RSS
How Leaky Web Site Allow For Hostile Consumer Profiles
from the build-a-profile dept
Last week, there were reports that phishers were getting more personalized, including specific data they knew about you to make the phishing attempt more effective. Apparently, the folks at Citibank didn't realize this, because their latest method for distinguishing legit emails from phishing ones is to include personal info in their emails. Of course, some may ask just how phishers and identity thieves can get more info about a person, and Business Week has just provided one answer. While it's unclear whether or not any scammers are actually doing this, Stephen Wildstrom explains the fairly simple technique of building a "hostile consumer profile." If you know someone's email address it's quite easy. All you need to do is go to various websites and put in the email address and say that you forgot your password. On many sites, if they recognize the email address, they'll admit that you have an account on the site and say that you've been sent an email. If you don't have an account, the site will simply say that no such account exists. In that way, someone could enter your email address in a few different sites, and find out which ones you have accounts on. Wildstrom fears that someone will write programs to throw millions of email addresses into such systems, and build up huge profiles of info about people. Of course, if someone did this to you, you would suddenly get a bunch of emails reminding you of your password -- so you might suspect something was up. Also, plenty of sites have usernames, rather than email addresses, as the unique identifier for logging in. However, that doesn't change the fact that someone can pretty easily check to see if you've registered on certain sites.
2 Comments | Leave a Comment..
- Brazen Scams By Engineers Uncovered
- DailyDirt: Making Foods Yucky...
- No Surprise: Scammers Focus On Tricking The French With False Three Strikes Infringement Notices
- Wall Street Journal Europe Doles Out Cash And Favors To Inflate Circulation Numbers
- Paul Ceglia To Facebook: I Didn't Forge A Contract, You Did!
Reader Comments (rss)
(Flattened / Threaded)
No Subject Given
Or you might not, if that mail is automatically junked or deleted by virtue of your mail filter or the strange admin email address that isn't in your whitelist.
[ reply to this | link to this | view in thread ]
Don't use the same email address everywhere
[email protected]
[email protected]
[email protected]
You get the picture. Now if you register somewhere and they decide to share your email address, you can easily set up a filter for mail to that address.
More to the point of this article, though, it makes it a little more difficult to use this technique to figure out where you're registered. Especially if you "salt" the address you use like:
[email protected]
The salt ("_xx" in this case) stays the same every time, but you make it up uniquely for yourself -- so that if everyone starts using a scheme like this it is harder for the harvesters.
[ reply to this | link to this | view in thread ]
Add Your Comment