Fallout from the JPMorgan Chase breach

nytimes.scam.leftsideblocked.620w

Most articles about the 76 million or so names and addresses that were stolen from JP Morgan Chase bank focus on the danger of phishing emails. But email is not the only way bad guys can abuse stolen data.

They may also try to scam victims on the telephone.

I ran across a couple articles on the Chase breach that mentioned telephone abuse, but each omitted an important point - you can't trust caller ID. Spoofing phone numbers that appear on caller ID has been a thing for a decade or so. If someone claiming to be from Chase calls on the phone, the safest thing to do is call them back at a known Chase phone number; one from a bank statement, credit card statement or chase.com.

A third way scammers might approach potential victims is postal mail. I say that as a recent target of a billing scam.

A letter in my mailbox pre ed itself as a bill for the New York Times. I subscribe to the newspaper and am quite familiar with their billing. Everything about this bill was different from the norm. In and of itself, this doesn't imply anything, as it could have been from a new computer system employed by the Times or they may have just started to outsource their billing.

NY Times bill

If the scam hadn't been so far out in left field, a Times subscriber might fall for it. Fortunately the bad guys were greedy.

One obvious difference from prior bills was that the billing period was an entire year. The New York Times bills me monthly.

Also hard to miss, was the price. For the year, RPS (a.k.a. Readers Payment Service at publishersspayment dot com) wanted $1,099.95. Six day home delivery of the New York Times, in my neck of the woods, is roughly $430/year.

I sent the newspaper a photo of the bill and asked their advice.

One source at the Times said

Please do not respond to any emails or pop ups from "The Associated Publishers Network". This is a scam to get your credit card and is not associated with The New York Times.

Another said

... our records indicate that the balance on your account is [omitted]. If this bill is more than this amount, it could be a scam bill. Many of our customers have received scam invoices for $1000.00 or more. These are not coming from The New York Times. If an invoice is a legitimate invoice from The New York Times, it will include the following:
1) It will direct you to make checks payable to The New York Times.
2) It will include your account number.
3) It will include the dates of service the charges apply to and any credits or payments made the previous billing cycle.

All well and good, though I am disappointed that the paper says nothing about these scams in the Help section of their website. Even if its not news that's fit to print, surely it's electron worthy.

This type of scam has been going on for a while but there seems to have been a recent torrent of it. Readers of these other publications have also been targeted: the Denver Post, The Atlanta Journal-Constitution, the Wall Street Journal, the Raleigh News & Observer, the Austin American-Statesman, The Sarasota Herald-Tribune, the Minneapolis Star Tribune, The Economist, the New Yorker Magazine and the Omaha World Herald.

In covering the story, a couple newspapers said their subscriber lists were not stolen and noted that phony bills were sent to people not on their subscriber rolls.

Maybe the targeted names and addresses came from the Chase breach, maybe not. There are so many breaches to chose from, and I'm sure there are many more that the public is unaware of.

That said, I have a couple gripes with Chase.

CHASE GRIPES

Automated alerts are an excellent defense against bad guys siphoning money out of your account. At Chase, however, you have to be an online banking customer to get alerts. Yet it was their online banking system that just showed itself to be inadequately protected. You have to make your accounts vulnerable in order to be protected. 

Also, Chase used to offer alerts by phone. A computer made a voice call to say that there had been a withdrawal greater than the threshold amount. It was great. Chase no longer offers alerts by phone. It must have been too secure for them.

And, since this is Computerworld, could a brother get some Perfect Forward Secrecy at chase.com?

chase.ssl.test.results.620w

Forward Secrecy is an attribute of a secure website. I blogged about it last June. Most secure websites don't support it, but if anyone should, it's the major financial institutions.

Without Forward Secrecy, every connection to the somewhat secure site uses the same encryption key. Millions of secure web pages for a year or two or three, all encrypted with the same key. If its true that the NSA records encrypted traffic on the Internet backbone, then the leak of a single small file (or just writing the key on a piece of paper) is all they need to decrypt everything coming and going from chase.com. Not only tomorrows transactions but last weeks too. 

Without Forward Secrecy secure web sites are a house of cards waiting for a single sneeze to knock them down. 

chase.no.pfs.620w

That chase.com does not support Perfect Forward Secrecy is more disgraceful than their getting hacked. There are no bad guys here, it is totally under their control. Chase CEO James Dimon recently announced that the bank will double the amount of money they spend on computer security. Hopefully this will be on their shopping list. 

It's sad that the mainstream press doesn't mention Forward Secrecy, but understandable since non-techies don't understand it. Why the tech press doesn't give Chase grief, I don't know. 

WHAT TO DO

Articles in the targeted newspapers suggest that people who have been sent phony bills contact the BBB or the FTC. But how effective can this be if this sort of thing has been ongoing for so long?

Sadly, most website rating services give publisherspayment dot com a clean bill of health.

OpenDNS runs phishtank.com where they have no information about publisherspayment dot com. Technically, the website is not involved with phishing as they do snail mail rather than email.

Google's Safe Browsing system is focused on malware and thus says "This site is not currently listed as suspicious."

Norton Safe Web also says that publisherspayment dot com is OK. They found no "Computer Threats", "Identity Threats' or "Annoyance factors".

McAfee's SiteAdvisor has no information.

AVG Threat Labs says it is "Currently safe" because "No active malware was reported recently by users .... "

At least my favorite rating service, WOT, came through. They give it an "unsatisfactory" rating for trustworthiness, with the first negative review made three years ago. 

If you feel like making a difference, sign up for WOT at mywot.com (it's free) and offer your opinion of publisherspayment dot com.

I have used the WOT browser plug-in for many years and continue to recommend it. I wouldn't browse without it.

The domain PUBLISHERSPAYMENT dot COM is registered with GoDaddy and uses private registration. Thus the Registrant Organization is listed as "Domains By Proxy, LLC" rather than the actual owner.

I notified GoDaddy and didn't hear back. Since the domain was first registered in June of 2011, my note was probably not the first one that GoDaddy has received.

To express your thoughts on Computerworld content, visit Computerworld's Facebook page, LinkedIn page and Twitter stream.
Windows 10 annoyances and solutions
Shop Tech Products at Amazon
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.