
Thanks FedEx, This Is Why We Keep Getting Phished

sebtron
107 replies
8h57m

A few months ago I got an email from the IT center of the company I work for that was dodgier than any phishing email I have ever received:

- Coming from a domain that looks nothing like the official domain of the company, rather some generic @itservice.com or something.
- Subject: "URGENT: your account is expiring soon".
- Multiple links provided in the email body, all illegible and multiple lines long, none of them from a domain that I can immediately link to the company.
- No alternative way of resolving the issue is provided other than clicking on one of those links (no "go to your account settings", "contact your line manager" or so).

And still, it turns out it was real.

~100k-employee company btw
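A crude checker for the four red flags listed in the post above, written for this thread as an added example (it is not code from the original post or from any mail-filtering product); the corporate domain set, the shortener list and the two sample messages are constructed, and the "alternative route" test is a keyword heuristic, not a reliable parser:

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions (constructed for this example): the organisation's own domains and a
# small list of public link shorteners that hide the real destination.
CORP_DOMAINS = {"example-corp.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "lnks.gd", "short.example"}

URGENCY = re.compile(r"\b(urgent|expir(e|es|ing)|immediately|suspended)\b", re.I)
# Phrases that offer a way to act other than clicking a link in the mail.
ALTERNATIVE = re.compile(r"(account settings|line manager|help ?desk|service desk|call us)", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+")
MAX_LINK_LEN = 80  # beyond this a link is effectively unreadable to a human


def registrable(host: str) -> str:
    """Crude 'last two labels' reduction: portal.itservice.example -> itservice.example.
    Assumption: no public-suffix list is available, so co.uk-style suffixes are not handled."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def red_flags(raw: str) -> list:
    """Return the list of red flags found in a raw RFC 822 message (plain text body only)."""
    msg = message_from_string(raw)
    flags = []

    # 1. Sender domain is not one of ours.
    _, addr = parseaddr(msg.get("From", ""))
    sender_dom = registrable(addr.rpartition("@")[2]) if "@" in addr else ""
    if sender_dom not in CORP_DOMAINS:
        flags.append(f"sender domain {sender_dom or '(none)'} is not a corporate domain")

    # 2. Subject pushes urgency / expiry.
    if URGENCY.search(msg.get("Subject", "")):
        flags.append("subject uses urgency/expiry language")

    # 3. Links: off-domain, shortened, or too long to read.
    payload = msg.get_payload()
    body = payload if isinstance(payload, str) else ""
    links = URL_RE.findall(body)
    for url in links:
        host = urlparse(url).hostname or ""
        dom = registrable(host)
        if dom in SHORTENERS:
            flags.append(f"link uses a shortener ({host}) that hides the destination")
        elif dom not in CORP_DOMAINS:
            flags.append(f"link points off-domain ({host})")
        if len(url) > MAX_LINK_LEN:
            flags.append(f"link is {len(url)} characters long and effectively illegible")

    # 4. No route to resolve the issue other than clicking.
    if links and not ALTERNATIVE.search(body):
        flags.append("no way to act other than clicking a link in the mail")
    return flags


# Constructed sample resembling the "real but dodgy" mail described above.
DODGY = """\
From: IT Service <noreply@itservice.example>
To: employee@example-corp.com
Subject: URGENT: your account is expiring soon

Your account expires in 24 hours. Click here to keep access:
https://portal.itservice.example/auth/v2/session?t=ab12cd34ef56ab12cd34ef56ab12cd34ef56ab12cd34ef56&r=1
or https://short.example/x7q9
"""

# Constructed sample of how the same notice could be sent without the red flags.
SANE = """\
From: IT Service Desk <it-servicedesk@example-corp.com>
To: employee@example-corp.com
Subject: Reminder: password change due in 14 days

Change it from your account settings at https://accounts.example-corp.com/settings
or call the help desk on the number published on the intranet.
"""

if __name__ == "__main__":
    for name, sample in (("dodgy", DODGY), ("sane", SANE)):
        print(name, red_flags(sample) or ["no red flags"])
```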

lobochrome
60 replies
8h37m

Our IT did the exact same thing with expiring m365 passwords. They weren’t using the corp domain, typos all over and the URL was obscured using a bizarre link shortener.

The same guys also force us to change our passwords every 6 months and block the last twenty. Passwords that we have to enter in systems that can’t pull directly from password managers, and thus have to type 10-20 times per day. Guess the average strength of an employee password!

I think IT incompetence should lead to audit fails or even better delisting from exchanges.

Thorrez
17 replies
7h10m

Is blocking the last 20 passwords a bad thing? I agree the other stuff is bad, but to me, that part doesn't seem bad.

meindnoch
5 replies
6h57m

Forced password updates are a bad thing.

If your company does forced password updates, they are not following the NIST recommendation: https://pages.nist.gov/800-63-FAQ/#q-b05

If your company is not following the NIST recommendation, they are incompetent, and will be held liable in case of a breach.

bbarnett
2 replies
6h44m

If your company is not following the NIST recommendation, they are incompetent, and will be held liable in case of a breach

This is a stretch. Liable? Please show the case law, or the legislation.

(My statement has no relevance to the validity of NIST's recommendations)

bluGill
1 replies
6h39m

Not directly. However, NIST is admissible in court, and so if someone sues there is now evidence that they should have known better.

bbarnett
0 replies
2h52m

Anything is admissible in court, the judge merely has to allow it.

There are 1000s of such organizations, and many conflict with each other.

My point is, it's inaccurate to say you are liable for not following NIST. I could easily say you could be liable, for not following me.

Does that make it so? No.

ixwt
0 replies
6h47m

The company I work for had a ransomware issue, so they got more zealous about security.

They require us to change our passwords every 45 days now. When I pointed out the NIST recommendations of not rotating passwords, they say they are following the guidance of the response team that helped them recover from the ransomware. And that the NIST doesn't actually deal with the real world.

internet101010
0 replies
4h55m

Internal password resets are a bad thing. It has its place in document sharing/collaboration platforms not connected to AD as an additional layer of revoking access when people leave a company.

alistairSH
4 replies
6h46m

In combination with forced changes, it leads to…

Password1

Password2

Password3

Etc

pierat
1 replies
6h30m

The one I see that stays updatable is:

PasswordFebruary2024!

Where month and year update on the date of forced password change.

alistairSH
0 replies
5h59m

Oh, that's a good one. <runs off to update corporate logins>

bluGill
0 replies
6h36m

I'm closing in on password100... It is the only sane thing to do; a good password is hard to memorize. (Passphrases are much better, but hard to type correctly first thing in the morning and take too long when I need to type my password a dozen times a day.)

Karellen
0 replies
6h3m

ITYM

hunter3

hunter4

hunter5

pflenker
3 replies
7h7m

It leads to less security as it is more likely that the new password will just be an old one with an incremented number at the end.

thesuitonym
0 replies
5h4m

The worst part is it actually leads users to boasting about how they 'beat the system', essentially telling their coworkers what their pattern is, making the password easier to guess.

cobbaut
0 replies
7h0m

And unless there is a minimum password age some people will just change it 20 times and then back to the same password.

Workaccount2
0 replies
5h26m

Myself and most people keep our login passwords written on paper in our desk because of this stupid practice. Can't use previous passwords and new password every 90 days. This is on top of 2FA.

swozey
0 replies
6h21m

I mean it's great for 99% of your passwords and pretty much forces people into using randomized generated passwords.. but I still have to remember at least ONE password by heart. Whether it's 32 characters or 16 or what not, I still need SOME way to get into my password manager to even get to my passwords. So what, I'm going to make my password tacokissies69 and.. what, add a 0 every 6 months so I pass the 20 password minimum?

So a hacker can infer that my password is tacokissies69000 of some sort..

pama
0 replies
7h3m

Even if this rule technically seems benign, together with the forced change it encourages users to game the system, leading to predictable patterns, e.g. adding a rotating letter or digit combo at the end of the same password.

swozey
14 replies
7h3m

I forget who puts that stuff out, NIST/STIG(?), but IIRC in the recent few years they determined that rotating passwords like that was basically security theater and wasn't worth the damage to the staff's productivity.

user3939382
8 replies
6h53m

NIST, whose guidelines, somehow, even other federal departments and agencies usually don’t follow.

NIST has very good password complexity and management guidelines. Just USE THEM! It’s not that hard!

How do you have billion-dollar companies that can’t RTFM?

bluGill
7 replies
6h42m

NIST, whose guidelines are admissible in court and a competent judge will take over expert testimony. (An expert witness who says something that contradicts these guidelines is guilty of perjury, though good luck prosecuting that.)

Zak
4 replies
6h22m

Perjury is lying under oath, not disagreeing with government guidelines.

bee_rider
3 replies
6h11m

On one hand, I agree that just disagreeing with a guideline isn’t perjury. Especially in a case like this where lots of the industry still uses the old (bad, imo) plan.

On the other, an expert witness has specifically represented themselves to be an expert. Is there any level of incompetence that rises to the level of perjury in that case? IMO there ought to be.

dmorgan81
2 replies
5h1m

That would be argued in cross-examination. A witness can be shown to be not a good witness. Perjury is very specific to knowingly lying while testifying under oath. We really don't want to expand it to areas of ignorance or disagreement; that way would stop people from testifying entirely.

bluGill
1 replies
3h0m

An expert is someone who claims to know though, and thus if they say something that contradicts established facts they are lying under oath.

singleshot_
0 replies
32m

This is not even near the truth. An expert (under Daubert) is someone who convinces the court they can say something relevant and reliable based on a technique that passes a test concerning:

- Whether the technique or theory in question can be, and has been, tested;
- Whether it has been subjected to publication and peer review;
- Its known or potential error rate;
- The existence and maintenance of standards controlling its operation; and
- Whether it has attracted widespread acceptance within a relevant scientific community.

The expert does not “know.” The expert is the only witness who can give an opinion, more or less. Because the opinion is backed up by something, the court considers it useful.

The technique they use is what’s important, not whether their opinion contradicts a fact. I think you will find in many expert trials, two experts get the same facts and come to two completely contradictory opinions, neither of which is perjury.

singleshot_
0 replies
4h58m

The rules of evidence govern what is admissible in court and I don’t recall any rule pertaining to NIST guidelines. I think what you might mean is that the guidelines are a learned treatise which, while it would be hearsay for me or you to quote as a fact witness, is nevertheless something an expert witness can refer to.

bee_rider
0 replies
6h17m

Are there any examples of the former that you know of? Or is this just optimism?

marcosdumay
3 replies
5h57m

They decided it was useless security theater decades ago. What happened recently is that they discovered that the rule they used to actively push causes severe harm to security.

Now there's a positive rule about not doing it.

throwway120385
2 replies
4h26m

Yeah when I was a shipping clerk, we had a pile of usernames and passwords for the Census Bureau's Automated Export System on sticky notes next to the shared computer because the password rotation and complexity requirements made it impossible to remember our passwords.

marcosdumay
1 replies
3h58m

Oh, there are many fun games from the 90's where you must infiltrate some place and every computer has some version of "due to the password rotation requirements, this week's password for the South-East door is 1-2-3-4, effective from Monday" pasted into it.

When the NIST added the bad rule into their ruleset (it was mostly a collection of bad rules at the time), it was already widely mocked in popular culture (well, within the target population).

I now wonder if that ruleset (the original one, that basically mandated you copy every flaw on Windows NT) was honest.

Terr_
0 replies
1h45m

there are many fun games from the 90's where you must infiltrate some place and every computer has some [sticky note]

"Come to think of it, it's about time to replay Deus Ex again..."

spott
0 replies
6h45m

NIST, but they required password rotation up until very recently, against their own advice.

gnfargbl
9 replies
6h52m

The lack of use of a non-corp domain, the typos and the use of shortened links does sound like a form of incompetence, probably at the management layer.

However, the password rotation requirement was until relatively recently something that many IT auditors would actually recommend, even though it leads directly to bad user password choices. In fact I wouldn't be at all surprised to learn that was still the case in a lot of places.

homeyKrogerSage
3 replies
5h46m

It is. I work as an IT tech at a military defense contractor and they require regularly recycling passwords, with a decent number of passwords remembered. They at least have complexity requirements applied, so not 100% bad, but still archaic.

withinboredom
1 replies
5h24m

Heh. I just increased a number in my password for my passwords. Then just repeat. So “CompanyName[00]” meets almost all complexity requirements and all I have to do is increment the numbers.

Note: I only do this when I have these requirements and I can’t use a password manager.

mondobe
0 replies
4h28m

Sounds like a certain BOFH story... have you ever thought about just adding another "s" to the end of your password instead?

resfirestar
0 replies
3h27m

The same NIST document (800-63) that recommends against password expiration also recommends against complexity requirements; instead, organizations are supposed to develop a list of bad passwords that would likely be used in an external dictionary attack.

People understandably get really fired up by the idea of not having to change their password every 90 days, but forget that the guidelines are a package that contains a lot of "shall"s (no password expiration is a mere "should") that would be more painful for organizations stuck with a lot of legacy software, like the requirement to use two authentication factors and the use of secure authentication protocols.
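One way to turn the 800-63B approach described above (minimum length plus a blocklist, no composition rules, no scheduled expiry) into a check, added here as an example rather than anything taken from the NIST document or from the commenters; the blocklist is a constructed stand-in for a real breached-password list, and the "variant" check also catches the Password1/Password2 and PasswordFebruary2024! rotation patterns mentioned earlier in the thread:

```python
import re

# Constructed stand-in for a real breached/common-password list (assumption: a
# deployment would load a large list from a breach corpus instead).
BLOCKLIST = {"password", "password1", "hunter2", "letmein", "qwerty", "welcome", "companyname"}
MIN_LENGTH = 8  # 800-63B: at least 8 characters, and no composition rules

MONTH_RE = re.compile(
    r"(january|february|march|april|may|june|july|august|september|october|november|december)$"
)
TAIL_RE = re.compile(r"[\d\W_]+$")  # trailing digits, punctuation and underscores


def core(pw: str) -> str:
    """Reduce a password to the part a user keeps between forced rotations.

    Rotating tails are stripped repeatedly until nothing changes, so that
    'Password3!', 'CompanyName[04]' and 'PasswordFebruary2024!' all reduce to
    the same core.  Falls back to the lowercase password if nothing is left
    (e.g. an all-digit password), so two such passwords do not compare equal.
    """
    s = pw.lower()
    prev = None
    while s != prev:
        prev = s
        s = TAIL_RE.sub("", s)
        s = MONTH_RE.sub("", s)
    return s or pw.lower()


def check_password(candidate: str, history: list) -> tuple:
    """Return (accepted, reason) for a proposed password.

    history holds the user's previous passwords.  Plaintext history is used
    here only to keep the example short; a real system must not store it and
    would instead keep a keyed hash of each previous password's core.
    """
    if len(candidate) < MIN_LENGTH:
        return False, "too short"
    # Blocklist check on both the literal value and its core, so 'Password3'
    # is rejected because 'password' is on the list.
    if candidate.lower() in BLOCKLIST or core(candidate) in BLOCKLIST:
        return False, "blocklisted"
    # A new password that only differs from an old one by its rotating tail
    # gives an attacker who knows the old one almost nothing to guess.
    if any(core(candidate) == core(old) for old in history):
        return False, "variant of a previous password"
    return True, "ok"


if __name__ == "__main__":
    samples = [
        ("correct horse battery staple", []),
        ("Pregnant-Guppy-Skateboard9", []),
        ("hunter3", []),
        ("PasswordFebruary2024!", ["PasswordJanuary2024!"]),
        ("ReallyLongP@assword$02", ["ReallyLongP@assword$01"]),
    ]
    for pw, hist in samples:
        print(f"{pw!r}: {check_password(pw, hist)}")
```

Note that a long passphrase with no digits or symbols passes, which is the point of the 800-63B guidance: length and absence from the blocklist, not character classes, decide.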

bluGill
2 replies
6h46m

Fortunately NIST has specific advice that recommends against that which is admissible in court (in the US). I'm not sure how to work through the bureaucracy to do this, but your company should sue them in court for incompetence to get their money back.

flatline
0 replies
6h19m

Two then-current NIST standards (62 and 71?) side by side gave contradictory advice. It is a step forward though for sure.

Kye
0 replies
6h27m

I've seen multiple accounts from IT/security people who discovered something like "this could get the company in legal trouble" with links to details was exactly what got an otherwise intractable issue resolved.

k8svet
0 replies
6h27m

Yeah, define recently.

DarkGauss
0 replies
2h51m

Yep. That leads directly to passwords like:

ReallyLongP@assword$01, ReallyLongP@assword$02, ReallyLongP@assword$03, and so on.

M95D
9 replies
6h18m

have to type 10-20 per day

Same problem here. My solution: Get a mouse with internal memory for macros, such as Natec Genesis GX78 (old, no longer available, but this is an example). Program your new password on one of the unused mouse buttons or in a different profile. Use the mouse to type the password.

reaperman
6 replies
6h14m

Might be a good product to app-ify. Maybe a USB dongle that acts like a keyboard and controlled by your phone. Give it some sort of 1Password / Bitwarden integration.

Could make it double as a YubiKey.

Surely this exists already?

f3d46600-b66e
4 replies
6h1m

Yubikey supports this already, but without the phone part.

reaperman
2 replies
5h16m

Does it require installing 3rd party software on the host machine? This might not work great for this kind of "shadow IT" application in all environments, whereas one that acts as a USB keyboard might be more versatile.

organsnyder
0 replies
4h4m

Only to configure it. It presents as a USB keyboard (among other device types).

aidenn0
0 replies
3h59m

Does it require installing 3rd party software on the host machine?

No, it identifies as a keyboard. It also defaults to generating a password that will use the same scancodes on (most?) western keyboard layouts so that computers configured to default to e.g. QWERTZ or AZERTY will still result in the same password.

mikepurvis
0 replies
5h50m

I should do this for ssh password entry. Running ssh-agent is still 90% of the story, but it comes up often enough that I'm on a terminal in a remote machine or inside a screen session or something that it would still be awfully useful to be able to just autotype it.

Terr_
0 replies
1h42m

Separately from the password aspect, consider how convenient it may be to use your smartphone as a kind of re-reified "clipboard": Use the camera and on-device OCR to copy text, then "paste" it as a virtual keyboard connected over USB.

It's very niche, but in those rare situations it'll be a big time-saver compared to human transcription or the rigamarole of setting up some other kind of data channel.

Grazester
1 replies
5h53m

Yubikeys can do this.

eropple
0 replies
5h47m

It can, and I tried this, but in practice we have to change our passwords at my current employer so frequently that I got more irked changing it on the Yubikey (not the least hassle-free of processes, as I couldn't install the Yubikey software on the work machine) than just typing the thing.

pjc50
0 replies
7h30m

I think IT incompetence should lead to audit fails or even better delisting from exchanges.

Fear of policy is why you get things like "force us to change our passwords every 6 months and block the last twenty". Getting a central arbiter of IT competence is a hard problem.

jraph
0 replies
7h53m

The same guys also force us to change our passwords every 6 months and block the last twenty

It's good we have 26 letters, that comfortably leaves you a margin of 6 combinations :-)

iamthirsty
0 replies
2h4m

The Walt Disney Company did exactly this when I was there, and everyone dreaded it. Did nothing but waste time.

danaris
0 replies
6h59m

The same guys also force us to change our passwords every 6 months

While I know this may be fruitless, it might be worthwhile to point out to them that the official guidance from NIST and similar organizations is now not to do this.

The IT department where I work required yearly password changes up until I brought this change to their attention, at which point they changed to simply recommending a password change if you have reason to believe it might have been compromised.

abustamam
0 replies
5h20m

I had a similar experience at an old company that used M365. YMMV but with Bitwarden I generate passphrases like Pregnant-Guppy-Skateboard9 and it made it tons easier for me to type 20x a day than &7UoTod#$7OOD

aaronharnly
0 replies
4h47m

My work password now has an "18" embedded somewhere in the middle of it thanks to my autoincrement approach to handling that kind of obnoxious policy.

Then I became CTO and retired the policy to align to modern NIST recommendations, so that "18" is in there forever :)

WorldMaker
0 replies
2h13m

I've noticed that Microsoft themselves aren't helping this right now. M365 seems to default to using random-tenant-guid.onmicrosoft.com for a lot of these transactional emails like password changes, even though the official account.microsoft.com is fully multi-tenant aware and most Microsoft guidance tells you to always go directly to account.microsoft.com. These transactional email mistakes seem like another case of Microsoft accidentally exposing problems in their org chart to external customers. I imagine it has something to do with the wild rewrites from old Azure AD to new "exciting brand" Entra ID and other such shenanigans, combined with Microsoft's willingness to bend over backwards to bad IT administrators and letting them set bad defaults (such as "just use the .onmicrosoft.com GUID instead of a real domain"), because companies love to pay them good money for the "control" to do stupid things in Group Policies and corporate configuration.

Combined with the fact that the largest single source of spam I'm seeing right now is also coming from random tenant GUIDs .onmicrosoft.com (is Azure really missing that much SMTP security for random M365 tenants?) and this sort of corporate anti-training users to follow bad transactional email links, it certainly feels like we are in a perfect storm of M365 phishing.

bombcar
18 replies
8h4m

Healthcare companies in the US send the most scammy looking links for payment processing you’ve ever seen - things like my-healthcare-billing.net

It’s insane.

philsnow
6 replies
7h30m

I’m supposed to pay my semi-annual property taxes (on the order of ~thousands of USD) on a site that ends in .org instead of .gov, and nobody apparently sees anything weird or wrong with it.

bombcar
2 replies
4h43m

Now that I think of it, I'm not sure I've ever seen a government payment site hosted on .gov; usually .com.

01HNNWZ0MV43FF
1 replies
4h26m

You can tell it's legit if they charge you $2 extra for a credit card instead of a bank transfer lol

bombcar
0 replies
2h57m

Most have gone that way, but a few were still letting you put your entire property tax on credit card with no fee whatsoever as recently as last year.

Woohoo free miles! Sometimes the fee is so low that even when they do charge it, it's worth using the credit card.

15457345234
1 replies
2h9m

id.me

Still can't believe it

Best hope the government of Macedonia remains friendly I guess

pakyr
0 replies
16m

*Montenegro

kube-system
0 replies
4h15m

Some places in the US outsource not only payment processing, but the entire tax collection process to the private sector. I've heard stories of people living in Pennsylvania who have gone years without filing their local tax return because they thought the tax form was spam. Nope, that sketchy looking mail from some random business, with the .com address is the legally designated tax collector.

sgerenser
3 replies
7h4m

Yeah, I got a text from one of these a couple years ago. Something like: “You have an overdue doctor bill of $183.56, please kindly pay immediately at this link: http://my-doctorpay.net/defintelylegit123. Thx!” Didn’t even include the name of the doctor or office, but after calling the only doctor's office I had used recently it was apparently legit. I let them know whatever company handles their billing is completely incompetent.

sneak
1 replies
6h30m

What incentive do they have to change it? People will still click and still pay, and if they don’t, they’ll refer it to collections and ruin their credit. As long as the billing office gets the money, in their view, the bar for “competence” is passed.

This is something that only people like us can see. The rest of the world doesn’t care about the problem, and even if they did, they have zero incentive to fix it.

avarun
0 replies
3h49m

People will still click and still pay, and if they don’t, they’ll refer it to collections and ruin their credit.

Healthcare has one of the lowest payment collection rates of any consumer industry. And as of a couple years ago, medical debt under $500 can no longer go on your credit report even after going to collections. States have passed even more consumer-friendly versions of this law, like NY where no amount of medical debt can affect your credit score.

So actually medical billers are directly hurting themselves with their incompetence in this and many other departments.

jameshart
0 replies
6h10m

The US healthcare billing model’s total lack of authentication and disconnection from point of service means that it’s broadly plausible you do owe some random provider money at any time up to several years after your last doctor visit.

Send someone an official looking piece of paper telling them they received $394 worth of in office medical laboratory service from Tristate Medical Partners Inc in August last year, that insurance paid $374 and that they just owe you a $20 copay, and I think a lot of people will just go to the online bill pay site and hand over the money.

bonton89
3 replies
6h25m

Let's not forget all the typosquatting-looking domains Microsoft uses. It almost seems like they bought them up to protect users, forgot why they did that and said "hey, we have all these domains, let's use those?"

__float
2 replies
5h53m

Do you have any examples? I'm largely out of the Microsoft ecosystem these days, aside from the occasional Xbox usage.

bombcar
1 replies
4h37m

Office.com redirects you to login.microsoftonline.com which isn't horribly bad, but is starting to get there. Now you have microsoft365.com and friends, too.

At least when things were login.microsoft.com you could apply the "last part is definitive" now that heuristic is pretty useless. And if you watch the actual DNS requests during a login, whew.

CDNs make it even worse, here's a few VALID requests from my DNS cache:

store-images.s-microsoft.com-c.edgekey.net

www.msftconnecttest.com

123499-ipv4v6.farm.dprodmgd103.aa-rt.sharepoint.com

download.windowsupdate.com.edgesuite.net

At least some end in apparently legitimate domains, but sheesh, that last one looks like something straight out of 2000s era scams.

WorldMaker
0 replies
2h7m

Also Azure AD and Entra ID and other parts of Microsoft 365 all use onmicrosoft.com, too. A fun bonus to that particular domain is the random, meaningless-to-people GUID-derived tenant IDs in the second level. Knowing what is legitimate, and what is tied to a specific corporate tenant, seems impossible. Certainly helps Microsoft themselves avoid XSS problems, I'm sure, but greatly adds to the confusion of what is a legitimate M365 URL.

mnau
0 replies
7h36m

Our government uses the equivalent of www.mydatabox.cz (the real one is mojedatovaschranka.cz).

Literally a domain that looks like it's from teaching material for phishing, not databox.gov.cz or something like that.

The domain is for official legal documentation communication with the government and has the same legal weight as a letter that was delivered in person with the recipient checked against ID.

chuckadams
0 replies
4h6m

To be fair, US healthcare billing companies aren't very far removed from scammers in the first place. Except most scammers are more ethical.

bluGill
0 replies
6h32m

Worse, every doctor/lab sends their own separate bill with their own separate account numbers and URLs. You could probably make a ton of money just sending a bill to every address in your city; so long as the amount is around $50, many will not question it anymore, as they get so many of those things.

Rygian
8 replies
8h46m

Did you click on the "Report Phishing attempt" button installed by your IT center in your mail client?

Sorry for the probable sarcasm. In a company that size, if the IT center does not provide a means to report phishing attempts then there are more serious problems than a dodgy email campaign.

sebtron
3 replies
8h43m

I wanted to, but I could not find it. It turns out I could not see the "report phishing" button because of an Outlook glitch. Thanks Microsoft.

lrem
2 replies
7h42m

Forward the email to your security org?

sebtron
0 replies
4h13m

I did end up forwarding the email to another IT service address (one that I knew was legit). They thanked me for the feedback and said they would improve the message.

alistairSH
0 replies
6h44m

This. We have a dedicated phish/scam/it-sec channel in Slack for this (in addition to an embedded “report this email” plug-in in Outlook).

natebc
1 replies
7h55m

This is even worse in companies that have security offices actively sending out phishing emails worded as internal emails from your company that shame you if you click any of the links in them.

email is well and truly dead.

dunham
0 replies
2h38m

That reminds me that we had a "chief architect" who sent out his farewell email with a link to his LinkedIn page in the footer, but the link actually went to a certain music video on YouTube.

I suppose, if you want to train people to not click on links, that's a fun way to do it.

ano-ther
0 replies
7h1m

It’s a good idea.

I am usually a bit pessimistic about it though. If their SOP doesn’t account for “looks like phishing but is from internal sender” then chances are that nobody connects the dots and informs that sender.

The intelligence of a small and motivated IT team seems difficult to scale.

TeMPOraL
0 replies
8h14m

FWIW, I did exactly that a few times where I was 90% certain the e-mail is legit, but it still looked like a phishing attempt. The IT department needs to learn to do better, this is inexcusable, especially in a corporation with otherwise restrictive policies that waste ridiculous amounts of money and effort (think: Windows Defender real-time "protection" on developer machines, with no way to exclude your repos).

walrus01
5 replies
7h43m

If I saw one of those in a 100k employee company I'd first just assume it's a phish-test email and that anyone who clicks on any URL in it is going to get put in the list for remedial training.

There are, of course, a whole plethora of services that a CTO-type person can hire to phish test your employees. Some of them even have several hundred real domain names with live MX on them that you can add into your office365/gsuite mail flow permit-list controls, as an admin, to ensure that the phish test arrives correctly in peoples' inboxes.

joezydeco
4 replies
6h41m

I love how those emails have extra metadata in the headers like "X-Phishing-Test: True"

Marsymars
2 replies
3h59m

I have an Outlook rule to redirect these to junk.

WorldMaker
1 replies
2h3m

I wish I could do that, but then that would impact my "scoreboard" on the anti-phishing tool and they would yell at me or send me to remedial "training" too. They really like to see that useless button pressed that just patronizingly tells me "Yes, this was a training exercise".

At the moment, in my current corporate email address this is the number one source of spam, just all the internal phishing testing emails. It feels like the attempted cure is worse than the disease and I hate getting so much useless trash.

Marsymars
0 replies
1h40m

I wish I could do that, but then that would impact my "scoreboard" on the anti-phishing tool and they would yell at me or send me to remedial "training" too. They really like to see that useless button pressed that just patronizingly tells me "Yes, this was a training exercise".

It's actually even worse than that for our anti-phishing tool; somehow Outlook's processing triggers the tool to think that I've interacted with the email, but after several rounds of "our tool says you clicked a link" and my reply of "I 100% didn't, let me see some logs", they now seem to ignore notifications of me clicking on phishing test links. So a win for me, I guess?

walrus01
0 replies
4h1m

Indeed, though the sort of person who knows how to read and understand mail headers is probably pretty unlikely to fall for a real phish.

dormento
2 replies
6h42m

At our company (hosting & PaaS), I was contacted on our internal messenger by a person I'd never seen before, asking me to "please" run some commands as root and send back the results. After the initial shock (and due infosec diligence) I found out it was just "the new guy", needing to collect info about our systems for equipment inventory purposes. Since they didn't have access to our networked management tool yet, and didn't know the finer points about how running `curl ... | sh` randomly is not a good idea, they thought it would be ok to get that information piecemeal directly from people.

It happens.

from-nibly
0 replies
6h8m

I flip tables when people make offhand requests like this. Infra teams are not keyboard monkeys with admin creds.

chuckadams
0 replies
4h17m

When I worked at Sun Microsystems, they had a clever launcher shell script dealie for things like StarOffice documents that did usage tracking, portability fixes (usually setting obscure environment vars), and of course downloading and opening the actual document. Then they started sending those shell scripts as email attachments. One day they sent out an email telling people to not open executable email attachments: the full memo was a SO document wrapped in one of these scripts.

To their credit, after the inevitable replies to that email they never used that wrapper again (they moved the launchers to the centralized NFS install where they always should have been)

anonymous_sorry
2 replies
6h47m

My company's security training tells me to carefully verify any URLs in received emails, but then they have some security software that rewrites all the URLs in incoming emails - presumably as a way of screening them themselves.

This might be a reasonable trade-off for centralising monitoring, but it significantly hampers the ability to judge the legitimacy of emails myself. At least update your training!

lhamil64
0 replies
6h19m

My company does that too, it's really annoying. They also sometimes send out mass emails for things like surveys but link to some third-party service. I've even seen them put, in the email, things like "the link goes to a trusted third party and is perfectly safe". Why should I trust that if I'm already suspicious of the email's legitimacy?

ToucanLoucan
0 replies
5h52m

Our last round of security training was roundly mocked by our software division, especially around the subject of one of the rules emphasized over and over being to "never click URLs in emails" and the sign-in process for the website alongside the distribution of lessons was done exclusively through magic links... in emails.

Our CEO is actually a developer himself on our core product (and a bit of a paranoid fella on the cybersecurity front to boot) and he was absolutely furious about this vendor being chosen...

bnralt
1 replies
5h43m

Banks do this as well. I made a purchase, and within minutes got a very scammy looking e-mail from them - low quality gifs, asking me to click on links to a random non-bank website(something like purchase-verification-users.net/235532/confirm.html, and the site wasn’t coming up on any searches). At the same time I get a call from a random number asking me to go over some purchases - I looked up the number, and it’s none of the ones listed for my bank.

So I hang up and call my bank directly. I spend 10 minutes going through the phone maze to talk to someone. Finally I get to them, and they confirm that is a number that they use to contact people. How come when you list numbers on your website you don’t list this one? Well, they said they often call from numbers they haven’t listed online. How about that e-mail, do you send those? Well, we sometimes contact people by e-mail, if it says it’s from us in the from: line you can click on it. Did you guys send that one? I don’t have that information; don’t click on it if the from: line isn’t us, but if it is, go ahead.

xur17
0 replies
1h29m

Well, they said they often call from numbers they haven’t listed online.

Worth noting - do not trust the incoming callerid number. This is trivial to fake.

sokoloff
0 replies
7h23m

I report those as phishing in order to get the feedback to the IT team who sent them from their colleagues in infosec. (I often have had IT and infosec reporting to me, which makes this even more effective of a feedback mechanism. :) )

silverquiet
0 replies
7h54m

Regarding the external domain thing, I can say that dealing with domains in a big company gets about as bureaucratic and terrible as just about everything else; I experienced this myself - at a youngish company when I needed a new sub-domain off the big official domain, it was just talk to $dude on the DNS team and he’ll help you out. And he did. A few years later once things had “grown up” a bit, I needed to update a record and I asked the same guy. He told me I needed to fill out a 25 question form and they’d review it. I about half copy and pasted it from another team member’s project and they accepted it.

Obviously it doesn’t excuse the practice, but I can see why people use alternative domains to get things done. The above anecdote was also purely within the company; I’m sure that if you add in a partner/managed service, it only amplifies the complexity.

SilasX
0 replies
1h36m

Similar unforced error: I got emails from healthcare.gov for required actions on the site's marketplace. But the links used the lnks.gd shortener, hiding what domain you were actually going to end up at! They're encouraging people to blindly click on links with no idea where it takes them!

What's worse, you can't even go to the lnks.gd root to check where a shortened link is going. And the "shortened" link was actually longer, with all the payload crap they rolled in. They could have just used the normal url plus small internal identifier of which email it was if they needed to track it, and it would have been shorter.

There was no reason to use a shortener, let alone such a shady one!

Macha
0 replies
6h53m

Yeah, was working for a (then) 15k employee company and got an email "You have expenses due". Blank content, PDF attachment. I hadn't initiated any payments (but it later turned out the bank had just charged the annual tax on my corporate card account)

Ignored it.

Later got my manager asking as the expense team had been chasing down managers of people with overdue reports.

habosa
66 replies
5h53m

FedEx may have the worst and least secure digital platform for a major company. Some examples I’ve noticed:

1. I moved into a 10-unit apartment building and wanted to set up FedEx Delivery Manager. I just put in my new address, no verification whatsoever, and I was immediately given access to the previous tenant’s delivery instructions which included the buildings private garage code. Any thief could have done the same.

2. When I moved out of that building I wanted to add my new address to delivery manager … but I couldn’t. The site errored every time. The reason? Some forums revealed the correct hypothesis that if you have special characters in your password then some parts of the site are permanently broken for you. Including the change password flow. So I had to have my wife make a new account with a worse password.

Truly amateur stuff for an otherwise very impressive company.

n0us
24 replies
5h21m

Is it impressive though? They have about a 50% success rate delivering things to me across multiple addresses and I know other people who have had similar long term issues.

yashap
9 replies
4h12m

Yeah, in my experience FedEx drivers absolutely LOVE saying they “attempted delivery of my package, but nobody was home,” so I have to go get it from the depot. But I 100% was home, working from home all day, and they 100% never came.

Libcat99
8 replies
3h17m

I had video of them pulling into the driveway and leaving without getting out of the vehicle and saying "no one was home."

I'm also in the video.

lcnPylGDnU4H9OF
7 replies
2h54m

That sounds like internal verification uses GPS. So in most cases it's going to be the customer's word against the astonishingly lazy driver's evidence.

eastbound
5 replies
1h20m

Can you file a small-claims?

You have nothing to lose, it’s not like they could threaten to stop delivering your packages.

duderific
4 replies
58m

It's probably not worth the time and effort. You can get a judgment, but good luck getting them to pay out on it.

lagniappe
1 replies
46m

A lien is a claim upon a part of another's property that arises because of an unpaid debt related to that property and that operates as an encumbrance on the property until the debt is satisfied.

eastbound
0 replies
32m

Yes, and I wonder what a hundred thousand small-claims would do upon UPS or Fedex.

ballenf
0 replies
7m

If you got a judgment, you would get a prompt response.

Problem you'd probably have is getting the judgment, if they show up at the hearing. Their clickwrap agreements are one barrier. Also, you have no relationship with them -- you weren't the customer (and if you were see point 1).

Would be interesting to see what type of claim would work. Maybe conversion (ie theft) if they delivered it to the wrong address. But if they just hold it at the depot, I don't know what claim you could make. Would probably have to take it up with the seller.

JumpCrisscross
0 replies
7m

can get a judgment, but good luck getting them to pay out on it

Honestly, finding a sheriff to enforce a judgement against FedEx property sounds like the fun part.

cromulent
0 replies
2h3m

I called them and questioned them about this - they didn't even come down my street, and yet claimed that they "attempted delivery". The customer service person was honest enough to say there was no code for the driver to say "too busy, can't meet my unrealistic targets".

throwway120385
4 replies
4h30m

At one of my addresses FedEx will happily sell anyone overnight shipping and then just keep the parcel at the depot for a week until they have a driver who can actually make the trip. I have had like 6 very urgent packages delayed like this. Once my wife ordered something perishable and they pulled this then told her she had to drive into town and pick it up at the airport.

I've also been nearly run off the road by FedEx drivers on the highway before. One guy was so angry that I was only going 10 over that he tailgated me within a foot and then punish passed me.

They're also the only service that still corrects my other address to the wrong address. I tried for a whole month to get ahold of anyone there who even knows what address correction is and then just stopped using them for anything important.

They doubled down on "digital" during the pandemic and fired a bunch of CSRs and stuff. It doesn't look like it's working out very well for them.

zdragnar
1 replies
2h55m

Strangely, I've had perishable medicine delivered to me (a biologic injection) for two years without a single hiccup by FedEx. They have been the most consistently reliable delivery service where I live (though the post office is pretty good too). My house is at the bottom of a hill that is difficult for rear wheel drive vehicles in winter.

UPS, on the other hand, can go pound sand. They often refuse to deliver due to weather, then force me to either drive two hours round trip to their distribution center, or charge me to pick it up at the local UPS store.

When FedEx couldn't get their truck to my house due to road conditions, they were totally fine with my picking it up at their store.

gopher_space
0 replies
1h43m

They have been the most consistently reliable delivery service where I live (though the post office is pretty good too).

Every service relies on the USPS to some extent, which makes the Republican attempt to gut the organization so baffling. There's no replacement and nobody is looking to replace it.

From my perspective as an ex letter carrier, your personal experience with package delivery is determined almost entirely by whoever runs the local hub and handles last-mile. Unfortunately it's a McDonald's Assistant Manager kind of role; anyone truly competent will be able to find better work sooner or later.

saintfire
2 replies
1h44m

I'm in the same camp. The single time they actually delivered it to me without saying I wasn't home they had actually delivered it one street over.

I spent 72 hours waiting (3x24 periods they told me to wait and call back tomorrow while they "investigated") for a $1300 package. Initially they said it must have been stolen and its my loss, to which I said "no I was home and near the front door all day, you didn't deliver it". Pretty absurd they can't just look where he was when it was "delivered" and deal with it. Or maybe they can and they just don't bother.

Eventually the person actually called me using my number on the box and said it was delivered there.

Still no recourse from FedEx, whom I have not informed I got the package in the end.

eastbound
1 replies
1h24m

I’d quote this as the best federated peer-to-peer package delivery. Distribute in a nearby city and it will get to its destination eventually. Fortunately, your personal info is written in the clear for everyone to see, and anyone can open the box.

sidewndr46
0 replies
20m

that is called crowd sourcing your last mile of delivery

bongodongobob
1 replies
3h56m

Can I ask where you live? I'm 40 and have never had anything get lost in the mail, ever. Is it a big city thing or something?

biftek
0 replies
1h3m

It really just depends on your local distribution hubs. My semi rural address regularly gets serviced by two different FedEx hubs, if I see it go to X hub I'll get it that day, but if it goes to Y hub it'll most likely be late.

zardo
0 replies
32m

I get a kick out of the mismatch between delivery estimates and tracking information.

They're telling both that my package will be delivered this afternoon, and that it's in a distribution center 3000 miles away.

madaxe_again
0 replies
4h18m

No. They’re 100% useless in my experience, and literally never manage to deliver to me - everything ends up returned to sender. No other courier has this problem.

As for the SMSs - in Portugal, and I’d guess Australia too, they contract all of their local operations out to some random group of muppets who can’t organise their way out of a paper bag - the SMSs they send me come from a mobile number, are handwritten (they seem to literally have someone whose job it is to write messages, on a phone, and send them), as are the emails. When it comes to delivery, i’m inevitably the last delivery of the day as I live way out in the boonies, and they just go “it’s 5pm I’m going home”, and it goes back to the depot. They drive it back and forth for a week before declaring the parcel undeliverable.

These days, if I see someone has shipped something with FedEx, despite my instructions not to, I immediately request a refund, as I know it won’t arrive.

The whole thing beggars belief.

kragen
0 replies
5h0m

"50% success rate delivering packages" is a totally different level of risk from "automated system gives your garage access code to anyone who claims to live there"

i mean in the first case what's at risk is the five-dollar trinket you bought off amazon

jonathanlydall
0 replies
2h49m

They certainly can be quite impressive, I recently had something delivered from China I bought through Alibaba to South Africa, shipping cost less than 5USD and it arrived in about 13 days, 1 day less than the maximum estimate.

In my case I got an email about customs and tax payment which was needed, but the link was clearly to fedex.com.

eropple
19 replies
5h49m

UPS is up there, too. I still get text messages about an old address on an account I can't log into for...reasons. (Special characters sound plausible! And of course the password reset flow doesn't work.)

Wonder if they share a vendor.

ryandrake
17 replies
5h11m

I can’t believe it’s 2024 and we are still seeing bugs with handling “special” characters. Unicode has been here for how long? Robust string handling is supported in every language. There is no such thing as a special character. My name should be able to contain Chinese characters. My password should be able to contain emojis. What is this Stone Age shit still running on companies’ backends?

gjsman-1000
7 replies
5h2m

Most companies don't like rewriting their code. If it ain't broke, don't fix. (Weird password issues don't count as broke.) There's no guarantee, after all, that the rewrite won't have major edge cases and mistakes of its own.

The upper layer might change now and then, to give a veneer of modernity. But just like Windows being built on 90s technology, the stuff underneath could be even more ancient.

ryandrake
6 replies
4h52m

Software that can't accept a % as part of your password is absolutely, positively broken--in any industry or application. In many companies, this would be a P0 "don't go home until it's fixed" production emergency if a bug like this crept in to the software. We need to stop excusing long-standing bugs in horrible legacy software just because they are long-standing.

gjsman-1000
4 replies
4h50m

In many companies, this would be a P0 "don't go home until it's fixed" production emergency if a bug like this crept in to the software.

Would it, really?

P0 would probably be "10% of our customers can't submit an order." Or "20% of our vendors are experiencing 404s."

ryandrake
3 replies
4h32m

If 10% of customers have passwords that now can't log in and submit orders, that would be an emergency.

We're taking OP's word for it that FedEx doesn't allow certain characters as passwords (actually, from the description, it seems more like FedEx only allows specific characters which is even worse). If either of those are true, it is most certainly a defect. Whether FedEx treats that defect as an emergency is up to them I guess. I'm saying many modern companies would.

You originally said "Weird password issues don't count as broke." I think this might just be a case where we have to "agree to disagree".

gjsman-1000
1 replies
4h18m

You originally said "Weird password issues don't count as broke." I think this might just be a case where we have to "agree to disagree".

I meant broke in the sense of "if it ain't broke, don't fix." If there are over 300 microservices running code, connected to mainframes running code that was originally from the 80s, but they occasionally have password issues - the risks caused by trying to fix it might be greater than it's worth.

That doesn't mean FedEx can't do a better job telling people not to use special characters - or detecting if their current password contains them and forces a password change.

krisoft
0 replies
2h44m

If there are over 300 microservices running code, connected to mainframes running code that was originally from the 80s, but they occasionally have password issues

And we ended up where the thread originally began: "FedEx may have the worst and least secure digital platform for a major company."

Besides that is horrible! There should be 1 microservice which deals with passwords, the authentication one. Everything else should just get a token attesting that the user is authenticated (or not).

krisoft
0 replies
2h48m

it seems more like FedEx only allows specific characters which is even worse)

If I read it right it sounds even worse. Fedex allows the characters and then random stuff just breaks.

It is much preferred to get a simple "only english alphabet and numbers please" warning message when you are trying to set the password than not getting any warning and then things breaking.

WorldMaker
0 replies
2h44m

Unfortunately the InfoSec Red Team determined that % in a password could be an attempt at an SQL Injection Attack and the Security Priority is to not fix the current behavior and instead other password checks in the company should also start erroring for % and other such "power characters" used in attacks.

crazygringo
6 replies
4h36m

My password should be able to contain emojis.

It's probably better if it shouldn't. It's generally better to prevent passwords from containing characters that can't be entered on a decent proportion of devices you may encounter.

Emojis are particularly problematic because new ones keep being added which require OS upgrades, and you might find yourself needing to log in from another device that just doesn't support those emojis yet.

Also it's not like Unicode makes everything easy. For example, you have to remember to normalize the password before hashing. Otherwise something as simple as "ñ" may be a totally different byte sequence depending on which device you're using.

grodriguez100
2 replies
3h46m

If a system cannot handle ñ in a password then it is completely broken. We are not talking about the latest emoji here but about a character which is part of one of the most common languages in the world, included in 8859-1 / Latin-1, etc.

It is no longer realistic to pretend that only ASCII exists and try to get away with that.

jerf
1 replies
3h29m

That's not what crazygringo means. ñ can be represented both as a single unicode U+00F1 https://www.compart.com/en/unicode/U+00F1, or as an n with a combining tilde https://www.compart.com/en/unicode/U+0303, which looks like this: ñ.

    Python 3.10.12 (main, Nov 20 2023, 15:14:05) [GCC 11.4.0] on linux
    >>> "\u00f1".encode("utf-8")      # precomposed ñ (U+00F1)
    b'\xc3\xb1'
    >>> "n\u0303".encode("utf-8")     # n followed by combining tilde (U+0303)
    b'n\xcc\x83'
A naive hashing algorithm will hash them to different things.

For way too much information on this, see: https://www.unicode.org/reports/tr15/

Even a lot of Unicode-aware code written by a developer aware of at least some Unicode issues often fails to normalize properly, most likely because they're not even aware it's an issue. Passwords are a case where you need to run a Unicode normalization pass on the password before hashing it, but, unfortunately, if you've already stored the wrong password hash, fixing it is rather difficult. (You have to wait for the correctly-incorrect password to be input, then you can normalize and fix the password entry. This requires the users to input the correctly-incorrect password; if they only input an incorrectly-incorrect password you can't do anything.) I'd suspect storing a lot of unnormalized passwords before learning the hard way this is an issue is the majority case for homegrown password systems. You hear "don't roll your own crypto" and think reaching for a bcrypt or scrypt library solves it, but don't realize that there's some stuff that needs to be done before the call to those things still.
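
Both crazygringo's point about normalizing before hashing and jerf's "wait for the correctly-incorrect password, then fix the entry" migration, as an added example that is not part of either comment. The record layout, the `normalized` flag and the PBKDF2 parameters are choices made for this example, not anything FedEx or a particular library does; in production you would use scrypt or argon2 with tuned parameters.

```python
import hashlib
import hmac
import os
import unicodedata

# Added example, not from the thread: NFC-normalize passwords before hashing,
# and migrate legacy records whose hash was computed over unnormalized bytes.
# PBKDF2-HMAC-SHA256 is used only because it ships with the standard library.

ITERATIONS = 100_000  # example value, not a recommendation


def canonicalize(password: str) -> bytes:
    """Map equivalent Unicode spellings (U+00F1 vs n + U+0303) to one byte string."""
    return unicodedata.normalize("NFC", password).encode("utf-8")


def _hash(pw_bytes: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw_bytes, salt, ITERATIONS)


def make_record(password: str, normalized: bool = True) -> dict:
    """Build a stored credential.

    normalized=False mimics a legacy system that hashed whatever bytes the
    client happened to send, without a normalization pass.
    """
    salt = os.urandom(16)
    pw_bytes = canonicalize(password) if normalized else password.encode("utf-8")
    return {"salt": salt, "hash": _hash(pw_bytes, salt), "normalized": normalized}


def verify(record: dict, attempt: str) -> bool:
    """Check a login attempt; upgrade a legacy record in place when possible.

    1. Try the normalized form first (the only path for fixed records).
    2. For legacy records, also try the raw bytes as typed. If those match,
       this is the "correctly-incorrect" input jerf describes: re-hash the
       normalized form and flip the record to normalized.
    A user who only ever types the other spelling never matches the legacy
    hash, so nothing can be done for them until they reset.
    """
    salt = record["salt"]
    if hmac.compare_digest(_hash(canonicalize(attempt), salt), record["hash"]):
        return True
    if record["normalized"]:
        return False
    if hmac.compare_digest(_hash(attempt.encode("utf-8"), salt), record["hash"]):
        record.update(make_record(attempt, normalized=True))
        return True
    return False


if __name__ == "__main__":
    precomposed = "ma\u00f1ana"   # constructed sample: precomposed ñ
    decomposed = "man\u0303ana"   # constructed sample: n + combining tilde
    legacy = make_record(decomposed, normalized=False)
    print("legacy accepts precomposed:", verify(legacy, precomposed))  # False
    print("legacy accepts decomposed:", verify(legacy, decomposed))    # True, migrates
    print("after migration, precomposed:", verify(legacy, precomposed))  # True
```

The two `compare_digest` calls keep the comparison constant-time; the migration branch only runs for records still flagged as legacy, so once a record has been fixed the raw-bytes path is never consulted again.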

grodriguez100
0 replies
3h22m

Right. I misunderstood the comment. Thanks for clarifying!

WorldMaker
2 replies
2h47m

With built in emoji entry keywords in every modern OS how many devices are left that can't type emoji? Even if you plan to restrict to Unicode Version N - 1 or N - 2 where N is the current version to avoid "user can't type password on older hardware", the proportion of emoji you can reliably type today on just about any device is huge.

crazygringo
1 replies
2h24m

People are still using Windows 7 -- it's the third most popular Windows version after 10 and 11 -- and it only supports Unicode 5.1.

Emoji weren't officially supported until Unicode 6.0, though there are a subset of current emoji (less than a quarter) that work on Windows 7 in practice.

Meanwhile the current standard is 15.1.

There's no security or convenience necessity whatsoever for supporting emoji in passwords, but inconsistent OS support is an excellent reason against it.

WorldMaker
0 replies
1h25m

Windows 7 market share is barely at 3% on the internet per statcounter.com. Third place doesn't mean "popular", especially not right now.

There's quite a bit of convenience, and some concomitant security, to using emoji in passwords. Emoji are high entropy code points that are easily visually distinguishable across most language boundaries. A "short" password of just emoji is going to have way higher entropy and be way harder to brute-force/rainbow table than any equivalent "length" (by visual character count) ASCII-only password. That should go without saying. The fact that the huge boost in entropy also comes with a massive benefit in how quickly a user can glance at their password and know that they typed it in right/wrong, often faster than they could if forced to build a line-noise password, is a huge bonus. (Related to why Windows 10 experimented with Picture Passwords and a lot of Android users use some form or another of Gesture PINs.)

That said, I think the real solution is of course to eliminate passwords altogether (and yes Passkeys are our best hope right now). But saying that we have to stick to ASCII for passwords because that's a lowest common denominator for keyboards is very much like saying that we should stick only to passwords that you can T-9 on flip phones or send in an SMS or that passwords shouldn't really be longer than 8 characters just in case some Unix system needs to use the old DES-based crypt() function or that passwords shouldn't contain quote marks, semicolons, or percentage signs because those might be SQL injection attacks and you might have some PHP apps that are vulnerable to those. You are letting silly technical lowest common denominator bugs stop you from increasing security for the median/mean user.

xenophonf
0 replies
3h53m

I'm in complete agreement about usernames, but if you're at the point where you want to use Unicode in a password, you might as well make the jump to WebAuthn. Going from a UTF-8 input to a normalized bitstream that gets fed into a KDF could be tricky.

kansface
0 replies
2h0m

Companies aren’t rewriting their entire stack or even upgrading across major versions basically ever.

judge2020
0 replies
5h12m

UPS is better in my experience with them always requiring a code sent to me via USPS to verify access to UPS My Choice, except for when I signed up with a new construction address - It also seems to only show me packages with my last name on it, packages with just a company name did not show up.

bastardoperator
4 replies
3h44m

I ordered a computer from Southern California, they shipped it to Texas, Florida, Maine, and then back to Northern California. My last two orders were just stolen from someone at FedEx. They got the shipment, but it never left the facility after that. Customer service is an offshore apology machine that can't help with anything. I used to prefer fedex, but the standard of service is so subpar I go out of my way to avoid them.

zamalek
3 replies
3h41m

I assume you know that you can open a claim? They'll either find your package really fast, or will have to pay its full value. Often the vendor has to initiate the claim. If the vendor doesn't want to open a claim, refund. If the vendor doesn't want to refund, chargeback.

deedub
1 replies
3h6m

Be careful about those chargebacks. I bought two new pixel phones directly from Google and only one arrived. Google support was of course awful and Fedex did absolutely nothing outside of asking me what color the phone was. lol

I ended up reversing charges for the missing phone and Google immediately wrecked me - I was using Fi at the time so they killed my cell service and killed my ability to use Google Pay for anything - including the Play Store. Probably some other stuff I don't even remember. Between my personal account and my business accounts I realized at that moment that Google could completely wreck my life. Be careful about retaliation for a chargeback, if you live within one company's ecosystem it can be a brutal retaliation you're not ready for.

doubloon
0 replies
2h45m

Did you contact the card company about this? Or your bank? Or a lawyer? Just curious. Card company should have someone who works on goog account

CamperBob2
0 replies
2h34m

Only if the package is insured. That's around 1% of the declared value of the package, so many/most vendors don't opt for it.

bsimpson
3 replies
31m

You're reminding me of the time I realized that Schwab (a massive American bank/broker) truncated all passwords to 8 characters.

S201
1 replies
24m

Heh, that's the same company that sends physical mail to me every time I make a trade because they believe that email sent to my personal domain is "undeliverable" and automatically opt me out of e-statements no matter how many times I opt-back in. They have to be losing money on me by paying for so much postage at this point.

(And no, nothing is wrong with my email, it's hosted by a professional email host with the proper MX records and literally only Schwab claims to have this problem with me).

bsimpson
0 replies
19m

My college had a credit union with an ATM in the cafeteria. It was in your interest to keep enough money in the credit union to pay for lunch etc. while you were a student there.

When I graduated, I pulled the money back out. Apparently they issued the final interest payment after I'd emptied the account. For at least a year after that, I got monthly statements informing me that I had an account with less money in it than the postage on the statement.

Enginerrrd
0 replies
10m

Bonus points are given when they handle truncating your password differently in the initial validation vs authentication and it fails silently!

pishpash
2 replies
12m

Much worse than that. I wanted to get some free shipping supplies from FedEx, so I had to sign up for a shipping account. Account could not be created due to password issues on the website, forgot how I got around it but maybe had to use the mobile app which used a different flow.

After getting the account, immediately I get shipping bills for international shipping in the thousands of dollars, both sender and recipient have nothing to do with me. Credit card on file was auto-charged. Removed credit card, started getting thick FedEx bills in physical mail.

It turns out FedEx allows billing to be charged to any account as long as you have their nine-digit account number, so of course scammers do this all the time just generating random numbers. FedEx didn't give a shit, denied my reporting of fraud, allowed more scam shipping even after I reported. Finally I had to initiate chargeback via the credit card issuer and only then did they close the account. But I still get marketing emails that I can no longer turn off. Absolutely not a company anyone should use.

sidewndr46
1 replies
6m

They ask for an ID whenever you use an account number. I have to FedEx stuff to my home address for work. The guy at the counter is always perplexed when I tell him the destination address is the same one as the one on my ID.

pishpash
0 replies
4m

Maybe if you do it in person, but they must have direct shipping flows where nobody checks.

toss1
1 replies
4h25m

Re password reset workflow issues: I had an account at a bank where password reset always failed. I had to go through a VERY convoluted process with customer website support to get it fixed. It turned out that the problem was that my registered email address was just two characters (my initials) to the left of the "@", e.g., ab@mydomain.com. They allowed me to enter and use it throughout the system without any error flagging whatsoever, but it completely broke the password system. They claim to have raised it as a bug, but never fixed in 3 years+ (moving away from them now).

robocat
0 replies
46m

After 50 years of software crud, eventually a civilisation ending bug occurs and it can't be fixed (like how Telstra couldn't fix their phone system because the phone system was down). That's why we are all alone in the universe. Enjoy life while civilisation still works!

TuringNYC
1 replies
5h13m

My favorite was when they put my well-marked mail-order medicine right at the exit of the roof gutter pipe, instead of the front door. Sometimes it feels like the workers want to purposely cause chaos.

callalex
0 replies
1h40m

One part workers, 3 parts horrible management setting impossible metrics and bad incentives.

sidewndr46
0 replies
22m

I've had FedEx hand packages to other couriers who promptly lost them never to be seen again. When I contact them they said this counts as delivering the package.

I no longer use FedEx for any shipment that I need to have arrive.

orangevelcro
0 replies
5h38m

I wonder if that's why I can't change my password with petco - every time I shop there they tell me I have rewards but I can't load them because the site errors out when I try to reset my password.

I used to be able to load the rewards to my account without logging in at all, just clicked the link in my email, but I guess they fixed that and then I realized I didn't know my password.

nonameiguess
0 replies
5h31m

I'd put Spectrum up against them. A few years back, an incoming neighbor typoed their address in a new account setup request to my address and Spectrum very helpfully inferred that the previous resident would want their account terminated and they turned off my service. Apparently, you can DOS any person on the planet you want from the entire Internet by simply knowing their address.

genman
0 replies
5h29m

Maybe, but UPS is close to it. They for example are sending out emails that request users to log into their account to "avoid losing their profile". If this is not ripe for phishing then I don't know what will be.

delfinom
0 replies
4h6m

It's fine.

At least they don't automatically lowercase and truncate your password behind the scenes like AMEX. Lol.

Kwpolska
27 replies
8h57m

There's an EU law demanding such documents to be delivered on a "durable medium". Some banks and financial institutions may have a strange approach to those, even though email attachments seem to be enough for others.

yau8edq12i
26 replies
8h51m

I've never heard of this "EU law". Which one are you talking about? I live in the EU and my bank pretty much only contacts me through email.

actionfromafar
11 replies
8h33m

For some things, you must use paper (or as it turns out, USB).

Why the bank decided to use USB for this purpose, instead of paper, is very strange.

TeMPOraL
4 replies
8h9m

Here in Poland, I've already had several banks and at least one insurer send me CD-ROMs. Never heard of anyone sending USB sticks before, but I'm not surprised. The problem is, approximately no one owns a CD/DVD reader anymore, and there are no modern read-only physical media. With SD cards also going the way of the floppy, USB stick is just about the only medium you can hope most customers have means to read.

actionfromafar
3 replies
7h6m

SD cards are really neat. Theoretically they could have been made with a fixed notch so they would always present as read-only.

TeMPOraL
1 replies
3h53m

AFAIK notch is just declaration of intent, like with floppies and magnetic tapes - it's politely asking the reading device to not write to the medium, and it's up to the device to respect it (or up to user to not bridge the notch with a piece of tape).

Still, actual write-once (or read/write until hardware fuse is triggered, read-only afterwards) SD cards should be possible to make.

vel0city
0 replies
3h16m

It depends on the card. Sometimes it is just a suggestion to the firmware, sometimes it physically prevents writes.

I've definitely encountered read-only SD cards for which I couldn't figure out a way to set them back to RW mode.

01HNNWZ0MV43FF
0 replies
4h22m

Since SD cards and USB sticks are both just computers you plug in to a network port on your computer, they could definitely make write-once SD card controllers.

Denvercoder9
3 replies
6h37m

For some things, you must use paper

Do you have a source backing that up?

Aside from the local tax collector, which insists on snailmailing me a copy of all correspondence even though they also sent everything to me digitally, I can't even remember the last time I received any documents on paper, and I'm in the EU.

oittaa
0 replies
4h20m

From your link

"A PDF can therefore meet the definition of a durable medium."

Denvercoder9
0 replies
34m

Neither of those sources back up your claim that paper (or a USB drive, for that matter) is required in certain cases. The court case cited in your second link even lays out the conditions under which a website can be considered to satisfy the requirements.

yau8edq12i
0 replies
5h36m

I'm asking for a source. You're just reformulating the statement I'm asking for a source for.

Symbiote
0 replies
8h8m

Danish institutions (including banks) seem fine with PDFs.

I think that's shown by the post statistics: around 25 letters received per resident, per year.

I can't remember the last letter I received which only contained papers.

ar0
4 replies
8h35m

I do not read this court decision like that at all: the point of contention there seems to be that the customer was just sent a link to a webpage (where the contractual terms can be changed from under him at will by the company, thus this not being durable). The court makes it pretty clear in my (non-lawyer) opinion that attaching a PDF to the email would have been fine.

actionfromafar
3 replies
8h29m

I was prepared to disagree with you, but I now have the same interpretation you have. A durable medium can be email - but the example seems a little fuzzy, for instance a durable medium is definitely when the email is stored on a HDD on a customer device. But is it still a durable medium if the email only exists in a webmail? Probably yes, but maybe no. So the conservative approach would be to send paper for some things. (Or in this case, stupidly, USB devices. Banks, don't do that, please.)

Ramble Edit: it's unfortunate IMHO that there is no "read only" medium anymore. Not sure what it would look like now when USB-C is taking over the world, and that ship probably sailed, but it would be really cool and useful to have the option of a "data only" USB.

Maybe computers could have one USB port marked as "ROM". Or a switch or LED symbol indicating "ROM safe" mode.

When using such a ROM port, anything USB inserted there would only look like a DVD reader. A USB drive would get its files "mirrored" into a virtual ISO filesystem. Any other devices, such as keyboards etc would be just ignored and not connected to at all.

jimktrains2
1 replies
7h22m

That doesn't fix the issue though. The issue is a killer USB or a virus on the disk. Being able to only read an infected file still allows it to be read.

Also, this is only a software solution as the USB protocol would require bidirectional transmission.

actionfromafar
0 replies
7h8m

It doesn't fix the issue vs paper.

But it would bring us back to being as safe as a CD or diskette was.

I was thinking a special chip, talking bidirectionally both ways, pretending to be a PC host to the USB drive, and pretending to be a DVD-ROM to the actual PC.

dfox
0 replies
7h6m

Most USB flash controllers support being read-only by either just being read-only or emulating an optical drive. Obviously for the WORM use case this is only a software solution inside the controller configuration as the underlying medium is still writable/erasable flash. In theory one could replace the flash with some kind of mask ROM with a NAND-like interface and make it truly read only, but the cost makes that impractical for most applications.

Then there are LTO tapes that have WORM version, which is notionally not overwritable, but that is IIRC also only enforced by software (of the drive).

yau8edq12i
0 replies
5h36m

Putting aside the fact that the conclusion of this text is not at all what GP said... You do realize that this is not a law, not even a court decision, but that it is a prosecutor's opinion / suggestion to the court??

yau8edq12i
1 replies
5h34m

Putting aside the fact that the conclusion of this text is not at all what GP said... You do realize that this is not a law, not even a court decision, but that it is a prosecutor's opinion / suggestion to the court??

Yes, if two people are going to answer with the exact same link and nothing else, I'm going to answer both with the exact same comment.

Kwpolska
0 replies
43m

It is a court decision. Citing the actual law and context for it.

verticalscaler
0 replies
8h31m

Haha, nice try!

pornel
0 replies
7h58m

It defers to a repealed 97/7/EC, replaced by 2011/83/EU:

Durable media should enable the consumer to store the information for as long as it is necessary for him to protect his interests stemming from his relationship with the trader. Such media should include in particular paper, USB sticks, CD-ROMs, DVDs, memory cards or the hard disks of computers as well as e-mails.

USB sticks are on the list, but so is paper and e-mail. This USB stick could have been an e-mail.

drooopy
0 replies
8h4m

Likewise. I have multiple accounts across different EU/Eurozone states and with the exception of the original contracts that I've had to sign to open said accounts, I've never had to deal with anything other than e-mail or in-app communication.

tux3
12 replies
8h58m

I will simply refuse to believe this is real. As a psychological defense mechanism.

What the hell.

cesarb
7 replies
7h24m

And even if you do have a CD drive in your computer, the risk is still lower than a USB stick. A CD contains only data, it cannot do things like emulating a keyboard. The worst it can do is shatter when your high-speed DVD-ripping drive spins it up a bit too fast.

kibwen
3 replies
6h47m

CD drives may not be able to emulate a keyboard, but they can certainly install software. You might not click on any system popups that appear after inserting a malicious CD, but the sort of people who plug in random USB sticks likely wouldn't bat an eye.

"The Sony BMG CD copy protection scandal concerns the copy protection measures included by Sony BMG on compact discs in 2005. When inserted into a computer, the CDs installed one of two pieces of software that provided a form of digital rights management (DRM) by modifying the operating system to interfere with CD copying. Neither program could easily be uninstalled, and they created vulnerabilities that were exploited by unrelated malware. One of the programs would install and "phone home" with reports on the user's private listening habits, even if the user refused its end-user license agreement (EULA), while the other was not mentioned in the EULA at all. Both programs contained code from several pieces of copylefted free software in an apparent infringement of copyright, and configured the operating system to hide the software's existence, leading to both programs being classified as rootkits."

https://en.m.wikipedia.org/wiki/Sony_BMG_copy_protection_roo...

extraduder_ire
2 replies
6h21m

I think windows has moved away from executing autorun exes from discs by default a few versions ago. But back in the day it would prompt you what to do when you insert a USB storage drive, and just run whatever's set as the autorun if it's on a disc.

The common way to get USB malware to install automatically in those days was to modify the USB drive to appear as a virtual disc drive, which worked.

Fanmade
1 replies
5h8m

I am currently sitting at my gaming PC, which does have a Blu Ray drive. I use it about one or two times a year. Just today I threw in a CD with the driver of my newly installed tp-link AXE5400 (WiFi PCIe adapter), because it wasn't detected on my PC and I didn't have internet without Wi-Fi. I immediately got a prompt if I want to run the "autorun.exe" on the disc. So that is still there (Windows 22635.3209, Windows-Insider Beta Channel).

vel0city
0 replies
3h20m

But back in the day, popping the disk in the drive would have just executed the autorun without even prompting you. Put the disk in the drive, suddenly new application running on your box as you (and generally, back in the day, as local admin). Not even a chance to say no.

malfist
1 replies
4h23m

A USB stick only contains data too.

yjftsjthsd-h
0 replies
3h59m

No, that's specifically the problem - that's not necessarily true. You're talking about a small plastic box that contains a USB port and some electronics. You have absolutely no way of telling what those electronics will expose to the USB port. It's possible that they only expose some persistent storage, true, but it's equally possible that they expose an emulated keyboard, or just the good old https://en.wikipedia.org/wiki/USB_killer

lifestyleguru
1 replies
8h44m

The CD contains PDF with scanned terms and conditions?

paulmd
0 replies
8h6m

Since nobody has cd drives anymore, I don’t think it functionally needs to? You could save on shipping costs by just mailing blank disks instead, plus hey free disks! It’s like aol all over again.

NegativeK
0 replies
2h9m

There's a reason why infosec is hard and why there's a hiring shortage.

lifestyleguru
7 replies
8h45m

Some German banks created paid storage service with multiple plans available. They are required to deliver documents to their customers but managements have massive brainfuck about the requirement and the most absurd solutions and ideas are being sold to them.

k8sToGo
6 replies
8h28m

My bank offers that and I use it to store backups of important files.

lifestyleguru
5 replies
8h19m

What makes bank a relevant or suitable service provider to store my "important files"? To store any files whatsoever other than those they're obliged to deliver to me?! "upload your testament, passport, and id documents here, you can trust us we are A BANK".

hayyyyydos
4 replies
7h40m

It's the electronic version of a safe deposit box

OJFord
2 replies
7h30m

I can understand that marketing message making sense and appealing to.. some people; I am surprised to see it on HN though.

This is like buying vegetable & olive oils from BP or Shell because they're oil experts looking for new income streams as we shift away from petroleum.

lifestyleguru
0 replies
6h3m

When shit hits the fan the bank will be like: "The storage was actually a service we nearshored to Romania and Belarus. Part of your stuff is lost, part of it had leaked. We can offer insurance lump sum of €3.64 for your loss. You consented to all the risks on the page 475 of T&C which we sent by post".

jimktrains2
0 replies
7h16m

Without knowing the details, one difference from your hypothetical could be ease of access to 3rd parties, especially after death.

PKop
0 replies
4h17m

Perhaps this was the point of your comparison, but it's funny because "safe" deposit boxes aren't safe[0]

https://archive.is/63xoB

Aldipower
4 replies
8h22m

Man, this is just a marketing gimmick. I am always short on USB sticks. So, could have gotten another one.. How about a little bit more of humor?

romwell
3 replies
8h14m

If you give me your mailing address, I'll arrange it that the bank will mail you one, too.

Just be sure to use the included NOTVIRUS.EXE viewer for best experience.

Aldipower
1 replies
2h41m

In your fantasies. It is of course in the responsibility of the bank to check if this is virus free. I am using Linux anyway.. No autorun.exe here. Is this still a thing with Windows?

NegativeK
0 replies
2h11m

The problem isn't the bank verifying that the USB stick is clean; the problem is that the bank is distributing info in the exact same way that APTs would try to compromise an important target.

Hyperbole, but it's like a bank employee calling you from an unknown number and asking for your email password so they can make sure their communications about your mortgage application don't go to the spam folder.

marcosdumay
0 replies
5h52m

Just set it to autorun. I'm sure anybody you mail it to will just confirm running it without even looking at what they are doing.

vgalin
0 replies
8h10m

(translation provided by ChatGPT)

Terms and Conditions, Price and Service List, Conditions.

Dear customer,

our price and service list, our terms and conditions, as well as further conditions which will come into effect on May 1, 2024, can be found on the USB stick.

With kind regards,

The Sparkasse Bremen AG

praptak
0 replies
8h20m

German IT is weird, German bank IT doubly so.

jowea
0 replies
8h29m

Hey at least it's 100% safe from a hacker who has broken SSL/TLS altering the terms and conditions on the wire.

grishka
0 replies
6h26m

At least you get a free USB stick!

em-bee
0 replies
8h34m

i love this comment:

"I work as an (external) CyberCyberCyber nose in an organization somewhere in the Sparkassen-group. I can assure you that no one who is involved even the slightest with infosec at the bank has heard anything about this marketing idea."

bell-cot
15 replies
9h30m

Suggest Law: If a company's electronic notification to you is so phishy that a "reasonable man" would have obvious cause to doubt its legitimacy, then all financial and legal consequences of ignoring it are on the sender.

Edit: "sender" here refers to the sender of the electronic notification.

dijit
5 replies
9h26m

Any time the law sets things like "reasonable" it's a quagmire.

For every utterance of "reasonable" in law you can be sure over $1B of lawyer fees have been (or will be) spent.

tialaramex
2 replies
7h22m

You can spend as much lawyer money as you want on arguing whatever nonsense you want; reasonableness is a common standard, so sure, people will have spent lots of money pointlessly arguing about it, but that's not a problem with reasonableness.

MichaelZuo
1 replies
6h8m

Sometimes the arguers win and set a new precedent... so it definitely creates a new problem with everyone who subsequently encounters the issue.

tialaramex
0 replies
3h1m

Sure, I'm certainly not going to pretend this is perfect, but it seems to be working basically fine and I don't see "reasonableness" - which actually avoids a lot of wrangling - as a problem.

Compare Legal Tender against an ordinary Reasonableness test. Legal Tender says that I only have to accept payment of your debt in specific forms (the "Legal Tender") and I can refuse to accept other payment.

So maybe our currency is Doodads, the Legal Tender law specifies that the 10 and 50 Doodad Coins shall be Legal Tender, and you owe me 15000 Doodads. You try to pay by card, I refuse. You try to write a cheque, I refuse. You try to pay with 150 of the 100 Doodad Coins, but again I refuse. Eventually I take you to court and... I win?! You did not pay your debt in the required Legal Tender.

With Reasonableness the court might buy that it was OK to refuse to accept the card (maybe I don't have a merchant account) and maybe even the cheque too (but already by then I expect a judge to have a lot of questions about how I thought you would pay and I'd better have a really good answer) but the 100 Doodad Coins are clearly money, with Reasonableness as our standard it's obvious that I lose my case, there's no need to write a law saying "Yeah duh, the 100 Doodad Coin is money" because a reasonable person can see that.

bell-cot
0 replies
8h59m

True, to a degree. But let's imagine that (1) FedEx felt that profits were more desirable than legal expenses, and (2) FedEx had some power over the sending and contents of the notifications. Might FedEx decide to start following well-regarded standards for writing and sending legit-looking electronic notifications? And iterate from there, as an ongoing strategy?

Repulsion9513
0 replies
8h39m

I think the answer here is "don't do things that are borderline (un)reasonable"

brntn
4 replies
9h27m

In this case the consequence is that the Australian government agency collecting the import tax doesn't get paid. Which means that they don't release the package to FedEx, and that you don't get your package.

FedEx needs to do a better job with these notifications. At the very least they need to hire a copywriter.

Hamuko
3 replies
9h8m

Our local FedEx once asked me for my details so they could be able to declare my package to the customs and in the SMS message they said that "The sender is paying all declaration fees." I sent them my info and got my package.

Then about five months later, I got a bill from FedEx for import fees, tax and service charges. Had to fight with FedEx for some time about it but eventually they agreed to void the bill. At this point in time, I have no idea if I paid the taxes when I bought the stuff, if FedEx paid them out of pocket or if the sender paid them out of pocket.

actionfromafar
2 replies
8h16m

There are more possible realities. You listed the first 3. There are more options, at least these:

4. You paid the taxes when you bought the stuff. Fedex wants the taxes anyways. They would have kept your extra taxes for themselves in the end.

5. You paid the taxes when you bought the stuff. Fedex wants the taxes anyways. They would have paid the extra taxes. The government kept them because, hey, they trust Fedex.

6. You paid the taxes when you bought the stuff. Fedex wants the taxes anyways. They would have paid the extra taxes. The government kept them but eventually returned them, because some kind of accounting kicked in.

7. You didn't pay the taxes when you bought the stuff. The sender didn't either. Fedex informs the sender and you. Fedex pays out of pocket. The sender pays out of pocket.

Could have happened if you paid:

8. You didn't pay the taxes when you bought the stuff. The sender didn't either. Fedex informs the sender and you. Fedex pays out of pocket. The sender pays out of pocket. You pay out of pocket. Fedex keeps twice the taxes in the end.

9. You didn't pay the taxes when you bought the stuff. The sender didn't either. Fedex informs the sender and you. Fedex pays out of pocket. The sender pays out of pocket. You pay out of pocket. The fed. government keeps triple the taxes.

And many variations I can't think of right now.

Hamuko
1 replies
7h32m

I mean, either I paid the taxes when I bought the stuff, or I didn't. There's no reality where I "didn't pay the taxes when [I] bought the stuff" and also I "pay out of pocket", since I have not paid anything after placing the order. I guess there's also the possibility that I paid for the taxes but the seller ended up pocketing them, with FedEx footing the bill.

actionfromafar
0 replies
7h10m

Sorry, I was unclear.

I mean in the general case - how much does FedEx win or lose from problems like this?

If they win, do they exploit it, by design or incompetence?

j16sdiz
1 replies
7h52m

The management will overreact by implementing 100-factor authentication, requiring 30 letter password with mandatory Unicode symbols

bell-cot
0 replies
7h6m

A bunch of extra authentication factors and a password sure sounds like phishing for sensitive PII to me.

matsemann
0 replies
8h37m

I almost got in some trouble because of that. A "bank" I wasn't a customer of kept sending me messages about "urgent, answer this form with your personal details or we will lock your account". Seemed quite scammy to me.

Then I later got a physical letter in the mail about the same, and then I called the bank. Apparently I had some account there holding some pension stuff from a previous employer. Shrugs.

consp
0 replies
9h21m

then all financial and legal consequences of ignoring it are on the sender.

They are, since non-compliance will either result in destruction of the package or sending it back (differs a bit per country and type of goods).

It's a bit sad there are no easy ways to prepay taxes and it's hit or miss if you get checked. I'm glad the EU figured it out and have almost no weird surprises any more, except from the Uniteds (states and kingdom).

Rudism
14 replies
5h17m

A while ago my wife applied for a home equity loan. At some point I got a call from someone claiming to be from the bank she had applied through (I forget which one), calling to make sure I approved the loan since the home is in both our names. He asked for my name, which I gave him, and then the last four digits of my social security number, which I also gave him. He then proceeded to ask for my full social security number, at which point alarms started going off in my head and I started sweating about even giving the last four digits to a stranger who had called me out of the blue. I told him I wouldn't do that, and was there a number on the bank's website I could call in order to get back to him, in order to verify that he actually worked for the bank. The guy started acting really annoyed, and said he didn't think there was any number on the bank's website that could reach him, and that if I didn't give him my full social security number he would be forced to reject the loan application. I told him I didn't feel comfortable giving that information to someone who had phoned me, and if there was no way for me to call him back through an official bank phone number then the call was over. He hung up angrily.

Turns out he actually was from the bank and he did cancel the loan application.

lucb1e
1 replies
3h1m

Terms of service from my bank say you're not allowed to give your PIN or secrets like one-time passwords (called "TAN" here) to third parties, not even the bank employees themselves.

But when I contacted them about a phishing practice, it was A-OK because it was a "legitimate" website that phished your credentials to view the last 180 days of transaction histories, compute a credit score, and then withdraw the money. They would "look into the situation and see if a better solution could be found" with this german company...

I don't understand how anyone is okay with this but klara or klarna or something is a pretty popular payment provider in germany as far as I know, but so my experience is now that banks like to change their security-relevant terms one-sided. But it's your fault if you give out secrets to the wrong person of course, not like the bank was going to care if your social security number had gone to a scammer for example

d_k_f
0 replies
2h35m

I've implemented the bank account checking flow for a German client in a purely B2B setting, and this is essentially based on the PSD2 directive, which requires all/some/most (not entirely sure) banks to provide exactly this functionality (google keywords "PSD2" and "XS2A"). The bank's T&C should reflect this ... somewhere.

The main protection to you not getting scammed out of money this way is in the kind of TAN used for this process. It should/must only allow read access to your account, and at least one of my banks very clearly shows this in the 2fa approval app. Technically, checking your account history and then deducting money will (hopefully) have been two different processes.

The moral/ethical implications of requesting (up to) 365 days of full bank transaction details and being allowed to store this information is a whole different animal, though, and I'm glad I haven't had to do this myself yet.

kccqzy
1 replies
2h36m

This is just an extremely incompetent and rude loan officer. Generally the loan officers are motivated to close the deal and write you a check because they get commission from that. They are nice to their customers because pissing off customers won't get them that sweet commission. The loan officer I last talked to managed to close more than $1B of mortgages in a year and he's the nicest guy on the phone. In your case, they could for example let you email them using their official bank email address, or use the bank's own web app or messaging system.

lifeisstillgood
0 replies
31m

Wait what? 1B in mortgages per year, even at a nice fat 500k per is what 2,000 closures or something like 10 per day every day.

It’s not impossible but, wow, that’s grinding it out day after day.

bastawhiz
1 replies
3h14m

I'd have read him the riot act on the phone. My bank has big warning banners on virtually every page of the site warning me to be careful of scammers. Someone calling me on the phone and asking for my TIN? Yeah, I don't think so.

krisoft
0 replies
2h38m

I'd have read him the riot act on the phone.

No point. If he is a scammer he has a thick skin. If he is working for the bank this is either a training or a policy issue.

Just refuse politely and report to the bank. (preferably to some security channel if there is one.)

userabchn
0 replies
1h51m

A bank called me to ask me security questions. I said that I would call back using the number on the bank's website. They said (and the bank confirmed when I did call the number) that there is no way to be transferred to the security question people when I call the bank - the only way is for them to call me. I explained that that was poor security practice. They said that I should just look at the caller ID to see that it was the bank calling. It was useless trying to tell them about caller ID spoofing.

sf_rob
0 replies
1h48m

This method of data exfiltration is in Kevin Mitnick's book! He needed a daily pin that banks used to validate intra-bank communications. He called a bank, said that he needed to fax over loan forms from another branch for signing later that day (or something like that). He then asked the bank that he called for the daily PIN. They refused because he called them. He pointed out that he was sending sensitive data to them so they needed to provide the pin... and they did.

mooreds
0 replies
29m

Turns out he actually was from the bank and he did cancel the loan application.

Plot twist! Didn't see that coming.

Seems bizarre to me that this would happen, but reading sibling comments just keeps having me shake my head in dismay.

cogman10
0 replies
6m

Shout out to my car insurance, Amica. They called me because they needed some account information updated/clarified. Before we started doing anything I told them "Hey, not to be rude but could I call you with the number on your website? I'm paranoid about scamming and that's safer" They said "Absolutely, that actually makes a lot of sense". So, I called back and we got everything done.

The issue, I think, is the larger the company is the more incentivized it is to hide away access to its internal employees. If you can call a department directly you can start phishing between multiple employees pretty quickly. Locking that down and putting a horrible automated system in place makes that harder to do.

calfuris
0 replies
2h38m

PSA: If you are of a certain age, the last four digits might be roughly all of the useful entropy in your SSN. Be careful with them. Before 2011, the first three digits indicated the office that issued the number and the middle two (the "group number") were used in a publicly-known sequence. The Social Security Administration helpfully published periodic lists of the highest group number reached by each office. This makes it extremely easy to predict the first five numbers for people who were registered at birth, which became quite common in 1986 when tax laws changed to require children's SSNs to claim the associated tax credit.

belthesar
0 replies
3h12m

Any bank where this is the standard operating procedure for interacting with loan applications is not a bank that I'd want to do business with. Perhaps this was just one loan officer's way of doing things, and not the way of the business, but that's just not okay to me.

Any time anyone asks me for any part of my social over the phone, I ask for some other method of verification. Most folks have other ways of doing stuff. It's ridiculous that what should purely be an ID number is so powerful, but I can't change that fact, just how I interact with folks with regards to it.

WorldMaker
0 replies
2h29m

He asked for my name, which I gave him, and then the last four digits of my social security number, which I also gave him. He then proceeded to ask for my full social security number, at which point alarms started going off in my head and I started sweating about even giving the last four digits to a stranger who had called me out of the blue.

I'm super paranoid about even the last four. The first five digits of an SSN were algorithmic for most of US history, and still mostly are but a tiny bit more random entropy, and can be narrowed down with mostly only the city in which you were born and what year. You can often use basic k-means clustering to find it even without that information. More often than not entire families share the first five (or close to it) and you only need to phish one family member to k-means cluster the five digits for the rest.

The last four are more often than not the most significant digits in terms of identification and entropy. Masking the rest is almost silly for most Americans. Our masking schemes have actually made phishing easier because people feel safer sharing just the last four, when for most those are the only four that matter.

SSN was never intended to be a secret so its design is horrifyingly bad for something that has come to be a huge secret in banking and healthcare and so many other industries. Recent SSN changes have made it a little better for anyone born after roughly 2010, increasing somewhat the entropy in the first five, but the rest of us have problems that we can't solve easily and banks should be ashamed they helped lead us to these problems.

Kirby64
0 replies
1h37m

Similar story, I transferred a decent amount of money from one bank account to another (different bank). I thought nothing of it, but I got a call randomly from what appeared to be the receiving bank's 'fraud' phone number (based on Google). I picked up, and the person on the end had an extremely thick accent similar to scam callers. He started asking me if I had made a transaction recently (I said yes), then asked me to confirm this transaction if I would provide additional information about myself, including home address and social... I refused, and was told if I didn't my bank account would get locked!

Sure enough... I had to go down to the local branch to get my account unlocked, as well as prove the amount of money I was transferring was... available in the other account? Absolutely ridiculous. I don't even know what sort of fraud they were trying to prevent, as this wasn't a new bank account and I'd made transfers between them before.

tomashubelbauer
10 replies
9h25m

I know this comes down to institutional incompetency, but at some point there was a singular human person putting the template content the SMS message in question was generated from into some computer system somewhere and I genuinely wonder what was going on in their head that made them string the words together in this way. You'd have to give it a true, earnest shot to make it worse.

sverhagen
4 replies
9h12m

"The words" are probably nested templates so that at the level of input it's hard to really understand what the completed end result looks like. Also, there are many well-intentioned people in tech doing stuff that's just a tiny bit too complex for them to execute by themselves without a buddy or a reviewer. There are also whole teams and departments at big enterprises where someone might not be doing it alone, and they might also not be completely incompetent, making them the star engineer on the team, while everyone else wisely keeps their mouths shut since they surely don't have anything to contribute to the process. All the really good people that worked there were snatched up by some fancy, greenfield project, on another floor, or got a position on some elite "refactoring team", surely not wasting their time on updating templates.

MichaelZuo
3 replies
6h11m

Someone, a single concrete specific individual, must actually sign off on it and/or authorize it with the SMS service provider.

andrewaylett
2 replies
5h29m

Not everywhere requires bulk SMS to use an authorised template.

MichaelZuo
1 replies
5h1m

Everywhere that I know of requires a real, specific, individual to sign off on the purchase order, charge it to their card, send the bill to accounts payables, etc...

malfist
0 replies
1h12m

That's not what GP was saying?

Whether or not the provider makes the customer pay with a credit card has no impact on whether the provider requires templated SMS messages.

yura
2 replies
8h15m

Some say scammers are very smart, and that they deliberately use every trick in the book to tap into our psychological weaknesses and make us act irrationally. But I have the feeling that, 90% of the time, scammers are just told to write an "official-sounding" message – which is the same thing that the hypothetical human who wrote this template was trying to do: that's why the result is so similar. No doubt the use of the word "urgent", or capitalizing the words "Duty" and "Taxes", come from this attempt at making the message sound more formal and official, from someone who is definitely not a skilled writer.

notahacker
1 replies
7h23m

Yep. It's a bit like the theory that scammers mention they're from Nigeria because they're ingeniously weeding out all the people who've heard of the scam before, and not because they need an excuse for people to send money to Nigeria (and with their culture and education level the ALLCAPS and religious references look very official and honest indeed), and if the cost of that is that 99.99% of their emails don't get delivered due to automatic filters protecting even the most gullible of recipients, well that's probably not something they've given much thought to.

chuckadams
0 replies
3h55m

I've read one interview with a scammer who mentioned that the initial pitch is deliberately written that way to screen for gullible people, and I've read extended email exchanges with Nigerian scammers where their broken English becomes flawless after the initial reply. 419eater.com was a treasure.

These days though, like most scams the 419 scams have been taken over by organized crime and worse. The average Nigerian scammer nowadays is probably doing it because Boko Haram will kill their family if they don't.

nonrandomstring
0 replies
8h48m

I know this comes down to institutional incompetency

"Incompetency" is an interesting word.

The old maxim about incompetence versus malice suggests a binary choice.

I prefer the more nuanced take that there is a spectrum of positions between the two, and other dimensions that describe a cluster of intents, both conscious and unconscious.

Take the UK Post Office scandal where we see incompetence layered on top of malice, layered on top of incompetence. In some organisations obviously deliberately harmful positions are written into "policy". Often this comes under "PR" [fn:1]. More and more "AI" will be used to disguise malintent and deflect scrutiny.

In the final episode of the ITV dramatisation [0], Alan Bates (played by Toby Jones) delivers an absolutely shocking, knock-down line. When talking about incompetence and evil he says: "They're the same thing." At some point there is no difference between incompetence and evil. For a deeper psychological discussion of that listen here [1].

[0] https://en.wikipedia.org/wiki/Mr_Bates_vs_The_Post_Office

[1] https://cybershow.uk/episodes.php?id=23 (from 39:20)

[fn:1] Edward Bernays' seminal definition of public relations outlines a creed of deception, manipulation and disinformation which is antithetical to security [2].

[2] https://en.wikipedia.org/wiki/Public_Relations_(book)

MattGaiser
0 replies
9h16m

You assume it is a singular person.

Could easily be one person writing the message. Another who demanded partial edits in a Jira ticket. But then the data types didn't match up with what the writer requested and then the dev didn't want to deal with it and just shipped it.

Or it could be that the message is made with a bunch of disjointed and constructed if statements and only the final output is piped to the customer. I have seen some very terrible log messages like that as nobody is looking at the entire message, just the little bit in the conditional they are editing at that point.

As an anecdote, I once worked on code that generated these very detailed error messages about why something went wrong. I discovered most never made it to the customer as someone later down the line reassigned a variable rather than +=. Piles of support tickets could have been avoided.

fma
10 replies
9h27m

Maybe it's just the human brain being bad at perception, but I feel like there's some system compromised and info is leaked so scammers know when you are expecting a package, because FedEx/USPS spam text increases.

MattGaiser
9 replies
9h22m

But in a modern day and age, when aren’t you expecting a package?

Nearly 100% of the time, I am expecting a notification from Canada Post or Amazon (FedEx less frequently, but still).

Even outside of that, you can often predict when people are expecting a package. Christmas. After various sales weeks.

latexr
5 replies
9h7m

But in a modern day and age, when aren’t you expecting a package?

When you’re not constantly buying things online. Most people in the world aren’t expecting packages “nearly 100% of the time”.

the_snooze
0 replies
8h36m

These scammers probably aren't targeting specific individuals. They blast these messages out to a bunch of randos, and odds are very high that at least some of those are expecting packages just by chance. The marginal cost of an added message is tiny compared to the reward of one successful scam.

resolutebat
0 replies
8h27m

In Australia, if you buy something off AliExpress and use the budget shipping option, it will take anywhere from one week to two months to arrive. Shop there a couple of items a year and you're always expecting something.

What annoys me is that even the legit SMS notifications contain nothing identifiable about the package or sender, it's always "Your shipment #QWERTYUIOP is arriving by UnrelatedCourier between 1 AM and 11 PM today".

joseda-hg
0 replies
7h6m

If you buy stuff with long delivery estimates, you might very well be, even with relatively low numbers: electronics from China, custom commissions or things with waitlists.

Some of those can have over a month between purchase and reception, and might be shipped at arbitrary dates after purchase.

I'm not that big of an online shopper, but there are certainly people that are.

Denvercoder9
0 replies
6h21m

Maybe not in the world, but in my country (the Netherlands) in 2022 (last available data) there were 473 million packages sent to 8.3 million households, which works out to a bit more than one package per household per week.

Biganon
0 replies
5h16m

Yeah, I feel like I'm taking crazy pills here

Do these people need to buy shit constantly? I order maybe 5 packages a year, max

distances
0 replies
2h56m

What are you buying constantly? Apart from food and hygiene items, I mostly shop online. I feel I do order too much already, but the parcels are one every 1-2 months. Any more than that and the apartment would start filling up, I imagine.

cesarb
0 replies
7h14m

But in a modern day and age, when aren’t you expecting a package?

Some people still prefer to buy most things directly in physical stores. For me, it would be easier to list the few times when I am expecting a package. And even then, I'm expecting the package, not some random message about it; it usually arrives without any notification at all (and the tracking on the site is usually delayed).

caddemon
0 replies
7h1m

I would be curious if FedEx specifically has some sort of leak though, it's super anecdotal but I seem to get more FedEx phishing attempts when I'm expecting a FedEx package.

You're right though that there are other mechanisms for this, it was around the holidays when this happened most recently. Plus humans tend to remember salient things and I probably more easily forget the ones that come when I'm expecting nothing.

Anyway, if their systems were better it would be easier to avoid scams without stress. I've never had to rely on external info for Amazon and it's true I'm often expecting something from them.

chb
8 replies
9h22m

Not that I’m endorsing the use of smart phones, but FedEx does have a mobile application. Why not just use that for notifications regarding deliveries?

genman
4 replies
9h1m

You mean everyone should install a piece of software from a company that appears to be ignorant about security?

dotancohen
3 replies
8h7m

And buy a very expensive tracking device with frequent security issues?

I am lucky to live in a country in which a large religious population eschews the smartphone, so saying "I don't have one" is acceptable and common here. But I have colleagues who tell me that they are expected to have a smartphone from everything to banks to government services to simple small restaurants.

risfriend
0 replies
7h37m

And where is this?

nonrandomstring
0 replies
6h46m

Was also thinking, cool, where is this place, and how do I sign up?

But then I remembered, I already belong to a religion that makes the ownership of a smartphone quite unconscionable to me.

Indeed I wrote about how even a religious objection is unnecessary when there's a knock-down argument on the grounds of what is merely patently unethical.

are expected to

I find these "expectations" come from those who didn't read Dickens.

[0] https://news.tuxmachines.org/n/2023/03/06/Microsoft_is_Not_a...

RugnirViking
0 replies
7h37m

interesting. Where is that? I would like to know more

consp
1 replies
9h14m

The FedEx one is meh and does afaik, but some (looking at you DHL) are almost useless as they provide little information (tracking info is hidden sometimes), sometimes do not allow you to add the parcel as it has a tracking code from a foreign service which you cannot use and you have to figure out the local one, are full of "news" also known as ads and do not allow you to select the dropoff location closest to you (go UPS!). Sorry, /rant.

lobsterthief
0 replies
6h56m

I feel like DHL is the “YOLO” of delivery companies. My stuff always arrives, somehow, despite the entire process seeming archaic.

DharmaPolice
0 replies
8h17m

Installing an app for every courier firm you might receive a parcel from seems a bit much.

hn_throwaway_99
7 replies
4h15m

Wow, I thought this was a great post, and I'm just dumbfounded about how egregiously bad that first SMS was - FedEx might as well tell the recipient they want the customs duties wired to a Nigerian prince.

But I also disagree with the general push of Troy Hunt's recommendations. That is, we should just take the base assumption that humans, generally, can't distinguish between real and phishing inbound messages. That's only going to become more true with AI. Relying on those distinguishing characteristics in the first case is an absolute fatal flaw.

Instead (and, in fairness, Troy Hunt did do this) you should never depend on an outbound link or phone number in a message you received. You should log in to whatever service you think sent it based on looking up the address or phone number yourself. This "hang up, look up, call back" advice should be an absolute mantra. I think responsible organizations should just start by saying they will never put links or phone numbers in text/emails/calls, and their notification messages should say something like "Log in to your dashboard to see details."

samatman
2 replies
3h41m

This is more restriction than necessary, and unkind to users who may be technically unsophisticated, distracted, sick that day, or just kinda dumb.

Include a link, make it a part of the core domain, short, and prominent: https://example.com/contact. If the user isn't logged in, lead with a login flow explaining "If you received a message from us, login for details", and include a contact form, phone number, and if there's a chat with customer support, that too.

These are all things a phish can spoof to some degree, but that's not a good reason to force the user to figure out how to resolve whatever problem you're bringing to their attention.

hn_throwaway_99
1 replies
2h6m

This is more restriction than necessary, and unkind to users who may be technically unsophisticated, distracted, sick that day, or just kinda dumb.

Couldn't disagree more. By sending outbound links in notifications we're only perpetuating the idea that it's OK to click those in the first place. It's hardly any more difficult to just open your browser yourself. I also don't like the idea that we're not willing to accept the absolute mildest of inconveniences, when on the flip side we have loads of stories of people's lives being completely ruined when their life savings are stolen by scammers. It'd be like telling people not to lock their doors because that adds 5 seconds to the time it takes to enter your house.

samatman
0 replies
44m

It's a mild inconvenience to you; to some number of your customers, it will mean they never follow up on whatever presumably important message you were sending them.

Keep telling people not to click on links, ever. The ones who listen, and are paranoid about taking that advice literally, will look the company up on a search, or copy-and-paste the link instead of clicking it.

If I get a link from a company I have an account with, and the link is from their URL, I'm going to click it. I'll also check to make sure there wasn't some kind of redirect or Punycode involved.

But you're not helping your customers by refusing to provide them with an important affordance just because scammers might do something similar. That kind of logic doesn't help anyone, because "anyone" breaks down into two groups: the ones who click, and the ones who don't. The ones who click get to resolve the problem, the ones who don't have to do a search first, exactly what you're suggesting forcing everyone to do.

avarun
2 replies
3h59m

I don't think Troy Hunt is recommending what you're suggesting at all? The very beginning of the post starts with:

but I'm a smart human so I don't fall for this (that's a joke, read why humans are bad at URLs).

It's clear that he thinks relying on heuristics to distinguish scammy URLs is not a scalable long term approach.

hn_throwaway_99
1 replies
2h17m

Two things:

1. The entire article is about a (surprisingly) legit FedEx SMS looking totally spammy. My point is that we should take "looking totally scammy" completely out of our vocabulary, and pointing out similarities or differences in scam vs real notifications only furthers the notion that they're distinguishable in the first place. Again, to emphasize, I still think this overall was a great article highlighting the ineptitude of FedEx sending such egregiously bad notifications in the first place.

2. Hunt says exactly this in the article "But if I were to take a guess, they've merely blocked the tip of the iceberg. This is why in addition to technical controls, we reply [sic] on human controls which means helping people identify the patterns of a scam: requests for money, a sense of urgency, grammar and casing that's a bit off, add [sic] looking URLs." My point is we should stop "helping people identify patterns of a scam". We should instead just teach people to treat all incoming notifications as suspect and to never follow a link/phone number from an incoming message.

WorldMaker
0 replies
1h55m

On that second point, that is what Troy Hunt shows himself doing: he goes to the FedEx website and finds no indicator of any duties/taxes in the official package tracker. This seems a case where the Australian customs team doesn't have feature access to the main website to service this case and are instead badly routing around it.

I think this is the core point Troy Hunt is trying to show, but I don't think Troy Hunt makes it explicit enough that this org chart/processes problem is the real problem and the thing FedEx should most fix, because you can't rely on incoming notifications to not look scammy; real notifications are indistinguishable from fake ones even if the real ones weren't doing so horribly to begin with. Troy Hunt often makes that point better in other posts (see the old, long series on "Extended Validation" certificates for an example) and maybe just assumed that message was clear rather than harping on it and then resummarizing it in bold text and blinking lights in this post.

0xbadcafebee
0 replies
2h42m

That's only going to become more true with AI.

It can't become any more true than it already is. Humans already fail to identify phishing 95% of the time. And a human can already create an exact duplicate e-mail, website, text, etc as a real one. There's no need for AI.

nonrandomstring
5 replies
9h18m

Your security is increasingly at risk from organisations and corporations whose own grasp of security is appalling. Because instead of dealing with it they externalise risks and consequences onto the public and customers.

Even worse is where attempts to query that security are actively punished.

This is typical now. Listen here (at 42:20) with an example regarding the UK NHS whose incompetence plays directly into the hands of cybercriminals.

[0] https://cybershow.uk/episodes.php?id=24 (time:42:20)

nonrandomstring
0 replies
7h45m

Excellent example em-bee, thanks! I'm writing up a blog post on this subject, so more examples welcome plz.

gpderetta
0 replies
6h52m

My UK bank semi-regularly cold-calls me and asks me to authenticate by providing personal information. When I decline they readily tell me instead to call some number available on the bank website. So they not only are incompetent, they actually know it.

corndoge
1 replies
9h4m

Since the link to this podcast is in your profile, you're affiliated with it, right?

nonrandomstring
0 replies
8h46m

Yes

hugoromano
5 replies
8h42m

DHL, FedEx, and UPS are experts in overcharging to process a form and not caring about customers. Duty and VAT are usually low compared to this processing fee, and shipping has already been paid. Here is the catch in the EU: this simple duty form can be processed by the receiver, an agent (some related to the carrier), or an attorney-in-fact of the receiver. The big three carriers (and many others) threaten you if you refuse to use them.

At the end of the day, they don't care if we get phished or scammed; it is all of customs confusion. Next time process your customs form yourself; you will realise how much money you will save, and the form has fewer than 8 fields. The Union Customs Code is easy to read.

dghlsakjg
0 replies
3h7m

The processing fee is as high as $35 when the taxes are as low as $10, and then you get charged tax on the fee too!

CBSA should require affirmative opt-in to use the shipper as the broker, and allow you to file the paperwork yourself on their site.

JackMcMack
1 replies
7h35m

I've often felt frustrated by the processing fees. Can you elaborate on handling this yourself? Which EU country are you based in?

AnssiH
0 replies
5h15m

Does not answer your question, but related:

In Finland you can declare DHL/UPS/Fedex packages yourself with customs and pay directly to them, with no fees to carrier (it took a Finnish Competition and Consumer Authority decision in 2017 to get rid of the fees, though). But this is a bit different as it is not a hidden option but standard procedure (though you still get the option of paying the carrier to declare, instead).

Declaring inbound packages to Customs by yourself was already the standard here for postal parcels even before Customs internet services, so this was not a completely new way of working.

bradley13
0 replies
4h36m

This. They have been paid to ship an international package. Billing the recipient for delivery is just dishonest. I assume they do it to make their price for the shipper look artificially low.

For this reason, whenever possible, I choose delivery through the post office.

tonymet
4 replies
4h14m

This reinforces the need for "mutual trust security" that I've been calling for now for years.

All of the significant authentication schemes are built to validate the customer, and none validate the vendor.

When your bank or mobile provider gives you a call : how do you know it's them? They start asking you for personal data right away, but you have no idea who you are sharing information with.

We need "mutual authentication" including better identity, trust, challenge-response and more. Customers should be able to validate who they are talking to before even sharing their own credentials.

Bjartr
1 replies
4h11m

That exists, but isn't super widespread. Some places will have you choose something (image, phrase, etc.) that they will display to you when logging in. If you don't recognize the thing shown when you go to login, don't trust it.

tonymet
0 replies
4h4m

You're right but it's for web and hardly used.

Phone, text and email are much bigger threats.

Email has some incomplete protections including DKIM and others. Phone and text only have caller ID, which is easily spoofed, and vendors don't even manage their contact points.

We need a platform that consumers can easily understand and use.

zokier
0 replies
3h29m

EV certs were intended for that. They should always contain info of the company who they were issued to. They were mostly a trainwreck, and now almost completely abandoned.

ianburrell
0 replies
3h3m

For voice calls, and maybe SMS, there could be a mechanism to do bidirectional authentication with words. The problem is that the user would have to switch to an app to generate the words and validate the response. For the user, a password or passkey would work. For the company, the SSL cert on the domain might work. Otherwise, you would need to download certificates.

For SMS and voice calls, it would help if they could implement call authentication so you can trust the number. Phones should show the user if the number is validated. It would also be good to add trusted caller ID names; Google does this with some numbers.
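The bidirectional challenge-response sketched in the comments above (the company proving itself before the customer discloses anything, with a digest that can be read out as words) can be written down concretely. The following is an added example, not code from the article or from any provider; it assumes a hypothetical per-customer shared secret that both the customer's app and the company hold, and a constructed 16-word list purely for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret standing in for a per-customer key that both the
# customer's app and the company hold (hypothetical scheme, not any real
# provider's protocol).
SHARED_SECRET = b"example-per-customer-secret"

# Constructed 16-word list used to read a proof out loud; a real deployment
# would use a much larger list (e.g. 256 words, one per byte of the digest).
WORDS = ["apple", "brick", "cloud", "delta", "eagle", "flame", "grape", "hotel",
         "igloo", "jelly", "kayak", "lemon", "mango", "noble", "ocean", "piano"]


def new_nonce() -> bytes:
    """Fresh random challenge; each side contributes one so neither can replay."""
    return secrets.token_bytes(16)


def _proof(secret: bytes, role: bytes, company_nonce: bytes, customer_nonce: bytes) -> bytes:
    # The role label is part of the MAC input, so the company's proof can never
    # be reflected back to it as a valid customer proof (or vice versa).
    return hmac.new(secret, role + company_nonce + customer_nonce, hashlib.sha256).digest()


def company_proof(secret: bytes, company_nonce: bytes, customer_nonce: bytes) -> bytes:
    return _proof(secret, b"company", company_nonce, customer_nonce)


def customer_proof(secret: bytes, company_nonce: bytes, customer_nonce: bytes) -> bytes:
    return _proof(secret, b"customer", company_nonce, customer_nonce)


def spoken(proof: bytes, n_words: int = 4) -> str:
    """Turn the first n_words bytes of a proof into words a caller can read out."""
    return " ".join(WORDS[b % len(WORDS)] for b in proof[:n_words])


def run_mutual_auth(company_secret: bytes, customer_secret: bytes):
    """Simulate one call. Returns (customer_trusts_company, company_trusts_customer).

    The company proves itself first; the customer discloses nothing (not even
    its own proof) until that check passes."""
    company_nonce = new_nonce()      # 1. company opens with its challenge
    customer_nonce = new_nonce()     # 2. customer answers with its own challenge

    # 3. company sends a proof over both nonces; customer recomputes and compares
    received = company_proof(company_secret, company_nonce, customer_nonce)
    expected = company_proof(customer_secret, company_nonce, customer_nonce)
    if not hmac.compare_digest(expected, received):
        return False, False          # customer hangs up and sends nothing

    # 4. only now does the customer prove itself to the company
    received = customer_proof(customer_secret, company_nonce, customer_nonce)
    expected = customer_proof(company_secret, company_nonce, customer_nonce)
    return True, hmac.compare_digest(expected, received)


if __name__ == "__main__":
    print(run_mutual_auth(SHARED_SECRET, SHARED_SECRET))   # (True, True)
    print(run_mutual_auth(b"impostor", SHARED_SECRET))      # (False, False)
    n1, n2 = new_nonce(), new_nonce()
    print("company reads out:", spoken(company_proof(SHARED_SECRET, n1, n2)))
```

The two design points worth noticing are the ordering (a caller who cannot produce the company proof gets nothing back, so the customer never leaks a proof to an impostor) and the role label inside the MAC, which is what stops a middleman from simply echoing one side's proof to the other.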

franze
4 replies
9h6m

The Booking.com scams look better than the actual "Self check-in and pre-payment solutions" links sent via the Booking hotels.

One time I was right that it was a scam; two times it was wrong.

Booking.com should make a proper report payment circumvent button and kick out all hotels who do it.

throwaway290
3 replies
9h1m

How do those booking.com scams work?

fmobus
1 replies
8h12m

In a case I read (can't remember where), reservation data was somehow leaking (either from booking or from hotels), and scammers were sending messages purporting to be the hotel saying the room was cancelled or mischarged or something like that.

zapu
0 replies
8h1m

It's even worse than that. Scammers are sending messages through booking.com, so you get a message from the hotel, in your booking.com inbox, with a link to a payment site that just makes a payment to the crooks. The root cause is hotel employees installing session-stealing malware, either accidentally or by being part of the scam.

naruhodo
3 replies
8h3m

There really needs to be some kind of cryptographic authentication system for text messages and caller ID that gives the recipient absolute certainty about the identity of the sender. Registering a name in this system should require real-world proof of identity including a business address and the contact information of real people. There should be serious financial penalties for identity fraud. It should be an open standard that can be implemented in open source software. And all the big phone manufacturers should be legally compelled to use it.

chatmasta
1 replies
8h1m

This will never work as long as calls and SMS messages are routed over the existing telecom networks. The infrastructure is simply too insecure to enable this kind of scheme.

If calls are routed over internet then it becomes more viable but obviously there is still a large coordination problem and misalignment of incentives.

zokier
0 replies
3h4m

BS. Many countries have successfully implemented SMS sender registration/verification schemes. See for example here for a list: https://support.sms.to/support/solutions/articles/4300056265...

The details differ per country, but either all non-registered sender IDs will be blocked, or registered sender IDs will be allowed only from authorized sources. The degree of mandatoriness varies also: in some places it's mandatory for telcos to comply, in other places it is some voluntary cooperative scheme.

But despite such details, the problem is clearly not completely intractable.

dwighttk
3 replies
8h13m

So far every time I’ve gotten dodgy AF texts or emails I’ve been able to verify at the real site… crazy that FedEx doesn’t have the info attached to the tracking.

krisoft
2 replies
7h27m

crazy that FedEx doesn’t have the info attached to the tracking

It is crazy how much the "paying duties at the border" situation feels like an afterthought for all courier companies. It is almost as if it was not really their design; they just tacked it on later.

I wanted to send a present to my brother in another country using DHL Express. It was impossible to convince them that I would like to pay duties. Not a thing. Can't be done.

gpderetta
1 replies
6h46m

They get a significant markup for providing this "service" to the receiver, so it is not in their interest to help the sender. More charitably the actual duties to be paid might not be known until the package reaches the border at destination.

krisoft
0 replies
4h12m

They get a significant markup for providing this "service" to the receiver, so it is not in their interest to help the sender.

I understand. It is a service, and I am willing to pay for it. The alternative is that I don't send presents with them. "Happy birthday! Quick pay 20 bucks before you can get your present!" is not really a good experience.

More charitably the actual duties to be paid might not be known until the package reaches the border at destination.

I understand that too. That is why they are sending the request for the duties only once the package is at the border. But why can they send the request towards the recipient and not towards the sender?

anonymous_sorry
3 replies
8h51m

In a Black Hat talk several years ago Adam Shostack had a clever term for companies interacting with you in ways that were indistinguishable from scammers.

But I can't remember what the memorable term was.

nonrandomstring
2 replies
7h50m

Anyone found this? Can you remember the episode?

anonymous_sorry
1 replies
6h55m

Found it here.

https://i.blackhat.com/us-18/Wed-August-8/us-18-Shostack-Thr...

He used the term "scamicry": legit communications that mimic scams. For example when a company calls you directly and asks for your security details, but offers you no way to verify who they are first.

nonrandomstring
0 replies
6h45m

You star! Thank you anon.

al_borland
3 replies
6h32m

Is it common for people to have to pay previously unknown charges to get their packages delivered? I don’t frequently make international orders, but have a few times, and have never seen this. Everything has always been charged up front.

crazygringo
0 replies
4h8m

Absolutely. That's very often how customs works. As a general rule, the sender is responsible for postage, while the recipient is responsible for customs, and the package only gets released to them once they pay it.

But many times there are no customs fees, so there's no issue -- it depends entirely on the pair of sending and receiving country and the category and amount of merchandise. That may have been your experience.

Generally speaking, customs can't be charged upfront with your order. Perhaps there are exceptions with certain delivery services in certain countries which have managed to modernize some of it, but I haven't come across that yet.

Symbiote
0 replies
5h47m

The EU and UK have systems to allow the tax to be paid when purchasing, for large companies that support it like Ali Express. These are fairly new.

Countries also have their own limits below which they don't bother with the taxes. There was so much abuse of this in the EU+UK that the limit is now zero.

The only time it should be surprising is when the foreign website isn't paying the taxes, and it also isn't clear it's a foreign site. Generally on cheap crap from China.

wccrawford
2 replies
8h54m

When I bought a car once, I received an email a few months later saying I hadn't proven I had obtained insurance on it, and the bank wanted me to visit a domain that wasn't theirs to provide proof.

The email I got looked like a badly-scanned letterhead and was very, very fishy.

After I received a few of them, I finally contacted the bank and it was legit.

I tried telling the office person (not just a clerk at the counter, someone with their own desk) about the situation and they couldn't understand why it was bad.

I soon paid off that loan and got away from that bank.

dudul
1 replies
7h36m

Happened to me with my mortgage. Got this very weirdly phrased letter about how my homeowner insurance info needed to be updated/confirmed and that I had to go to <random website> to clear it out.

I called my insurance broker and yes indeed it was legit. I also tried to explain to them how this letter was a few steps removed from a Nigerian prince scam based on all the red flags, but I don't think it made a big difference.

judge2020
0 replies
4h49m

The national insurance providers are often pretty slow or shady when it comes to claims, but I've never had a bad experience with Allstate or State Farm when it comes to their cybersecurity and domain experience. Allstate's frontends (web and app) sometimes feel more clunky but their APIs feel good enough and sites seem to follow good design practices.

tempestn
2 replies
1h21m

Was just dealing with similar nonsense from BMO Harris bank yesterday. I got this text (numbers changed):

"FreeMsg: BMO Fraud Ctr: 18774352371 Case 19684358 Did you attempt $4.00 at NYTIMES with card x1234? Reply YES or NO"

The 1234 did match the last 4 digits of my card - not the first four, a common trick - but the rest of the message is, as Troy says, Dodgy AF.

They then followed up with a similar email, prompting me to click on a link that began like this: https://ecs01-us.ficoccs-prod.net/2088/en-US/tran_Not_Author...

That's certainly not a BMO domain. Wtf, bank?

So, called them and confirmed the messages were legit, unlike that charge.

And as an aside, this is far from the first time I've had a card compromised while never using it at a physical vendor, and only a handful of large online ones. Once I actually started getting fraud transactions on a card I had never used. I'm guessing access to credit card info is far too broadly available within the bank.

malfist
1 replies
1h16m

The first four are not secrets. The first two digits identify the card issuer, and the next two are the card type. That's how those credit card numbers can show you your card issuer's logo after you type the first two characters.

lights0123
0 replies
54m

Right—they're saying it would be easy for a scammer to "prove legitimacy" by showing those first four, given that they're public.

emilecantin
2 replies
7h43m

Canada Post actually does something good here: you can pay from the tracking page. And they don't add any fees, you just pay the duties and taxes.

emilecantin
0 replies
5h32m

I might misremember the last time I had to pay duties, then. Still, $10 is much more reasonable than UPS's $70 plus taxes!

MattGaiser
2 replies
9h26m

Maybe FedEx sees better results and gets more payments from appearing scammy? Scammers seem to do alright.

I know we tech people think this type of messaging is ridiculous, but I'm constantly pulling less technical friends and family away from crap like this. Half a dozen have asked me about Elon Musk's crypto trading breakthrough.

labster
1 replies
9h21m

I doubt FedEx’s customer engagement increased by sending a query string with no domain or protocol. Someone’s asleep at the wheel here.

tomschwiha
0 replies
9h15m

Well, theoretically they force people to Google FedEx, which IS a strong signal to Google that people are interested in the FedEx brand. Doubt however that's the reason.

Havoc
2 replies
8h55m

Corporates are shockingly incompetent at this sort of stuff.

Seriously just use your main domain for URLs. For me at least that clears up 99% of this.

I don't want to memorise a list of valid mystery domains for each shipper. Is that really too much to ask?

jiggawatts
1 replies
8h50m

It is.

If they use their main domain, their normal corporate email will get blocked by anti-spam filters.

So everyone uses a different, unrelated domain for bulk mails.

Sophira
0 replies
7h44m

Okay, but this isn't a bulk email. It's a very specific situation personal to the receiver and will never be sent to anyone else. (Obviously the template will be used for multiple emails, but that's not what defines a bulk email, even though bulk emails can also be defined using a template.)
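One way to make the "just use your main domain" check mechanical, as an added example written for this page and not code from the article, FedEx, or anyone in the thread: pull every URL-looking token out of a notification, reduce each host to its registrable domain, and compare that against the brand's known domains. A query string with no host in front of it is flagged separately, since there is nothing to verify at all. The allowlist and the sample messages are constructed here, and the public-suffix handling is a deliberate simplification (a fixed set of two-label suffixes) rather than a real Public Suffix List lookup.

```python
# Added example (not code from the article, FedEx, or anyone in the thread):
# pull every URL-looking token out of a notification and check whether its
# registrable domain belongs to the brand that claims to be sending it.
# Assumptions: the allowlist and the sample messages are constructed here, and
# the public-suffix handling is a deliberate simplification (a fixed set of
# two-label suffixes), not a full Public Suffix List lookup.
import re

# Constructed allowlist: domains the brand is known to use for customer links.
BRAND_DOMAINS = {"fedex.com"}

# Simplified two-label public suffixes; production code should use the PSL.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br", "co.nz"}

# A hostname (optionally preceded by a scheme) followed by an optional
# path/query/fragment.  The lookbehind keeps "support@fedex.com" from being
# counted as a link and stops matches starting mid-word.
URL_RE = re.compile(
    r"(?:https?://)?(?<![@\w.-])([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})(?:[/?#]\S*)?",
    re.IGNORECASE,
)

# A query string standing on its own, e.g. "?trackingnumber=123", with no
# scheme or host in front of it.
BARE_QUERY_RE = re.compile(r"(?<!\S)\?[A-Za-z0-9_=&%.-]+")


def registrable_domain(host: str) -> str:
    """Reduce a hostname to the part a registrant actually controls."""
    labels = host.lower().strip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def extract_hosts(text: str) -> list:
    return [m.group(1) for m in URL_RE.finditer(text)]


def classify(text: str, brand_domains=BRAND_DOMAINS) -> dict:
    """Report which linked domains fall outside the brand's allowlist."""
    hosts = extract_hosts(text)
    domains = {registrable_domain(h) for h in hosts}
    foreign = sorted(domains - set(brand_domains))
    bare_query = BARE_QUERY_RE.search(text) is not None
    if foreign:
        verdict = "foreign"        # link to a domain the brand does not own
    elif bare_query:
        verdict = "suspicious"     # query string with no host: nothing to verify
    elif hosts:
        verdict = "brand"
    else:
        verdict = "no-link"
    return {"hosts": hosts, "foreign_domains": foreign,
            "bare_query": bare_query, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample notifications modelled on the ones quoted in the thread.
    samples = [
        "FedEx: duties of $42.10 are due. Pay at https://www.fedex.com/pay?ref=ABC123",
        "FedEx: duties of $42.10 are due. Pay now ?trackingnumber=123456789",
        "BMO Fraud Ctr: https://ecs01-us.ficoccs-prod.net/2088/en-US/tran_Not_Author",
    ]
    for s in samples:
        print(classify(s)["verdict"], "<-", s)
```

Because the comparison is on the registrable domain, a link shortener or a vendor's own hosting domain comes out as "foreign" even when the path contains the brand's name, which is exactly the case the thread is complaining about. Subdomains of the brand (anything ending in fedex.com) pass, so a company that routes bulk mail through a dedicated subdomain keeps both its mail reputation and a checkable link.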

urbandw311er
1 replies
9h7m

Wow. Just wow. Troy Hunt does an incredible job of calling out this utterly piss-poor performance from FedEx. Shame it needs somebody with a platform like this to draw attention to it. They should find a way to make them somehow more liable for fraudulent losses.

It's gotten to the point now where it sometimes actually is impossible to speak to a human being in customer service - the thick layers of chat bots, deliberately gated 'contact us' pages and "why not use our app" nags... if you're savvy enough to know already that only a human can resolve your particular query, getting hold of one can become a time consuming and sometimes traumatic experience. (only slightly tongue-in-cheek, I do actually believe this affects mental health)

nonrandomstring
0 replies
8h19m

What concerns me is that this mentality of erecting infuriating barriers will eventually lead to direct in-person stalking of staff.

If anyone has honest anecdotes around this I'd love to hear from you (maybe privately is best if it's detailed accounts)

sureglymop
1 replies
7h27m

At my company, they announced that in the upcoming month there would be an internal phishing sensibility campaign. Then, in the same month, they started sending out incredibly dodgy looking emails to "security training" provided by an external website. Of all emails, those looked the most like phishing but they are not. I decided that I refuse to do this training completely because to me it seems crazy how that was coordinated. I would never lose my job over this but it is amusing that I get an "Urgent: security training still outstanding" about once a week which just goes straight into the trash.

dghlsakjg
0 replies
3h1m

My company uses an outside vendor for security training that requires us to login using company credentials.

The outside security vendors also run phishing security campaigns that they send out from their own domain, and that have "phishing" URLs that point to the same domain we do the training on.

I got reported as being phished for following a link that goes to the SAME domain as our required security training. Our security compliance team got my point when I reported every required training reminder as coming from a known phishing domain.

sf_rob
1 replies
5h42m

I contacted Wells Fargo to complain that their use of 3rd party surveys from non WellsFargo.com domains attenuates customers to entering banking information to 3rd parties.

They had one incompetent employee contact me to assure me that the communication was legitimate (not the complaint), then escalated to another employee who understood the complaint and promised to escalate… 6 months later I get an email assuring me that the communication was legitimate and closing the ticket.

ActionHank
0 replies
5h17m

Thank goodness it was legitimate.

omar_alt
1 replies
9h6m

Of the ~10 international shipments of records I had in the last year, one was from FedEx, and they sat on it in their out-for-delivery warehouse in a nearby town for two months with the usual pass-the-buck/pillar-to-post treatment. The extra fees plus customs they put on added up to 40% of the value of the items as well. DHL and UPS arrive within a week and are normally no higher than 25%

caddemon
0 replies
7h7m

FedEx seems to be the worst option domestically too. Maybe it depends on your location but they're the only service that somehow fails to deliver signature required packages to my mail room. I've also tried to have them contact me directly while I wait at home and I've tried to waive the signature requirement online, but they still just say "delivery attempted" for 3 consecutive days and then hold stuff at their warehouse. Happened to me twice recently. I now try to avoid buying anything expensive that uses FedEx to ship.

A funny thing I discovered in this process is that "delivery instructions" are shared for all packages to a given address regardless of the associated name, and never flushed unless you go in and do it manually on their website. I found the name and contact information for the prior tenant of my unit on the FedEx site with no other info besides 1 tracking number to the address (it also let me change the delivery instructions with said info). Potentially they were still calling that person when they tried to deliver initially, though I have other reasons to doubt they actually came to the door that day.

cfinnberg
1 replies
7h16m

I received once a mail from my bank at the time stating that they have a message for me, but for security reasons I have to read it on their systems. And they provide the following link: https://cbk.pwlnk.io/~hc

The bank's name is CaixaBank. I was wrong and the message was legit. My first thought was it was a scam :)

bonton89
0 replies
5h35m

I definitely would have called on that one and tried to avoid the whole link altogether.

cbolton
1 replies
8h24m

This fits nicely with my experience of FedEx. They sent me a bill 7 months after I had received the package. A few days later I get a reminder that doesn't include the necessary information for payment, which seems rather lazy and stupid since an unpaid bill might well have been lost. It refers me to www.fedex.com where I'm told to create an account. I do that only to find it doesn't know anything about my bill. By chance I do find the original bill shortly afterwards. Turns out this bill sent 7 months late had very small text saying "to be paid immediately", the first time I see that on a bill (it's usually 30 days in my country). Of course they sent me a second reminder 10 days after I paid.

proaralyst
0 replies
8h20m

I've had this, but the first thing I heard was that my customs charge was sent to collections. Cue lots of scary messaging about debt collection, none of which said anything other than this was for a FedEx parcel of some kind

albert_e
1 replies
8h16m

The biggest banks and brands in India as well as the government organizations do this type of poorly thought communications all day.

The other day an email from the oldest and biggest bank of India landed in my inbox

Truncated Subject line on mobile said "Cash Withdrawls made ..."

My heart skipped a beat because I did no such thing with my account.

Turns out it is a marketing mailer with subject "Cash Withdrawls made Easy!"

Facepalm.

fmobus
0 replies
8h9m

Well, the marketing person who came up with the message can pat themselves on the back because you bet the engagement on that one was through the roof.

wiradikusuma
0 replies
7h11m

I frequently buy things from Tokopedia, one of the largest e-commerce sites in Indonesia.

At one point, I ordered something, and the next day, someone contacted me through WhatsApp, claiming to be from the courier (with the company logo as a profile picture). They said my package was rerouted, and I had to click a link to fill out some form. Typical scam message, with typo and urgency. I can track the status of my order in the app, and it says it's in transit somewhere. So, their explanation matches.

You might think, "Well, that's obviously a scam. They would not contact you through personal WhatsApp!" But sometimes couriers DO contact you to ask for your precise location or notify you, "Hey, I left your package with your neighbor. Here's the photo."

I'm just wondering how the scammer got this info that Mr X is expecting Product Y from Shop Z. I almost fell for it (I was in the middle of something and got distracted), and I can only imagine the unlucky victims.

It happened 2-3 times during that period and then it stopped. Did someone find out and fix it? How did they find out? Because I'm guessing there are lots of hands involved in the delivery pipeline.

vijaypatil
0 replies
5h36m

Do I see a YC pitch idea right here? A platform that gets such comms right and secure would be the right solution to develop. It seems major companies can’t get it right or don’t want to get it right.

tome
0 replies
8h23m

Why didn't he email the address provided in the SMS, which will obviously go nowhere else other than to FedEx?

seb1204
0 replies
8h42m

I have received SMS mostly a day after I ordered something off Amazon. I'm not often ordering something, so sometimes I go weeks without scam SMS.

riggsdk
0 replies
2h32m

I've somewhat convinced myself that someone in the postal service is leaking information about pending parcels to scammers (or the scammers have access to some servers). Whenever I'm expecting a package the number of phishing attempts in my email skyrockets. Period of no packages - a lot less attempts. Waiting for a new package? Phishing emails ramp up again.

red_admiral
0 replies
6h55m

The number of "Please click this Microsoft Sway link for an important update" emails that I get these days ... sigh. So far they've all been legit (although rarely important), but if I ever go over to the dark side, that's what my first phishing campaign will look like.

prakashn27
0 replies
6h27m

At this point I use SMS only for 2-factor authentication, WhatsApp for connecting with friends and family, and email for the rest of the stuff.

pflenker
0 replies
7h3m

One time working at a bigger company I received an email that was a very, very obvious, poorly made phishing attempt - in fact, so poorly done that I wondered if I could break the login form somehow. So I submitted bogus data to see what happened -

Turns out it was part of some kind of "test" of the company to raise awareness for phishing, and I failed the test since I submitted the form.

pbackx
0 replies
4h55m

I think this will be full of similar experiences: Some time ago my wife's cards suddenly got all kinds of charges, clearly not ours. So we call the bank and while they put the blame on us, among other things they said the bank never ever would contact us by SMS and we may have clicked on dodgy links in one of those messages.

Eventually they decide we should replace all our cards. 5 minutes later we get an SMS asking us to call an unknown number to set our PIN code for the new card. It contained at least 5 warning signs as in the author's article.

We call them back asking them what that SMS is about and the only explanation is "That is the good kind of SMS, you can trust it"

(Eventually we did get all stolen money back, but it took a while. We never got a plausible explanation of what may have happened and what we could do to prevent it in the future)

noirscape
0 replies
7h28m

Here Dutch customs doesn't even send you links for this stuff over SMS due to all the spam.

They tell you to look up the package tracking number on the PostNL website (the national universal delivery company), where you can pay for it. All you get over SMS is a heads-up to check and the ID to enter (you need to combine it with your zipcode).

nmstoker
0 replies
8h19m

Reminds me of the mess that the LTA are in in the UK regarding getting Wimbledon tickets.

Over the years they've changed domains several times, had a breach, reset passwords multiple times, and now do part of their login via a random third party site (but to make it worse they push you to sign up for a second form of account which logs in separately!)

nerdjon
0 replies
38m

The URL part of this particularly drives me insane, and it's not particularly FedEx's fault, but every online retailer seems determined to keep me on their website (or a branded third-party website) when I click a tracking number.

"Track Package" sure, keep me on the website.

But if you present me with a tracking number that you are making a link yourself, just send me to the shipper company. Bonus points when they then make it really hard to find the actual link I want on that random website they send me to. I already bought from you and will soon have your product in my hands, do I really need to be kept on a branded site that offers no extra value?

Emails seem to be the worst for this.

I feel like these companies are setting up people to be phished, when the idea that you can only track Fedex on Fedex.com is no longer true.

meeech
0 replies
1h14m

This is funny to see today because I had the exact same experience, but with UPS. Call came in, marked as Probable Spam. Robot voice on the line, claiming to be from UPS. Duties and taxes. I am expecting a package, so I went to the website and it was legit. Though it won't change, because to do it right would cost them $$$. Whereas doing it wrong costs them less, and it then becomes a me problem.

me_jumper
0 replies
2h11m

I bought insurance online. Some days later I got a super dodgy email telling me I should sign up for an online portal. The link was a mess and linked to a different insurance provider.

I called my provider. Turns out the actual insurance is handled by a sub-provider that works for a different (major) insurance... WTF

lnxg33k1
0 replies
2h38m

Couriers are part of the reason I haven’t bought anything for years

lifestyleguru
0 replies
8h52m

Phishing and workflows like this are handled by the same profile of employees. Low paid, outsourced, hating their job, doing the least possible. That's why they're indistinguishable. Reliable workflows, record profits, high salaries and bonuses for executives - pick two.

kylecordes
0 replies
3h53m

The bar to relative excellence in our industry is so very low.

jwie
0 replies
5h17m

The fact that there's no formal difference between tax payments and scam payments should be tickling the part of your brain; this means something.

jwally
0 replies
6h19m

I got an sms from "Nikki Haley" the other week asking me to join some political rally. This has SUCH potential for abuse.

A) spreading misinformation. Not hard to confuse people that their polling location is closed but the inconvenient one across town is still open

B) fake fundraising. Blast out an sms from "citizens for action" who need money to support ${popular cause/candidate}

ilogik
0 replies
7h26m

Text message from my mobile carrier:

Be careful! Never click on links received in messages from strangers. Learn more at www.....

hnfong
0 replies
8h57m

My best theory is that FedEx outsourced the process of sending these SMS notifications to some external contractor.

Of course, the scammers already have the scam systems in place, so they can win the bid on price :D

I know this sounds ridiculous, but I doubt anything will make better sense than this :P

hibikir
0 replies
5h58m

St Louis county just did some of this for their property declaration system. It used to set right there in the website: An ugly set of forms, but perfectly functional. Apparently they ordered a rewrite to yet another contractor, and now you get a link to.. stlouismosmartfile.tylerhost.net. Following the link, from the county's own website, warns of a third party link! The link prompts the user to register... and the validation email, unsurprisingly, is sent to spam, and then flagged as risky by gmail! Enough red flags, you'd think it's an old soviet military parade, but no... when you call the county, they say that yes, this isn't them getting hacked (again), but the way things are supposed to be.

This is something everyone that owns any property and is a resident of the county must fill out: About half a million accounts will be created in two weeks. Making sure that all of this comes from the county's domain? Too difficult for them. And all for a website on the other side that doesn't look much better than the old one.

gregoryl
0 replies
9h18m

Ahh yes, the FedEx GST payment system is wonderful!

You can find that number in the sms on an official FedEx page somewhere or other - I ended up using that as enough evidence to trust and call.

I get the feeling this system as a whole doesn't see much use - from a FedEx perspective, the vast majority of people paying duty will be via some specialised importer, not b2c direct.

gaogao
0 replies
6h56m

In illustration of the prevalence of the phish, I got a dodgy SMS from a sketchy email address that "The USPS package has arrived at the warehouse and cannot be delivered due to incomplete address information." while I was reading the article on my phone.

flerchin
0 replies
2h25m

And Amazon emailing me about my package due to arrive today. Clicking the link is right there and very convenient to find out which one. They won't tell me which package because then gmail will be able to know what I'm buying (which I'm fine with).

These emails are the _exact same form_ that a phishing email would take.

e40
0 replies
9h21m

Yet another reason why I will try to never use FedEx. UPS is so much better.

Banks do similar dumb things. I once vented to a Wells Fargo security manager about a similar issue. They had no defense at all.

dghughes
0 replies
8h38m

Obviously just call the totally normal support number shown 1 800 111 112 /s

dawnerd
0 replies
3h58m

Can we add pharmacies calling and asking to verify your ssn and dob? It’s trained a lot of older people to trust whoever is calling.

datavirtue
0 replies
1h54m

I just read an article detailing how thousands of Americans fall for scams run by Mexican cartel proposing to buy their timeshare from them. Americans buying Mexican timeshares is a big thing apparently. One guy kept getting pulled into the scams eventually paying them (and losing) $1.8MM. Others had lost tens or hundreds of thousands to the same type of scam.

Every time someone supposedly bought their timeshare there would be a bank fee or tax they would have to wire money for. The guy who lost $1.8MM wired money 90+ times.

These are lawyers and doctors, educated people getting ripped off.

d1str0
0 replies
4h13m

I clicked the link to read this article because last week I received a paper letter from FedEx I initially thought was scammy.

It asked me to pay duty/taxes for my $799 Prusa 3D print order that arrived just last week.

So now I know Troy Hunt also bought a Mk4 assemble-yourself kit from Prusa.

Enjoy, Troy! Mine took 8 hours to build and it works like a charm! Fantastic little machine.

csours
0 replies
4h14m

There ought to be a law, I tell you

chankstein38
0 replies
2h21m

FedEx is trash but this kind of handling of these kinds of communications is so common it's disgusting. I say it all of the time too. "No wonder people get scammed." We get security trainings at work or get things like "_company_ will NEVER ask for your password" then they immediately violate their own rules.

It's absurd.

axelthegerman
0 replies
7h20m

The other thing I try to understand but just can't is how telco providers can be so incompetent at effectively stopping scam texts.

First off, texts are not encrypted and they can see ALL communication.

On the other hand the US forces me, using Twilio for SMS automation, to sign up "campaigns" with "Sample messages" if maybe all I want to do is building a personal assistant with text commands. My messages will get hit with fees for non compliance, or end up silently blocked without any visibility.

Then there are these scammers sending the same or very similar messages to millions of people, pretending to be the same 50 companies (national banks, shipping companies, cell phone carriers) - how about these $bigcorp register their "campaigns" to combat scams and they'll leave me alone (one number sending texts to always the same one or handful of numbers).

... Oh wait I figured it out! Telco don't care, they enjoy inflated traffic numbers in their network and charge for it - why would they stop it

arkitaip
0 replies
9h13m

What makes this situation so ridiculous is that while we're all watching for scammers attempting to imitate legitimate organisations, FedEx is out there imitating scammers!

Hah!

aggieNick02
0 replies
4h13m

My favorite FedEx facepalm was when they kept trying and failing to deliver a package to themselves...

They have an option to have your package held at a FedEx store. It's great for when the package requires signature and you're not able to wait at home all day for it.

Recently I used it. Unbeknownst to me, the FedEx store changed its physical location while the package was in transit, to a different strip mall across the highway. So for several days in a row, I was notified that FedEx attempted to deliver, but that the business was closed. Every call to customer service yielded understanding and sympathetic employees who had no idea how to fix the issue.

After about 5 days, something clicked, and my package showed up at the new FedEx location.

Triphibian
0 replies
5h30m

There are banks in the US that send sketchy looking text messages like this when you get transferred funds. They literally ask that you follow a texted url and enter your bank information.

PaulHoule
0 replies
6h16m

I just got a letter from the insurance agent that I thought was going to say "THIS IS NOT A BILL" but it was a cancellation notice for my homeowner's policy. The letter was designed to be as difficult to read as possible, about 97% of the space was form letter elements that weren't relevant, in the middle of page 2 there was an area covered with large black underlines that had the reason for the cancellation typed lightly in it.

It is probably time to look for a new insurance provider but I was thinking of calling back the insurance agent and telling her I was planning to run for state senate on a platform of reforming the insurance laws and legislating that you can get 20 years in prison for sending a letter that says "THIS IS NOT A BILL" and that insurance paperwork has to be written in English excepting any words that are shared with Latin or French. (Which I'm sure the French would approve of)

MarkusWandel
0 replies
6h43m

This is a real problem with so much stuff outsourced to external cloud providers. Used to be, if it was from the company intranet, no problem. Now every survey, every training thing, every new flavour of the month is from external mystery domains and then it wants your corporate credentials to log in. At my company they keep us sharp by running "fake phishing" campaigns to kind of gamify recognizing phishing emails. But this shouldn't be necessary for legitimate corporate stuff.

EchoReflection
0 replies
4h23m

the only other options I can think of (in the USA) are USPS and a company that I haven't seen in so long that I wondered if they were still in business, DHL. DHL's website is still up and running, but I guess they aren't doing great if I never see their delivery trucks anymore. Maybe they have a stronger presence in areas away from where I live...

0xbadcafebee
0 replies
2h45m

Compare this to USPS, which is so secure that I can't get back into the account I created to manage deliveries for my home address, and there is absolutely no recourse. (no customer or technical support, going into a USPS office does nothing, etc) I still receive e-mails at my old e-mail address about deliveries coming to my home, but I can not turn them off, change the e-mail address, etc.