[Edlug Archive May 2004]

Re: [edlug] intercepting emails

Samsara wrote:

Dear Peter,

Thanks for your illuminating comments. It may be
necessary for me to give some more details of the case
at hand:

We're talking about an airline here. Transmission of
details is via https, so may be assumed secure. Also,
it is not possible to see your details if you log in
as yourself. However, it is possible to book
additional tickets on your credit card with arbitrary
passenger names - I thought some of the John Smiths
in this world might be interested in having a free
flight on my card. They would never be traceable
unless I check my credit card statement before they
board (or if we are going to assume the airline more
capable, leave) the plane, and alert the airline of
the fraud.

I've asked them to delete my details. They have not
informed me that they have done so, although they got
in touch once to claim that their site is perfectly
secure. I also out of habit chose an unguessable (i.e.
unmemorable) password, so I cannot now access my own
details unless I have them send my password
unencrypted. The username is just the email address,
so no security there, either. (Note to deviants: not
this email address.)
hi all,

The practice you're describing (e-commerce sites resetting a password and transmitting that over e-mail) is pretty standard practice in my experience*. Whilst Peter is correct in saying that it is technically possible for someone to get access to any plaintext e-mail travelling over the Internet, the logistics of grabbing a *specific* e-mail from a large ISP would be reasonably challenging, so someone would have to be motivated to do that, and unless they were targeting you specifically I'd be surprised if they'd go to that trouble to get 1 credit card number (for reference, professional credit card scammers tend to deal in CDs full of credit card details/names/addresses).

Also, where flights are involved, you would *hope* that they would only allow bookings where the credit card holder is one of the people flying (definitely the case for Easyjet) and also that they would check ID at the airport (some airlines do, some don't)...

One thing that would worry me is if they sent your original password to you in e-mail rather than resetting your password and sending that (it would imply that they had access to your plaintext password, which is a bad thing (tm))...


cheers


Rory

* While it is pretty common practice, that doesn't mean it is a good thing. A better way is to use secondary questions/answers, set up when you create the account, and then ask those if you forget your password......
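The two points Rory raises (a site that can e-mail you your *original* password must be holding it in plaintext, and a reset should replace the password rather than reveal it) are illustrated below. This is an added example written for this archive page, not code from anyone in the thread or from any airline; the account table, the PBKDF2 parameters, the 15-minute token lifetime and the sample e-mail address are all assumptions made for the demonstration. It stores only a salted hash, so the stored record cannot be turned back into the password, and it issues a single-use, time-limited reset token (only a hash of the token is kept server-side, so a leaked table does not leak usable tokens).

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# Constructed in-memory stores standing in for a database (assumption for this example).
USERS = {}          # email -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}   # sha256(token) -> {"email": str, "expires": float}

PBKDF2_ROUNDS = 200_000          # assumed work factor
TOKEN_TTL_SECONDS = 15 * 60      # assumed reset-token lifetime


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the output cannot be reversed to the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def create_account(email: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[email] = {"salt": salt, "hash": _hash_password(password, salt)}


def verify_password(email: str, password: str) -> bool:
    rec = USERS.get(email)
    if rec is None:
        # Hash anyway so an unknown account costs the same time as a wrong password.
        _hash_password(password, b"\x00" * 16)
        return False
    # Constant-time comparison of the stored and freshly computed hashes.
    return hmac.compare_digest(rec["hash"], _hash_password(password, rec["salt"]))


def stored_record_contains(email: str, password: str) -> bool:
    """True only if the raw password appears in what the site stores (it never does here)."""
    rec = USERS[email]
    return password.encode() in rec["salt"] + rec["hash"]


def issue_reset_token(email: str, now: Optional[float] = None) -> Optional[str]:
    """Mint a random token to e-mail to the user; only its hash is kept server-side."""
    if email not in USERS:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[token_hash] = {"email": email, "expires": now + TOKEN_TTL_SECONDS}
    return token


def redeem_reset_token(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Consume the token (single use) and set a new password; never reveals the old one."""
    now = time.time() if now is None else now
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    rec = RESET_TOKENS.pop(token_hash, None)   # pop => a token can only be used once
    if rec is None or now > rec["expires"]:
        return False
    salt = os.urandom(16)
    USERS[rec["email"]] = {"salt": salt, "hash": _hash_password(new_password, salt)}
    return True
```

Note that, unlike a site that e-mails the old password, the only thing that ever travels over e-mail here is the reset token, which is worthless after fifteen minutes or after one use, and the old password is never recoverable from what the server holds.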

-
----------------------------------------------------------------------
You can find the EdLUG mailing list FAQ list at:
http://www.edlug.org.uk/list_faq.html