Suggest Law: If a company's electronic notification to you is so phishy that a "reasonable man" would have obvious cause to doubt its legitimacy, then all financial and legal consequences of ignoring it are on the sender.
Edit: "sender" here refers to the sender of the electronic notification.
In this case the consequence is that the Australian government agency collecting the import tax doesn't get paid. Which means that they don't release the package to FedEx, and that you don't get your package.
FedEx needs to do a better job with these notifications. At the very least they need to hire a copywriter.
Our local FedEx once asked me for my details so they could be able to declare my package to the customs and in the SMS message they said that "The sender is paying all declaration fees." I sent them my info and got my package.
Then about five months later, I got a bill from FedEx for import fees, tax and service charges. Had to fight with FedEx for some time about it but eventually they agreed to void the bill. At this point in time, I have no idea if I paid the taxes when I bought the stuff, if FedEx paid them out of pocket or if the sender paid them out of pocket.
There are more possible realities. You listed the 3 first. There are more options, at least these:
4. You paid the taxes when you bought the stuff. Fedex wants the taxes anyways. They would have kept your extra taxes for themselves in the end.
5. You paid the taxes when you bought the stuff. Fedex wants the taxes anyways. They would have paid the extra taxes. The government kept them because, hey, they trust Fedex.
6. You paid the taxes when you bought the stuff. Fedex wants the taxes anyways. They would have paid the extra taxes. The government kept them but eventually returned them, because some kind of accounting kicked in.
7. You didn't pay the taxes when you bought the stuff. The sender didn't either. Fedex informs the sender and you. Fedex pays out of pocket. The sender pays out of pocket.
Could have happened if you paid:
8. You didn't pay the taxes when you bought the stuff. The sender didn't either. Fedex informs the sender and you. Fedex pays out of pocket. The sender pays out of pocket. You pay out of pocket. Fedex keeps twice the taxes in the end.
9. You didn't pay the taxes when you bought the stuff. The sender didn't either. Fedex informs the sender and you. Fedex pays out of pocket. The sender pays out of pocket. You pay out of pocket. The fed. governemnt keeps triple the taxes.
I mean, either I paid the taxes when I bought the stuff, or I didn't. There's no reality where I "didn't pay the taxes when [I] bought the stuff" and also I "pay out of pocket", since I have not paid anything after placing the order. I guess there's also the possibility that I paid for the taxes but the seller ended up pocketing them, with FedEx footing the bill.
True, to a degree. But let's imagine that (1) FedEx felt that profits were more desirable than legal expenses, and (2) FedEx had some power over the sending and contents of the notifications. Might FedEx decide to start following well-regarded standards for writing and sending legit-looking electronic notifications? And iterate from there, as an ongoing strategy?
You can spend as much as lawyer money as you want on arguing whatever nonsense you want, reasonableness is a common standard so sure, people will have spent lots of money pointlessly arguing about it but that's not a problem with reasonableness.
Sure, I'm certainly not going to pretend this is perfect, but it seems to be working basically fine and I don't see "reasonableness" - which actually avoids a lot of wrangling - as a problem.
Compare Legal Tender against an ordinary Reasonableness test. Legal Tender says that I only have to accept payment of your debt in specific forms (the "Legal Tender") and I can refuse to accept other payment.
So maybe our currency is Doodads, the Legal Tender law specifies that the 10 and 50 Doodad Coins shall be Legal Tender, and you owe me 15000 Doodads. You try to pay by card, I refuse. You try to write a cheque, I refuse. You try to pay with 150 of the 100 Doodad Coins, but again I refuse. Eventually I take you to court and... I win?! You did not pay your debt in the required Legal Tender.
With Reasonableness the court might buy that it was OK to refuse to accept the card (maybe I don't have a merchant account) and maybe even the cheque too (but already by then I expect a judge to have a lot of questions about how I thought you would pay and I'd better have a really good answer) but the 100 Doodad Coins are clearly money, with Reasonableness as our standard it's obvious that I lose my case, there's no need to write a law saying "Yeah duh, the 100 Doodad Coin is money" because a reasonable person can see that.
> then all financial and legal consequences of ignoring it are on the sender.
They are, since non compliance will either result in destruction of the package or sending it back (differs a bit per country and type of goods).
It's a bit sad there are no easy ways to prepay taxes and it's hit or miss if you get checked. I'm glad the EU figured it out and have almost no weird surprises any more, except from the Uniteds (states and kingdom).
I almost got in some trouble because of that. A "bank" I wasn't a customer of kept sending me messages about "urgent, answer this form with your personal details or we will lock your account". Seemed quite scammy to me.
Then I later got a physical letter in the mail about the same, and then I called the bank. Apparently I had some account there holding some pension stuff from a previous employer. Shrugs.
Maybe its just the hunan brain bad at perception, but I feel like there's some system compromised and info is leaked so scammers know when you are expecting a package because FedEx/USPS spam text increases.
These scammers probably aren't targetting specific individuals. They blast these messages out to a bunch of randos, and odds are very high that at least some of those are expecting packages just by chance. The marginal cost of an added message is tiny compared to the reward of one successful scam.
In Australia, if you buy something off AliExpress and use the budget shipping option, it will take anywhere from one week to two months to arrive. Shop there a couple of items a year and you're always expecting something.
What annoys me is that even the legit SMS notifications contain nothing identifiable about the package or sender, it's always "Your shipment #QWERTYUIOP is arriving by UnrelatedCourier between 1 AM and 11 PM today".
If you buy stuff with long delivery estimates, you might very well be even with relatively low numbers, Electronics from China, Custom Comissions or things with waitlists
Some of those can have over a month between purchase and reception, and might be shipped at arbitrary dates after purchase
I'm not that big of an online shopper, but there's certainly people that are
Maybe not in the world, but in my country (the Netherlands) in 2022 (last available data) there were 473 million packages send to 8.3 million households, which works out to a bit more than one package per household per week.
> But in a modern day and age, when aren’t you expecting a package?
Some people still prefer to buy most things directly in physical stores. For me, would be easier to list the few times when I am expecting a package. And even then, I'm expecting the package, not some random message about it; it usually arrives without any notification at all (and the tracking on the site is usually delayed).
I would be curious if FedEx specifically has some sort of leak though, it's super anecdotal but I seem to get more FedEx phishing attempts when I'm expecting a FedEx package.
You're right though that there are other mechanisms for this, it was around the holidays when this happened most recently. Plus humans tend to remember salient things and I probably more easily forget the ones that come when I'm expecting nothing.
Anyway, if their systems were better it would be easier to avoid scams without stress. I've never had to rely on external info for Amazon and it's true I'm often expecting something from them.
What are you buying constantly? Apart from food and hygiene items, I mostly shop online. I feel I do order too much already, but the parcels are one every 1-2 months. Any more than that and the apartment would start filling up, I imagine.
Maybe FedEx sees better results and gets more payments from appearing scammy? Scammers seem to do alright.
I know we tech people think this is type of messaging is ridiculous, but I’m constantly pulling less technical friends and family away from crap like this. Half a dozen have asked me about Elon Musk’s crypto trading breakthrough.
Well theoretically they force people to Google FedEx which IS a strong signal for google people are interested in the FedEx Brand. Doubt however that's the reason.
I know this comes down to institutional incompetency, but at some point there was a singular human person putting the template content the SMS message in question was generated from into some computer system somewhere and I genuinely wonder what was going on in their head that made them string the words together in this way. You'd have to give it a true, earnest shot to make it worse.
Could easily be one person writing the message. Another who demanded partial edits in a Jira ticket. But then the data types didn't match up with what the writer requested and then the dev didn't want to deal with it and just shipped it.
Or it could be that the message is made with a bunch of disjointed and constructed if statements and only the final output is piped to the customer. I have seen some very terrible log messages like that as nobody is looking at the entire message, just the little bit in the conditional they are editing at that point.
As an anecdote, I once worked on code that generated these very detailed error messages about why something went wrong. I discovered most never made it to the customer as someone later down the line reassigned a variable rather than +=. Piles of support tickets could have been avoided.
"The words" are probably nested templates so that at the level of input it's hard to really understand what the completed end result looks like. Also, there's many well-intentioned people in tech doing stuff that's just a tiny bit too complex for them to execute by themselves without a buddy or a reviewer. There are also whole teams and departments at big enterprises where someone might not be doing it alone, and they might also not be completely incompetent, making them the star engineer on the team, while everyone else wisely keeps their mouths shut since they surely don't have anything to contribute to the process. All the really good people that worked there, were snatched up by some fancy, greenfield project, on another floor, or got a position on some elite "refactoring team", surely not wasting their time on updating templates.
Everywhere that I know of requires a real, specific, individual to sign off on the purchase order, charge it to their card, send the bill to accounts payables, etc...
> I know this comes down to institutional incompetency
"Incompetency" is an interesting word.
The old maxim about incompetence versus malice suggests a binary
choice.
I prefer the more nuanced take that there is a spectrum of positions
between the two, and other dimensions that describe a cluster of
intents, both conscious and unconscious.
Take the UK Post Office scandal where we see incompetence layered on
top of malice, layered on top on incompetence. In some organisations
obviously deliberately harmful positions are written into "policy".
Often this comes under "PR" [fn:1]. More and more "AI" will be used to
disguise malintent and deflect scrutiny.
In the final episode of the ITV dramatisation [0], Alan Bates (played
by Toby Jones) delivers an absolutely shocking, knock down line. When
talking about incompetence and evil he says: "They're the same thing"
At some point there is no difference between incompetence and
evil. For a deeper psychological discussion of that listen here [1].
[fn:1] Edward Bernays seminal definition of public relations outlines
a creed of deception, manipulation and disinformation which is
antithetical to security [2].
Some say scammers are very smart, and that they deliberately use every trick in the book to tap into our psychological weaknesses and make us act irrationally. But I have the feeling that, 90% of the time, scammers are just told to write an "official-sounding" message – which is the same thing that the hypothetical human who wrote this template was trying to do: that's why the result is so similar. No doubt the use of the word "urgent", or capitalizing the words "Duty" and "Taxes", come from this attempt at making the message sound more formal and official, from someone who is definitely not a skilled writer.
Yep. It's a bit like the theory that scammers mention they're from Nigeria because they're ingeniously weeding out all the people who've heard of the scam before, and not because they need an excuse for people to send money to Nigeria (and with their culture and education level the ALLCAPS and religious references look very official and honest indeed), and if the cost of that is that 99.99% of their emails don't get delivered due to automatic filters protecting even the most gullible of recipients, well that's probably not something they've given much thought to.
