[IP] Bank of America vs security

To: Ip ip <ip@xxxxxxxxxxxxxx>
Subject: [IP] Bank of America vs security
From: David Farber <dave@xxxxxxxxxx>
Date: Wed, 22 Jun 2005 15:28:30 -0400
List-help: <http://v2.listbox.com/doc/help_sub?list_name=ip@v2.listbox.com>
List-id: <ip@xxxxxxxxxxxxxx>
List-software: listbox.com v2.0
List-subscribe: <mailto:subscribe-ip@v2.listbox.com>, <http://v2.listbox.com/subscribe/?listname=ip@v2.listbox.com>
List-unsubscribe: <mailto:unsubscribe-ip@v2.listbox.com>, <http://v2.listbox.com/member/unsubscribe/?listname=ip@v2.listbox.com>
References: <0IIH00297VNH7T@xxxxxxxxxx>
Reply-to: dave@xxxxxxxxxx
Sender: owner-ip@xxxxxxxxxxxxxx



Begin forwarded message:

From: Bob Frankston <Bob19-0501@xxxxxxxxxxxxxxxxxx>
Date: June 22, 2005 12:40:17 PM EDT
To: Dave Farber <dave@xxxxxxxxxx>
Subject: Bank of America vs security

I’m in the middle of redoing my screen scraping now that Bank ofAmerica is forcing Fleet’s Homelink users to convert to their newonline banking service. I scrape because the data is mine and theymake the information available for only al limited time and onlywhile the particular account is open. That’s a big issue in its ownright – at least with paper statements and printed checks people canset the own retention policy but that’s not my main problem at themoment.

As an aside, looking their site itself they seem to have lots of homebrew Jscript code and I’ve found their seem to have troublemaintaining their DNS entries so their redirects can behave badly.Again, a separate topic.

I’m more concerned with a strange letter I got. It was sent in theclear, of course, because no one seems to care enough to do evensimple encryption – while I don’t blame CALEA it’s a reminder thatpolicies that allow the FBI to spy on us make it even easier forthird parties to do so.

The letter was in response to my attempt to setup online transfers.It’s the usual thing, emailing me a letter asking me to type back aone-time code to their site to verify that my email address is validand that I approve the transfer. Everything went smoothly but Idecided to look at the received fields in the envelope of the letter(vs the header) and found it to be a bit strange:

Here’s the header (with my email address and such informationreplaced by *’s) [you really need HTML to understand this – again,another topic …]




x-sender: bankofamericatransfer@xxxxxxxxxxxxxxxxxxxxxxxxxxx

x-receiver: **MyUser**@**MySite**

Received: from pula.cashedge.com ([129.41.8.16]) by **MYMachine**with Microsoft SMTPSVC(6.0.2600.2180);


       Mon, 20 Jun 2005 16:44:45 -0400

Received: from real2 (sonicwall [10.0.1.252])

by pula.cashedge.com (8.11.6+Sun/8.10.2) with ESMTP idj5KKiie25797

for <**MyUser**@**MySite**>; Mon, 20 Jun 2005 13:44:44 -0700(PDT)


Message-ID: <89617797.1119300283724.JavaMail.appft8@real2>

Date: Mon, 20 Jun 2005 13:44:43 -0700 (PDT)

From: bankofamericatransfer@xxxxxxxxxxxxxxxxxxxxxxxxxxx

To: **MyUser**@**MySite**

Subject: Outside the Bank transfers Email confirmation.

Mime-Version: 1.0

Content-Type: text/plain

Content-Transfer-Encoding: 7bit

Return-Path: bankofamericatransfer@xxxxxxxxxxxxxxxxxxxxxxxxxxx

X-OriginalArrivalTime: 20 Jun 2005 20:44:45.0778 (UTC) FILETIME=[E48D5320:01C575D8]

What is “pula.cashedge.com”? The DNS entry is gone and the number iswithin IBM’s world. I asked about this online to BofA and got ageneric response “The e-mail was not legitimate. It was part of afraudulent scheme to illegally acquire your personal financialinformation. Authorities shut down the fraudulent site within 2.5hours of its launch. We are working with the Secret Service toprosecute those responsible.” It was from a “Gregory I. Robinson”.When I called the 1-877-833-5617 listed in the letter and pressed 1(not the 5 they commended because I never typed info into a thirdparty site I was told there was no such person. The letter itself hadno site information – just the expected confirmation number.

As far as I can tell my own information wasn’t compromised – theletter contained no critical information other than the email addressI use for just that account. The BoA response seemed canned –misdirecting rather than informative.

Any idea what is going on? If there was such an interception that isvery worrisome.

Even more so because of a letter I received after sending an onlineQuery to CallVantage using another unique address and I quickly gotan unrelated letter from a third party site that seemed fraudulent. Ireported it to the third party’s ISV and got a response saying theywere shut down but know no more than that.

I view these as very serious breaches because they indicate attacksat the vital points in the system.

I’ve been mulling how to do edge-to-edge implementations in place ofrelying on the IP addresses but it’s been difficult to come up withan alternative to the DNS as an authoritative mapping of identifiersto IP addresses. Maybe that trust is misplaced …




Any ideas as to what is going on?







Bob Frankston http://www.frankston.com





-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/

Prev by Date: [IP] Jack Kilby, inventor of integrated circuit, dies
Next by Date: [IP] More insecurity
Previous by thread: [IP] Jack Kilby, inventor of integrated circuit, dies
Next by thread: [IP] More insecurity
Index(es):
- Date
- Thread