Strange email

13»

Comments

  • middlepuss
    middlepuss Posts: 461 Forumite
    Part of the Furniture Combo Breaker
    jamesd wrote: »
    What mechanism requires a person sending an attack email to use something other than an email that has the same cosmetic appearance as one using this system...

    Any bets on how long it will be before we hear that some scammer has done exactly that - copied the appearance of the Scottish Widows email?

    The more word gets around about how wonderfully secure the (real) Scottish Widows email is the more likely the unwitting are to be taken in by a scam version of it.
  • jem16
    jem16 Posts: 19,566 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    jamesd wrote: »
    What do you look a there to prove the from address is genuine? Not the From line, I hope, because that's useless for the purpose.

    If I have doubts over the "genuineness" of an email I will check the message source. However I don't do that for every email I receive.
    I'm unsure from your wording, but surely you don't mean after following the link in the email to get to the site that is pretending to be a secure messaging site, then looking at whatever source that site shows?

    The full message source is available before following any link.
    What mechanism requires a person sending an attack email to use something other than an email that has the same cosmetic appearance as one using this system, for the sole purpose of getting you to click on a link in the email?

    I get the impression that it won't matter what I say, you will come up with a reason against the system. I understand your reservations over the web based system so avoid i then and use the email client system. It's much easier to use anyway.
    middlepuss wrote: »
    Any bets on how long it will be before we hear that some scammer has done exactly that - copied the appearance of the Scottish Widows email?

    The more word gets around about how wonderfully secure the (real) Scottish Widows email is the more likely the unwitting are to be taken in by a scam version of it.

    The financial companies are recommending the use of the Outlook/Outlook Express plugin to read the emails. There is then no html link to follow and it simply decrypts the email.
  • jamesd
    jamesd Posts: 26,103 Forumite
    Part of the Furniture 10,000 Posts Name Dropper
    edited 27 December 2010 at 4:17AM
    jem16 wrote: »
    I get the impression that it won't matter what I say, you will come up with a reason against the system.
    It's not this system specifically, it's any link in email and the methods you've suggested you use to help don't, except possibly the plugin.

    Checking email source rarely helps to prove genuineness, certainly not the easy to forge From address.

    I haven't done any research to find out whether the plugin also has major security flaws or not. My guess is not, because I expect it to be possible for anyone to send an email appearing to be from any address and have the plugin display them, but I don't know.
    middlepuss wrote: »
    Any bets on how long it will be before we hear that some scammer has done exactly that - copied the appearance of the Scottish Widows email?
    Depends how popular it becomes. But for those providing email addresses and the name Scottish Widows in proximity on the web they are at higher risk of being targeted.
    middlepuss wrote: »
    The more word gets around about how wonderfully secure the (real) Scottish Widows email is the more likely the unwitting are to be taken in by a scam version of it.
    Right. Scottish Widows seems to be training its customers to use insecure email practices. If someone does mount an attack based on this that tries to get account details this will increase the amount of success that they will have, if people's trust is increased. Add in more vulnerability to whole computer compromises with instructions to "install our new more secure email viewing plugin" that attackers will be able to use.

    Scottish Widows doesn't seem to be acting in a responsible manner here.
  • jem16
    jem16 Posts: 19,566 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    jamesd wrote: »
    Checking email source rarely helps to prove genuineness, certainly not the easy to forge From address.

    One minute you say you would check the message source to see where the link would take you and the next minute you say viewing the message source doesn't help.
    I haven't done any research to find out whether the plugin also has major security flaws or not. My guess is not, because I expect it to be possible for anyone to send an email appearing to be from any address and have the plugin display them, but I don't know.

    So you would have to correctly guess the registered email address then guess the password? To install the plugin in the first place you have to know 4/5 pieces of information and then be able to verify that email address through them sending you an email to the registered address so you'll need the password on that account too.

    Did you take up dh's offer to send you an encrypted email so you could see how it works?
    Add in more vulnerability to whole computer compromises with instructions to "install our new more secure email viewing plugin" that attackers will be able to use.