I've read one interview with a scammer who mentioned that the initial pitch is deliberately written that way to screen for gullible people, and I've read extended email exchanges with Nigerian scammers where their broken English becomes flawless after the initial reply. 419eater.com was a treasure.
These days though, like most scams the 419 scams have been taken over by organized crime and worse. The average Nigerian scammer nowadays is probably doing it because Boko Haram will kill their family if they don't.
419eater is also full of scammers whose English notably deteriorates, scammers who have almost endless time to comply with bonkers requests, and scammers that are quite far into the discussion when they go to some effort to produce "official documents" that look like they were produced by a child. And personally, I've experienced the reverse, where even when it's a well constructed item-for-sale scam by someone with access to a PayPal account they can't help but use email addresses that look a bit too Nigerian to be an elderly Scottish lady and English that just doesn't match the ad copy and is obsessed with explaining the safety and urgency of the transaction rather than the "product". Most of the others have to mention Western Union to Nigeria at some point...
Just doesn't make much sense for people whose time is valued in cents per hour and whose theoretical earnings are in the thousands to optimise for screening out non-gullible people, plus the 99.9% of gullible people that have some sort of spam filter in the loop. But hey, if someone's shared that Microsoft Research paper with the scammers and they've come to believe that using formats that almost invariably bump into spam filters is actually a shrewd move on their part, who am I to discourage them?!
I don't know about Boko Haram involvement, but I assume the organized crime guys have some sort of MLM-style operation scamming Nigerians into paying for the get-rich-quick opportunity.
Not that I’m endorsing the use of smart phones, but FedEx does have a mobile application. Why not just use that for notifications regarding deliveries?
The FedEx one is meh and does afaik, but some (looking at you dhl) are almost useless as they provide little information (tracking info is hidden sometimes), sometimes do not allow you to add the parcel as it has a tracking code from a foreighn service which you cannot use and you have to figure out the local one, are full of "news" also known as ads and do not allow you to select the dropoff location closest to you (go ups!). Sorry, /rant.
And buy a very expensive tracking device with frequent security issues?
I am lucky to live in a country in which a large religious population eschews the smartphone, so saying "I don't have one" is acceptable and common here. But I have colleagues who tell me that they are expected to have a smartphone from everything to banks to government services to simple small restaurants.
Was also thinking, cool, where is this place, and how do I sign up?
But then I remembered, I already belong to a religion that makes the
ownership of a smartphine quite unconscionable to me.
Indeed I wrote about how even a religious objection is unnecessary
when there's a knock-down argument on the grounds of what is merely
patently unethical.
> are expected to
I find these "expectations" come from those who didn't read Dickens.
Your security is increasing at risk from organisations and
corporations whose own grasp of security is appalling. Because instead
of dealing with it they externalise risks and consequences onto the
public and customers.
Even worse, is where attempts to query that security is actively
punished.
This is typical now. Listen here (at 42:20) with an example regarding
the UK NHS whose incompetence plays directly into the hands of
cybercriminals.
My UK bank semi-regularly cold-calls me and ask me to authenticate by providing personal information. When I decline they readily tell me instead to call some number available on the bank website. So they not only are incompetent, they actually know it.
why? isn't getting the number from the website the right action? you can verify that you have the bank website, get the right number, and i presume even go to the bank branch to get the number in person, and then save the number as it should not change.
or are you referring to the call itself? i wonder why they need to do that.
Ahh yes, the FedEx GST payment system is wonderful!
You can find that number in the sms on an official FedEx page somewhere or other - I ended up using that as enough evidence to trust and call.
I get the feeling this system as a whole doesn't see much use - from a FedEx perspective, the vast majority of people paying duty will be via some specialised importer, not b2c direct.
Since nobody has cd drives anymore, I don’t think it functionally needs to? You could save on shipping costs by just mailing blank disks instead, plus hey free disks! It’s like aol all over again.
And even if you do have a CD drive in your computer, the risk is still lower than a USB stick. A CD contains only data, it cannot do things like emulating a keyboard. The worst it can do is shatter when your high-speed DVD-ripping drive spins it up a bit too fast.
CD drives may not be able to emulate a keyboard, but they can certainly install software. You might not click on any system popups that appear after inserting a malicious CD, but the sort of people who plug in random USB sticks likely wouldn't bat an eye.
"The Sony BMG CD copy protection scandal concerns the copy protection measures included by Sony BMG on compact discs in 2005. When inserted into a computer, the CDs installed one of two pieces of software that provided a form of digital rights management (DRM) by modifying the operating system to interfere with CD copying. Neither program could easily be uninstalled, and they created vulnerabilities that were exploited by unrelated malware. One of the programs would install and "phone home" with reports on the user's private listening habits, even if the user refused its end-user license agreement (EULA), while the other was not mentioned in the EULA at all. Both programs contained code from several pieces of copylefted free software in an apparent infringement of copyright, and configured the operating system to hide the software's existence, leading to both programs being classified as rootkits."
I think windows has moved away from executing autorun exes from discs by default a few versions ago. But back in the day it would prompt you what to do when you insert a USB storage drive, and just run whatever's set as the autorun if it's on a disc.
The common way to get USB malware to install automatically those days was to modify the USB drive to appear as a virtual disc drive, which worked.
I am currently sitting at my gaming PC, which does have a Blu Ray drive.
I use it about one or two times a year.
Just today I threw in a CD with the driver of my newly installed tp-link AXE5400 (WiFi PCIe adapter), because it wasn't detected on my PC and I didn't have internet without Wi-Fi.
I immediately got a prompt if I want to run the "autorun.exe" on the disc.
So that is still there (Windows 22635.3209, Windows-Insider Beta Chanel).
But back in the day, popping the disk in the drive would have just executed the autorun without even prompting you. Put the disk in the drive, suddenly new application running on your box as you (and generally, back in the day, as local admin). Not even a chance to say no.
No, that's specifically the problem - that's not necessarily true. You're talking about a small plastic box that contains a USB port and some electronics. You have absolutely no way of telling what those electronics will expose to the USB port. It's possible that they only expose some persistent storage, true, but it's equally possible that they expose an emulated keyboard, or just the good old https://en.wikipedia.org/wiki/USB_killer
There's an EU law demanding such documents to be delivered on a "durable medium". Some banks and financial institutions may have a strange approach to those, even though email attachments seem to be enough for others.
I do not read this court decision like that at all: the point of contention there seems to be that the customer was just sent a link to a webpage (where the contractual terms can be changed from under him at will by the company, thus this not being durable). The court makes it pretty clear in my (non-lawyer) opinion that attaching a PDF to the email would have been fine.
I was prepared to disagree with you, but I now have the same interpretation you have. Durable medium can be email - but the example seems a little fuzzy, for instance a durable medium is definitely when the email is stored on a HDD on a customer device. But is it still durable medium if the email only exists in a webmail? Probably yes, but maybe no. So the conservative approach would be to send paper for some things. (Or in this case, stupidly, USB devices. Banks, don't do that, please.)
Ramble Edit: it's unfortunate IMHO that there is no "read only" medium anymore. Not sure what it would look like now when USB-C is taking over the world, and that ship probably sailed, but it would be really cool and useful to have the option of a "data only" USB.
Maybe computers could have one USB port marked as "ROM". Or a switch or LED symbol indicating "ROM safe" mode.
When using such a ROM port, anything USB inserted there would only look like a DVD reader. A USB drive would get its files "mirrored" into a virtual ISO filesystem. Any other devices, such as keyboards etc would be just ignored and not connected to at all.
That doesn't fix the issue though. The issue is a killer USB or a virus on the disk. Being able to only read an infected file still allows it to be read.
Also, this is only a software solution as the USB protocol would require bidirectional transmission.
But it would bring us back to being as safe as a CD or diskette was.
I was thinking a special chip, talking bidirectionally both ways, pretending to be a PC host to the USB drive, and pretending to a DVD-ROM to the actual PC.
Most USB flash controllers support being read-only by either just being read-only or emulating optical drive. Obviously for the WORM usecase this is only an software solution inside the controller configuration as the underlying medium is still writable/erasable flash. In theory one could replace the flash with some kind of mask ROM with NAND-like interface and make it truly read only, but the cost makes that impractical for most applications.
Then there are LTO tapes that have WORM version, which is notionally not overwritable, but that is IIRC also only enforced by software (of the drive).
> There's an EU law demanding such documents to be delivered on a "durable medium". Some banks and financial institutions may have a strange approach to those, even though email attachments seem to be enough for others.
Even the (*-grand)parent never said the law actually says it can't be an email attachment, they said companies seem to interpret it that way. Which would not be surprising in the least. Then someone said they've never heard of any such law, and I pointed out that it exists.
I'm not sure who you're arguing with but it isn't me or in fact any of the people in this thread.
Putting aside the fact that the conclusion of this text is not at all what GP said... You do realize that this is not a law, not even a court decision, but that it is a prosecutor's opinion / suggestion to the court??
Putting aside what? Go back and read what the GP actually said, and what the parent comment (yours) actually said as well. All I was pointing out is that there is in fact such a law (requiring a durable medium), because you said you had never heard of such a law.
Sheesh, reading comprehension, please. That or stop moving the goalposts
It defers to a repealed 97/7/EC, replaced by 2011/83/EU:
> Durable media should enable the consumer to store the information for as long as it is necessary for him to protect his interests stemming from his relationship with the trader. Such media should include in particular paper, USB sticks, CD-ROMs, DVDs, memory cards or the hard disks of computers as well as e-mails.
USB sticks are on the list, but so is paper and e-mail. This USB stick could have been an e-mail.
Putting aside the fact that the conclusion of this text is not at all what GP said... You do realize that this is not a law, not even a court decision, but that it is a prosecutor's opinion / suggestion to the court??
Yes, if two people are going to answer with the exact same link and nothing else, I'm going to answer both with the exact same comment.
Here in Poland, I've already had several banks and at least one insurer send me CD-ROMs. Never heard of anyone sending USB sticks before, but I'm not surprised. The problem is, approximately no one owns a CD/DVD reader anymore, and there are no modern read-only physical media. With SD cards also going the way of the floppy, USB stick is just about the only medium you can hope most customers have means to read.
Since SD cards and USB sticks are both just computers you plug in to a network port on your computer, they could definitely make write-once SD card controllers.
