
The Art of Deception: Controlling the Human Element of Security - Kevin D. Mitnick [50]

(or the world, for that matter) is buying an item from an individual he doesn’t know. PayPal charges the purchaser’s credit card and transfers the money directly to the seller’s account.

As a collector of antique glass jars Edgar did a lot of business through the on-line auction company eBay. He used PayPal often, sometimes several times a week. So Edgar was interested when he received an email in the holiday season of 2001 that seemed to be from PayPal, offering him a reward for updating his PayPal account. The message read:

Season’s Greetings Valued PayPal Customer;

As the New Year approaches and as we all get ready to move a year ahead, PayPal would like to give you a $ 5 credit to your account!

All you have to do to claim your $5 gift from us is update your information on our secure Pay Pal site by January 1st, 2002. A year brings a lot of changes, by updating your information with us you will allow for us to continue providing you and our valued customer service with excellent service and in the meantime, keep our records straight!

To update your information now and to receive $5 in your PayPal account instantly, click this link:

Thank you for using PayPal.com and helping us grow to be the largest of our kind!

Sincerely wishing you a very “Merry Christmas and Happy New Year,”

PayPal Team

A Note about E-commerce Web Sites

You probably know people who are reluctant to buy goods on line, even from brand-name companies such as Amazon and eBay, or the Web sites of Old Navy, Target, or Nike. In a way, they’re right to be suspicious. If your browser uses today’s standard of 128-bit encryption, the information you send to any secure site goes out from your computer encrypted. This data could be unencrypted with a lot of effort, but probably is not breakable in a reasonable amount of time, except perhaps by the National Security Agency (and the NSA, so far as we know, has not shown any interest in stealing credit card numbers of American citizens or trying to find out who is ordering sexy videotapes or kinky underwear).

These encrypted files could actually be broken by anyone with the time and resources. But really, what fool would go to all that effort to steal one credit card number when many e-commerce companies make the mistake of storing all their customer financial information unencrypted in their databases? Worse, a number of e-commerce companies that use a particular SQL database software badly compound the problem: They have never changed the default system administrator password for the program. When they took the software out of the box, the password was “null,” and it’s still “null” today. So the contents of the database are available to anyone on the Internet who decides to try to connect to the database server. These sites are under attack all the time and information does get stolen, without anyone being the wiser.

On the other hand, the same people who won’t buy on the Internet because they’re afraid of having their credit card information stolen have no problem buying with that same credit card in a brick-and-mortar store, or paying for lunch, dinner, or drinks with the card—even in a back-street bar or restaurant they wouldn’t take their mother to. Credit card receipts get stolen from these places all the time, or fished out of trash bins in the back alley. And any unscrupulous clerk or waiter can jot down your name and card info, or use a gadget readily available on the Internet, a card-swiping device that stores data from any credit card passed through it, for later retrieval.

There are some hazards to shopping on line, but it’s probably as safe as shopping in a bricks-and-mortar store. And the credit card companies offer you the same protection when using your card on line—if any fraudulent charges get made to the account, you’re only responsible for the first $50.

So in my opinion, fear of shopping online is just another misplaced worry.

Edgar didn’t notice any of the several tell-tale signs that something was wrong with this email (for example, the semicolon
