12-09-2024, 04:35 PM
|
#1
|
LQ Guru
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 11,057
|
Probable-fraud alert: "You just added a new card to your Google Pay account"
I just received a perfectly authentic-looking email which purported to be from "Google Pay," which told me that a "Visa card ending with 2331" had just been added to "my account."
Two problems: (1) I don't have a "Google Pay" account, and (2) I don't have a Visa card ending with "2331."
However, the eagerly-animated (and entirely authentic-looking) button invited me to push it.
So: I wonder just how many people who do have such an account would actually bother to "look into their wallets?" The visual appearance of this email ... which I very promptly deleted ... was perfect.
|
|
|
12-09-2024, 05:21 PM
|
#2
|
LQ Newbie
Registered: Nov 2024
Posts: 11
|
Reminds me of the phone call about my Microsoft Windows operating system being hacked. After I said Linux there was a click and a dial tone.
Vektor
|
|
|
12-09-2024, 10:35 PM
|
#3
|
LQ Guru
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 11,057
Original Poster
|
What is utterly mystifying(!) to me is that email has never "generally adopted" the very-fundamental principles of "data integrity and provenance" that – thanks to LetsEncrypt – we are finally able to sort-of enjoy in this space.
I underscore the word, "adopted," because two data-security-plus-data-integrity standards have always existed within "the email space." (1) PGP®/GPG, and (2) S/MIME. Take your choice.
The world's most prominent e-mail provider, "GMail®," after having fought away most other providers by claiming to better prevent "spam," initially provided access to encrypted and/or signed messaging. But, very shortly thereafter, they removed it from their public presence.
I continue to use "email client" programs – never "web-mail" – and these interfaces allow for seamless encryption of those messages which "I wish to remain private."
But, as to the public at large, and to the "web-mail" interfaces which routinely supply all of them, I truly remain astonished: Today, is there absolutely nothing that anyone "wishes to remain private?"
|
|
|
12-09-2024, 10:54 PM
|
#4
|
LQ Guru
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 19,722
|
Just an aside, but . . . .
My friend received such an email last week; it claimed that she had made a purchase she never made. She knew right off that it was a con and a scam.
What befuddles me is that so many persons, when they read stuff on their computer screens, well, their defenses seem to go down and they lose their ability to think critically. They believe stuff written in electrons when they wouldn't believe the same stuff if it were written in ink.
Last edited by frankbell; 12-09-2024 at 10:55 PM.
Reason: grammatical error
|
|
|
12-10-2024, 08:04 AM
|
#5
|
LQ Guru
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 11,057
Original Poster
|
When I use an "https" web-site like this one ... thank you, "LetsEncrypt!" ... I know that I am actually talking to the intended site and that my posts are being "delivered to me 'as tendered.'"
How very different(!) it would be if "email" could routinely offer the same assurances.
Well, in fact it can. Both "message encryption" and, separately, "message signing." Consumer-grade but very strong.
What truly baffles me, then, is that "easily the world's most popular email web-portal," gmail, once provided message-signing and message-encryption, but then ... silently took it out.
Businesses throughout the world are therefore forced to use a message-transport system which effectively contains no "provenance," let alone "privacy," whatsoever. Even though it very-easily can.
It's absolutely trivial to provide for an: "Alert! This message didn't come from 'Southwest Airlines!'"
Absolutely trivial. Existing technology. Perfected. Available. Not Used.
Why not, Google? "Microsoft, Linux, etc., why is this still a 'plug-in?'"
Last edited by sundialsvcs; 12-10-2024 at 08:06 AM.
|
|
|
12-11-2024, 08:18 PM
|
#6
|
LQ Guru
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 11,057
Original Poster
|
P.S.: I am now getting quite a few "Google Pay" e-mails every day. The scam is very much "in play."
How very easy it would be to re-cast the "email" system to completely eliminate this problem. If "Google Mail (gmail)" alone(!) took some action, using existing and tested technologies, the entire world would immediately – and, gratefully – follow suit.
|
|
|
12-11-2024, 11:08 PM
|
#7
|
LQ Veteran
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: Rocky 9.5
Posts: 5,843
|
My wife got a text message “from the USPS” with a link to a phishing page advising that there was 30 cents postage due on a piece of email. “Click here and enter your credit card to pay for it…” She told me about it when I got home because the page wouldn’t accept the card number.
I suspect it was because the bank had that vendor blocked (whew)…or she mistyped the number (possible).
We had a(nother) conversation about how to ID spam/phishing attempts. Pointed out that the post office doesn’t know our mobile numbers, and simply wouldn’t do such a thing anyway…but it does give one pause.
|
|
|
12-12-2024, 03:12 AM
|
#8
|
LQ Newbie
Registered: Oct 2024
Distribution: Core Linux 15.0
Posts: 12
|
Quote:
Originally Posted by VektorAlian
Reminds me of the phone call about my Microsoft Windows operating system being hacked. After I said Linux there was a click and a dial tone.
Vektor
|
I once had the good fortune to have a guy "from Microsoft" call me with that scam on a Saturday when I had nothing better to do. I kept him on the phone for almost an hour and he even brought his "supervisor" onto the call when nothing I did under his instruction seemed to work (because I was on Linux). At one point, I had to remote in to an actual Windows box so I could convincingly describe what he expected me to see in the event log. They eventually caught on to me only because my son, whom I had invited to sit in on the call, couldn't keep his laughter to inaudible levels (I couldn't blame him as I was having trouble that way myself). Then these guys acted like -I- was the bad guy for leading them on and they said mean things about my mother! I was about fifteen minutes into the call before I thought to start recording it.
As far as email scams v/v google pay are concerned, I haven't got any of those yet but I also -don't- use google pay. I do, however, have my system configured such that, with the click of a button, my browser will be reset to a pristine state that I saved as soon as I had the browser configured the way I wanted it. This way, I can click on that scam button just to see what happens and if it's really an attack on the browser, as opposed to an attack on a credit card, no harm done. Worst case, I might have to reboot and lose my "uptime" (currently 127 days).
|
|
|
12-12-2024, 06:07 AM
|
#9
|
Senior Member
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6 / 7 / 8
Posts: 3,538
|
Quote:
Originally Posted by sundialsvcs
When I use an "https" web-site like this one ... thank you, "LetsEncrypt!" ... I know that I am actually talking to the intended site and that my posts are being "delivered to me 'as tendered.'"
|
As I'm sure you know, but for the benefit of others, never assume HTTPS is secure. If you're using a VPN that requires the installation of a CA certificate, or if you've a corporate managed laptop or VPN then there are multiple ways to perform SSL packet inspection. Usually by presenting an SSL certificate to the browser "signed" by the VPN provider / corporate CA which the browser will accept.
Sometimes this can be spotted by looking at the certificate presented to the browser; it may be signed or issued by an "unexpected" CA. However, unless you know the CA that the website uses it can be hard to even spot.
Last edited by TenTenths; 12-12-2024 at 06:09 AM.
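Added example, not part of the post above: one way to automate the issuer check it describes, by comparing the issuer of the certificate your machine accepted against a baseline recorded from a network you trust. The host name, CA names, baseline and sample certificates are constructed assumptions; `fetch_cert` is what you would call on a live connection.

```python
import socket
import ssl

def issuer_of(cert):
    """Flatten the 'issuer' RDN tuples from SSLSocket.getpeercert() into a dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}

def fetch_cert(host, port=443, timeout=5):
    """Return the leaf certificate that the local trust store accepted.

    An inspection CA installed in that trust store makes validation succeed,
    so success here says nothing about interception; the issuer does.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def check_issuer(host, cert, baseline):
    """Compare the issuer organization with the one recorded for this host."""
    seen = issuer_of(cert).get("organizationName", "<none>")
    expected = baseline.get(host)
    if expected is None:
        return ("unknown", seen)  # no baseline: the hard-to-spot case
    if seen in expected:
        return ("match", seen)
    return ("unexpected-issuer", seen)

# Constructed samples in getpeercert() format; all names are illustrative.
DIRECT = {"issuer": ((("countryName", "US"),),
                     (("organizationName", "Let's Encrypt"),),
                     (("commonName", "R11"),))}
INSPECTED = {"issuer": ((("organizationName", "Example Corp IT"),),
                        (("commonName", "Example Corp TLS Inspection CA"),))}
# Hypothetical baseline, recorded earlier from a network you trust.
BASELINE = {"www.example.org": {"Let's Encrypt"}}

if __name__ == "__main__":
    for label, cert in (("direct", DIRECT), ("inspected", INSPECTED)):
        print(label, check_issuer("www.example.org", cert, BASELINE))
```

On a real connection, pass `fetch_cert(host)` as the `cert` argument; a site that legitimately changes CA will also report `unexpected-issuer`, so the baseline needs upkeep.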
|
|
|
12-13-2024, 01:03 PM
|
#10
|
LQ Guru
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 11,057
Original Poster
|
There's always another way to break security where it exists. But, inexplicably and unnecessarily, conventional email has no security nor accountability at all. It does not have to be this way. Why have we invested so much security-concern with web sites, and absolutely none with email? Particularly when we effortlessly can?
Notice that "digital signing" and "encryption" are two separate ideas. An unencrypted message can be signed. All encrypted messages are also signed.
If "digital signing" were a standard practice, "spoof" emails would disappear.
Last edited by sundialsvcs; 12-13-2024 at 01:05 PM.
|
|
|
All times are GMT -5. The time now is 12:11 AM.