AFAIK notch is just declaration of intent, like with floppies and magnetic tapes - it's politely asking the reading device to not write to the medium, and it's up to the device to respect it (or up to user to not bridge the notch with a piece of tape).
Still, actual write-once (or read/write until hardware fuse is triggered, read-only afterwards) SD cards should be possible to make.
Aside from the local tax collector, which insists on snailmailing me a copy of all correspondence even though they also sent everything to me digitally, I can't even remember the last time I received any documents on paper, and I'm in the EU.
Neither of those sources back up your claim that paper (or a USB drive, for that matter) is required in certain cases. The court case cited in your second link even lays out the conditions under which a website can be considered to satisfy the requirements.
Likewise. I have multiple accounts across different EU/Eurozone states and with the exception of the original contracts that I've had to sign to open said accounts, I've never had to deal with anything other than e-mail or in-app communication.
Some German banks created paid storage service with multiple plans available. They are required to deliver documents to their customers but managements have massive brainfuck about the requirement and the most absurd solutions and ideas are being sold to them.
What makes bank a relevant or suitable service provider to store my "important files"? To store any files whatsoever other than those they're obliged to deliver to me?! "upload your testament, passport, and id documents here, you can trust us we are A BANK".
I can understand that marketing message making sense and appealing to.. some people; I am surprised to see it on HN though.
This is like buying vegetable & olive oils from BP or Shell because they're oil experts looking for new income streams as we shift away from petroleum.
When shit hits the fan the bank will be like: "The storage was actually a service we nearshored to Romania and Belarus. Part of your stuff is lost, part of it had leaked. We can offer insurance lump sum of €3.64 for your loss. You consented to all the risks on the page 475 of T&C which we sent by post".
ich arbeite als (externe) CyberCyberCyber Nase in einer Organisation irgendwo in der Sparkassengruppe. Ich kann dir versichern, dass niemand, der auch nur im entferntesten was mit InfoSec in der Bank zu tun hat, von dieser Marketing Idee erfahren hat.
"I work as an (external) CyberCyberCyber nose in an organization somewhere in the Sparkassen-group. I can assure you that no one who is involved even the slightest with infosec at the bank, has heard anything about this marketing idea."
In your fantasies. It is of course in the responsibility of the bank to check if this is virus free. I am using Linux anyway.. No autorun.exe here. Is this still a thing with Windows?
The problem isn't the bank verifying that the USB stick is clean; the problem is that the bank is distributing info in the exact same way that APTs would try to compromise an important target.
Hyperbole, but it's like a bank employee calling you from an unknown number and asking for your email password so they can make sure their communications about your mortgage application don't go to the spam folder.
> Terms and Conditions, Price and Service List, Conditions.
> Dear customer,
> our price and service list, our terms and conditions, as well as further conditions which will come into effect on May 1, 2024, can be found on the USB stick.
That, and you can ask it to translate literally or colloquially, to summarize or explain about acronyms, cultural references, names, code, syntax, diagrams, graphics, or anything else.
GP: If you're going to play a curmudgeon, at least get some first hand experience with what you choose to complain about, otherwise your curmudgeoning isn't very effective, and you complain about things that aren't actually problems, and miss out on complaining about real problems.
I love to hate and complain about Unix and X-Windows and C++ and GCS, but that's because I've used them, not because I succeeded in avoiding them.
Sheesh! Do you need a hug? Anyway, with chat GPT you can simply give it the image from the reddit post and get the OCRd and translated text. It's one step, it's fast, it's accurate enough. Why not use it?
Prompt: Write an a cappella cover of a Philip Glass song in Simlish.
ChatGPT-4:
Creating an a cappella cover of a Philip Glass song in Simlish presents an interesting challenge. Philip Glass is known for his minimalist compositions that often consist of repetitive structures, and Simlish is a nonsensical language. Since Glass's compositions are largely instrumental, I will create an a cappella adaptation inspired by his musical style while using Simlish-like sounds.
Verse 1:
Doo doo zib, doo doo zib, doo doo zib, doo doo zib,
Bada bada zoob, bada bada zoob, bada bada zoob, bada bada zoob,
Glarbni glarbni glarb, glarbni glarbni glarb, glarbni glarbni glarb, glarbni glarbni glarb,
Sul sul sul, sul sul sul, sul sul sul, sul sul sul.
Chorus:
Froodle froodle, zibba zibba,
Dag dag, drib drib, yibbs yibbs,
Slooble slooble, wib wib, dor dor,
Lerpna lerpna, gort gort, zor zor.
Verse 2:
Doo doo zib, doo doo zib, doo doo zib, doo doo zib,
Bada bada zoob, bada bada zoob, bada bada zoob, bada bada zoob,
Glarbni glarbni glarb, glarbni glarbni glarb, glarbni glarbni glarb, glarbni glarbni glarb,
Sul sul sul, sul sul sul, sul sul sul, sul sul sul.
Chorus:
Froodle froodle, zibba zibba,
Dag dag, drib drib, yibbs yibbs,
Slooble slooble, wib wib, dor dor,
Lerpna lerpna, gort gort, zor zor.
Remember, this adaptation is meant to be playful and fun, as it doesn't have any real meaning or convey any specific message. The focus here is on capturing the essence of Philip Glass's minimalist compositions using Simlish-like sounds in an a cappella context.
> What makes this situation so ridiculous is that while we're all watching for scammers attempting to imitate legitimate organisations, FedEx is out there imitating scammers!
Wow. Just wow. Troy Hunt does an incredible job of calling out this utterly piss-poor performance from FedEx. Shame it needs somebody with a platform like this to draw attention to it. They should find a way to make them somehow more liable for fraudulent losses.
It's gotten to the point now where it sometimes actually is impossible to speak to a human being in customer service - the thick layers of chat bots, deliberately gated 'contact us' pages and "why not use our app" nags.. ..if you're savvy enough to know already that only a human can resolve your particular query, getting hold of one can become a time consuming and sometimes traumatic experience. (only slightly tongue-in-cheek, I do actually believe this affects mental health)
In a case I read (can't remember where), reservation data was somehow leaking (either from booking or from hotels), and scammers were sending messages purporting to be the hotel saying the room was cancelled or mischarged or something like that.
It's even worse than that. Scammers are sending messages through booking.com, so you get a message from the hotel, in your booking.com inbox, with a link to a payment site that just makes a payment to the crooks. The root cause is either hotel employees installing session-stealing malware, either accidentally or by being part of the scam.
One out of ~10 international shipments of records I had in the last year one was from FedEx and they sat on it in their out for delivery warehouse in a nearby town for two months with the usual pass the buck/pillar to post treatment. The extra fees plus customs they put on added up to 40% of the value of the items as well. DHL and UPS arrive within a week and are normally no higher than 25%
FedEx seems to be the worst option domestically too. Maybe it depends on your location but they're the only service that somehow fails to deliver signature required packages to my mail room. I've also tried to have them contact me directly while I wait at home and I've tried to waive the signature requirement online, but they still just say "delivery attempted" for 3 consecutive days and then hold stuff at their warehouse. Happened to me twice recently. I now try to avoid buying anything expensive that uses FedEx to ship.
A funny thing I discovered in this process is that "delivery instructions" are shared for all packages to a given address regardless of the associated name, and never flushed unless you go in and do it manually on their website. I found the name and contact information for the prior tenant of my unit on the FedEx site with no other info besides 1 tracking number to the address (it also let me change the delivery instructions with said info). Potentially they were still calling that person when they tried to deliver initially, though I have other reasons to doubt they actually came to the door that day.
A few months ago I got an email from the IT center of the company I work for that was dodgier than any phishing email I have ever received:
- Coming from a domain that looks nothing like the official domain of the company, rather some generic @itservice.com or something.
- Subject: "URGENT: your account is expiring soon".
- Multiple links provided in the email body, all illegible and multiple lines long, none of them from a domain that I can immediately link to the company.
- No alternative way of resolving the issue is provided other than clicking on one of those links (no "go to your account settings", "contact your line manager" or so).
Did you click on the "Report Phishing attempt" button installed by your IT center in your mail client?
Sorry for the probable sarcasm. In a company that size, if the IT center does not provide a means to report phishing attempts then there are more serious problems than a dodgy email campaign.
I did end up forwarding the email to another IT service address (one that I knew was legit). They thanked me for the feedback and said they would improve the message.
FWIW, I did exactly that a few times where I was 90% certain the e-mail is legit, but it still looked like a phishing attempt. The IT department needs to learn to do better, this is inexcusable, especially in a corporation with otherwise restrictive policies that waste ridiculous amounts of money and effort (think: Windows Defender real-time "protection" on developer machines, with no way to exclude your repos).
This is even worse in companies that have security offices actively sending out phishing emails worded as internal emails from your company that shame you if you click any of the links in them.
That reminds me that we had a "chief architect" who sent out his fairwell email with a link to his linked-in page in the footer, but the link actually went to a certain music video on youtube.
I suppose, if you want to train people to not click on links, that's a fun way to do it.
I am usually a bit pessimistic about it though. If their SOP doesn’t account for “looks like phishing but is from internal sender” then chances are that nobody connects the dots and informs that sender.
The intelligence of a small and motivated IT team seems difficult to scale.
Our IT did the exact same thing with expiring m365 passwords. They weren’t using the corp domain, typos all over and the URL was obscured using a bizarre link shortener.
The same guys also force us to change our passwords every 6 months and block the last twenty. Passwords we have to enter in systems that can’t pull directly from password managers and thus have to type 10-20 per day. Guess the average strength of an employee password!
I think IT incompetence should lead to audit fails or even better delisting from exchanges.
> I think IT incompetence should lead to audit fails or even better delisting from exchanges.
Fear of policy is why you get things like "force us to change our passwords every 6 months and block the last twenty". Getting a central arbiter of IT competence is a hard problem.
Myself and most people keep our login passwords written on paper in our desk because of this stupid practice. Can't use previous passwords and new password every 90 days. This is on top of 2FA.
The worst part is it actually leads users to boasting about how they `beat the system', essentially telling their coworkers what their pattern is, making the password easier to guess.
I have long felt that organizations that require password rotation for employees should, when the users are changing their passwords, record and post the old password to an internal site (without any identification of the user) for educational (and mockery) purposes.
Even if this rule technically seems benign, together with the forced change it encourages users to game the system leading to predictable patterns, eg adding a rotating letter or digit combo at the end of a same password.
