Discussion
Martin4x4 said:
There is already ample information to determine to pretty high certainty exactly how this 'hack' was carried out and it is in no way sophisticated. B used public wifi to access his email over http and compromised his email account, his customer was spear phished using the details he exposed, the receiving bank account will almost certainly also be a victim of payment/over-payment fraud.
Couldn't the builder have simply responded to a phishing email? We're getting loads of them at work and some are very good - proper logos and personalised to the receiver.They generally still get caught by our spam filters but some get through and weekly I'm asked by users (who all have an electronics / software technical background) if they're real or not.
Remember that hackers are very resourceful
http://www.wired.com/2012/08/apple-amazon-mat-hona...
If you are using Gmail be sure to enable two-factor authentication, it's a minor hassle getting a SMS each time you log in but well worth it!
http://www.wired.com/2012/08/apple-amazon-mat-hona...
If you are using Gmail be sure to enable two-factor authentication, it's a minor hassle getting a SMS each time you log in but well worth it!
Quattromaster said:
Thanks for pointing this out, At no point did I say email had been sent using public wifi.
Original email was sent from office computer, which uses a password protected router.
He changed his passwords using iPad while on holiday using my mothers password protected router, she lives overseas and part of my brothers holiday was a few days with her.
That claim is unconvincing. If he had done that, his email password would not have been compromised.Original email was sent from office computer, which uses a password protected router.
He changed his passwords using iPad while on holiday using my mothers password protected router, she lives overseas and part of my brothers holiday was a few days with her.
You stated he has has lost control of his email and I've given you the most likely scenario but you choose to ignore it and instead clutch at straws. The idea that this is some sort of 'inside job' is as I've already said asinine. You've amply demonstrated why the Human factor is the considered the biggest problem in IT security.
Edited by Martin4x4 on Sunday 26th July 07:51
Sheepshanks said:
Couldn't the builder have simply responded to a phishing email? We're getting loads of them at work and some are very good - proper logos and personalised to the receiver.
They generally still get caught by our spam filters but some get through and weekly I'm asked by users (who all have an electronics / software technical background) if they're real or not.
In this case the phishing email was sent to the customer, once things have reached that point it is hard to counter act. They generally still get caught by our spam filters but some get through and weekly I'm asked by users (who all have an electronics / software technical background) if they're real or not.
If there was an easy solution to human stupidity everybody would be using it.
essayer said:
Remember that hackers are very resourceful
If you are using Gmail be sure to enable two-factor authentication, it's a minor hassle getting a SMS each time you log in but well worth it!
It's not that bad as you can trust a device so it only applies when you login on a new/unknown device.If you are using Gmail be sure to enable two-factor authentication, it's a minor hassle getting a SMS each time you log in but well worth it!
Martin4x4 said:
Sheepshanks said:
Couldn't the builder have simply responded to a phishing email? We're getting loads of them at work and some are very good - proper logos and personalised to the receiver.
They generally still get caught by our spam filters but some get through and weekly I'm asked by users (who all have an electronics / software technical background) if they're real or not.
In this case the phishing email was sent to the customer, once things have reached that point it is hard to counter act. They generally still get caught by our spam filters but some get through and weekly I'm asked by users (who all have an electronics / software technical background) if they're real or not.
If there was an easy solution to human stupidity everybody would be using it.
Many people wouldn't admit to being phished once they realise what they've done.
The bit that I don't understand is the builder resetting the password and then it changing again immediately.
Martin4x4 said:
That claim is unconvincing. If he had done that, his email password would not have been compromised.
You stated he has has lost control of his email and I've given you the most likely scenario but you choose to ignore it and instead clutch at straws. The idea that this is some sort of 'inside job' is as I've already said asinine. You've amply demonstrated why the Human factor is the considered the biggest problem in IT security.
Why is it asinine? AOL got hacked last year and the hackers managed to obtain some password hashes and security question hashes. If those are MD5 hashes then the hackers could have broken many of them by now. You stated he has has lost control of his email and I've given you the most likely scenario but you choose to ignore it and instead clutch at straws. The idea that this is some sort of 'inside job' is as I've already said asinine. You've amply demonstrated why the Human factor is the considered the biggest problem in IT security.
Edited by Martin4x4 on Sunday 26th July 07:51
You also haven't explained how the user managed to use HTTP rather than HTTPS when there is a redirect to HTTPS. The hacker would have to be using a MITM attack and the user would have to be using a non HSTS compliant browser; or AOL doesn't implement HSTS (which would be remiss of them ore even perhaps negligent). You haven't explained how you know he was using HTTP instead of IMAP.
Met the couple who paid the £16,500 into the "fake" account back end of last week, they had popped into my brothers office to say the bank had called them to say all the money will be returned to them in the next 7-10 days, minus the £36 which was all that was removed from account.
So all in all a pretty good result all round
(And it's taught a fair few people, me included , the importance of internet security)
So all in all a pretty good result all round
(And it's taught a fair few people, me included , the importance of internet security)
Gassing Station | Speed, Plod & the Law | Top of Page | What's New | My Stuff