The relationships between enterprises and their “designated agents” are often pretty murky from a customer point of view. In the old days, few people cared. But in the world of phishing, we need a lot more clarity about who is representing whom – we need to know if an offer originates from a someone legitimate or not.
In this post, Ben Laurie shows just how hard the current identity patchwork (read “architectural black hole”) makes it to know what is going on – even if you're one of the top Internet security people in the world.
Ben tells us, “O2 like phishing…”:
They must do, or they wouldn’t do stupid things like this.
I got an email, looking just like this:
We’d like to say ‘thanks’ for being a great customer by offering you either a FREE Pay Monthly handset upgrade OR £100 credit added to your account – provided you haven’t recently upgraded.â€And it couldn’t be easier. All you have to do is renew your contract with O2 before 31st August 2006.
If you choose to renew your contract for 18 months, rather than 12 then there’s even more on offer:
If you prefer to talk we have a range of Talker plans with Double Minutes each month*. For example, on an Online 500 Talker plan you’ll get 1000 minutes and 150 messages each month for £35.
If you prefer to text we also have a range of Texter plans which offer 50% Extra Minutes and Texts each month*.
For example, on an Online 500 Texter plan you’ll get 750 mins and 750 messages each month for £35.
To see our full range of handsets and offers and to renew your contract, click here.
And thanks again for choosing O2 .
†The information used in this mailing is based on your contract status as at 30th April 2006. Unfortunately, if you upgraded after this date your new contract means you won’t be eligible for these offers. Terms and conditions apply.
*Offer subject to ongoing connection to eligible tariff see letter for details. Promotional allowances must be used within the month. Unused allowances cannot be carried over into subsequent months.
OK, I removed some maybe-identifying data from the link, but you’ll notice the link goes to http://www.o2-mail.co.uk/. “Ohoâ€, says I, being a suspicious sort, “that’s not O2’s website, I wonder who managed to register it?â€
$ whois o2-mail.co.ukDomain name:
o2-mail.co.ukRegistrant:
VertisRegistrant type:
UK IndividualRegistrant’s address:
The registrant is a non-trading individual who has opted to have their
address omitted from the WHOIS service.Registrant’s agent:
MCI Worldcom Ltd [Tag = UUNETPIPEX]
URL: http://www.uk.uu.net/Relevant dates:
Registered on: 01-Aug-2003
Renewal date: 01-Aug-2007
Last updated: 04-Aug-2003Registration status:
Registered until renewal date.Name servers:
ns0-o.dns.pipex.net
ns1-o.dns.pipex.netHmmm, a non-trading individual who wants to renew my phone contract, eh? Think I’d better check that out – but what a shame, http://www.uk.uu.net/ doesn’t actually resolve, so looks like I’m not talking to them. And, oh dear, Nominet are closed until Monday, so that avenue is out, too.
The mail itself, incidentally, purports to come from o2-email.com, a domain which they didn’t even bother to register.
So, fearing nothing, I clicked on the link – which redirects me to http://www.o2renew.co.uk/. Here we go again.
$ whois o2renew.co.ukDomain name:
o2renew.co.ukRegistrant:
AIS Group LtdRegistrant type:
UK Limited Company, (Company number: 3561278)Registrant’s address:
Berners House
47-48 Berners St
London
W1T 3NF
GBRegistrant’s agent:
Global Registration Services Ltd [Tag = GRS]
URL: http://www.globalregistrationservices.com/Relevant dates:
Registered on: 14-Apr-2005
Renewal date: 14-Apr-2007
Last updated: 27-Jul-2005Registration status:
Registered until renewal date.Name servers:
ns25.worldnic.com
ns26.worldnic.comAt least this has an address, if I could be bothered to follow up, which I can’t, but this all looks a bit fishy. To compound the fun, I also got a text on my mobile with the same offer, but anyway, I phone O2 customer services. They explain that this cannot possibly be O2, it must be one of their “marketing partners†who will, if I fill in the form, renew my contract with O2, but via them. And, presumably, or maybe not, give me a new phone. I ask where they got my email address and phone number, and the answer is that at some point I left a box ticked that said it was OK for partners to send me stuff.
So, do O2 condone this practice, I ask? The answer is, apparently, that they do. They don’t even mind, it seems, that the website has O2 branding on it.
If O2 is going to allow people they have contractual relationships with to do this kind of thing, how on Earth do they expect consumers to learn what is phishing and what is not?
Ben's aproach is the only one you can take with today's web technology. Basically, you need to know how to analyse subdomains and understand DNS paths. Given this, one wonders why O2 condones the use of URLs worthy of the best phisher. It is cutting the last safety line we have been able to clutch between our fingers in trying to achieve even the most marginal Internet safety.
Still, I find myself choking on the idea that for people to understand they are being phished, they need to understand subdomains and the intricacies of DNS.
One of the great advantages of the way Information Cards work is that the site the user is visiting (in this case O2.co.uk) can specify its designated agents in a cryptographically secure fashion. In this case, O2 could specifify O2renew.co.uk as the entity the user should exchange identity information with. The user would be guaranteed that this was an extension of her relationship with O2, with O2renew acting as an agent of O2.co.uk.
