License to Phish
Phishing (where fraudsters create imitation emails and sites to extract personal details from users) and identity theft are pretty serious problems online, and the clueless behaviour of many companies isn’t helping.
For example, TalkTalk lets you register online to manage your account via their site. Instead of simply emailing you to let you know when a new account statement is available, they send out the whole thing as an attached HTML file, complete with your name, address, phone number and account number. OK, that's not much more than what Amazon includes in a dispatch notification (though an HTML attachment is exactly the kind of thing users are supposed to be wary of opening), but what makes it amusing/disturbing is the first line of the email:
Your latest bill is now available to view online. Don’t worry it’s from TalkTalk.
No, I didn’t make that up. Also, the return address is @f-eds.com rather than @talktalk.co.uk, and the address given in the email for enquiries uses @cpw.co.uk, so they’re introducing two extra domains the user may not be familiar with, which is precisely the sort of thing a phishing email would do.
But phone billing is relatively low-risk, so consider a banking example.
Alliance & Leicester uses www.alliance-leicester.co.uk. The emails they send out about credit cards are from @mbna.co.uk and direct the user to www.aandl.com, which redirects to wwwa.applyonlinenow.com, leading through to www.bankcardservices.co.uk for existing customers. So simply by dealing with your credit card you’ve encountered four additional domains that you have to trust are legitimate, none of which carries the bank's name.
That kind of behaviour is crazy, and makes it impossible to educate users to trust only a small number of specific domains. Companies that aren’t keeping things simple, consistent and transparent have to take some of the blame for social engineering fraud.
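The check the post is arguing for, as an added example that is not part of the original post: a small Python script that pulls the sender, reply-to and link domains out of a message and reports the ones a brand's customers were never told to expect. The sample message, the one-entry trusted list and the addresses in it (borrowed from the TalkTalk and A&L examples above, with a made-up body) are constructed for this example; the registrable-domain reduction is a deliberately crude stand-in for a Public Suffix List lookup.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, modelled on the TalkTalk billing email described above.
# The addresses are the ones named in the post; the message body is made up.
SAMPLE_EMAIL = """\
From: TalkTalk Billing <billing@f-eds.com>
Reply-To: enquiries@cpw.co.uk
To: customer@example.com
Subject: Your latest TalkTalk bill
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your latest bill is now available to view online. Don't worry it's from TalkTalk.</p>
<p><a href="https://www.talktalk.co.uk/myaccount">View your bill</a></p>
<p><a href="http://www.aandl.com/cards">Apply for a credit card</a></p>
<p>Questions? <a href="mailto:enquiries@cpw.co.uk">Email us</a></p>
</body></html>
"""

# Assumed allow-list: the only domain this brand has ever told customers to trust.
TRUSTED_DOMAINS = {"talktalk.co.uk"}

# Two-label public suffixes handled by the crude reducer below (assumption: enough
# for the examples on this page; real code should consult the Public Suffix List).
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk", "com.au", "co.nz"}


class LinkExtractor(HTMLParser):
    """Collect the href of every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def registrable_domain(host):
    """Reduce a hostname to the domain someone actually registered:
    www.alliance-leicester.co.uk -> alliance-leicester.co.uk,
    wwwa.applyonlinenow.com -> applyonlinenow.com."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def domains_in_message(raw):
    """Map each registrable domain the message asks the reader to trust to the
    places it appears: the From and Reply-To headers and http(s) links in the body."""
    msg = email.message_from_string(raw, policy=policy.default)
    seen = {}

    for header in ("From", "Reply-To"):
        _, addr = parseaddr(str(msg.get(header, "")))
        if "@" in addr:
            seen.setdefault(registrable_domain(addr.rsplit("@", 1)[1]), []).append(header)

    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        extractor = LinkExtractor()
        extractor.feed(body.get_content())
        for href in extractor.hrefs:
            parsed = urlparse(href)
            # mailto: and relative links carry no host; only http(s) hosts count.
            if parsed.scheme in ("http", "https") and parsed.hostname:
                seen.setdefault(registrable_domain(parsed.hostname), []).append("link")
    return seen


def unfamiliar_domains(raw, trusted):
    """Domains in the message that are not on the brand's published list."""
    known = {registrable_domain(d) for d in trusted}
    return sorted(d for d in domains_in_message(raw) if d not in known)


if __name__ == "__main__":
    for domain, places in domains_in_message(SAMPLE_EMAIL).items():
        print(f"{domain:<22} seen in: {', '.join(places)}")
    print("unfamiliar:", unfamiliar_domains(SAMPLE_EMAIL, TRUSTED_DOMAINS))
```

Run against the sample it reports f-eds.com, cpw.co.uk and aandl.com as domains the customer has no reason to recognise; the same check run over a company's own outbound templates before they go out is the cheapest way to stop the problem the post describes at the source.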
Thu 8th Mar 2007, 2:18pm GMT
Filed under: E-commerce, Email, Rants and Grumbles, Security and Privacy, Usability, Web
Comments
It's acceptable when the branding and information make the transition clear. If a site transfers me to PayPal I know who I'm dealing with. It's a trickier issue when payment pages are fully rebranded or the URL is obscure, but at least that's just one extra URL for one small site; a financial institution should be held to higher standards.
MBNA and A&L are both to blame; if they had talented web people running the projects then sensible URLs would've been one of the first things in the spec.
Many financial services and other companies simply don't understand the point. Even PayPal, who is surely the #1 most phished company in the world, doesn't get it. Here's a verbatim response I received after complaining about their emailed invitation to participate in a customer satisfaction survey with third-party URLs:
"PayPal frequently issues surveys in attempt to find more ways to improve our service and accommodate your needs.
At times, you may receive these types of surveys through one of our third party vendors, Decipher or Benchmark Portal. These will arrive as a link sent to you through email.
To get to the survey page, simply click on the link, or paste the link into your browser's web address box.
Please keep in mind that a medium like email allows anyone to send a message to you. Before entering information into the survey you received via email, you should verify the source of the email.
To make sure that the email survey you received was from PayPal, follow these tips:
1. You will NOT need to enter your password at any point during the survey.
2. The survey you received will never ask you for any personal information.
3. All surveys will address you by first and last name.
We appreciate your input, and we thank you for using PayPal!"
Yeah, right.
There's no s in licence.
— anonymous, 10th Mar, 11:50am
I'd normally use 'c', but have clearly been corrupted by those pesky Americans. Let me know if I start dropping 'u' out of words.
Comments are now closed for this entry.
Matt Round’s company blog, covering web development, media, technology and pretty much anything else.
— Peter Parkes, 8th Mar, 8:27pm