| won't have major edge cases and mistakes of its own.
|
| The upper layer might change now and then, to give a veneer
| of modernity. But just like Windows being built on 90s
| technology, the stuff underneath could be even more
| ancient.
| ryandrake wrote:
| A software that can't accept a % as part of your password
| is absolutely, positively broken--in any industry or
| application. In many companies, this would be a P0 "don't
| go home until it's fixed" production emergency if a bug
| like this crept in to the software. We need to stop
| excusing long-standing bugs in horrible legacy software
| just because they are long-standing.
| gjsman-1000 wrote:
| > In many companies, this would be a P0 "don't go home
| until it's fixed" production emergency if a bug like this
| crept in to the software.
|
| Would it, really?
|
| P0 would probably be "10% of our customers can't submit
| an order." Or "20% of our vendors are experiencing 404s."
| ryandrake wrote:
| If 10% of customers have passwords that now can't log in
| and submit orders, that would be an emergency.
|
| We're taking OP's word for it that FedEx doesn't allow
| certain characters as passwords (actually, from the
| description, it seems more like FedEx only _allows_
| specific characters which is even worse). If either of
| those are true, it is most certainly a defect. Whether
| FedEx treats that defect as an emergency is up to them I
| guess. I'm saying many modern companies would.
|
| You originally said "Weird password issues don't count as
| broke." I think this might just be a case where we have
| to "agree to disagree".
| gjsman-1000 wrote:
| > You originally said "Weird password issues don't count
| as broke." I think this might just be a case where we
| have to "agree to disagree".
|
| I meant broke in the sense of "if it ain't broke, don't
| fix." If there are over 300 microservices running code,
| connected to mainframes running code that was originally
| from the 80s, but they occasionally have password issues
| - the risks caused by trying to fix it might be greater
| than it's worth.
|
| That doesn't mean FedEx can't do a better job telling
| people not to use special characters - or detecting if
| their current password contains them and forcing a
| password change.
| krisoft wrote:
| > If there are over 300 microservices running code,
| connected to mainframes running code that was originally
| from the 80s, but they occasionally have password issues
|
| And we ended up where the thread originally began: "FedEx
| may have the worst and least secure digital platform for
| a major company."
|
| Besides, that is horrible! There should be 1 microservice
| which deals with passwords, the authentication one.
| Everything else should just get a token attesting that
| the user is authenticated (or not).
| krisoft wrote:
| > it seems more like FedEx only allows specific
| characters which is even worse)
|
| If I read it right it sounds even worse. Fedex allows the
| characters and then random stuff just breaks.
|
| It is much preferred to get a simple "only english
| alphabet and numbers please" warning message when you are
| trying to set the password than not getting any warning
| and then things breaking.
| Fogest wrote:
| I've had this before at a University I used to attend. I
| had a password with either a % or a & and I found I
| couldn't log into one specific system. I changed my
| password to a different one, but still had one of those
| special characters. I was curious and tried a more
| "basic" password and I was able to get in. The system
| just wouldn't accept certain characters in your password.
| The main University password manager did disallow certain
| special characters, but clearly not enough of them.
|
| It never makes you feel very confident in an institution's
| security when they can't even figure out how to get a
| username/password to work properly on their systems.
| WorldMaker wrote:
| Unfortunately the InfoSec Red Team determined that % in a
| password could be an attempt at an SQL Injection Attack
| and the Security Priority is to not fix the current
| behavior and instead other password checks in the company
| should also start erroring for % and other such "power
| characters" used in attacks.
| crazygringo wrote:
| > _My password should be able to contain emojis._
|
| It's probably better if it shouldn't. It's generally better
| to prevent passwords from containing characters that can't
| be entered on a decent proportion of devices you may
| encounter.
|
| Emojis are particularly problematic because new ones keep
| being added which require OS upgrades, and you might find
| yourself needing to log in from another device that just
| doesn't support those emojis yet.
|
| Also it's not like Unicode makes everything easy. For
| example, you have to remember to normalize the password
| before hashing. Otherwise something as simple as "ñ" may be
| a totally different byte sequence depending on which device
| you're using.
| grodriguez100 wrote:
| If a system cannot handle ñ in a password then it is
| completely broken. We are not talking about the latest
| emoji here but about a character which is part of one of
| the most common languages in the world, included in
| 8859-1 / Latin-1, etc.
|
| It is no longer realistic to pretend that only ASCII
| exists and try to get away with that.
| jerf wrote:
| That's not what crazygringo means. ñ can be represented
| both as a single unicode U+00F1
| https://www.compart.com/en/unicode/U+00F1, or as an n
| with a combining tilde
| https://www.compart.com/en/unicode/U+0303, which looks
| like this: ñ.
|
|     Python 3.10.12 (main, Nov 20 2023, 15:14:05) [GCC 11.4.0] on linux
|     >>> "ñ".encode("utf-8")
|     b'\xc3\xb1'
|     >>> "ñ".encode("utf-8")
|     b'n\xcc\x83'
|
| A naive hashing algorithm will hash them to different
| things.
|
| For way too much information on this, see:
| https://www.unicode.org/reports/tr15/
|
| Even a lot of Unicode-aware code written by a developer
| aware of at least some Unicode issues often fails to
| normalize properly, most likely because they're not even
| aware it's an issue. Passwords are a case where you need
| to run a Unicode normalization pass on the password
| before hashing it, but, unfortunately, if you've already
| stored the wrong password hash fixing it is rather
| difficult. (You have to wait for the correctly-incorrect
| password to be input, then you can normalize and fix the
| password entry. This requires the users to input the
| correctly-incorrect password; if they only input an
| incorrectly-incorrect password you can't do anything.)
| I'd suspect storing a lot of unnormalized passwords
| before learning the hard way this is an issue is the
| majority case for homegrown password systems. You hear
| "don't roll your own crypto" and think reaching for a
| bcrypt or scrypt library solves it, but don't realize
| that there's some stuff that needs to be done before the
| call to those things still.
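As an added example (not code from this thread, from FedEx, or from any library mentioned here), the normalize-before-hash step jerf describes, plus the lazy repair of hashes that were stored without normalization: a login that matches the old raw bytes is rehashed in normalized form, while the other spelling keeps failing until that happens. The record layout, the PBKDF2 iteration count and the two sample spellings of "año" are assumptions for illustration.

```python
"""Unicode normalization before password hashing, and lazy migration of
hashes that were stored from unnormalized input.

Standard library only: unicodedata, hashlib, hmac, os.
"""
import hashlib
import hmac
import os
import unicodedata

# Constructed sample: two byte-different spellings of the same word "año".
# PRECOMPOSED uses U+00F1; DECOMPOSED uses 'n' + combining tilde U+0303.
PRECOMPOSED = "a\u00f1o"
DECOMPOSED = "an\u0303o"

PBKDF2_ITERATIONS = 100_000  # illustrative value; tune for production hardware


def normalize_password(password: str) -> bytes:
    """NFKC-normalize, then UTF-8 encode, so both spellings give one byte string."""
    return unicodedata.normalize("NFKC", password).encode("utf-8")


def _pbkdf2(pw_bytes: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw_bytes, salt, PBKDF2_ITERATIONS)


def hash_password(password: str) -> dict:
    """Correct path: normalize first. The 'normalized' flag is part of the
    assumed record layout so verification knows which path produced it."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "digest": _pbkdf2(normalize_password(password), salt),
        "normalized": True,
    }


def legacy_hash_password(password: str) -> dict:
    """What a pre-fix system stored: raw UTF-8 bytes, no normalization.
    Whichever spelling the user's device happened to produce got baked in."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "digest": _pbkdf2(password.encode("utf-8"), salt),
        "normalized": False,
    }


def verify_and_migrate(password: str, record: dict) -> tuple[bool, dict]:
    """Verify a login attempt and return (ok, record_to_store).

    Normal case: compare the normalized candidate. For a legacy record, fall
    back to the raw bytes; if those match, the user typed the exact
    unnormalized form that was stored, so we can rehash it normalized now.
    If they typed the other spelling, nothing can be done until they do.
    """
    candidate = normalize_password(password)
    if hmac.compare_digest(_pbkdf2(candidate, record["salt"]), record["digest"]):
        return True, record

    if not record["normalized"]:
        raw = password.encode("utf-8")
        if hmac.compare_digest(_pbkdf2(raw, record["salt"]), record["digest"]):
            # Migrate: same password, now stored from its normalized form.
            return True, hash_password(password)

    return False, record


if __name__ == "__main__":
    fresh = hash_password(PRECOMPOSED)
    print("new record, other spelling logs in:", verify_and_migrate(DECOMPOSED, fresh)[0])
    legacy = legacy_hash_password(DECOMPOSED)
    print("legacy record, other spelling logs in:", verify_and_migrate(PRECOMPOSED, legacy)[0])
    ok, migrated = verify_and_migrate(DECOMPOSED, legacy)
    print("legacy record, stored spelling logs in and migrates:", ok, migrated["normalized"])
    print("after migration, other spelling logs in:", verify_and_migrate(PRECOMPOSED, migrated)[0])
```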
| grodriguez100 wrote:
| Right. I misunderstood the comment. Thanks for
| clarifying!
| WorldMaker wrote:
| With built in emoji entry keywords in every modern OS how
| many devices are left that can't type emoji? Even if you
| plan to restrict to Unicode Version N - 1 or N - 2 where
| N is the current version to avoid "user can't type
| password on older hardware", the proportion of emoji you
| can reliably type today on just about any device is huge.
| crazygringo wrote:
| People are still using Windows 7 -- it's the third most
| popular Windows version after 10 and 11 -- and it only
| supports Unicode 5.1.
|
| Emoji weren't officially supported until Unicode 6.0,
| though there are a subset of current emoji (less than a
| quarter) that work on Windows 7 in practice.
|
| Meanwhile the current standard is 15.1.
|
| There's no security or convenience necessity whatsoever
| for supporting emoji in passwords, but inconsistent OS
| support is an excellent reason against it.
| WorldMaker wrote:
| Windows 7 market share is barely at 3% on the internet
| per statcounter.com. Third place doesn't mean "popular",
| especially not right now.
|
| There's quite a bit of convenience, and some concomitant
| security, to using emoji in passwords. Emoji are high
| entropy code points that are easily visually
| distinguishable across most language boundaries. A
| "short" password of just emoji is going to have way
| higher entropy and be way harder to brute-force/rainbow
| table than any equivalent "length" (by visual character
| count) ASCII-only password. That _should_ go without
| saying. The fact that huge boost in entropy also comes
| with a massive benefit in how quickly a user can glance
| at their password and know that they typed it in right
| /wrong often faster than they could if forced to build a
| line-noise password is a huge bonus. (Related to why
| Windows 10 experimented with Picture Passwords and a lot
| of Android users use some form or another of Gesture
| PINs.)
|
| That said, I think the real solution is of course to
| eliminate passwords altogether (and yes Passkeys are our
| best hope right now). But saying that we have to stick to
| ASCII for passwords because that's a lowest common
| denominator for keyboards is very much like saying that
| we should stick only to passwords that you can T-9 on
| flip phones or send in an SMS or that passwords shouldn't
| really be longer than 8 characters just in case some Unix
| system needs to use the old DES-based crypt() function or
| that passwords shouldn't contain quote marks, semicolons,
| or percentage signs because those might be SQL injection
| attacks and you might have some PHP apps that are
| vulnerable to those. You are letting silly technical
| lowest common denominator bugs stop you from increasing
| security for the median/mean user.
| bitfilped wrote:
| 3% of the internet is still an incredibly large amount of
| people.
| sib wrote:
| I'm pretty sure that most of the on-screen keyboards for
| TV / streaming device platforms don't support emoji.
|
| (I've spent about 6 years of my career running video
| streaming services... People watch a lot of video on TVs,
| it turns out, so you probably don't want to let them put
| these sorts of characters into their passwords when they
| sign up on mobile or computer devices.)
| xenophonf wrote:
| I'm in complete agreement about usernames, but if you're at
| the point where you want to use Unicode in a password, you
| might as well make the jump to WebAuthn. Going from a UTF-8
| input to a normalized bitstream that gets fed into a KDF
| could be tricky.
| kansface wrote:
| Companies aren't rewriting their entire stack or even
| upgrading across major versions basically ever.
| jabroni_salad wrote:
| Alright cool but maybe they can put the exact phrase "IF
| you put an ampersand in your password, your account will
| be bricked and we won't help you with it" on the password
| form.
| orangevelcro wrote:
| I wonder if that's why I can't change my password with petco -
| every time I shop there they tell me I have rewards but I can't
| load them because the site errors out when I try to reset my
| password.
|
| I used to be able to load the rewards to my account without
| logging in at all, just clicked the link in my email, but I
| guess they fixed that and then I realized I didn't know my
| password.
| nonameiguess wrote:
| I'd put Spectrum up against them. A few years back, an incoming
| neighbor typoed their address in a new account setup request to
| my address and Spectrum very helpfully inferred that the
| previous resident would want their account terminated and they
| turned off my service. Apparently, you can DOS any person on
| the planet you want from the entire Internet by simply knowing
| their address.
| sidewndr46 wrote:
| I once moved into a duplex and Spectrum's precursor told me I
| already had service. After 8 hours on the phone I talked to
| someone in customer service who told me "I know the problem
| you have, I know how to fix it. I can 100% fix it. You are
| welcome to stay on the phone, but it will take more than 6
| hours for me to create an account for you". So in the end it
| took days to open a new account.
|
| When I moved, someone opened a second account in my name
| and kept billing me for the original account.
| genman wrote:
| Maybe, but UPS is close to it. They for example are sending out
| emails that request users to log into their account to "avoid
| losing their profile". If this is not ripe for phishing then I
| don't know what will be.
| n0us wrote:
| Is it impressive though? They have about a 50% success rate
| delivering things to me across multiple addresses and I know
| other people who have had similar long term issues.
| kragen wrote:
| "50% success rate delivering packages" is a totally different
| level of risk from "automated system gives your garage access
| code to anyone who claims to live there"
|
| i mean in the first case what's at risk is the five-dollar
| trinket you bought off amazon
| throwway120385 wrote:
| At one of my addresses FedEx will happily sell anyone
| overnight shipping and then just keep the parcel at the depot
| for a week until they have a driver who can actually make the
| trip. I have had like 6 very urgent packages delayed like
| this. Once my wife ordered something perishable and they
| pulled this then told her she had to drive into town and pick
| it up at the airport.
|
| I've also been nearly run off the road by FedEx drivers on
| the highway before. One guy was so angry that I was only
| going 10 over that he tailgated me within a foot and then
| punish passed me.
|
| They're also the only service that still corrects my other
| address to the wrong address. I tried for a whole month to
| get ahold of anyone there who even knows what address
| correction is and then just stopped using them for anything
| important.
|
| They doubled down on "digital" during the pandemic and fired
| a bunch of CSRs and stuff. It doesn't look like it's working
| out very well for them.
| zdragnar wrote:
| Strangely, I've had perishable medicine delivered to me (a
| biologic injection) for two years without a single hiccup
| by FedEx. They have been the most consistently reliable
| delivery service where I live (though the post office is
| pretty good too). My house is at the bottom of a hill that
| is difficult for rear wheel drive vehicles in winter.
|
| UPS, on the other hand, can go pound sand. They often
| refuse to deliver due to weather, then force me to either
| drive two hours round trip to their distribution center, or
| _charge me_ to pick it up at the local UPS store.
|
| When FedEx couldn't get their truck to my house due to
| road conditions, they were totally fine with my picking it
| up at their store.
| gopher_space wrote:
| > They have been the most consistently reliable delivery
| service where I live (though the post office is pretty
| good too).
|
| Every service relies on the USPS to some extent, which
| makes the Republican attempt to gut the organization so
| baffling. There's no replacement and nobody is looking to
| replace it.
|
| From my perspective as an ex letter carrier, your
| personal experience with package delivery is determined
| almost entirely by whoever runs the local hub and handles
| last-mile. Unfortunately it's a McDonald's Assistant
| Manager kind of role; anyone truly competent will be able
| to find better work sooner or later.
| ciabattabread wrote:
| It took the 2020 pandemic for Republicans to finally get
| on board and pass the Postal Service Reform Act of 2022.
| gffrd wrote:
| It's almost as if they're giant companies employing
| thousands of people, and quality varies across geography
| ...
| late2part wrote:
| today I learned a new thing:
|
| https://www.bikelaw.com/2017/07/punishment-pass-defined/
| wormius wrote:
| That's really unacceptable. If they're going to be that
| late, they should at least ship it using Jiffy Express:
| https://www.youtube.com/watch?v=e134NoLyTug
| Arrath wrote:
| > just keep the parcel at the depot for a week until they
| have a driver who can actually make the trip.
|
| Depot workers can get up to the weirdest stuff. One time I
| was returning unused product (oil well perforating guns, a
| UN 1.4D explosive device) via Yellow Freight. I handed over
| the cases and signed all the appropriate paperwork to
| handover custody at the depot and went on about my day. The
| supplier called me ~10 days later saying they never
| received the shipment! Perturbed, I called down to the
| depot who basically shrugged it off with "no idea lol not
| our problem". Their attitude changed when I told them that
| in accordance with my license and federal law I would be
| notifying the ATF at the end of the day that there were
| missing or lost explosives and it would _very much_ be
| their problem.
|
| A couple hours later they called back and told me the boxes
| had missed their truck and were just sitting in the corner
| of the secure cage in the loading dock, forlorn and
| forgotten. What the fuck, guys.
| Fogest wrote:
| One of the big problems I find in the shipping industry
| is the reliance on insurance. The idea that most packages
| are insured or easily replaceable. When I was a bit
| younger and doing some seasonal postal work in a
| processing plant this was the mentality. The mentality
| being that sometimes things will go wrong and ruin a
| package, but hey, whatever. Machines would sometimes
| destroy a package, packages would get thrown around,
| heavy boxes would be stacked on very small/fragile ones,
| etc...
|
| Myself and many of the people I worked with all tried
| their best. But at the end of the day there is only so
| much you can do as a temp seasonal worker to prevent such
| things. They'd rather have a higher amount of
| damaged/lost items and a higher throughput.
|
| It'd be interesting to see a competitor that made it
| their goal to handle packages with more care and not have
| this attitude. However I can't see them getting too far.
| They would likely have to charge more money, and any of
| the big companies are not going to care to pay more.
| They'd rather take the risk and just ship it again if it
| gets broken on the way. It'll end up being cheaper for
| them that way. The ones who lose out are the smaller
| businesses and individuals shipping personal items. It
| pissed me off when I'd see a damaged package of an item
| that was clearly a personal homemade thing. Something
| that isn't easy to just quick send another copy of.
| madaxe_again wrote:
| No. They're 100% useless in my experience, and literally
| never manage to deliver to me - everything ends up returned
| to sender. No other courier has this problem.
|
| As for the SMSs - in Portugal, and I'd guess Australia too,
| they contract all of their local operations out to some
| random group of muppets who can't organise their way out of a
| paper bag - the SMSs they send me come from a mobile number,
| are handwritten (they seem to literally have someone whose
| job it is to write messages, on a phone, and send them), as
| are the emails. When it comes to delivery, I'm inevitably the
| last delivery of the day as I live way out in the boonies,
| and they just go "it's 5pm I'm going home", and it goes back
| to the depot. They drive it back and forth for a week before
| declaring the parcel undeliverable.
|
| These days, if I see someone has shipped something with
| FedEx, despite my instructions not to, I immediately request
| a refund, as I _know_ it won't arrive.
|
| The whole thing beggars belief.
| yashap wrote:
| Yeah, in my experience FedEx drivers absolutely LOVE saying
| they "attempted delivery of my package, but nobody was home,"
| so I have to go get it from the depot. But I 100% was home,
| working from home all day, and they 100% never came.
| Libcat99 wrote:
| I had video of them pulling into the driveway and leaving
| without getting out of the vehicle and saying "no one was
| home."
|
| I'm also in the video.
| lcnPylGDnU4H9OF wrote:
| That sounds like internal verification uses GPS. So in
| most cases it's going to be the customer's word against
| the astonishingly lazy driver's evidence.
| cromulent wrote:
| I called them and questioned them about this - they
| didn't even come down my street, and yet claimed that
| they "attempted delivery". The customer service person
| was honest enough to say there was no code for the driver
| to say "too busy, can't meet my unrealistic targets".
| lcnPylGDnU4H9OF wrote:
| > too busy, can't meet my unrealistic targets
|
| At least that could explain why the driver showed up to
| the address without dropping off the package. If finding
| the package takes a non-trivial amount of time, it would
| add up over the course of the day.
|
| It's otherwise just wild to me that the driver did 99% of
| the delivery and just noped out of the last 1%.
| cozzyd wrote:
| this happens to me all the time, but I live in a place
| where a delivery van/truck is basically always going to
| be double parking.
| eastbound wrote:
| Can you file a small-claims?
|
| You have nothing to lose, it's not like they could
| threaten to stop delivering your packages.
| duderific wrote:
| It's probably not worth the time and effort. You can get
| a judgment, but good luck getting them to pay out on it.
| lagniappe wrote:
| A lien is a claim upon a part of another's property that
| arises because of an unpaid debt related to that property
| and that operates as an encumbrance on the property until
| the debt is satisfied.
| eastbound wrote:
| Yes, and I wonder what a hundred thousand small-claims
| would do upon UPS or Fedex.
| JumpCrisscross wrote:
| > _can get a judgment, but good luck getting them to pay
| out on it_
|
| Honestly, finding a sheriff to enforce a judgement
| against FedEx property sounds like the fun part.
| ballenf wrote:
| If you got a judgment, you would get a prompt response.
|
| Problem you'd probably have is getting the judgment, if
| they show up at the hearing. Their clickwrap agreements
| are one barrier. Also, you have no relationship with them
| -- you weren't the customer (and if you were see point
| 1).
|
| Would be interesting to see what type of claim would
| work. Maybe conversion (ie theft) if they delivered it to
| the wrong address. But if they just hold it at the depot,
| I don't know what claim you could make. Would probably
| have to take it up with the seller.
| bongodongobob wrote:
| Can I ask where you live? I'm 40 and have never had anything
| get lost in the mail, ever. Is it a big city thing or
| something?
| biftek wrote:
| It really just depends on your local distribution hubs. My
| semi rural address regularly gets serviced by two different
| FedEx hubs, if I see it go to X hub I'll get it that day,
| but if it goes to Y hub it'll most likely be late.
| QuercusMax wrote:
| When we lived in San Jose, CA, we had stuff which never
| arrived quite often. Birthday cards and such especially.
| jonathanlydall wrote:
| They certainly can be quite impressive, I recently had
| something delivered from China I bought through Alibaba to
| South Africa, shipping cost less than 5USD and it arrived in
| about 13 days, 1 day less than the maximum estimate.
|
| In my case I got an email about customs and tax payment which
| was needed, but the link was clearly to fedex.com.
| saintfire wrote:
| I'm in the same camp. The single time they actually delivered
| it to me without saying I wasn't home they had actually
| delivered it one street over.
|
| I spent 72 hours waiting (3x24 periods they told me to wait
| and call back tomorrow while they "investigated") for a $1300
| package. Initially they said it must have been stolen and it's
| my loss, to which I said "no I was home and near the front
| door all day, you didn't deliver it". Pretty absurd they
| can't just look where he was when it was "delivered" and deal
| with it. Or maybe they can and they just don't bother.
|
| Eventually the person actually called me using my number on
| the box and said it was delivered there.
|
| Still no recourse from FedEx, whom I have not informed I got
| the package in the end.
| eastbound wrote:
| I'd quote this as the best federated peer-to-peer package
| delivery. Distribute in a nearby city and it will get to
| its destination eventually. Fortunately, your personal info
| is written in the clear for everyone to see, and anyone can
| open the box.
| sidewndr46 wrote:
| that is called crowd sourcing your last mile of delivery
| zardo wrote:
| I get a kick out of the mismatch between delivery estimates
| and tracking information.
|
| They're telling both that my package will be delivered this
| afternoon, and that it's in a distribution center 3000 miles
| away.
| Szpadel wrote:
| in my country fedex isn't popular, but I had one
| international package delivered by them and I was very
| positively surprised because they paid duties for me to speed
| up process and invoiced me that costs.
| timbaboon wrote:
| That's a bit better than my experience with DHL :) they've
| delivered packages to random people multiple times across the
| UK, France, Switzerland and South Africa. Important documents
| they've handed over to strangers, like my passport, for
| example...
| TuringNYC wrote:
| My favorite was when they put my well-marked mail-order
| medicine right at the exit of the roof gutter pipe, instead of
| the front door. Sometimes it feels like the workers want to
| purposely cause chaos.
| callalex wrote:
| One part workers, 3 parts horrible management setting
| impossible metrics and bad incentives.
| toss1 wrote:
| Re password reset workflow issues: I had an account at a bank
| where password reset always failed. I had to go through a VERY
| convoluted process with customer website support to get it
| fixed. It turned out that the problem was that my registered
| email address was just two characters (my initials) to the left
| of the "@", e.g., ab@mydomain.com. They allowed me to enter and
| use it throughout the system without any error flagging
| whatsoever, but it completely broke the password system. They
| claim to have raised it as a bug, but never fixed in 3 years+
| (moving away from them now).
| robocat wrote:
| After 50 years of software crud, eventually a civilisation
| ending bug occurs and it can't be fixed (like how Telstra
| couldn't fix their phone system because the phone system was
| down). That's why we are all alone in the universe. Enjoy
| life while civilisation still works!
| filoleg wrote:
| This comment just unlocked a new fear of mine.
|
| I specifically got a custom domain and email address for any
| non-personal/"professional" comms, which is essentially just
| me@<custom-domain-featuring-my-name>.com.
|
| At least with non-ASCII characters in passwords, while I
| think it is stupid to not handle those properly, I can at
| least see some sort of an excuse there, no matter how weak it
| is. All it takes to mess this up is not thinking about
| handling those scenarios, so I can definitely see "this issue
| was created due to us not thinking about this possibility or
| not willing to deal with handling it."
|
| But what's even the reason to not allow sub-3-character local
| portions of emails? How does one even mess those up, aside
| from intentionally setting some triggers for less than 3
| characters in local portions of email addresses?
| JoshTriplett wrote:
| > But what's even the reason to not allow sub-3-character
| local portions of emails? How does one even mess those up,
| aside from intentionally setting some triggers for less
| than 3 characters in local portions of email addresses?
|
| Wild guess: someone copy-pasted an incorrect email address
| validation regex, and different parts of the system are
| using different criteria for email address validation.
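The validation divergence guessed at above (signup accepts `ab@mydomain.com`, the reset flow silently rejects it), reconstructed as an added Python example that is not code from any commenter or bank; both regexes and the shared replacement validator are constructed for this illustration.

```python
import re

# Constructed illustration: the signup form and the password-reset form were
# written separately and validate the same address with different rules.
# (Both patterns are constructed for this example, not taken from any product.)
SIGNUP_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # any non-empty local part
RESET_RE = re.compile(r"^[A-Za-z0-9._%+-]{3,}@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")  # demands >= 3 chars


def signup_accepts(addr: str) -> bool:
    """What the registration flow accepts."""
    return SIGNUP_RE.match(addr) is not None


def reset_accepts(addr: str) -> bool:
    """What the password-reset flow accepts; 'ab@mydomain.com' fails here."""
    return RESET_RE.match(addr) is not None


def find_unrecoverable(addresses):
    """Addresses a user could register with but never use to reset a password."""
    return [a for a in addresses if signup_accepts(a) and not reset_accepts(a)]


# Hardened approach: one validator shared by every flow, using the structural
# limits from RFC 5321 (local part 1..64 octets, whole address at most 254).
# It deliberately does not encode the full address grammar; the point is that
# enrollment, login and reset all call this same function, so they cannot drift.
def validate_email(addr: str) -> bool:
    if len(addr) > 254 or addr.count("@") != 1 or any(c.isspace() for c in addr):
        return False
    local, domain = addr.split("@")
    if not 1 <= len(local) <= 64:
        return False
    labels = domain.split(".")
    if len(labels) < 2:  # require a dotted hostname (a deliberate choice for this example)
        return False
    # each label: letters, digits, hyphens; no leading or trailing hyphen
    return all(re.fullmatch(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?", lab) for lab in labels)


if __name__ == "__main__":
    sample = ["ab@mydomain.com", "abc@mydomain.com", "jane.doe@example.org"]  # constructed
    print("registered but cannot reset:", find_unrecoverable(sample))
    print("shared validator accepts all:", all(validate_email(a) for a in sample))
```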
| delfinom wrote:
| It's fine.
|
| At least they don't automatically lowercase and truncate your
| password behind the scenes like AMEX. Lol.
| bastardoperator wrote:
| I ordered a computer from Southern California, they shipped it
| to Texas, Florida, Maine, and then back to Northern California.
| My last two orders were just stolen from someone at FedEx. They
| got the shipment, but it never left the facility after that.
| Customer service is an offshore apology machine that can't help
| with anything. I used to prefer fedex, but the standard of
| service is so subpar I go out of my way to avoid them.
| zamalek wrote:
| I assume you know that you can open a claim? They'll either
| find your package really fast, or will have to pay its full
| value. Often the vendor has to initiate the claim. If the
| vendor doesn't want to open a claim, refund. If the vendor
| doesn't want to refund, chargeback.
| deedub wrote:
| Be careful about those chargebacks. I bought two new pixel
| phones directly from Google and only one arrived. Google
| support was of course awful and Fedex did absolutely
| nothing outside of asking me what color the phone was. lol
|
| I ended up reversing charges for the missing phone and
| Google immediately wrecked me - I was using Fi at the time
| so they killed my cell service and killed my ability to use
| Google Pay for anything - including the Play Store.
| Probably some other stuff I don't even remember. Between my
| personal account and my business accounts I realized at
| that moment that Google could completely wreck my life. Be
| careful about retaliation for a chargeback, if you live
| within one company's ecosystem it can be a brutal
| retaliation you're not ready for.
| doubloon wrote:
| Did you contact the card company about this? Or your
| bank? Or a lawyer? Just curious. Card company should have
| someone who works on goog account
| thechao wrote:
| Retaliation for charge back probably elevates this from a
| civil matter to a criminal one; you should totally
| contact your local DA. They might think it's fun.
| joemi wrote:
| I wouldn't be surprised if it's just covered by the EULA.
| There's almost certainly a clause in there about Google
| being able to terminate service for any reason.
| CamperBob2 wrote:
| Only if the package is insured. That's around 1% of the
| declared value of the package, so many/most vendors don't
| opt for it.
| bastardoperator wrote:
| My last two stolen packages required the vendor to open a
| claim, I did in both cases and both vendors refunded me.
| Fedex wouldn't even entertain trying to help me.
| bsimpson wrote:
| You're reminding me of the time I realized that Schwab (a
| massive American bank/broker) truncated all passwords to 8
| characters.
| S201 wrote:
| Heh, that's the same company that sends physical mail to me
| every time I make a trade because they believe that email
| sent to my personal domain is "undeliverable" and
| automatically opt me out of e-statements no matter how many
| times I opt-back in. They have to be losing money on me by
| paying for so much postage at this point.
|
| (And no, nothing is wrong with my email, it's hosted by a
| professional email host with the proper MX records and
| literally only Schwab claims to have this problem with me).
| bsimpson wrote:
| My college had a credit union with an ATM in the cafeteria.
| It was in your interest to keep enough money in the credit
| union to pay for lunch etc. while you were a student there.
|
| When I graduated, I pulled the money back out. Apparently
| they issued the final interest payment after I'd emptied
| the account. For at least a year after that, I got monthly
| statements informing me that I had an account with less
| money in it than the postage on the statement.
| thfuran wrote:
| Earlier this winter, I got a bunch of those letters
| completely out of the blue. I was also receiving emails
| from Schwab throughout the several weeks they were sending
| me a pile of letters saying they couldn't deliver emails to
| my address. Then the letters stopped.
| Enginerrrd wrote:
| Bonus points are given when they handle truncating your
| password differently in the initial validation vs
| authentication and it fails silently!
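The two failure modes in this sub-thread (silently lowercasing and cutting a password to 8 characters, and truncating at enrollment but not at login) as an added Python example; it is constructed for this page, not any bank's code, and the 8-character limit is the one named above.

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed illustration; the 8-character cut-off comes from the thread.
MAX_LEGACY = 8


def legacy_normalize(password: str) -> str:
    """Lowercase, then keep the first 8 characters: all the stored hash really covers."""
    return password.lower()[:MAX_LEGACY]


def legacy_enroll(password: str) -> tuple[bytes, bytes]:
    """Hash the normalized password; the user believes the whole string is the secret."""
    salt = os.urandom(16)
    return salt, hashlib.sha256(salt + legacy_normalize(password).encode()).digest()


def legacy_verify(salt: bytes, stored: bytes, attempt: str) -> bool:
    """Login normalizes the same way: any attempt sharing the first 8 characters
    (case-insensitively) is accepted."""
    return hmac.compare_digest(stored, hashlib.sha256(salt + legacy_normalize(attempt).encode()).digest())


def mismatched_verify(salt: bytes, stored: bytes, attempt: str) -> bool:
    """The worse variant: login forgot to truncate, so the correct long password
    never verifies and the user is locked out with no error explaining why."""
    return hmac.compare_digest(stored, hashlib.sha256(salt + attempt.lower().encode()).digest())


def legacy_equivalents(passwords) -> int:
    """How many distinct credentials a set of passwords really yields under the legacy scheme."""
    return len({legacy_normalize(p) for p in passwords})


# Hardened scheme: no case folding, no truncation, a memory-hard KDF. Unicode NFKC
# is the one normalization applied (NIST SP 800-63B permits NFKC/NFC) so that
# visually identical strings hash to identical bytes; nothing else is altered.
def _kdf(password: str, salt: bytes) -> bytes:
    pw = unicodedata.normalize("NFKC", password).encode("utf-8")
    return hashlib.scrypt(pw, salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def hardened_enroll(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, _kdf(password, salt)


def hardened_verify(salt: bytes, stored: bytes, attempt: str) -> bool:
    return hmac.compare_digest(stored, _kdf(attempt, salt))


if __name__ == "__main__":
    real = "Tr0ub4dor&3 correct horse"  # constructed sample password
    salt, digest = legacy_enroll(real)
    print("legacy accepts wrong suffix and case:", legacy_verify(salt, digest, "tr0ub4doXXXX"))
    print("mismatched rejects the real password:", not mismatched_verify(salt, digest, real))
    salt, digest = hardened_enroll(real)
    print("hardened: real ok, variant rejected:",
          hardened_verify(salt, digest, real), not hardened_verify(salt, digest, "tr0ub4doXXXX"))
```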
| sidewndr46 wrote:
| I've had FedEx hand packages to other couriers who promptly
| lost them never to be seen again. When I contact them they said
| this counts as delivering the package.
|
| I no longer use FedEx for any shipment that I need to have
| arrive.
| pishpash wrote:
| Much worse than that. I wanted to get some free shipping
| supplies from FedEx, so I had to sign up for a shipping
| account. Account could not be created due to password issues on
| the website, forgot how I got around it but maybe had to use
| the mobile app which used a different flow.
|
| After getting the account, immediately I get shipping bills for
| international shipping in the thousands of dollars, both sender
| and recipient have nothing to do with me. Credit card on file
| was auto-charged. Removed credit card, started getting thick
| FedEx bills in physical mail.
|
| It turns out FedEx allows billing to be charged to any account
| as long as you have their nine-digit account number, so of
| course scammers do this all the time just generating random
| numbers. FedEx didn't give a shit, denied my reporting of
| fraud, allowed more scam shipping even after I reported.
| Finally I had to initiate chargeback via the credit card issuer
| and _only then_ did they close the account. But I still get
| marketing emails that I can no longer turn off. Absolutely not
| a company anyone should use.
| sidewndr46 wrote:
| They ask for an ID whenever you use an account number. I have
| to FedEx stuff to my home address for work. The guy at the
| counter is always perplexed when I tell him the destination
| address is the same one as the one on my ID.
| pishpash wrote:
| Maybe if you do it in person, but they must have direct
| shipping flows where nobody checks.
| sidewndr46 wrote:
| oh wow, that is incredibly dumb.
| jd3 wrote:
| I bought an OP-1 from teenage engineering years ago and fedex
| delivered it inside of the mailbox. USPS removed the fedex
| package from the mailbox and impounded it at our local USPS
| post office without ever notifying me. After 1-2 months of
| waiting/assuming the package had been stolen, I call the USPS
| office and asked if they somehow had the package in their
| custody/possession and, lo-and-behold, they did (in the
| "undeliverable mail room") and started lecturing me about how
| it was illegal for fedex to deliver a package into the mailbox,
| which is usps/government property etc. etc.
|
| I called Fedex to try to rectify this and, as far as I
| remember, they either never answered the phone or told me they
| had no way of contacting the delivery driver (??).
|
| I've always avoided fedex (and UPS, for that matter, since they
| destroyed two antique lamps that I ordered through ebay) since
| then.
| denkmoon wrote:
| The mailbox? On your property? That you paid for and installed
| (or bought off the previous owner), is government/usps
| property and they'll steal a parcel that someone else has
| delivered to it?
|
| That's insane lmao
| quatrefoil wrote:
| USPS owns and maintains some cluster mailboxes at apartment
| complexes and HOAs.
| the__alchemist wrote:
| Of the carriers, FedEx is the worst for me (North Carolina,
| USA). DHL is the fastest and most reliable. UPS and USPS tie
| for second place, slightly below. (People I talk to in person
| hate USPS, but I've had consistently good experiences with them
| for both sending, and receiving). Then FedEx several rungs
| below: out for delivery, then rescheduled every time.
| bitfilped wrote:
| I wasn't very impressed when they tossed my new 100G network
| switch under the water runoff spout on my porch during a snow
| melt day.
| sf_rob wrote:
| I contacted Wells Fargo to complain that their use of 3rd party
| surveys from non WellsFargo.com domains attenuates customers to
| entering banking information to 3rd parties.
|
| They had one incompetent employee contact me to assure me that
| the communication was legitimate (not the complaint), then
| escalated to another employee who understood the complaint and
| promised to escalate... 6 months later I get an email assuring me
| that the communication was legitimate and closing the ticket.
| ActionHank wrote:
| Thank goodness it was legitimate.
| vijaypatil wrote:
| Do I see a YC pitch idea right here - a platform that gets such
| comms right and secure would be the right solution to develop. It
| seems major companies can't get it right or don't want to get it
| right.
| Triphibian wrote:
| There are banks in the US that send sketchy looking text message
| like this when you get transferred funds. They literally ask that
| you follow a texted url and enter your bank information.
| Rudism wrote:
| A while ago my wife applied for a home equity loan. At some point
| I got a call from someone claiming to be from the bank she had
| applied through (I forget which one), calling to make sure I
| approved the loan since the home is in both our names. He asked
| for my name, which I gave him, and then the last four digits of
| my social security number, which I also gave him. He then
| proceeded to ask for my full social security number, at which
| point alarms started going off in my head and I started sweating
| about even giving the last four digits to a stranger who had
| called me out of the blue. I told him I wouldn't do that, and was
| there a number on the bank's website I could call in order to get
| back to him, in order to verify that he actually worked for the
| bank. The guy started acting really annoyed, and said he didn't
| think there was any number on the bank's website that could reach
| him, and that if I didn't give him my full social security number
| he would be forced to reject the loan application. I told him I
| didn't feel comfortable giving that information to someone who
| had phoned me, and if there was no way for me to call him back
| through an official bank phone number then the call was over. He
| hung up angrily.
|
| Turns out he actually was from the bank and he did cancel the
| loan application.
| bastawhiz wrote:
| I'd have read him the riot act on the phone. My bank has big
| warning banners on virtually every page of the site warning me
| to be careful of scammers. Someone calling me on the phone and
| asking for my TIN? Yeah, I don't think so.
| krisoft wrote:
| > I'd have read him the riot act on the phone.
|
| No point. If he is a scammer he has a thick skin. If he is
| working for the bank this is either a training or a policy
| issue.
|
| Just refuse politely and report to the bank. (preferably to
| some security channel if there is one.)
| belthesar wrote:
| Any bank where this is the standard operating procedure for
| interacting with loan applications is not a bank that I'd want
| to do business with. Perhaps this was just one loan officer's
| way of doing things, and not the way of the business, but
| that's just not okay to me.
|
| Any time anyone asks me for any part of my social over the
| phone, I ask for some other method of verification. Most folks
| have other ways of doing stuff. It's ridiculous that what
| should purely be an ID number is so powerful, but I can't
| change that fact, just how I interact with folks with regards
| to it.
| lucb1e wrote:
| Terms of service from my bank say you're not allowed to give
| your PIN or secrets like one-time passwords (called "TAN" here)
| to third parties, not even the bank employees themselves.
|
| But when I contacted them about a phishing practice, it was
| A-OK because it was a "legitimate" website that phished your
| credentials to view the last 180 days of transaction histories,
| compute a credit score, and then withdraw the money. They would
| "look into the situation and see if a better solution could be
| found" with this German company...
|
| I don't understand how anyone is okay with this but klara or
| klarna or something is a pretty popular payment provider in
| Germany as far as I know, but so my experience is now that
| banks like to change their security-relevant terms one-sided.
| But it's your fault if you give out secrets to the wrong person
| of course, not like the bank was going to care if your social
| security number had gone to a scammer for example
| d_k_f wrote:
| I've implemented the bank account checking flow for a German
| client in a purely B2B setting, and this is essentially based
| on the PSD2 directive, which requires all/some/most (not
| entirely sure) banks to provide exactly this functionality
| (google keywords "PSD2" and "XS2A"). The bank's T&C should
| reflect this ... somewhere.
|
| The main protection to you not getting scammed out of money
| this way is in the kind of TAN used for this process. It
| should/must only allow read access to your account, and at
| least one of my banks very clearly shows this in the 2fa
| approval app. Technically, checking your account history and
| then deducting money will (hopefully) have been two different
| processes.
|
| The moral/ethical implications of requesting (up to) 365 days
| of full bank transaction details _and being allowed to store
| this information_ is a whole different animal, though, and
| I'm glad I haven't had to do this myself yet.
| JoshTriplett wrote:
| AirBnB has adopted Plaid for credit card verification
| recently, which wants bank login credentials. _Nope_,
| never going to happen.
| calfuris wrote:
| PSA: If you are of a certain age, the last four digits might be
| roughly all of the useful entropy in your SSN. Be careful with
| them. Before 2011, the first three digits indicated the office
| that issued the number and the middle two (the "group number")
| were used in a publicly-known sequence. The Social Security
| Administration helpfully published periodic lists of the
| highest group number reached by each office. This makes it
| extremely easy to predict the first five numbers for people who
| were registered at birth, which became quite common in 1986
| when tax laws changed to require children's SSNs to claim the
| associated tax credit.
| filoleg wrote:
| Tangentially related - wouldn't that mean that if you are an
| immigrant, then you are at least theoretically somewhat safe
| from that enumeration type of an attack?
|
| Because if I got my SSN in my late teens, then my date of
| birth shouldn't mean much at all to anyone trying to use that
| method you describe, right?
| calfuris wrote:
| Your date and place of birth would not be helpful, but an
| analogous attack may be possible. The key factors are when
| and where you applied and that the SSN was issued before
| June 25, 2011.
| kccqzy wrote:
| This is just an extremely incompetent and rude loan officer.
| Generally the loan officers are motivated to close the deal and
| write you a check because they get commission from that. They
| are nice to their customers because pissing off customers won't
| get them that sweet commission. The loan officer I last talked
| to managed to close more than $1B of mortgages in a year and
| he's the nicest guy on the phone. In your case, they could for
| example let you email them using their official bank email
| address, or use the bank's own web app or messaging system.
| lifeisstillgood wrote:
| Wait what? 1B in mortgages per year, even at a nice fat 500k
| per is what 2,000 closures or something like 10 per day every
| day.
|
| It's not impossible but, wow, that's grinding it out day
| after day.
| kccqzy wrote:
| This is in the Bay Area so more like 1M each. But still I
| was also very impressed.
| trog wrote:
| I think it highlights why this jerk was rude and short
| about it. They want to avoid high maintenance customers
| because it impacts their short term metrics of how many
| they can churn out and directly affects their compensation.
| There are presumably zero repercussions for them personally
| - the worst case maybe is some long term reputational
| damage for the bank.
| WorldMaker wrote:
| > He asked for my name, which I gave him, and then the last
| four digits of my social security number, which I also gave
| him. He then proceeded to ask for my full social security
| number, at which point alarms started going off in my head and
| I started sweating about even giving the last four digits to a
| stranger who had called me out of the blue.
|
| I'm super paranoid about even the last four. The first five
| digits of an SSN were algorithmic for most of US history, and
| still mostly are but a _tiny_ bit more random entropy, and can
| be narrowed down with mostly only the city in which you were
| born and what year. You can often use basic k-means clustering
| to find it even without that information. More often than not
| entire families share the first five (or close to it) and you
| only need to phish one family member to k-means cluster the
| five digits for the rest.
|
| The last four are more often than not the _most_ significant
| digits in terms of identification and entropy. Masking the rest
| is almost silly for most Americans. Our masking schemes have
| actually made phishing _easier_ because people feel safer
| sharing just the last four, when for most those are the only
| four that matter.
|
| SSN was never intended to be a secret so its design is
| horrifyingly bad for something that has come to be a huge
| secret in banking and healthcare and so many other industries.
| Recent SSN changes have made it a little better for anyone born
| after roughly 2010, increasing somewhat the entropy in the
| first five, but the rest of us have problems that we can't
| solve easily and banks should be ashamed they helped lead us to
| these problems.
| userabchn wrote:
| A bank called me to ask me security questions. I said that I
| would call back using the number on the bank's website. They
| said (and the bank confirmed when I did call the number) that
| there is no way to be transferred to the security question
| people when I call the bank - the only way is for them to call
| me. I explained that that was poor security practice. They said
| that I should just look at the caller ID to see that it was the
| bank calling. It was useless trying to tell them about caller
| ID spoofing.
| bertil wrote:
| It's a real mystery why, as soon as I heard about a bank
| founded by people who sounded like they had heard about the
| internet (Monzo, in the UK), I switched away from my
| venerable bank (NatWest) that, at the time still had security
| practices unsuited for the 18th century.
|
| Appropriately enough, the last thing they did was to insist
| --demand, really-- that, in 2018, I _fax_ them my demand. It
| just so happens that this could have been relatively safe
| because, after asking everyone I knew for a week (including
| some venerable hackers), the only way that I found to send a
| fax was to ask the local branch of the same bank.
|
| Asking them to authorize the transfer wasn't possible (by
| showing them all relevant documentation). Asking them to let
| me send a fax, using their machine, to a sister branch to
| tell them to authorize a transfer without anyone verifying my
| ID, was fine.
| sf_rob wrote:
| This method of data exfiltration is in Kevin Mitnick's book! He
| needed a daily pin that banks used to validate intra-bank
| communications. He called a bank, said that he needed to fax
| over loan forms from another branch for signing later that day
| (or something like that). He then asked the bank that he called
| for the daily PIN. They refused because he called them. He
| pointed out that he was sending sensitive data to them so they
| needed to provide the pin... and they did.
| Kirby64 wrote:
| Similar story, I transferred a decent amount of money from one
| bank account to another (different bank). I thought nothing of
| it, but I got a call randomly from what appeared to be the
| receiving bank's 'fraud' phone number (based on Google). I
| picked up, and the person on the end had an extremely thick
| accent similar to scam callers. He started asking me if I had
| made a transaction recently (I said yes), then asked me to
| confirm this transaction if I would provide additional
| information about myself, including home address and social...
| I refused, and was told if I didn't my bank account would get
| locked!
|
| Sure enough... I had to go down to the local branch to get my
| account unlocked, as well as prove the amount of money I was
| transferring was... available in the other account? Absolutely
| ridiculous. I don't even know what sort of fraud they were
| trying to prevent, as this wasn't a new bank account and I'd
| made transfers between them before.
| mooreds wrote:
| > Turns out he actually was from the bank and he did cancel the
| loan application.
|
| Plot twist! Didn't see that coming.
|
| Seems bizarre to me that this would happen, but reading sibling
| comments just keeps having me shake my head in dismay.
| cogman10 wrote:
| Shout out to my car insurance, Amica. They called me because
| they needed some account information updated/clarified. Before
| we started doing anything I told them "Hey, not to be rude but
| could I call you with the number on your website? I'm paranoid
| about scamming and that's safer" They said "Absolutely, that
| actually makes a lot of sense". So, I called back and we got
| everything done.
|
| The issue, I think, is the larger the company is the more
| incentivized it is to hide away access to its internal
| employees. If you can call a department directly you can start
| phishing between multiple employees pretty quickly. Locking
| that down and putting a horrible automated system in place
| makes that harder to do.
| jwie wrote:
| The fact that there's no formal difference between tax payments
| and scam payments should be tickling the part of your brain; this
| means something.
| pbackx wrote:
| I think this will be full of similar experiences: Some time ago
| my wife's cards suddenly got all kinds of charges, clearly not
| ours. So we call the bank and while they put the blame on us,
| among other things they said the bank never ever would contact us
| by SMS and we may have clicked on dodgy links in one of those
| messages.
|
| Eventually they decide we should replace all our cards. 5 minutes
| later we get an SMS asking us to call an unknown number to set
| our PIN code for the new card. It contained at least 5 warning
| signs as in the author's article.
|
| We call them back asking them what that SMS is about and the only
| explanation is "That is the good kind of SMS, you can trust it"
|
| (Eventually we did get all stolen money back, but it took a
| while. We never got a plausible explanation of what may have
| happened and what we could do to prevent it in the future)
| EchoReflection wrote:
| the only other options I can think of (in the USA) are USPS and a
| company that I haven't seen in so long that I wondered if they
| were still in business, DHL. DHL's website is still up and
| running, but I guess they aren't doing great if I never see their
| delivery trucks anymore. Maybe they have a stronger presence in
| areas away from where I live...
| hn_throwaway_99 wrote:
| Wow, I thought this was a great post, and I'm just dumbfounded
| about how egregiously bad that first SMS was - FedEx might as
| well tell the recipient they want the customs duties wired to a
| Nigerian prince.
|
| But I also disagree with the general push of Troy Hunt's
| recommendations. That is, we should just take the base assumption
| that humans, generally, can't distinguish between real and
| phishing inbound messages. That's only going to become more true
| with AI. Relying on those distinguishing characteristics in the
| first case is an absolute fatal flaw.
|
| Instead (and, in fairness, Troy Hunt did do this) you should
| _never_ depend on an outbound link or phone number in a message
| you received. You should log in to whatever service you think
| sent it based on looking up the address or phone number yourself.
| This "hang up, look up, call back" advice should be an absolute
| mantra. I think responsible organizations should just start by
| saying they will _never_ put links or phone numbers in text
| /emails/calls, and their notification messages should say
| something like "Log in to your dashboard to see details."
| avarun wrote:
| I don't think Troy Hunt is recommending what you're suggesting
| at all? The very beginning of the post starts with:
|
| > but I'm a smart human so I don't fall for this (that's a
| joke, read why humans are bad at URLs).
|
| It's clear that he thinks relying on heuristics to distinguish
| scammy URLs is not a scalable long term approach.
| hn_throwaway_99 wrote:
| Two things:
|
| 1. The entire article is about a (surprisingly) legit FedEx
| SMS looking totally spammy. My point is that we should take
| "looking totally scammy" completely out of our vocabulary,
| and pointing out similarities or differences in scam vs real
| notifications only furthers the notion that they're
| distinguishable in the first place. Again, to emphasize, I
| still think this overall was a great article highlighting the
| ineptitude of FedEx sending such egregiously bad
| notifications in the first place.
|
| 2. Hunt says exactly this in the article "But if I were to
| take a guess, they've merely blocked the tip of the iceberg.
| This is why in addition to technical controls, we reply [sic]
| on human controls which means helping people identify the
| patterns of a scam: requests for money, a sense of urgency,
| grammar and casing that's a bit off, add [sic] looking URLs."
| My point is we should _stop_ "helping people identify
| patterns of a scam". We should instead just teach people to
| treat _all_ incoming notifications as suspect and to never
| follow a link /phone number from an incoming message.
| WorldMaker wrote:
| On that second point that is what Troy Hunt shows doing: he
| goes to the FedEx website and finds no indicator of any
| duties/taxes in the official package tracker. This seems a
| case where the Australian customs team doesn't have feature
| access to the main website to service this case and are
| instead badly routing around it.
|
| I think this is the core point Troy Hunt is trying to show,
| but I don't think Troy Hunt makes it explicit enough that
| this org chart/processes problem is the real problem and
| the thing FedEx should most fix _because_ you can't rely
| on incoming notifications to not look scammy, real
| notifications _are_ indistinguishable from fake ones even
| if the real ones weren't doing so horribly to begin with.
| Troy Hunt often makes that point better in other posts (see
| the old, long series on "Extended Validation" certificates
| for an example) and maybe just assumed that message was
| clear rather than harping on it and then resummarizing it
| in bold text and blinking lights in this post.
| samatman wrote:
| This is more restriction than necessary, and unkind to users
| who may be technically unsophisticated, distracted, sick that
| day, or just kinda dumb.
|
| Include a link, make it a part of the core domain, short, and
| prominent: https://example.com/contact. If the user isn't
| logged in, lead with a login flow explaining "If you received a
| message from us, log in for details", and include a contact
| form, phone number, and if there's a chat with customer
| support, that too.
|
| These are all things a phish can spoof to some degree, but
| that's not a good reason to force the user to figure out how to
| resolve whatever problem you're bringing to their attention.
| hn_throwaway_99 wrote:
| > This is more restriction than necessary, and unkind to
| users who may be technically unsophisticated, distracted,
| sick that day, or just kinda dumb.
|
| Couldn't disagree more. By sending outbound links in
| notifications we're only perpetuating the idea that it's OK
| to click those in the first place. It's hardly any more
| difficult to just open your browser yourself. I also don't
| like the idea that we're not willing to accept the absolute
| mildest of inconveniences, when on the flip side we have
| loads of stories of people's lives being completely ruined
| when their life savings are stolen by scammers. It'd be like
| telling people not to lock their doors because that adds 5
| seconds to the time it takes to enter your house.
| samatman wrote:
| It's a mild inconvenience _to you_, to some number of your
| customers, it will mean they never follow up on whatever
| presumably important message you were sending them.
|
| Keep telling people not to click on links, ever. The ones
| who listen, and are paranoid about taking that advice
| literally, will look the company up on a search, or copy-
| and-paste the link instead of clicking it.
|
| If I get a link from a company I have an account with, and
| the link is from their URL, I'm going to click it. I'll
| also check to make sure there wasn't some kind of redirect
| or Punycode involved.
|
| But you're not helping your customers by refusing to
| provide them with an important affordance just because
| scammers might do something similar. That kind of logic
| doesn't help anyone, because "anyone" breaks down into two
| groups: the ones who click, and the ones who don't. The
| ones who click get to resolve the problem, the ones who
| don't have to do a search first, exactly what you're
| suggesting forcing everyone to do.
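The check samatman describes, looking at whether a link really sits on the company's own domain and whether Punycode or a lookalike host is involved, can be made mechanical. The following is an added example, not code from the thread or from any vendor; the allow-list of known sender domains and the sample URLs are constructed (the ficoccs-prod.net host is the one quoted later in the thread, with a made-up path), and the eTLD+1 logic is deliberately crude.

```python
from urllib.parse import urlsplit

# Hypothetical allow-list: registrable domains the user verified out-of-band
# (from a statement, the back of a card, or a known-good bookmark).
KNOWN_DOMAINS = {"bmo.com", "fedex.com"}


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels. Fine for .com/.net; a real tool
    should consult the Public Suffix List so that e.g. co.uk is handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def vet_link(url: str, known: set = KNOWN_DOMAINS) -> dict:
    """Return the parsed host, its registrable domain, and a list of findings.
    An empty findings list means the link is on a known domain and shows none
    of the lookalike tricks checked here."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []
    if parts.scheme != "https":
        findings.append("not https")
    if not host:
        findings.append("no hostname")
        return {"host": host, "domain": "", "findings": findings, "ok": False}
    # IDNA labels start with xn--; a Unicode hostname may be a homograph of a
    # familiar name. Either deserves a closer look before clicking.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label in hostname")
    if not host.isascii():
        findings.append("non-ascii hostname")
    # "https://bmo.com@evil.example/" shows a familiar name before the '@' but
    # the browser connects to the part after it.
    if parts.username is not None:
        findings.append("userinfo before hostname")
    domain = registrable_domain(host)
    if domain not in known:
        findings.append(f"{domain} is not a known sender domain")
    return {"host": host, "domain": domain, "findings": findings,
            "ok": not findings}


# Constructed samples; only the ficoccs-prod.net host appears in the thread.
SAMPLES = [
    "https://www.bmo.com/contact",
    "https://bmo.com.evil-example.net/login",
    "https://xn--bm-xka.com/verify",
    "https://bmo.com@evil-example.net/",
    "https://ecs01-us.ficoccs-prod.net/2088/en-US/example",
]

if __name__ == "__main__":
    for u in SAMPLES:
        r = vet_link(u)
        print("OK " if r["ok"] else "!! ", u, r["findings"])
```

This only inspects the URL as it appears in the message; the redirect case samatman mentions can only be checked by following the link in a controlled way, which is exactly the step this check is meant to precede.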
| 0xbadcafebee wrote:
| > That's only going to become more true with AI.
|
| It can't become any more true than it already is. Humans
| already fail to identify phishing 95% of the time. And a human
| can already create an exact duplicate e-mail, website, text,
| etc as a real one. There's no need for AI.
| csours wrote:
| There ought to be a law, I tell you
| tonymet wrote:
| This reinforces the need for "mutual trust security" that I've
| been calling for now for years.
|
| All of the significant authentication schemes are built to
| validate the customer, and none validate the vendor.
|
| When your bank or mobile provider gives you a call : how do you
| know it's them? They start asking you for personal data right
| away, but you have no idea who you are sharing information with.
|
| We need "mutual authentication" including better identity, trust,
| challenge-response and more. Customers should be able to validate
| who they are talking to before even sharing their own
| credentials.
| Bjartr wrote:
| That exists, but isn't super widespread. Some places will have
| you choose something (image, phrase, etc.) that they will
| display to you when logging in. If you don't recognize the
| thing shown when you go to login, don't trust it.
| tonymet wrote:
| You're right but it's for web and hardly used.
|
| Phone, text and email are much bigger threats.
|
| Email has some incomplete protections including DKIM and
| others. Phone and text only have caller-id which is easily
| spoofed and vendors don't even manage their contact points.
|
| We need a platform that consumers can easily understand and
| use.
| zokier wrote:
| EV certs were intended for that. They _should_ always contain
| info of the company who they were issued to. They were mostly a
| trainwreck, and now almost completely abandoned.
| ianburrell wrote:
| For voice calls, and maybe SMS, there could be a mechanism to do
| bidirectional authentication with words. The problem is that you
| would have to switch to an app to generate the words and validate
| the response. For the user, a password or passkey would work. For
| the company, the SSL cert on the domain might work. Otherwise, you
| would need to download certificates.
|
| For SMS and voice calls, it would help if they could implement
| call authentication so you can trust the number. Phones should
| show the user if the number is validated. It would also be good to
| add trusted CallerID names; Google does with some numbers.
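The "mutual authentication" tonymet asks for and the word-based bidirectional challenge-response ianburrell sketches can be shown concretely. The following is an added example, not code from the thread or from any bank or carrier; it assumes a per-customer secret enrolled when the account was opened (a constructed 32-byte value here) and uses a constructed 16-word list. Each side challenges the other with a short random string, and the answer is a few words derived from an HMAC over the challenge, so the caller proves it holds the secret before the customer discloses anything.

```python
import hashlib
import hmac
import secrets

# Constructed 16-entry word list: 4 bits per word. A real deployment would use
# a much larger list of phonetically distinct words.
WORDS = ["apple", "bridge", "candle", "delta", "ember", "falcon", "garden",
         "harbor", "island", "jungle", "kettle", "lantern", "meadow", "nectar",
         "orbit", "pepper"]


def new_challenge() -> str:
    """Short random challenge that can be read aloud or typed into an SMS."""
    return secrets.token_hex(4)


def respond(secret: bytes, role: str, challenge: str, n: int = 3) -> list:
    """Derive n words from HMAC(secret, role || challenge).

    The role ("vendor" or "customer") is mixed in so that an answer produced
    for one direction cannot be replayed in the other (reflection attack)."""
    tag = hmac.new(secret, f"{role}|{challenge}".encode(), hashlib.sha256).digest()
    words = []
    for i in range(n):
        byte = tag[i // 2]
        nibble = byte & 0x0F if i % 2 else byte >> 4
        words.append(WORDS[nibble])
    return words


def verify(secret: bytes, role: str, challenge: str, answer: list) -> bool:
    """Constant-time comparison of the spoken answer with the expected words."""
    expected = " ".join(respond(secret, role, challenge)).encode()
    return hmac.compare_digest(expected, " ".join(answer).encode())


def mutual_auth(customer_secret: bytes, vendor_secret: bytes) -> bool:
    """Both directions of the exchange. In practice each side runs only its
    half; here both are simulated so the flow can be executed offline."""
    # 1. Customer challenges the caller; the caller must prove it holds the
    #    secret before the customer says anything about the account.
    c1 = new_challenge()
    if not verify(customer_secret, "vendor", c1, respond(vendor_secret, "vendor", c1)):
        return False
    # 2. Only now does the customer answer the vendor's challenge.
    c2 = new_challenge()
    return verify(vendor_secret, "customer", c2, respond(customer_secret, "customer", c2))


# Constructed per-customer secret enrolled at account opening (not a real one).
ENROLLED_SECRET = bytes(range(32))

if __name__ == "__main__":
    print("mutual auth with shared secret:", mutual_auth(ENROLLED_SECRET, ENROLLED_SECRET))
```

Three words from a 16-word list give only 12 bits per direction, which is enough to make a cold caller's guess fail almost every time but not enough for many retries; a real scheme would use a larger list and rate-limit failed attempts. The order matters too: the vendor answers first, so a customer who is being phished never has to hand over their own words to an unverified caller.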
| d1str0 wrote:
| I clicked the link to read this article because last week I
| received a paper letter from FedEx I initially thought was
| scammy.
|
| It asked me to pay duty/taxes for my $799 Prusa 3D print order
| that arrived just last week.
|
| So now I know Troy Hunt also bought a Mk4 assemble-yourself kit
| from Prusa.
|
| Enjoy, Troy! Mine took 8 hours to build and it works like a
| charm! Fantastic little machine.
| aggieNick02 wrote:
| My favorite FedEx facepalm was when they kept trying and failing
| to deliver a package to themselves...
|
| They have an option to have your package held at a FedEx store.
| It's great for when the package requires signature and you're not
| able to wait at home all day for it.
|
| Recently I used it. Unbeknownst to me, the FedEx store changed
| its physical location while the package was in transit, to a
| different strip mall across the highway. So for several days in a
| row, I was notified that FedEx attempted to deliver, but that the
| business was closed. Every call to customer service yielded
| understanding and sympathetic employees who had no idea how to
| fix the issue.
|
| After about 5 days, something clicked, and my package showed up
| at the new FedEx location.
| dawnerd wrote:
| Can we add pharmacies calling and asking to verify your ssn and
| dob? It's trained a lot of older people to trust whoever is
| calling.
| kylecordes wrote:
| The bar to relative excellence in our industry is so very low.
| 0xbadcafebee wrote:
| Compare this to USPS, which is so secure that I can't get back
| into the account I created to manage deliveries for my home
| address, and there is absolutely no recourse. (no customer or
| technical support, going into a USPS office does nothing, etc) I
| still receive e-mails at my old e-mail address about deliveries
| coming to my home, but I can not turn them off, change the e-mail
| address, etc.
| lnxg33k1 wrote:
| Couriers are part of the reason I haven't bought anything for
| years
| riggsdk wrote:
| I've somewhat convinced myself that someone in the postal service
| is leaking information about pending parcels to scammers (or the
| scammers have access to some servers). Whenever I'm expecting a
| package the number of phishing attempts in my email skyrockets.
| Period of no packages - a lot less attempts. Waiting for a new
| package? Phishing emails ramp up again.
| flerchin wrote:
| And Amazon emailing me about my package due to arrive today.
| Clicking the link is right there and very convenient to find out
| which one. They won't tell me which package because then gmail
| will be able to know what I'm buying (which I'm fine with).
|
| These emails are the _exact same form_ that a phishing email
| would take.
| chankstein38 wrote:
| FedEx is trash but this kind of handling of these kinds of
| communications is so common it's disgusting. I say it all of the
| time too. "No wonder people get scammed." We get security
| trainings at work or get things like "_company_ will NEVER ask
| for your password" then they immediately violate their own rules.
|
| It's absurd.
| me_jumper wrote:
| I bought insurance online. Some days later I got a super dodgy
| email telling me I should sign up for an online portal. The link
| was a mess and linked to a different insurance provider.
|
| I called my provider. Turns out the actual insurance is handled
| by a sub-provider that works for a different (major) insurance...
| WTF
| datavirtue wrote:
| I just read an article detailing how thousands of Americans fall
| for scams run by Mexican cartel proposing to buy their timeshare
| from them. Americans buying Mexican timeshares is a big thing
| apparently. One guy kept getting pulled into the scams eventually
| paying them (and losing) $1.8MM. Others had lost tens or hundreds
| of thousands to the same type of scam.
|
| Every time someone supposedly bought their timeshare there would
| be a bank fee or tax they would have to wire money for. The guy
| who lost $1.8MM wired money 90+ times.
|
| These are lawyers and doctors, educated people getting ripped
| off.
| tempestn wrote:
| Was just dealing with similar nonsense from BMO Harris bank
| yesterday. I got this text (numbers changed):
|
| "FreeMsg: BMO Fraud Ctr: 18774352371 Case 19684358 Did you
| attempt $4.00 at NYTIMES with card x1234? Reply YES or NO"
|
| The 1234 did match the last 4 digits of my card - not the first
| four, a common trick - but the rest of the message is, as Troy
| says, Dodgy AF.
|
| They then followed up with a similar email, prompting me to click
| on a link that began like this: https://ecs01-us.ficoccs-prod.net/2088/en-US/tran_Not_Author...
|
| That's certainly not a BMO domain. Wtf, bank?
|
| So, called them and confirmed the messages were legit, unlike
| that charge.
|
| And as an aside, this is far from the first time I've had a card
| compromised while never using it at a physical vendor, and only a
| handful of large online ones. Once I actually started getting
| fraud transactions on a card I had _never_ used. I'm guessing
| access to credit card info is far too broadly available within
| the bank.
| malfist wrote:
| The first four are not secrets. The first two digits identify
| the card issuer, and the next two are the card type. That's how
| those credit card numbers can show you your card issuer's logo
| after you type the first two characters.
| lights0123 wrote:
| Right--they're saying it would be easy for a scammer to
| "prove legitimacy" by showing those first four, given that
| they're public.
| eiiot wrote:
| I got an email from BMO the other day that I had changed my
| password. I immediately tried to log in (with my current
| password) and it worked fine. Never got any other communication
| from them about it, or even a fraud alert after I supposedly
| "changed" the password.
|
| I moved to Schwab a while ago, so I'm not sure what I would've
| done to change the password. Schwab is much better, by the way.
| BMO is a joke. I never thought I would say this, but I miss
| Bank of the West.
| meeech wrote:
| This is funny to see today because I had exact same experience,
| but with UPS. Call came in, marked as Probable Spam. Robot voice
| on the line, claiming to be from UPS. Duties and taxes. I am
| expecting a package, so I went to the website and it was legit.
| Though it won't change, because to do it right would cost them
| $$$. Whereas doing it wrong costs them less, and it then becomes
| a me problem.
| nerdjon wrote:
| The URL part of this in particular drives me insane, and it's not
| particularly Fedex's fault. But when every online retailer seems
| determined to keep me in their website (or a branded third party
| website) when I click a tracking number.
|
| "Track Package" sure, keep me on the website.
|
| But if you present me with a tracking number that you are making
| a link yourself, just send me to the shipper company. Bonus
| points when they then make it really hard to find the actual link
| I want on that random website they send me to. I already bought
| from you and will soon have your product in my hands, do I really
| need to be kept on a branded site that offers no extra value?
|
| Emails seem to be the worst for this.
|
| I feel like these companies are setting up people to be phished,
| when the idea that you can only track Fedex on Fedex.com is no
| longer true.
| asveikau wrote:
| Some of these package themed spams are amusing. I got some spam
| texts from a +44 number (UK) claiming to be USPS. Similarly I got
| a call from a +1 416 number (Toronto area) telling me they were
| US Customs and Border Control.
| TheDudeMan wrote:
| "while we're all watching for scammers attempting to imitate
| legitimate organisations, FedEx is out there imitating scammers!"
|
| Brilliant. Troy is the best.
___________________________________________________________________
(page generated 2024-02-23 23:00 UTC)