    The plugin is provided by two major security firms who might just have a little clue about what they're doing.
  • jamesd
    jamesd Posts: 26,103 Forumite
    Part of the Furniture 10,000 Posts Name Dropper
    Viewing the message source is fine to check links, if they are readable in the source, which isn't always the case, but almost useless for verifying the from address.

    Those pieces of information for the genuine plugin don't have any effect on what a fake plugin requires or what at fake email might say.

    The two major security firms have a product to sell. I assume that if used as intended the product will protect the contents of genuine emails sent using it. That's not my concern, compromise of the computer receiving the email or the account details of recipients by fake emails is. This approach seems to be increasing the chance of compromise of computer or account details to gain some privacy of some individual emails. I think that's a poor bargain.
  • jem16
    jem16 Posts: 19,566 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    jamesd wrote: »
    Viewing the message source is fine to check links, if they are readable in the source, which isn't always the case,

    Which takes us back to your point of some hacker taking you to an alternate website and downloading something to compromise your computer.

    Yes the link is viewable in the message source.
    Those pieces of information for the genuine plugin don't have any effect on what a fake plugin requires or what at fake email might say.

    The fake plugin would not be asking the security questions you have already set up at the legitimate site so you would immediately know to be wary.

    And yes I have followed sensible computer security by going to the security site directly to register, download and install my plugin as opposed to simply clicking on an email link.
    The two major security firms have a product to sell. I assume that if used as intended the product will protect the contents of genuine emails sent using it.

    That's the whole idea of it. If we are going to use electronic mail as a way forward then a more secure way must be found. Emails, as it stands, can be intercepted anywhere.
    That's not my concern, compromise of the computer receiving the email or the account details of recipients by fake emails is. This approach seems to be increasing the chance of compromise of computer or account details to gain some privacy of some individual emails. I think that's a poor bargain.

    No account details are ever asked for unlike in internet banking where you would be giving someone access to your bank account.

    Also anti-phishing modules are built into the email so that you can trust its source.

    http://www.voltage.com/pdf/VoltageSecureMailDatasheet.pdf

    The Unipass system works in exactly the same way. Demo here if you want to see it in use.

    http://us.trendmicro.com/us/products/enterprise/email-encryption/flash-demo/index.html
  • jamesd
    jamesd Posts: 26,103 Forumite
    Part of the Furniture 10,000 Posts Name Dropper
    jem16 wrote: »
    Also anti-phishing modules are built into the email so that you can trust its source.

    http://www.voltage.com/pdf/VoltageSecureMailDatasheet.pdf
    Thanks:
    jamesd wrote: »
    It can be made less risky if the initial email contains pre-agreed personal or other information known only to the place that sent you the email that can't possibly be guessed by a spammer. Has to be pre-agreed or it can be used by someone with stolen information who can fake it by supplying whatever genuine information they have about you to say that it's to prove it's genuine.
    There's an image in the email that may do that job, if it's not possible to get it just by knowing the email address you're sending to and it it's checkable before any link has to be followed.

    If you can use the image just by knowing the email address you're sending to an attacker can use it. Hopefully that's been dealt with.
This discussion has been closed.
Meet your Ambassadors

🚀 Getting Started

Hi new member!

Our Getting Started Guide will help you get the most out of the Forum

Categories

  • All Categories
  • 350.2K Banking & Borrowing
  • 252.8K Reduce Debt & Boost Income
  • 453.2K Spending & Discounts
  • 243.1K Work, Benefits & Business
  • 597.5K Mortgages, Homes & Bills
  • 176.5K Life & Family
  • 256.1K Travel & Transport
  • 1.5M Hobbies & Leisure
  • 16.1K Discuss & Feedback
  • 37.6K Read-Only Boards

Is this how you want to be seen?

We see you are using a default avatar. It takes only a few seconds to pick a picture.
Update Your Picture