The company I work for had a ransomware issue, so they got more zealous about security.
They require us to change our passwords every 45 days now. When I pointed out the NIST recommendations of not rotating passwords, they say they are following the guidance of the response team that helped them recover from the ransomware. And that the NIST doesn't actually deal with the real world.
NIST SP 800-63B is informative, not normative. It codifies existing industry-standard best-practice, but is not in itself law. However, not following best-practices may be argued as negligence if it leads to a breach or decrease in shareholder value.
Internal password resets are a bad thing. It has its place in document sharing/collaboration platforms not connected to AD as an additional layer of revoking access when people leave a company.
I'm closing in on password100... It is the only sane thing to do, a good password is hard to memorize. (passphrases are must better, but hard to type correctly first thing in the morning and take too long when I need to type my password a dozen times a day)
I mean it's great for 99% of your passwords and pretty much forces people into using randomized generated passwords.. but I still have to remember at least ONE password by heart. Whether it's 32 characters or 16 or what not, I still need SOME way to get into my password manager to even get to my passwords. So what, I'm going to make my password tacokissies69 and.. what, add a 0 every 6 months so I pass the 20 password minimum?
So a hacker can infer that my password is tacokissies69000 of some sort..
I forget who puts that stuff out NIST/STIG(?) but IIRC in the recent few years they determined that rotating passwords like that was basically security theater and wasn't worth the damage to the staffs productivity
NIST whose guidelines are admissible in court and a competent judge will take over expert testimony. (an expert witness who says something that contradicts these guidelines is guilty of perjury, though good luck persecuting that)
On one hand, I agree that just disagreeing with a guideline isn’t perjury. Especially in a case like this where lots of the industry still uses the old (bad, imo) plan.
On the other, an expert witness has specifically represented themselves to be an expert. Is there any level of incompetence that raises to the level of perjury in that case? IMO there ought to be.
That would be argued in cross-examination. A witness can be shown to be not a good witness. Perjury is very specific to knowingly lying while testifying under oath. We really don't want to expand it to areas of ignorance or disagreement; that way would stop people from testifying entirely.
This is not even near the truth. An expert (under Daubert) is someone who convinces the court they can say something relevant and reliable based on a technique that passes a test concerning:
Whether the technique or theory in question can be, and has been tested;
Whether it has been subjected to publication and peer review;
Its known or potential error rate;
The existence and maintenance of standards controlling its operation; and
Whether it has attracted widespread acceptance within a relevant scientific community.
The expert does not “know.” The expert is the only witness who can give an opinion, more or less. Because the opinion is backed up by something, the court considers it useful.
The technique they use is what’s important, not whether their opinion contradicts a fact. I think you will find in many expert trials, two experts get the same facts and come to two completely contradictory opinions, neither of which is perjury.
The rules of evidence govern what is admissible in court and I don’t recall any rule pertaining to NIST guidelines. I think what you might mean is that the guidelines are a learned treatise which, while it would be hearsay for me or you to quote as a fact witness, is nevertheless something an expert witness can refer to.
They decided it was useless security theater decades ago. What happened recently is that they discovered that they rule they used to actively push causes severe harm to security.
Yeah when I was a shipping clerk, we had a pile of usernames and passwords for the Census Bureau's Automated Export System on sticky notes next to the shared computer because the password rotation and complexity requirements made it impossible to remember our passwords.
Oh, there are many fun games from the 90's where you must infiltrate some place and every computer has some version of "due to the password rotation requirements, this week's password for the South-East door is 1-2-3-4, effective from Monday" pasted into it.
When the NIST added the bad rule into their ruleset (it was mostly a collection of bad rules at the time), it was already widely mocked in popular culture (well, within the target population).
I now wonder if that ruleset (the original one, that basically mandated you copy every flaw on Windows NT) was honest.
> The same guys also force us to change our passwords every 6 months
While I know this may be fruitless, it might be worthwhile to point out to them that the official guidance from NIST and similar organizations is now not to do this.
The IT department where I work required yearly password changes up until I brought this change to their attention, at which point they changed to simply recommending a password change if you have reason to believe it might have been compromised.
The lack of use of a non-corp domain, the typos and the use of shortened links does sound like a form of incompetence, probably at the management layer.
However, the password rotation requirement was until relatively recently something that many IT auditors would actually recommend, even though it leads directly to bad user password choices. In fact I wouldn't be at surprised to learn that was still the case in a lot of places.
Fortunately NIST has specific advice that recommends against that which is admissible in court (in the US). I'm not sure how to work through the bureaucracy to do this, but your company should sue them in court for incompetence to get their money back.
I've seen multiple accounts from IT/security people who discovered something like "this could get the company in legal trouble" with links to details was exactly what got an otherwise intractable issue resolved.
It is. I work as an IT tech at a military defense contractor and they require regular recycling passwords, with a decent number of passwords remembered. They at least have complexity requirements applied so not 100% bad, but still archaic
Heh. I just increased a number in my password for my passwords. Then just repeat. So “CompanyName[00]” meets almost all complexity requirements and all I have to do is increment the numbers.
Note: I only do this when I have these requirements and I can’t use a password manager.
The same NIST document (800-63) that recommends against password expiration also recommends against complexity requirements, instead organizations are supposed to develop a list of bad passwords that would likely be used in an external dictionary attack.
People understandably get really fired up by the idea of not having to change their password every 90 days, but forget that the guidelines are a package that contains a lot of "shall"s (no password expiration is a mere "should") that would be more painful for organizations stuck with a lot of legacy software, like the requirement to use two authentication factors and the use of secure authentication protocols.
Same problem here. My solution: Get a mouse with internal memory for macros, such as Natec Genesis GX78 (old, no longer available, but this is an example). Program your new password on one of the unused mouse buttons or in a different profile. Use the mouse to type the password.
Might be a good product to app-ify. Maybe a USB dongle that acts like a keyboard and controlled by your phone. Give it some sort of 1Password / Bitwarden integration.
I should do this for ssh password entry. Running ssh-agent is still 90% of the story, but it comes up often enough that I'm on a terminal in a remote machine or inside a screen session or something that it would still be awfully useful to be able to just autotype it.
Does it require installing 3rd party software on the host machine? This might not work great for this kind of "shadow IT" application in all environments, whereas one that acts as a USB keyboard might be more versatile.
Does it require installing 3rd party software on the host machine?
No, it identifies as a keyboard. It also defaults to generating a password that will use the same scancodes on (most?) western keyboard layouts so that computers configured to default to e.g. QWERTZ or AZERTY will still result in the same password.
Separately from the password aspect, consider how convenient it may be to use your smartphone as a kind of re-reified "clipboard": Use the camera and on-device OCR to copy text, then "paste" it as a virtual keyboard connected over USB.
It's very niche, but in those rare situations it'll be a big time-saver compared to human transcription or the rigamarole of setting up some other kind of data channel.
It can, and I tried this, but in practice we have to change our passwords at my current employer so frequently that I got more irked changing it on the Yubikey (not the least hassle-free of processes, as I couldn't install the Yubikey software on the work machine) than just typing the thing.
I had a similar experience at an old company that used M365. YMMV but with Bitwarden I generate passphrases like Pregnant-Guppy-Skateboard9 and it made it tons easier for me to type 20x a day than &7UoTod#$7OOD
I've noticed that Microsoft themselves aren't helping this right now. M365 seems to default to using random-tenant-guid.onmicrosoft.com for a lot of these transactional emails like password changes even though the official account.microsoft.com is fully multi-tenant aware and most Microsoft guidance tells you to always go directly to account.microsoft.com. These transactional email mistakes seem like another case of Microsoft accidentally exposing problems in their org chart to external customers. I imagine it has something to do with the wild rewrites from old Azure AD to new "exciting brand" Entra ID and other such shenanigans combined with Microsoft's willingness to bend over backwards to bad IT administrators and letting them set bad defaults (such as "just us the .onmicrosoft.com GUID instead of a real domain"), because companies love to pay them good money for the "control" to do stupid things in Group Policies and corporate configuration.
Combined with the fact that the largest single source of spam I'm seeing right now is also coming from random tenant GUIDs .onmicrosoft.com (is Azure really missing that much SMTP security for random M365 tenants?) and this sort of corporate anti-training users to follow bad transactional email links, it certainly feels like we are in a perfect storm of M365 phishing.
The whole Microsoft Office suite online just feels like hacky code on top of more hacky code. And combine with how your account can also be signed into your PC, and then also signed into applications. I have a work email, and two personal emails that all make use of Microsoft products. What a mess it is managing the accounts and the different systems. The business emails and accounts just seem sloppy and seem to work different than personal accounts.
Overall when compared to Google's suite of products, M365 just seems so sloppy.
Add to this the different varieties of their apps. The whole MS thing is a mess imo also because it cannot decide if it is for enterprise or for personal use. Some colleagues had to reinstall outlook, and after that things did not work properly. What actually happened was that they had googled and downloaded "outlook" from microsoft's website, instead of installing the m365 suite version. Which is basically a different application or version or whatever, but sharing the same name and app icon.
> Guess the average strength of an employee password!
It is interesting how sometimes creating "more secure" measures results on less security. Our IT department decided that using 2fa for vpn is not enough, we should also extra 2fa for connecting to the webmail even through intranet or vpn. Guess who stopped using the vpn.
Meanwhile, one can set up and use our email through any email client app on desktop or mobile without any 2fa at any step. Go figure.
Our government uses equivalent of www.mydatabox.cz (real one is mojedatovaschranka.cz).
Literally a domain that looks like from teaching material for phishing, no databox.gov.cz or something like that.
The domain is for an official legal documentation communication with government and has same legal weight as letter that was person delivered and recipient was checked against ID.
I’m supposed to pay my semi-annual property taxes (on the order of ~thousands of USD) on a site that ends in .org instead of .gov, and nobody apparently sees anything weird or wrong with it.
Some places in the US outsource not only payment processing, but the entire tax collection process to the private sector. I've heard stories of people living in Pennsylvania who have gone years without filing their local tax return because they thought the tax form was spam. Nope, that sketchy looking mail from some random business, with the .com address is the legally designated tax collector.
Yeah I got a text from one of these a couple years ago. Something like. “You have an overdue doctor bill of $183.56, please kindly pay immediately at this link: http://my-doctorpay.net/defintelylegit123. Thx!” Didn’t even include the name of the doctor or office, but after calling the only doctors office I had used recently it was apparently legit. I let them know whatever company handles their billing is completely incompetent.
