The OpSec Blog

Security and privacy information and advice at home and abroad.

Phishing: or How Your Bank Contributes to (In)Security


I, like many (?) in the Foreign Service, am forced to maintain some sort of online access to my bank accounts while overseas.  The Department requires us to direct deposit our pay into a US bank account, which does not make for what one would normally consider “easy access.”  I’ll tell ya: getting hit with a $3.00 out-of-network ATM fee on top of the 1-3% foreign exchange fee gets old fast.  After years of holding out, I recently switched to USAA for my direct deposit and checking accounts for the free account transfers and free ATM withdrawals (mostly) worldwide.

I haven’t been with USAA long enough to be unhappy with their customer service (although it did take some arm twisting to get them to believe that Foreign Service employees were eligible for the same products that military families are), but I was dismayed to discover that USAA’s notification e-mails contribute to a widespread malicious tactic known as phishing.

Before I go any further, it should be noted that USAA is certainly not the only institution in possession of my (and your) personal data that does this.  I have had to turn off or opt out of e-mails purporting to be from Capital One, PNC, Vanguard, and Citibank for the same reason.  Major clothing retailers my wife shops from do the same thing, as does Amazon, eBay, AT&T, Cox Cable, and occasionally Paypal.  In this post I will refer to the banks, but I’m referring more to the practice and not the industry.

The problem is that whenever I get a new “View Your USAA Document Online” e-mail (a statement, transfer notice, whatever), there is always a link that helpfully takes you straight to a login page.  This is very bad.  By conditioning customers to open e-mail links to web portals in which they provide their login credentials, banks and others are circumventing the number one defense against identity theft, fraud, and cybercrime: safe browsing habits.

I wrote at some length about the importance of using SSL-encrypted websites in the context of WiFi networks, but it’s also important to bookmark your https banking login portals in your browser and access them directly, not by clicking a link in an e-mail.

Phishing is a method of deception in which the attacker poses as a legitimate authority (such as a bank) and attempts to trick you into sending them your login credentials through an official-looking login page.  The risks of the habit of clicking on e-mail links are clear; after a while, one stops checking that the web address begins with https or whether the site’s SSL certificate is present and valid.  You probably won’t even think about it for a week, until you notice strange things happening in your account activity.  It only takes one slip to compromise your account.

Overseas, depending on your post, e-mail phishing is actually a very serious problem.  Foreign intelligence services are less likely to go after your banking info than to use phishing as the delivery method for a trojan horse program aimed at compromising Department networks.

Safe browsing habits developed at home will carry over to the workplace.  Here are some quick tips to avoid getting phished.

  1. Bookmark your bank’s https-secure login portal and only access your bank account from that link.
  2. Scrutinize the sender of the e-mail. If you don’t recognize it, don’t click the link.  Note this can be a bit tricky; my USAA e-mails come from “USAA.Web.Services@customermail.usaa.com.”  I honestly have no idea if this is a legitimate e-mail address or not.
  3. View your e-mails in plain text. This may take some digging around in your e-mail client or web interface, but almost every e-mail service offers this option.  This will at least let you see the link’s prefix and if it is https or not (remember, avoid http!).  In my case, the link goes to “https://www.usaa.com/inet/ent_edd/CpEdd?EID=66676-0211_txt”.  I still don’t know if that’s legitimate, but if it has https and a valid SSL certificate it’s probably safe.
  4. Turn off e-mail notifications altogether. If you’re on a regular pay schedule, as I and the rest of my government colleagues are, your paychecks don’t contain many surprises.  If your pay schedule is more irregular, this might not be for you.  If your notification e-mails are off and you get a banking e-mail requesting you to log in, that is cause for immediate suspicion.
  5. If you think you have been compromised, immediately change your password and, if possible, your login ID. Call your bank’s security hotline for further guidance.  If possible, save what you believe the offending e-mail was to forward to your bank on their request.
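Tips 2 and 3 amount to a manual audit of a notification e-mail: who sent it, and where each HTML button actually points. The script below automates that audit over a constructed sample message; it is an added example, not code from the original post or from USAA, and the sender address, hosts and URLs in it are made up for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the post's "View Your Documents" notice; all values are made up.
SAMPLE_EMAIL = """\
From: Example Bank <notices@customermail.example-bank.com>
Content-Type: text/html; charset="us-ascii"

<html><body><p>A new statement is ready.</p>
<a href="http://example-bank-login.example.net/inet/login">View Your Documents</a>
<a href="https://www.example-bank.com/security">Security Center</a>
</body></html>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs: the URLs a plain-text view would expose."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    """Last two labels of a host name; adequate for .com/.net style domains."""
    return ".".join(host.lower().split(".")[-2:])

def audit_message(raw):
    """Return one dict per link: button text, target URL and a list of warnings."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender_domain = registrable_domain(msg["From"].addresses[0].domain)
    collector = LinkCollector()
    collector.feed(msg.get_body(preferencelist=("html",)).get_content())
    findings = []
    for href, text in collector.links:
        url = urlparse(href)
        # Flag what the tips tell you to check by hand: the https prefix and the host.
        warnings = ([] if url.scheme == "https" else ["not https"]) + (
            [] if registrable_domain(url.hostname or "") == sender_domain
            else ["host differs from sender domain"])
        findings.append({"text": text, "href": href, "warnings": warnings})
    return findings
```

Running `audit_message(SAMPLE_EMAIL)` flags the "View Your Documents" button twice (plain http, and a host that is not the sender's domain) while the Security Center link passes both checks; the domain comparison is deliberately crude and does not handle country-code suffixes such as .co.uk.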
USAA E-mail

Here's a sample e-mail from USAA. Note the HTML "View Your Documents" button that hides a link to a login portal. Ironically, there's a link to the USAA Security Center in the top-right corner (cropped out so you'd be able to see the text) of the mailing.

This problem exemplifies one of the basic maxims of security:  security is an inconvenience.  There’s no question that clicking a link directly from your mail client is less cumbersome than launching your browser and navigating to your bookmark to load the site directly, but isn’t it worth the peace of mind of knowing your login and password are safe?  Safe browsing habits will trump any antivirus software suite, firewall, or well-meaning security FAQ.  It’s better to be safe than sorry.

I’d be interested in knowing if anyone banks with an institution that doesn’t send out notifications with login links in them as well as banks that do.  I haven’t found one that doesn’t yet after asking family and friends.  Leave a comment if you’ve got either!


One Response


  1. I found out during all the hacking my husband’s ex (AF, also in San Antonio) did that USAA has a web bill pay company contracted to send out those emails. When we opted out like the police said to do we were still getting emails from USAA even though online and over the phone they said they removed my email, but they forgot to tell this web bill pay company. USAA made sure to fix the problem but it was too late; the damage was done.

    You can also contact web help for your bank, which is what the police told us to do, and they told us that yes, they could see others in our accounts, in fact while we were speaking to them, but nothing was done. Amazing.

    So here’s what happened…

    Here is only a 2yr glimpse:
    After looking into our PC problems we found that my step daughter & her mom (who abused her recent Ramstein AFB clearance).  She abused base PC privileges & hacked our USAA, our PC, even our parents’ PCs; nothing was untouched, all to cyberstalk us like some creepy uncle all because they can.  The children spoke of aiming shotguns at us & killing us & others.  After reporting this to the police their investigation confirmed it all. They informed us that my step kids’ mom hacked us from Ramstein, San Antonio & Alabama bases.

    My step daughter told us how her mom & step dad taught her to hack her Ramstein AFB jr high principal’s computer b/c the principal punished her, but we didn’t believe her till now.

    My step daughter finally confessed to what her & her mom did to us only to try & regain our info again, but we unfortunately had to harden our hearts toward my step daughter; she/they are dangerous. We were told nothing was done by AF because she was retiring & many military members know this; that’s why they wait till they retire. If you can’t put the person behind the computer (though they could, because the type of base location found by the civilian police, which they got from the IP address my husband could be discovered if a CAC card was used, which it is believed it was). The AF didn’t touch this for some strange reason and all the leg work was already done by civilian police.

    2greatdogs

    05/12/2011 at 00:51

