The relationships between enterprises and their “designated agents” are often pretty murky from a customer point of view. In the old days, few people cared. But in the world of phishing, we need a lot more clarity about who is representing whom – we need to know whether an offer originates from someone legitimate or not.
In this post, Ben Laurie shows just how hard the current identity patchwork (read “architectural black hole”) makes it to know what is going on – even if you're one of the top Internet security people in the world.
Ben tells us, “O2 like phishing…”:
They must do, or they wouldn't do stupid things like this.
I got an email, looking just like this:
We'd like to say 'thanks' for being a great customer by offering you either a FREE Pay Monthly handset upgrade OR £100 credit added to your account – provided you haven't recently upgraded.†
And it couldn't be easier. All you have to do is renew your contract with O2 before 31st August 2006.
If you choose to renew your contract for 18 months, rather than 12 then there's even more on offer:
If you prefer to talk we have a range of Talker plans with Double Minutes each month*. For example, on an Online 500 Talker plan you'll get 1000 minutes and 150 messages each month for £35.
If you prefer to text we also have a range of Texter plans which offer 50% Extra Minutes and Texts each month*.
For example, on an Online 500 Texter plan you'll get 750 mins and 750 messages each month for £35.
To see our full range of handsets and offers and to renew your contract, click here.
And thanks again for choosing O2 .
† The information used in this mailing is based on your contract status as at 30th April 2006. Unfortunately, if you upgraded after this date your new contract means you won't be eligible for these offers. Terms and conditions apply.
*Offer subject to ongoing connection to eligible tariff see letter for details. Promotional allowances must be used within the month. Unused allowances cannot be carried over into subsequent months.
OK, I removed some maybe-identifying data from the link, but you'll notice the link goes to http://www.o2-mail.co.uk/. "Oho", says I, being a suspicious sort, "that's not O2's website, I wonder who managed to register it?"
$ whois o2-mail.co.uk
The registrant is a non-trading individual who has opted to have their
address omitted from the WHOIS service.
MCI Worldcom Ltd [Tag = UUNETPIPEX]
Registered on: 01-Aug-2003
Renewal date: 01-Aug-2007
Last updated: 04-Aug-2003
Registered until renewal date.
Hmmm, a non-trading individual who wants to renew my phone contract, eh? Think I'd better check that out – but what a shame, http://www.uk.uu.net/ doesn't actually resolve, so looks like I'm not talking to them. And, oh dear, Nominet are closed until Monday, so that avenue is out, too.
The mail itself, incidentally, purports to come from o2-email.com, a domain which they didn't even bother to register.
So, fearing nothing, I clicked on the link – which redirects me to http://www.o2renew.co.uk/. Here we go again.
$ whois o2renew.co.uk
AIS Group Ltd
UK Limited Company, (Company number: 3561278)
47-48 Berners St
Global Registration Services Ltd [Tag = GRS]
Registered on: 14-Apr-2005
Renewal date: 14-Apr-2007
Last updated: 27-Jul-2005
Registered until renewal date.
At least this has an address, if I could be bothered to follow up, which I can't, but this all looks a bit fishy. To compound the fun, I also got a text on my mobile with the same offer, but anyway, I phone O2 customer services. They explain that this cannot possibly be O2, it must be one of their "marketing partners" who will, if I fill in the form, renew my contract with O2, but via them. And, presumably, or maybe not, give me a new phone. I ask where they got my email address and phone number, and the answer is that at some point I left a box ticked that said it was OK for partners to send me stuff.
So, do O2 condone this practice, I ask? The answer is, apparently, that they do. They don't even mind, it seems, that the website has O2 branding on it.
If O2 is going to allow people they have contractual relationships with to do this kind of thing, how on Earth do they expect consumers to learn what is phishing and what is not?
Ben's approach is the only one you can take with today's web technology. Basically, you need to know how to analyse subdomains and understand DNS paths. Given this, one wonders why O2 condones the use of URLs worthy of the best phisher. It is cutting the last safety line we have been able to clutch between our fingers in trying to achieve even the most marginal Internet safety.
Still, I find myself choking on the idea that for people to understand they are being phished, they need to understand subdomains and the intricacies of DNS.
One of the great advantages of the way Information Cards work is that the site the user is visiting (in this case O2.co.uk) can specify its designated agents in a cryptographically secure fashion. In this case, O2 could specify O2renew.co.uk as the entity the user should exchange identity information with. The user would be guaranteed that this was an extension of her relationship with O2, with O2renew acting as an agent of O2.co.uk.
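To make concrete both the subdomain analysis Ben had to do by hand and the "declared agents" idea above, here is an added example (not code from this post, O2 or the Information Cards specification). It reduces each link's host to the name a registrant actually controls and then asks whether that name is the brand's own, one the brand has declared as an agent, or anything else; the declared-agent list is a plain Python set standing in for the cryptographically signed statement the post describes, and the suffix table is a tiny stand-in for the Public Suffix List.

```python
"""Classify links in a mailing against a brand's own domain and the agents the
brand has declared.  Added example, not part of the original post."""
from urllib.parse import urlparse

# Suffixes under which the registrable name is two labels deep.  Assumption:
# a small stand-in for the Public Suffix List, enough for the .co.uk case here.
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "me.uk"}


def registrable_domain(host: str) -> str:
    """Return the part of host a registrant controls, e.g.
    'www.o2-mail.co.uk' -> 'o2-mail.co.uk', 'shop.o2.co.uk' -> 'o2.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    depth = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    return ".".join(labels[-depth:])


def classify_link(url: str, brand: str, declared_agents) -> str:
    """'brand'   : the brand's own domain or a subdomain of it
       'agent'   : a domain the brand has declared as a designated agent
       'unknown' : a name anyone could have registered (the phishing case)"""
    host = urlparse(url).hostname or ""
    dom = registrable_domain(host)
    if dom == registrable_domain(brand):
        return "brand"
    if dom in {registrable_domain(a) for a in declared_agents}:
        return "agent"
    return "unknown"


# Constructed sample: the two hosts from the post, a genuine O2 subdomain and a
# lookalike that merely begins with the brand's name.
LINKS = [
    "http://www.o2-mail.co.uk/",
    "http://www.o2renew.co.uk/",
    "https://shop.o2.co.uk/upgrade",
    "http://o2.co.uk.example.net/renew",
]


def audit(links=LINKS, brand="o2.co.uk", declared_agents=frozenset()):
    return {u: classify_link(u, brand, declared_agents) for u in links}


if __name__ == "__main__":
    # With nothing declared, both mailing hosts look exactly like a phisher's.
    for u, verdict in audit().items():
        print(f"{verdict:8} {u}")
    # Had O2 declared o2renew.co.uk, the redirect target becomes recognisable
    # while the untraceable o2-mail.co.uk still does not.
    for u, verdict in audit(declared_agents={"o2renew.co.uk"}).items():
        print(f"{verdict:8} {u}")
```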