What incentive do they have to change it? People will still click and still pay, and if they don’t, they’ll refer it to collections and ruin their credit. As long as the billing office gets the money, in their view, the bar for “competence” is passed.
This is something that only people like us can see. The rest of the world doesn’t care about the problem, and even if they did, they have zero incentive to fix it.
> People will still click and still pay, and if they don’t, they’ll refer it to collections and ruin their credit.
Healthcare has one of the lowest payment collection rates of any consumer industry. And as of a couple years ago, medical debt under $500 can no longer go on your credit report even after going to collections. States have passed even more consumer-friendly versions of this law, like NY where no amount of medical debt can affect your credit score.
So actually medical billers are directly hurting themselves with their incompetence in this and many other departments.
The US healthcare billing model’s total lack of authentication and disconnection from point of service means that it’s broadly plausible you do owe some random provider money at any time up to several years after your last doctor visit.
Send someone an official looking piece of paper telling them they received $394 worth of in office medical laboratory service from Tristate Medical Partners Inc in August last year, that insurance paid $374 and that they just owe you a $20 copay, and I think a lot of people will just go to the online bill pay site and hand over the money.
Worse every doctor/lab sends their own separate bill with their own separate account numbers and URLs. You could probably make a ton of money just a bill to every address in your city, so long as the amount is around $50 many will not question it anymore as they get so many of those things.
Lets not forget all the typosquatting looking domains Microsoft uses. It almost seems like they bought them up to protect users, forgot why they did that and said "hey we have all these domains, lets use those?"
Office.com redirects you to login.microsoftonline.com which isn't horribly bad, but is starting to get there. Now you have microsoft365.com and friends, too.
At least when things were login.microsoft.com you could apply the "last part is definitive" now that heuristic is pretty useless. And if you watch the actual DNS requests during a login, whew.
CDNs make it even worse, here's a few VALID requests from my DNS cache:
Also Azure AD and Entra ID and other parts of Microsoft 365 all use onmicrosoft.com, too. A fun bonus to that particular domain is the random meaningless to people GUID-derived tenant IDs in the second level. Knowing what is legitimate, and what is tied so a specific corporate tenant, seems impossible. Certainly helps Microsoft themselves avoid XSS problems, I'm sure, but greatly adds to the confusion of what is a legitimate M365 URL.
Yea, it's really fun to log into some some Microsoft site and get redirected 10 times. The domains it goes through are staggering, some of them don't even look like MS names at all. More than once I've been convinced that there is something fishy going on. Only to realize that, nope, that's the way MS wanted it.
Regarding the external domain thing, I can say that dealing with domains in a big company gets about as bureaucratic and terrible as just about everything else; I experienced this myself - at a youngish company when I needed a new sub-domain off the big official domain, it was just talk to $dude on the DNS team and he’ll help you out. And he did. A few years later once things had “grown up” a bit, I needed to update a record and I asked the same guy. He told me I needed to fill out a 25 question form and they’d review it. I about half copy and pasted it from another team member’s project and they accepted it.
Obviously it doesn’t excuse the practice, but I can see why people use alternative domains to get things done. The above anecdote was also purely within the company; I’m sure that if you add in a partner/managed service, it only amplifies the complexity.
If I saw one of those in a 100k employee company I'd first just assume it's a phish-test email and that anyone who clicks on any URL in it is going to get put in the list for remedial training.
There are, of course, a whole plethora of services that a CTO-type person can hire to phish test your employees. Some of them even have several hundred real domain names with live MX on them that you can add into your office365/gsuite mail flow permit-list controls, as an admin, to ensure that the phish test arrives correctly in peoples' inboxes.
I wish I could do that, but then that would impact my "scoreboard" on the anti-phishing tool and they would yell at me or send me to remedial "training" too. They really like to see that useless button pressed that just patronizingly tells me "Yes, this was a training exercise".
At the moment in my current corporate email address this the number one source of spam, just all the internal phishing testing emails. It feels like the attempted cure is worse than the disease and I hate getting so much useless trash.
> I wish I could do that, but then that would impact my "scoreboard" on the anti-phishing tool and they would yell at me or send me to remedial "training" too. They really like to see that useless button pressed that just patronizingly tells me "Yes, this was a training exercise".
It's actually even a worse than that for our anti-phishing tool, somehow Outlook's processing triggers the tool to think that I've interacted with the email, but after several rounds of "our tool says you clicked a link" and my reply of "I 100% didn't, let me see some logs", they now seem to ignore notifications of me clicking on phishing test links. So a win for me, I guess?
I report those as phishing in order to get the feedback to the IT team who sent them from their colleagues in infosec. (I often have had IT and infosec reporting to me, which makes this even more effective of a feedback mechanism. :) )
Yeah, was working for a (then) 15k employee company and got an email "You have expenses due". Blank content, PDF attachment. I hadn't initiated any payments (but it later turned out the bank had just charged the annual tax on my corporate card account)
Ignored it.
Later got my manager asking as the expense team had been chasing down managers of people with overdue reports.
My company's security training tells me to carefully verify any URLs in received emails, but then they have some security software that rewrites all the URLs in incoming emails - presumably as a way of screening them themselves.
This might be a reasonable trade-off for centralising monitoring, but it significantly hampers the ability to judge the legitimacy of emails myself. At least update your training!
My company does that too, it's really annoying. They also sometimes send out mass emails for things like surveys but link to some third party service. I've even seen them put, in the email, things like "the link goes to a trusted third party and is perfectly safe". Why should I trust that if I'm already suspicious of the emails legitimately?
Our last round of security training was roundly mocked by our software division, especially around the subject of one of the rules emphasized over and over being to "never click URLs in emails" and the sign-in process for the website alongside the distribution of lessons was done exclusively through magic links... in emails.
Our CEO is actually a developer himself on our core product (and a bit of a paranoid fella on the cybersecurity front to boot) and he was absolutely furious about this vendor being chosen...
M365 has an option to rewrite URLs in incoming emails. It's horrible, at least for people that can actually read URLs. Every link turns into a 300 character mess that I have no idea if its valid or not. The only way to tell is to click it. Maddening!
On our company (hosting & PaaS), I was contacted on our internal messenger by a person I've never seen before, asking me to "please" run some commands as root and send back the results. After the initial shock (and due infosec diligence) I found out it was just "the new guy", needing to collect info about our systems for equipment inventory purposes. Since they didn't have access to our networked management tool yet, and didn't know the finer points about how running `curl ... | sh` randomly is not a good idea, they thought it would be ok to get that information piecemeal directly from people.
When I worked at Sun Microsystems, they had a clever launcher shell script dealie for things like StarOffice documents that did usage tracking, portability fixes (usually setting obscure environment vars), and of course downloading and opening the actual document. Then they started sending those shell scripts as email attachments. One day they sent out an email telling people to not open executable email attachments: the full memo was a SO document wrapped in one of these scripts.
To their credit, after the inevitable replies to that email they never used that wrapper again (they moved the launchers to the centralized NFS install where they always should have been)
Banks do this as well. I made a purchase, and within minutes got a very scammy looking e-mail from them - low quality gifs, asking me to click on links to a random non-bank website(something like purchase-verification-users.net/235532/confirm.html, and the site wasn’t coming up on any searches). At the same time I get a call from a random number asking me to go over some purchases - I looked up the number, and it’s none of the ones listed for my bank.
So I hang up and call my bank directly. I spend 10 minutes going through the phone maze to talk to someone. Finally I get to them, and they confirm that is a number that they use to contact people. How come when you list numbers on your website you don’t list this one? Well, they said they often call from numbers they haven’t listed online. How about that e-mail, do you send those? Well, we sometimes contact people by e-mail, if it says it’s from us in the from: line you can click on it. Did you guys send that one? I don’t have that information; don’t click on it if the from: line isn’t us, but if it is, go ahead.
Similar unforced error: I got emails from healthcare.gov for required actions on the site's marketplace. But the links used the lnks.gd shortener, hiding what domain you were actually going to end up at! They're encouraging people to blindly click on links with no idea where it takes them!
What's worse, you can't even go to the lnks.gd root to check where a shortened link is going. And the "shortened" link was actually longer, with all the payload crap they rolled in. They could have just used the normal url plus small internal identifier of which email it was if they needed to track it, and it would have been shorter.
There was no reason to use a shortener, let alone such a shady one!
The company I work for has a service that sends phishing test emails to everyone that you are supposed to report. I take great joy in reporting every legitimate email that is at all sketchy just for the inevitable email back from the security team informing me that they reviewed my report and it was indeed a legitimate email.
Okay, but this isn't a bulk email. It's a very specific situation personal to the receiver and will never be sent to anyone else. (Obviously the template will be used for multiple emails, but that's not what defines a bulk email, even though bulk emails can also be defined using a template.)
So use a different domain for corporate email. The only reason not to is if you are prioritizing the identifiability of your corporate email over the identifiability of your actual customer-facing operations.
When I bought a car once, I received an email a few months later saying I hadn't proven I had obtained insurance on it, and the bank wanted me to visit a domain that wasn't theirs to provide proof.
The email I got looked like a badly-scanned letterhead and was very, very fishy.
After I received a few of them, I finally contacted the bank and it was legit.
I tried telling the office person (not just a clerk at the counter, someone with their own desk) about the situation and they couldn't understand why it was bad.
I soon paid off that loan and got away from that bank.
Happened to me with my mortgage. Got this very weirdly phrased letter about how my homeowner insurance info needed to be updated/confirmed and that I had to go to <random website> to clear it out.
I called my insurance broker and yes indeed it was legit. I also tried to explain to them how this letter was a few steps removed from a Nigerian prince scam based on all the red flags, but i don't think it made a big difference.
The national insurance providers are often pretty slow or shady when it comes to claims, but I've never had a bad experience with Allstate or State Farm when it comes to their cybersecurity and domain experience. Allstate's frontends (web and app) sometimes feel more clunky but their APIs feel good enough and sites seem to follow good design practices.
Phishing and workflows like this are handled by the same profile of employees. Low paid, outsourced, hating their job, doing the least possible. That's why they're indistinguishable. Reliable workflows, record profits, high salaries and bonuses for executives - pick two.
In a Blackhat talk several years ago Adam Shostak had a clever term for companies interacting with you in ways that were indistinguishable from scammers.
