LinuxQuestions.org
Old 12-09-2024, 04:35 PM   #1
sundialsvcs
Probable-fraud alert: "You just added a new card to your Google Pay account"


I just received a perfectly authentic-looking email which purported to be from "Google Pay," which told me that a "Visa card ending with 2331" had just been added to "my account."

Two problems: (1) I don't have a "Google Pay" account, and (2) I don't have a Visa card ending with "2331."

However, the eagerly-animated (and entirely authentic-looking) button invited me to push it.

So: I wonder just how many people who do have such an account would actually bother to "look into their wallets?" The visual appearance of this email ... which I very promptly deleted ... was perfect.
 
Old 12-09-2024, 05:21 PM   #2
VektorAlian
Reminds me of the phone call about my Microsoft Windows operating system being hacked. After I said Linux there was a click and a dial tone.

Vektor
 
Old 12-09-2024, 10:35 PM   #3
sundialsvcs
What is utterly mystifying(!) to me is that email has never "generally adopted" the very-fundamental principles of "data integrity and provenance" that – thanks to LetsEncrypt – we are finally able to sort-of enjoy in this space.

I underscore the word, "adopted," because two data-security-plus-data-integrity standards have always existed within "the email space." (1) PGP®/GPG, and (2) S/MIME. Take your choice.

The world's most prominent e-mail provider, "GMail®," after having fought away most other providers by claiming to better prevent "spam," initially provided access to encrypted and/or signed messaging. But, very shortly thereafter, they removed it from their public presence.

I continue to use "email client" programs – never "web-mail" – and these interfaces allow for seamless encryption of those messages which "I wish to remain private."

But, as to the public at large, and to the "web-mail" interfaces which routinely supply all of them, I truly remain astonished: Today, is there absolutely nothing that anyone "wishes to remain private?"
 
Old 12-09-2024, 10:54 PM   #4
frankbell
Just an aside, but . . . .

My friend received such an email last week; it claimed that she had made a purchase she never made. She knew right off that it was a con and a scam.

What befuddles me is that so many persons, when they read stuff on their computer screens, well, their defenses seem to go down and they lose their ability to think critically. They believe stuff written in electrons when they wouldn't believe the same stuff if it were written in ink.

Last edited by frankbell; 12-09-2024 at 10:55 PM. Reason: grammatical error
 
Old 12-10-2024, 08:04 AM   #5
sundialsvcs
When I use an "https" web-site like this one ... thank you, "LetsEncrypt!" ... I know that I am actually talking to the intended site and that my posts are being "delivered to me 'as tendered.'"

How very different(!) it would be if "email" could routinely offer the same assurances.

Well, in fact it can. Both "message encryption" and, separately, "message signing." Consumer-grade but very strong.

What truly baffles me, then, is that "easily the world's most popular email web-portal," gmail, once provided message-signing and message-encryption, but then ... silently took it out.

Businesses throughout the world are therefore forced to use a message-transport system which effectively contains no "provenance," let alone "privacy," whatsoever. Even though it very-easily can.

It's absolutely trivial to provide for an: "Alert! This message didn't come from 'Southwest Airlines!'"

Absolutely trivial. Existing technology. Perfected. Available. Not Used.

Why not, Google? "Microsoft, Linux, etc., why is this still a 'plug-in?'"

Last edited by sundialsvcs; 12-10-2024 at 08:06 AM.
 
Old 12-11-2024, 08:18 PM   #6
sundialsvcs
P.S.: I am now getting quite a few "Google Pay" e-mails every day. The scam is very much "in play."

How very easy it would be to re-cast the "email" system to completely eliminate this problem. If "Google Mail (gmail)" alone(!) took some action, using existing and tested technologies, the entire world would immediately – and, gratefully – follow suit.
 
Old 12-11-2024, 11:08 PM   #7
scasey
My wife got a text message “from the USPS” with a link to a phishing page advising that there was 30 cents postage due on a piece of email. “Click here and enter your credit card to pay for it…” She told me about it when I got home because the page wouldn’t accept the card number.
I suspect it was because the bank had that vendor blocked (whew)…or she mistyped the number (possible)

We had a(nother) conversation about how to ID spam/phishing attempts. Pointed out that the post office doesn’t know our mobile numbers, and simply wouldn’t do such a thing anyway…but it does give one pause.
 
Old 12-12-2024, 03:12 AM   #8
tony rice
Quote: Originally Posted by VektorAlian
Reminds me of the phone call about my Microsoft Windows operating system being hacked. After I said Linux there was a click and a dial tone.

Vektor
I once had the good fortune to have a guy "from Microsoft" call me with that scam on a Saturday when I had nothing better to do. I kept him on the phone for almost an hour and he even brought his "supervisor" onto the call when nothing I did under his instruction seemed to work (because I was on Linux). At one point, I had to remote in to an actual Windows box so I could convincingly describe what he expected me to see in the event log. They eventually caught on to me only because my son, whom I had invited to sit in on the call, couldn't keep his laughter to inaudible levels (I couldn't blame him as I was having trouble that way myself). Then these guys acted like -I- was the bad guy for leading them on and they said mean things about my mother! I was about fifteen minutes into the call before I thought to start recording it.

As far as email scams v/v google pay are concerned, I haven't got any of those yet but I also -don't- use google pay. I do, however, have my system configured such that, with the click of a button, my browser will be reset to a pristine state that I saved as soon as I had the browser configured the way I wanted it. This way, I can click on that scam button just to see what happens and if it's really an attack on the browser, as opposed to an attack on a credit card, no harm done. Worst case, I might have to reboot and lose my "uptime" (currently 127 days).
 
Old 12-12-2024, 06:07 AM   #9
TenTenths
Quote: Originally Posted by sundialsvcs
When I use an "https" web-site like this one ... thank you, "LetsEncrypt!" ... I know that I am actually talking to the intended site and that my posts are being "delivered to me 'as tendered.'"
As I'm sure you know, but for the benefit of others, never assume HTTPS is secure. If you're using a VPN that requires the installation of a CA certificate, or if you've a corporate managed laptop or VPN, then there are multiple ways to perform SSL packet inspection. Usually by presenting an SSL certificate to the browser "signed" by the VPN provider / corporate CA, which the browser will accept.

Sometimes this can be spotted by looking at the certificate presented to the browser, it may be signed or issued by an "unexpected" CA. However, unless you know the CA that the website uses it can be hard to even spot.

Last edited by TenTenths; 12-12-2024 at 06:09 AM.
 
Old 12-13-2024, 01:03 PM   #10
sundialsvcs
There's always another way to break security where it exists. But, inexplicably and unnecessarily, conventional email has neither security nor accountability at all. It does not have to be this way. Why have we invested so much security-concern with web sites, and absolutely none with email? Particularly when we effortlessly can?

Notice that "digital signing" and "encryption" are two separate ideas. An unencrypted message can be signed. All encrypted messages are also signed.

If "digital signing" were a standard practice, "spoof" emails would disappear.

Last edited by sundialsvcs; 12-13-2024 at 01:05 PM.
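
An added example, written in Go and not the poster's code, of the provenance check posts #3, #5 and #10 argue for. To keep it self-contained it uses Ed25519 signatures rather than PGP/GPG or S/MIME, the sender address and message texts are constructed, and the recipient's "key directory" stands in for a keyring or certificate store. It demonstrates signing on its own, with no encryption involved: a genuine message verifies, while a message sent under the same address by someone without the sender's key, a tampered body, and a valid signature lifted onto another sender's name all produce the "didn't come from" alert.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// KeyDirectory maps a sender address to the public key the recipient has
// verified and stored for it (a hypothetical stand-in for a PGP keyring or
// an S/MIME trust store).
type KeyDirectory map[string]ed25519.PublicKey

// SignedMessage is the claimed sender address, the body, and the signature.
type SignedMessage struct {
	From string
	Body []byte
	Sig  []byte
}

// signingInput binds the From address into the signed bytes, so a valid
// signature cannot be lifted from one message and replayed under another
// sender's name.
func signingInput(from string, body []byte) []byte {
	return append([]byte("from:"+from+"\n"), body...)
}

// NewKey generates a fresh Ed25519 key pair.
func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Sign produces the message a legitimate sender would transmit.
func Sign(priv ed25519.PrivateKey, from string, body []byte) SignedMessage {
	return SignedMessage{From: from, Body: body, Sig: ed25519.Sign(priv, signingInput(from, body))}
}

// Check returns "" when the signature verifies under the key on file for the
// claimed sender; otherwise it returns the alert text a mail client could show.
func Check(dir KeyDirectory, m SignedMessage) string {
	pub, ok := dir[m.From]
	if !ok {
		return fmt.Sprintf("Alert! No signing key on file for %q", m.From)
	}
	if len(m.Sig) == 0 {
		return fmt.Sprintf("Alert! Unsigned message; cannot confirm it came from %q", m.From)
	}
	if !ed25519.Verify(pub, signingInput(m.From, m.Body), m.Sig) {
		return fmt.Sprintf("Alert! This message didn't come from %q", m.From)
	}
	return ""
}

func main() {
	const airline = "noreply@example-airline.test" // constructed address
	airlinePub, airlinePriv := NewKey()
	dir := KeyDirectory{airline: airlinePub}

	genuine := Sign(airlinePriv, airline, []byte("Your flight is confirmed."))
	_, attackerPriv := NewKey() // the phisher has a key, just not the airline's
	spoof := Sign(attackerPriv, airline, []byte("A card ending 2331 was added. Click here."))
	tampered := genuine
	tampered.Body = []byte("Your flight is cancelled; pay a fee here.")

	for name, m := range map[string]SignedMessage{"genuine": genuine, "spoof": spoof, "tampered": tampered} {
		fmt.Printf("%-8s -> %q\n", name, Check(dir, m))
	}
}
```

The only thing that separates the genuine message from the spoof is possession of the private key; the display name, the address and the layout can all be copied perfectly, which is exactly the situation the first post describes.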
 
  

