March 25th, 2005
So much for the bill of rights.
The US Treasury online site requires the Treasury Direct account number and the recipient's social security number to transfer bonds as a gift. This is fine between immediate family members, but what about a gift from other relatives and friends? Imagine telling relatives and friends your treasury account number and social security number just so they can send a gift to your child.
One more piece of personal information has fallen into common use.
So, here's a list of personal information that is pretty much handed out as public knowledge nowadays:
- Name (of course)
- birthday
- social security number
This information is still somewhat private (or at least hard to find – until ChoicePoint starts selling the information to anyone and everyone with a credit card):
- mother’s maiden name
- city of birth
- driver’s license number
- passport number
And information that is less commonly asked for and may actually not be well known:
- favorite color
- pet’s name
- first model of car
It's funny that online sites that ask for this information as additional authenticators may very well be more secure than those that rely only on a social security number and mother's maiden name.
Posted in Trends | 1 Comment »
March 17th, 2005
It seems I get at least 2 or 3 faked messages a day from PayPal and eBay, which are (ironically, for reasons I will soon explain) the same company. The claims are that my account will be suspended, or has been accessed illegally, or might have been compromised, and that I need to provide my login info again to avoid being deactivated.
It seems these problems persist and aren’t being addressed by eBay or PayPal because:
- eBay/PayPal isn’t communicating to users what legitimate communication should look like
- eBay/PayPal uses HTML to communicate, making it easier for impostors to hide fake addresses behind a legitimate-looking link.
- eBay/PayPal has in the past (and maybe still does) allowed their official graphics to be included in email, making it easier for impostors to fake a legitimate-looking email.
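The second point is checkable mechanically: an HTML link's visible text can name one host while its href goes somewhere else. The following is an added example (not code from the original post) that walks an HTML body and flags links where the host shown in the text differs from the host the href actually resolves to; the sample message and its addresses are constructed.

```python
# Added example: flag HTML links whose visible text names one host while the
# href points at a different one. The sample message below is constructed;
# the hosts in it are placeholders, not real phishing infrastructure.
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently being read
        self._text = []     # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Hostname named by a URL or bare domain (lowercased), or None."""
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname
    return host.lower() if host and "." in host else None


def deceptive_links(html):
    """Return (visible text, href) pairs whose hosts do not match exactly."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        shown, actual = host_of(text), host_of(href)
        if shown and actual and shown != actual:
            flagged.append((text, href))
    return flagged


SAMPLE = """<p>Your account will be suspended. Please log in at
<a href="http://203.0.113.5/login">www.paypal.com</a> to confirm. Contact
<a href="http://www.paypal.com/help">www.paypal.com</a> with questions.</p>"""

if __name__ == "__main__":
    for text, href in deceptive_links(SAMPLE):
        print(f"visible text {text!r} but link goes to {href!r}")
```

The comparison is exact, so a link showing `paypal.com` but pointing at `www.paypal.com` is also flagged; loosen `host_of` to a registered-domain comparison if that is too noisy for a given mail stream.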
Some fixes:
- only communicate via telephone, postal mail, or an indirect mechanism such as notifying the user to go to a well-known, constant address such as www.paypal.com or www.ebay.com, log in, and retrieve the communication there.
- actually tell users how they are addressing the problem of faked email communication.
Well, this has only been going on for about a year now (as of March 2005). I suspect nothing will be done about it. Ironically, of the three phishing scams I know about (eBay, PayPal, and Washington Mutual), two are attacking the same company, and that same company is not doing anything about either of them.
Other people talking about this:
- http://donxml.com/allthingstechie/archive/2005/01/25/1742.aspx#FeedBack
- http://www.techdirt.com/articles/20050314/113209.shtml
- http://www.free-conversant.com/irweblog/445
- http://nimrods.blogspot.com/200501_01nimrods_archive.html#110719917292796355
- http://www.iht.com/articles/2005/03/07/business/ebay.html
- http://www.theopensourcery.com/wordp1/index.php?p=222
- http://cleverhack.com/archives/2004/08/stupid-ebay-phishing-scam/
- http://www.washingtonpost.com/wp-dyn/articles/A59347-2004Nov18.html
- http://www.filteringcraig.com/sidebar/archives/000973.html
Update for 2005-Jul-20:
It appears that eBay is communicating as of June 2005 via its 'My eBay' portal, but the existence of those messages isn't communicated via email and they expire, so if you don't log in for a month, your messages will have disappeared. But it is a good step that's been a long time coming.
Posted in Bay Area Bitching, Business | 1 Comment »
March 16th, 2005
Re: http://weblog.infoworld.com/dickerson/001194.html,
I have not seen any reliability problems with the Treo 650; however, it will sometimes reset when Blazer (the web browser) downloads too large a page. I am running the stock applications. I am also using the Sprint PCS service.
Posted in Reviews | No Comments »