He used the term "scamicry": legit communications that mimic scams. For example when a company calls you directly and asks for your security details, but offer you no way to verify who they are first.
DHL, FedEx, and UPS are experts in overcharging to process a form and not caring about customers. Duty and VAT are usually low compared to this processing fee, and shipping has already been paid. Here is the catch in the EU, this simple duty form can be processed by the receiver, an agent (some related to the carrier), or an attorney-in-fact of the receiver. The big three carriers (and many others) threaten you if you refuse to use them.
At the end of the day, they don't care if we get phished or scammed; it is all of customs confusion. Next time process your customs form, you will realise how much money you will save, and the form only has less than 8 fields, the Union Customs Code is easy to read.
In Finland you can declare DHL/UPS/Fedex packages yourself with customs and pay directly to them, with no fees to carrier (it took a Finnish Competition and Consumer Authority decision in 2017 to get rid of the fees, though). But this is a bit different as it is not a hidden option but standard procedure (though you still get the option of paying the carrier to declare, instead).
Declaring inbound packages to Customs by yourself was already the standard here for postal parcels even before Customs internet services, so this was not a completely new way of working.
This. They have been paid to ship an international package. Billing the recipient for delivery is just dishonest. I assume they do it, to make their price for the shipper look artificially low.
For this reason, whenever possible, I choose delivery through the post office.
This fits nicely with my experience of FedEx. They sent me a bill 7 months after I had received the package. A few days later I get a reminder that doesn't include the necessary information for payment, which seems rather lazy and stupid since an unpaid bill might well have been lost. It refers me to www.fedex.com where I'm told to create an account. I do that only to find it doesn't know anything about my bill. By chance I do find the original bill shortly afterwards. Turns out this bill sent 7 months late had very small text saying "to be paid immediately", the first time I see that on a bill (it's usually 30 days in my country). Of course they sent me a second reminder 10 days after I paid.
I've had this, but the first thing I heard was that my customs charge was sent to collections. Cue lots of scary messaging about debt collection, none of which said anything other than this was for a FedEx parcel of some kind
If you ever drive on a toll road in Texas (there are a lot of them and more every year) there are no toll booths that allow you to pay then and there but you'll get a bill in the mail 6-12 months later informing you that this is your fifth and final warning and you owe $4 for the toll and $80 in late fees. I guarantee you the people behind this have friends or family in the Texas legislature supporting them.
Reminds me of the mess that the LTA are in the UK regarding getting Wimbledon tickets.
Over the years they've changed domains several times, had a breach, reset passwords multiple times, and now do part of their login via a random third party site (but to make it worse they push you to sign you up to a second form of account which logs in separately!)
574 comments
[ 3.3 ms ] story [ 352 ms ] threadEdit: "sender" here refers to the sender of the electronic notification.
FedEx needs to do a better job with these notifications. At the very least they need to hire a copywriter.
Then about five months later, I got a bill from FedEx for import fees, tax and service charges. Had to fight with FedEx for some time about it but eventually they agreed to void the bill. At this point in time, I have no idea if I paid the taxes when I bought the stuff, if FedEx paid them out of pocket or if the sender paid them out of pocket.
4. You paid the taxes when you bought the stuff. Fedex wants the taxes anyways. They would have kept your extra taxes for themselves in the end.
5. You paid the taxes when you bought the stuff. Fedex wants the taxes anyways. They would have paid the extra taxes. The government kept them because, hey, they trust Fedex.
6. You paid the taxes when you bought the stuff. Fedex wants the taxes anyways. They would have paid the extra taxes. The government kept them but eventually returned them, because some kind of accounting kicked in.
7. You didn't pay the taxes when you bought the stuff. The sender didn't either. Fedex informs the sender and you. Fedex pays out of pocket. The sender pays out of pocket.
Could have happened if you paid:
8. You didn't pay the taxes when you bought the stuff. The sender didn't either. Fedex informs the sender and you. Fedex pays out of pocket. The sender pays out of pocket. You pay out of pocket. Fedex keeps twice the taxes in the end.
9. You didn't pay the taxes when you bought the stuff. The sender didn't either. Fedex informs the sender and you. Fedex pays out of pocket. The sender pays out of pocket. You pay out of pocket. The fed. governemnt keeps triple the taxes.
And many variations I can't think of right now.
I mean in the general case - how much does FedEx win or loose from problems like this?
If they win, do they exploit it, by design or incompetence?
For every utterance of "reasonable" in law you can be sure over $1B of laywer fees have been (or will be) spent.
Compare Legal Tender against an ordinary Reasonableness test. Legal Tender says that I only have to accept payment of your debt in specific forms (the "Legal Tender") and I can refuse to accept other payment.
So maybe our currency is Doodads, the Legal Tender law specifies that the 10 and 50 Doodad Coins shall be Legal Tender, and you owe me 15000 Doodads. You try to pay by card, I refuse. You try to write a cheque, I refuse. You try to pay with 150 of the 100 Doodad Coins, but again I refuse. Eventually I take you to court and... I win?! You did not pay your debt in the required Legal Tender.
With Reasonableness the court might buy that it was OK to refuse to accept the card (maybe I don't have a merchant account) and maybe even the cheque too (but already by then I expect a judge to have a lot of questions about how I thought you would pay and I'd better have a really good answer) but the 100 Doodad Coins are clearly money, with Reasonableness as our standard it's obvious that I lose my case, there's no need to write a law saying "Yeah duh, the 100 Doodad Coin is money" because a reasonable person can see that.
They are, since non compliance will either result in destruction of the package or sending it back (differs a bit per country and type of goods).
It's a bit sad there are no easy ways to prepay taxes and it's hit or miss if you get checked. I'm glad the EU figured it out and have almost no weird surprises any more, except from the Uniteds (states and kingdom).
Then I later got a physical letter in the mail about the same, and then I called the bank. Apparently I had some account there holding some pension stuff from a previous employer. Shrugs.
Nearly 100% of the time, I am expecting a notification from Canada Post or Amazon (FedEx less frequently, but still).
Even outside of that, you can often predict when people are expecting a package. Christmas. After various sales weeks.
When you’re not constantly buying things online. Most people in the world aren’t expecting packages “nearly 100% of the time”.
What annoys me is that even the legit SMS notifications contain nothing identifiable about the package or sender, it's always "Your shipment #QWERTYUIOP is arriving by UnrelatedCourier between 1 AM and 11 PM today".
Some of those can have over a month between purchase and reception, and might be shipped at arbitrary dates after purchase
I'm not that big of an online shopper, but there's certainly people that are
Do these people need to buy shit constantly? I order maybe 5 packages a year, max
Some people still prefer to buy most things directly in physical stores. For me, would be easier to list the few times when I am expecting a package. And even then, I'm expecting the package, not some random message about it; it usually arrives without any notification at all (and the tracking on the site is usually delayed).
You're right though that there are other mechanisms for this, it was around the holidays when this happened most recently. Plus humans tend to remember salient things and I probably more easily forget the ones that come when I'm expecting nothing.
Anyway, if their systems were better it would be easier to avoid scams without stress. I've never had to rely on external info for Amazon and it's true I'm often expecting something from them.
I know we tech people think this is type of messaging is ridiculous, but I’m constantly pulling less technical friends and family away from crap like this. Half a dozen have asked me about Elon Musk’s crypto trading breakthrough.
Could easily be one person writing the message. Another who demanded partial edits in a Jira ticket. But then the data types didn't match up with what the writer requested and then the dev didn't want to deal with it and just shipped it.
Or it could be that the message is made with a bunch of disjointed and constructed if statements and only the final output is piped to the customer. I have seen some very terrible log messages like that as nobody is looking at the entire message, just the little bit in the conditional they are editing at that point.
As an anecdote, I once worked on code that generated these very detailed error messages about why something went wrong. I discovered most never made it to the customer as someone later down the line reassigned a variable rather than +=. Piles of support tickets could have been avoided.
Whether or not the provider makes the customer pay with a credit card has no impact on if the provider requires templated SMS messages.
"Incompetency" is an interesting word.
The old maxim about incompetence versus malice suggests a binary choice.
I prefer the more nuanced take that there is a spectrum of positions between the two, and other dimensions that describe a cluster of intents, both conscious and unconscious.
Take the UK Post Office scandal where we see incompetence layered on top of malice, layered on top on incompetence. In some organisations obviously deliberately harmful positions are written into "policy". Often this comes under "PR" [fn:1]. More and more "AI" will be used to disguise malintent and deflect scrutiny.
In the final episode of the ITV dramatisation [0], Alan Bates (played by Toby Jones) delivers an absolutely shocking, knock down line. When talking about incompetence and evil he says: "They're the same thing" At some point there is no difference between incompetence and evil. For a deeper psychological discussion of that listen here [1].
[0] https://en.wikipedia.org/wiki/Mr_Bates_vs_The_Post_Office
[1] https://cybershow.uk/episodes.php?id=23 (from 39:20)
[fn:1] Edward Bernays seminal definition of public relations outlines a creed of deception, manipulation and disinformation which is antithetical to security [2].
[2] https://en.wikipedia.org/wiki/Public_Relations_(book)
These days though, like most scams the 419 scams have been taken over by organized crime and worse. The average Nigerian scammer nowadays is probably doing it because Boko Haram will kill their family if they don't.
Just doesn't make much sense for people whose time is valued in cents per hour and whose theoretical earnings are in the thousands to optimise for screening out non-gullible people, plus the 99.9% of gullible people that have some sort of spam filter in the loop. But hey, if someone's shared that Microsoft Research paper with the scammers and they've come to believe that using formats that almost invariably bump into spam filters is actually a shrewd move on their part, who am I to discourage them?!
I don't know about Boko Haram involvement, but I assume the organized crime guys have some sort of MLM-style operation scamming Nigerians into paying for the get-rich-quick opportunity.
I am lucky to live in a country in which a large religious population eschews the smartphone, so saying "I don't have one" is acceptable and common here. But I have colleagues who tell me that they are expected to have a smartphone from everything to banks to government services to simple small restaurants.
But then I remembered, I already belong to a religion that makes the ownership of a smartphine quite unconscionable to me.
Indeed I wrote about how even a religious objection is unnecessary when there's a knock-down argument on the grounds of what is merely patently unethical.
> are expected to
I find these "expectations" come from those who didn't read Dickens.
[0] https://news.tuxmachines.org/n/2023/03/06/Microsoft_is_Not_a...
