Schneier on Security
A blog covering security and security technology.
October 16, 2007
Security Risks of Online Political Contributing
Security researcher Christopher Soghoian gave a presentation this month warning of the potential phishing risk caused by online political donation sites. The Threat Level blog reported:
The presidential campaigns' tactic of relying on impulsive giving spurred by controversial news events and hyped-up deadlines, combined with a number of other factors such as inconsistent Web addresses and a muddle of payment mechanisms creates a conducive environment for fraud, says Soghoian.
"Basically, the problem here is that banks are doing their best to promote safe online behavior, but the political campaigns are taking advantage of the exact opposite," he says. "They send out one million e-mails to people designed to encourage impulsive behavior."
He characterizes the current state of security of the presidential campaigns' online payment systems as a "mess."
"It's a disaster waiting to happen," he says.
Fraudsters could easily send out e-mails and establish Web sites that mimic the official campaigns' sites and similarly send out such e-mails that would encourage people to "donate" money without checking for the authenticity of the site.
He has a point, but it's not new to online contributions. Fake charities and political organizations have long been problems. When you get a solicitation in the mail for "Concerned Citizens for a More Perfect Country" -- insert whatever personal definition you have for "more perfect" and "country" -- you don't know if the money is going to your cause or into someone's pocket. When you give money on the street to someone soliciting contributions for this cause or that one, you have no idea what will happen to the money at the end of the day.
In the end, contributing money requires trust. While the Internet certainly makes frauds like this easier -- anyone can set up a webpage that accepts PayPal and send out a zillion e-mails -- it's nothing new.
Posted on October 16, 2007 at 12:20 PM
I take exception to: "banks are doing their best to promote safe online behavior"
Banks are doing their best to maximize their profits, which means balancing the savings of safe online behavior with the cost of promoting such behavior.
At the risk of sounding like a broken record, banks could do a great deal by not putting any links in any emails, and including a short note explaining why. Users would get used to this, and not jump to click every link in an email.
AFAIK only one bank does this: the Royal Bank of Canada.
This isn't limited to online fraud; parking lot setup tables, door-to-door, mailings, I can think of a number of ways to leverage this sort of attack.
The problem is compounded by the fact that nonprofits and political organizations are exempted from spam/cold calling rules (at least in the US). I personally avoid this by making a blanket policy not to give money over the phone or online unless I instigated the transaction myself, by finding the charity/political campaign contact information and originating the transaction.
It does lead to an awful lot of, "Sorry, I don't donate over the phone" conversations, though.
Rich Wilson - To be honest, it makes fuck all difference if a bank sends out emails with links in or not.
Customers will always be stupid, and people who have never, ever received an email from their bank will still click on the link.
People who, after they have logged on to internet banking, get presented with a HUGE window saying "Don't click on links!" will click on the link. Then they give their details to the fraudster, then they tell the bank they would never do such a thing.
People who are not even customers of that particular bank will, instead of being suspicious, call the bank to tell them to stop sending them emails, or will forward it to a friend in case they have an account with that bank.
Such is the fantastic human brain.