Banks do similar dumb things. I once vented to a a Wells Fargo security manager about a similar issue. They had no defense at all.
Even worse, is where attempts to query that security is actively punished.
This is typical now. Listen here (at 42:20) with an example regarding the UK NHS whose incompetence plays directly into the hands of cybercriminals.
[0] https://cybershow.uk/episodes.php?id=24 (time:42:20)
like this case: https://news.ycombinator.com/item?id=37250024
or are you referring to the call itself? i wonder why they need to do that.
Instead they try to do the wrong unsafe thing, but when pointed out they switch the script. So they can't even claim ignorance of basic security .
You can find that number in the sms on an official FedEx page somewhere or other - I ended up using that as enough evidence to trust and call.
I get the feeling this system as a whole doesn't see much use - from a FedEx perspective, the vast majority of people paying duty will be via some specialised importer, not b2c direct.
You can't make this up.
What the hell.
https://t3n.de/news/sparkasse-digital-strategie-cds-per-post...
Since no-one has a CD drive in their computer anymore, the security risk is negligible
https://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootk...
"The Sony BMG CD copy protection scandal concerns the copy protection measures included by Sony BMG on compact discs in 2005. When inserted into a computer, the CDs installed one of two pieces of software that provided a form of digital rights management (DRM) by modifying the operating system to interfere with CD copying. Neither program could easily be uninstalled, and they created vulnerabilities that were exploited by unrelated malware. One of the programs would install and "phone home" with reports on the user's private listening habits, even if the user refused its end-user license agreement (EULA), while the other was not mentioned in the EULA at all. Both programs contained code from several pieces of copylefted free software in an apparent infringement of copyright, and configured the operating system to hide the software's existence, leading to both programs being classified as rootkits."
https://en.m.wikipedia.org/wiki/Sony_BMG_copy_protection_roo...
The common way to get USB malware to install automatically those days was to modify the USB drive to appear as a virtual disc drive, which worked.
Ramble Edit: it's unfortunate IMHO that there is no "read only" medium anymore. Not sure what it would look like now when USB-C is taking over the world, and that ship probably sailed, but it would be really cool and useful to have the option of a "data only" USB.
Maybe computers could have one USB port marked as "ROM". Or a switch or LED symbol indicating "ROM safe" mode.
When using such a ROM port, anything USB inserted there would only look like a DVD reader. A USB drive would get its files "mirrored" into a virtual ISO filesystem. Any other devices, such as keyboards etc would be just ignored and not connected to at all.
Also, this is only a software solution as the USB protocol would require bidirectional transmission.
But it would bring us back to being as safe as a CD or diskette was.
I was thinking a special chip, talking bidirectionally both ways, pretending to be a PC host to the USB drive, and pretending to a DVD-ROM to the actual PC.
Then there are LTO tapes that have WORM version, which is notionally not overwritable, but that is IIRC also only enforced by software (of the drive).
Even the (*-grand)parent never said the law actually says it can't be an email attachment, they said companies seem to interpret it that way. Which would not be surprising in the least. Then someone said they've never heard of any such law, and I pointed out that it exists.
I'm not sure who you're arguing with but it isn't me or in fact any of the people in this thread.
Sheesh, reading comprehension, please. That or stop moving the goalposts
> Durable media should enable the consumer to store the information for as long as it is necessary for him to protect his interests stemming from his relationship with the trader. Such media should include in particular paper, USB sticks, CD-ROMs, DVDs, memory cards or the hard disks of computers as well as e-mails.
USB sticks are on the list, but so is paper and e-mail. This USB stick could have been an e-mail.
Yes, if two people are going to answer with the exact same link and nothing else, I'm going to answer both with the exact same comment.
> Opinion of Advocate General Mengozzi delivered on 6 March 2012.
> [...]
> In the light of the foregoing considerations, I suggest that the Court answer the question referred to it by the Oberlandesgericht as follows:
It is not the court's decision.
Why the bank decided to use USB for this purpose, instead of paper, is very strange.
Still, actual write-once (or read/write until hardware fuse is triggered, read-only afterwards) SD cards should be possible to make.
I've definitely encountered read-only SD cards which I couldn't figure out a way to set it back to RW mode.
I think that's shown by the post statistics: around 25 letters received per resident, per year.
I can't remember the last letter I received which only contained papers.
Do you have a source backing that up?
Aside from the local tax collector, which insists on snailmailing me a copy of all correspondence even though they also sent everything to me digitally, I can't even remember the last time I received any documents on paper, and I'm in the EU.
https://www.fca.org.uk/firms/durable-medium
https://www.lexology.com/library/detail.aspx?g=788714a1-d7b6...
Why did you need a source for this?
"A PDF can therefore meet the definition of a durable medium."
https://www.fca.org.uk/firms/durable-medium
https://www.lexology.com/library/detail.aspx?g=788714a1-d7b6...
This is like buying vegetable & olive oils from BP or Shell because they're oil experts looking for new income streams as we shift away from petroleum.
https://archive.is/63xoB
ich arbeite als (externe) CyberCyberCyber Nase in einer Organisation irgendwo in der Sparkassengruppe. Ich kann dir versichern, dass niemand, der auch nur im entferntesten was mit InfoSec in der Bank zu tun hat, von dieser Marketing Idee erfahren hat.
"I work as an (external) CyberCyberCyber nose in an organization somewhere in the Sparkassen-group. I can assure you that no one who is involved even the slightest with infosec at the bank, has heard anything about this marketing idea."
Just be sure to use the included NOTVIRUS.EXE viewer for best experience.
Hyperbole, but it's like a bank employee calling you from an unknown number and asking for your email password so they can make sure their communications about your mortgage application don't go to the spam folder.
Oh, trust me, it'll absolutely come from the bank where they're doing all the due diligence necessary, and not from a random malicious party!
It'll say FROM THE BANK on the envelope, so you'll know it's legit.
>I am using Linux anyway.. No autorun.exe here.
Oh, you'll have to do a bit more work then. Just follow the instructions included in the envelope, and run
from the terminal from the root directory of the USB drive once you mount it.> Terms and Conditions, Price and Service List, Conditions.
> Dear customer,
> our price and service list, our terms and conditions, as well as further conditions which will come into effect on May 1, 2024, can be found on the USB stick.
> With kind regards,
> The Sparkasse Bremen AG
GP: If you're going to play a curmudgeon, at least get some first hand experience with what you choose to complain about, otherwise your curmudgeoning isn't very effective, and you complain about things that aren't actually problems, and miss out on complaining about real problems.
I love to hate and complain about Unix and X-Windows and C++ and GCS, but that's because I've used them, not because I succeeded in avoiding them.
Like an English satirical poem to perfect German. Changing the literal translation to keep the meaning and sarcasm of the poem.
https://en.wikipedia.org/wiki/Simlish
https://news.ycombinator.com/item?id=35539207
Prompt: Write an a cappella cover of a Philip Glass song in Simlish.
ChatGPT-4:
Creating an a cappella cover of a Philip Glass song in Simlish presents an interesting challenge. Philip Glass is known for his minimalist compositions that often consist of repetitive structures, and Simlish is a nonsensical language. Since Glass's compositions are largely instrumental, I will create an a cappella adaptation inspired by his musical style while using Simlish-like sounds.
Remember, this adaptation is meant to be playful and fun, as it doesn't have any real meaning or convey any specific message. The focus here is on capturing the essence of Philip Glass's minimalist compositions using Simlish-like sounds in an a cappella context.Hah!
It's gotten to the point now where it sometimes actually is impossible to speak to a human being in customer service - the thick layers of chat bots, deliberately gated 'contact us' pages and "why not use our app" nags.. ..if you're savvy enough to know already that only a human can resolve your particular query, getting hold of one can become a time consuming and sometimes traumatic experience. (only slightly tongue-in-cheek, I do actually believe this affects mental health)
If anyone has honest anecdotes around this I'd love to hear from you (maybe privately is best if its detailed accounts)
1 time I was right it is a scam, 2 times it was wrong.
Booking.com should make a proper report payment circumvent button and kick out all hotels who do it.
A funny thing I discovered in this process is that "delivery instructions" are shared for all packages to a given address regardless of the associated name, and never flushed unless you go in and do it manually on their website. I found the name and contact information for the prior tenant of my unit on the FedEx site with no other info besides 1 tracking number to the address (it also let me change the delivery instructions with said info). Potentially they were still calling that person when they tried to deliver initially, though I have other reasons to doubt they actually came to the door that day.
Of course, the scammers already have the scam systems in place, so they can win the bid on price :D
I know this sounds ridiculous, but I doubt anything will make better sense than this :P
- Coming from a domain that looks nothing like the official domain of the company, rather some generic @itservice.com or something. - Subject: "URGENT: your account is expiring soon". - Multiple links provided in the email body, all illegible and multiple lines long, none of them from a domain that I can immediately link to the company. - No alternative way of resolving the issue is provided other than clicking on one of those links (no "go to your account settings", "contact your line manager" or so).
And still, it turns out it was real.
~100k employees company btw
Sorry for the probable sarcasm. In a company that size, if the IT center does not provide a means to report phishing attempts then there are more serious problems than a dodgy email campaign.
email is well and truly dead.
I suppose, if you want to train people to not click on links, that's a fun way to do it.
I am usually a bit pessimistic about it though. If their SOP doesn’t account for “looks like phishing but is from internal sender” then chances are that nobody connects the dots and informs that sender.
The intelligence of a small and motivated IT team seems difficult to scale.
The same guys also force us to change our passwords every 6 months and block the last twenty. Passwords we have to enter in systems that can’t pull directly from password managers and thus have to type 10-20 per day. Guess the average strength of an employee password!
I think IT incompetence should lead to audit fails or even better delisting from exchanges.
It's good we have 26 letters, that comfortably leaves you a margin of 6 combinations :-)
Fear of policy is why you get things like "force us to change our passwords every 6 months and block the last twenty". Getting a central arbiter of IT competence is a hard problem.
If your company does forced password updates, they are not following the NIST recommendation: https://pages.nist.gov/800-63-FAQ/#q-b05
If your company is not following the NIST recommendation, they are incompetent, and will be held liable in case of a breach.
They require us to change our passwords every 45 days now. When I pointed out the NIST recommendations of not rotating passwords, they say they are following the guidance of the response team that helped them recover from the ransomware. And that the NIST doesn't actually deal with the real world.
This is a stretch. Liable? Please show the case law, or the legislation.
(My statement has no relevance to the validity of NIST's recommendations)
There are 1000s of such organizations, and many conflict with each other.
My point is, it's inaccurate to say you are liable for not following NIST. I could easily say you could be liable, for not following me.
Does that make it so? No.
Password1
Password2
Password3
Etc
PasswordFebruary2024!
Where month and year update on the date of forced password change.
hunter3
hunter4
hunter5
Password1
Password1
Password1
Etc?
So a hacker can infer that my password is tacokissies69000 of some sort..
NIST has very good password complexity and management guidelines. Just USE THEM! It’s not that hard!
How do you have billion dollar companies that can’t RTFM.
On the other, an expert witness has specifically represented themselves to be an expert. Is there any level of incompetence that raises to the level of perjury in that case? IMO there ought to be.
Whether the technique or theory in question can be, and has been tested; Whether it has been subjected to publication and peer review; Its known or potential error rate; The existence and maintenance of standards controlling its operation; and Whether it has attracted widespread acceptance within a relevant scientific community.
The expert does not “know.” The expert is the only witness who can give an opinion, more or less. Because the opinion is backed up by something, the court considers it useful.
The technique they use is what’s important, not whether their opinion contradicts a fact. I think you will find in many expert trials, two experts get the same facts and come to two completely contradictory opinions, neither of which is perjury.
Now there's a positive rule about not doing it.
When the NIST added the bad rule into their ruleset (it was mostly a collection of bad rules at the time), it was already widely mocked in popular culture (well, within the target population).
I now wonder if that ruleset (the original one, that basically mandated you copy every flaw on Windows NT) was honest.
"Come to think of it, it's about time to replay Deus Ex again..."
While I know this may be fruitless, it might be worthwhile to point out to them that the official guidance from NIST and similar organizations is now not to do this.
The IT department where I work required yearly password changes up until I brought this change to their attention, at which point they changed to simply recommending a password change if you have reason to believe it might have been compromised.
However, the password rotation requirement was until relatively recently something that many IT auditors would actually recommend, even though it leads directly to bad user password choices. In fact I wouldn't be at surprised to learn that was still the case in a lot of places.
Note: I only do this when I have these requirements and I can’t use a password manager.
People understandably get really fired up by the idea of not having to change their password every 90 days, but forget that the guidelines are a package that contains a lot of "shall"s (no password expiration is a mere "should") that would be more painful for organizations stuck with a lot of legacy software, like the requirement to use two authentication factors and the use of secure authentication protocols.
ReallyLongP@assword$01, ReallyLongP@assword$02, ReallyLongP@assword$03, and so on.
Same problem here. My solution: Get a mouse with internal memory for macros, such as Natec Genesis GX78 (old, no longer available, but this is an example). Program your new password on one of the unused mouse buttons or in a different profile. Use the mouse to type the password.
Could make it double as a YubiKey.
Surely this exists already?
No, it identifies as a keyboard. It also defaults to generating a password that will use the same scancodes on (most?) western keyboard layouts so that computers configured to default to e.g. QWERTZ or AZERTY will still result in the same password.
It's very niche, but in those rare situations it'll be a big time-saver compared to human transcription or the rigamarole of setting up some other kind of data channel.
1: http://inputstick.com
2: https://github.com/inputstick
Then I became CTO and retired the policy to align to modern NIST recommendations, so that "18" is in there forever :)
Combined with the fact that the largest single source of spam I'm seeing right now is also coming from random tenant GUIDs .onmicrosoft.com (is Azure really missing that much SMTP security for random M365 tenants?) and this sort of corporate anti-training users to follow bad transactional email links, it certainly feels like we are in a perfect storm of M365 phishing.
Overall when compared to Google's suite of products, M365 just seems so sloppy.
This should be out of the hands of the local IT clowns entirely.
It is interesting how sometimes creating "more secure" measures results on less security. Our IT department decided that using 2fa for vpn is not enough, we should also extra 2fa for connecting to the webmail even through intranet or vpn. Guess who stopped using the vpn.
Meanwhile, one can set up and use our email through any email client app on desktop or mobile without any 2fa at any step. Go figure.
It’s insane.
Literally a domain that looks like from teaching material for phishing, no databox.gov.cz or something like that.
The domain is for an official legal documentation communication with government and has same legal weight as letter that was person delivered and recipient was checked against ID.
Woohoo free miles! Sometimes the fee is so low that even when they do charge it, it's worth using the credit card.
Still can't believe it
Best hope the government of Macedonia remains friendly I guess
This is something that only people like us can see. The rest of the world doesn’t care about the problem, and even if they did, they have zero incentive to fix it.
Healthcare has one of the lowest payment collection rates of any consumer industry. And as of a couple years ago, medical debt under $500 can no longer go on your credit report even after going to collections. States have passed even more consumer-friendly versions of this law, like NY where no amount of medical debt can affect your credit score.
So actually medical billers are directly hurting themselves with their incompetence in this and many other departments.
Send someone an official looking piece of paper telling them they received $394 worth of in office medical laboratory service from Tristate Medical Partners Inc in August last year, that insurance paid $374 and that they just owe you a $20 copay, and I think a lot of people will just go to the online bill pay site and hand over the money.
At least when things were login.microsoft.com you could apply the "last part is definitive" now that heuristic is pretty useless. And if you watch the actual DNS requests during a login, whew.
CDNs make it even worse, here's a few VALID requests from my DNS cache:
store-images.s-microsoft.com-c.edgekey.net
www.msftconnecttest.com
123499-ipv4v6.farm.dprodmgd103.aa-rt.sharepoint.com
download.windowsupdate.com.edgesuite.net
At least some end in apparently legitimate domains, but sheesh, that last one looks like something straight out of 2000s era scams.
Obviously it doesn’t excuse the practice, but I can see why people use alternative domains to get things done. The above anecdote was also purely within the company; I’m sure that if you add in a partner/managed service, it only amplifies the complexity.
There are, of course, a whole plethora of services that a CTO-type person can hire to phish test your employees. Some of them even have several hundred real domain names with live MX on them that you can add into your office365/gsuite mail flow permit-list controls, as an admin, to ensure that the phish test arrives correctly in peoples' inboxes.
At the moment in my current corporate email address this the number one source of spam, just all the internal phishing testing emails. It feels like the attempted cure is worse than the disease and I hate getting so much useless trash.
It's actually even a worse than that for our anti-phishing tool, somehow Outlook's processing triggers the tool to think that I've interacted with the email, but after several rounds of "our tool says you clicked a link" and my reply of "I 100% didn't, let me see some logs", they now seem to ignore notifications of me clicking on phishing test links. So a win for me, I guess?
Ignored it.
Later got my manager asking as the expense team had been chasing down managers of people with overdue reports.
This might be a reasonable trade-off for centralising monitoring, but it significantly hampers the ability to judge the legitimacy of emails myself. At least update your training!
Our CEO is actually a developer himself on our core product (and a bit of a paranoid fella on the cybersecurity front to boot) and he was absolutely furious about this vendor being chosen...
It happens.
To their credit, after the inevitable replies to that email they never used that wrapper again (they moved the launchers to the centralized NFS install where they always should have been)
So I hang up and call my bank directly. I spend 10 minutes going through the phone maze to talk to someone. Finally I get to them, and they confirm that is a number that they use to contact people. How come when you list numbers on your website you don’t list this one? Well, they said they often call from numbers they haven’t listed online. How about that e-mail, do you send those? Well, we sometimes contact people by e-mail, if it says it’s from us in the from: line you can click on it. Did you guys send that one? I don’t have that information; don’t click on it if the from: line isn’t us, but if it is, go ahead.
Worth noting - do not trust the incoming callerid number. This is trivial to fake.
What's worse, you can't even go to the lnks.gd root to check where a shortened link is going. And the "shortened" link was actually longer, with all the payload crap they rolled in. They could have just used the normal url plus small internal identifier of which email it was if they needed to track it, and it would have been shorter.
There was no reason to use a shortener, let alone such a shady one!
Seriously just use your main domain for URLs. For me at least that clears up 99% of this.
I dont want to memorise a list of valid mystery domains for each shipper. Is that really too much to ask?
If they use their main domain, their normal corporate email will get blocked by anti-spam filters.
So everyone uses a different, unrelated domain for bulk mails.
If the CFO gets their mail dropped, they'll fire the IT guy.
If a customer is a bit cranky... nothing happens.
The email I got looked like a badly-scanned letterhead and was very, very fishy.
After I received a few of them, I finally contacted the bank and it was legit.
I tried telling the office person (not just a clerk at the counter, someone with their own desk) about the situation and they couldn't understand why it was bad.
I soon paid off that loan and got away from that bank.
I called my insurance broker and yes indeed it was legit. I also tried to explain to them how this letter was a few steps removed from a Nigerian prince scam based on all the red flags, but i don't think it made a big difference.
But I can't remember what the memorable term was.
https://i.blackhat.com/us-18/Wed-August-8/us-18-Shostack-Thr...
He used the term "scamicry": legit communications that mimic scams. For example when a company calls you directly and asks for your security details, but offer you no way to verify who they are first.
At the end of the day, they don't care if we get phished or scammed; it is all of customs confusion. Next time process your customs form, you will realise how much money you will save, and the form only has less than 8 fields, the Union Customs Code is easy to read.
In Finland you can declare DHL/UPS/Fedex packages yourself with customs and pay directly to them, with no fees to carrier (it took a Finnish Competition and Consumer Authority decision in 2017 to get rid of the fees, though). But this is a bit different as it is not a hidden option but standard procedure (though you still get the option of paying the carrier to declare, instead).
Declaring inbound packages to Customs by yourself was already the standard here for postal parcels even before Customs internet services, so this was not a completely new way of working.
CBSA should require affirmative opt-in to use the shipper as the broker, and allow you to file the paperwork yourself on their site.
For this reason, whenever possible, I choose delivery through the post office.
If you ever drive on a toll road in Texas (there are a lot of them and more every year) there are no toll booths that allow you to pay then and there but you'll get a bill in the mail 6-12 months later informing you that this is your fifth and final warning and you owe $4 for the toll and $80 in late fees. I guarantee you the people behind this have friends or family in the Texas legislature supporting them.
Over the years they've changed domains several times, had a breach, reset passwords multiple times, and now do part of their login via a random third party site (but to make it worse they push you to sign you up to a second form of account which logs in separately!)