Bank of America vs security

[David Farber <dave () farber net>]

Begin forwarded message:

From: Bob Frankston <Bob19-0501 () bobf frankston com>
Date: June 22, 2005 12:40:17 PM EDT
To: Dave Farber <dave () farber net>
Subject: Bank of America vs security


I’m in the middle of redoing my screen scraping now that Bank of  
America is forcing Fleet’s Homelink users to convert to their new  
online banking service. I scrape because the data is mine and they  
make the information available for only al limited time and only  
while the particular account is open. That’s a big issue in its own  
right – at least with paper statements and printed checks people can  
set the own retention policy but that’s not my main problem at the  
moment.



As an aside, looking their site itself they seem to have lots of home  
brew Jscript code and I’ve found their seem to have trouble  
maintaining their DNS entries so their redirects can behave badly.  
Again, a separate topic.



I’m more concerned with a strange letter I got. It was sent in the  
clear, of course, because no one seems to care enough to do even  
simple encryption – while I don’t blame CALEA it’s a reminder that  
policies that allow the FBI to spy on us make it even easier for  
third parties to do so.



The letter was in response to my attempt to setup online transfers.  
It’s the usual thing, emailing me a letter asking me to type back a  
one-time code to their site to verify that my email address is valid  
and that I approve the transfer. Everything went smoothly but I  
decided to look at the received fields in the envelope of the letter  
(vs the header) and found it to be a bit strange:



Here’s the header (with my email address and such information  
replaced by *’s) [you really need HTML to understand this – again,  
another topic …]



x-sender: bankofamericatransfer () transfers bankofamerica com

x-receiver: **MyUser**@**MySite**

Received: from pula.cashedge.com ([129.41.8.16]) by **MYMachine**  
with Microsoft SMTPSVC(6.0.2600.2180);

       Mon, 20 Jun 2005 16:44:45 -0400

Received: from real2 (sonicwall [10.0.1.252])

      by pula.cashedge.com (8.11.6+Sun/8.10.2) with ESMTP id  
j5KKiie25797

      for <**MyUser**@**MySite**>; Mon, 20 Jun 2005 13:44:44 -0700  
(PDT)

Message-ID: <89617797.1119300283724.JavaMail.appft8@real2>

Date: Mon, 20 Jun 2005 13:44:43 -0700 (PDT)

From: bankofamericatransfer () transfers bankofamerica com

To: **MyUser**@**MySite**

Subject: Outside the Bank transfers Email confirmation.

Mime-Version: 1.0

Content-Type: text/plain

Content-Transfer-Encoding: 7bit

Return-Path: bankofamericatransfer () transfers bankofamerica com

X-OriginalArrivalTime: 20 Jun 2005 20:44:45.0778 (UTC) FILETIME= 
[E48D5320:01C575D8]



What is “pula.cashedge.com”? The DNS entry is gone and the number is  
within IBM’s world. I asked about this online to BofA and got a  
generic response “The e-mail was not legitimate. It was part of a  
fraudulent scheme to illegally acquire your personal financial  
information. Authorities shut down the fraudulent site within 2.5  
hours of its launch. We are working with the Secret Service to  
prosecute those responsible.” It was from a “Gregory I. Robinson”.  
When I called the 1-877-833-5617 listed in the letter and pressed 1  
(not the 5 they commended because I never typed info into a third  
party site I was told there was no such person. The letter itself had  
no site information – just the expected confirmation number.



As far as I can tell my own information wasn’t compromised – the  
letter contained no critical information other than the email address  
I use for just that account. The BoA response seemed canned –  
misdirecting rather than informative.



Any idea what is going on? If there was such an interception that is  
very worrisome.



Even more so because of a letter I received after sending an online  
Query to CallVantage using another unique address and I quickly got  
an unrelated letter from a third party site that seemed fraudulent. I  
reported it to the third party’s ISV and got a response saying they  
were shut down but know no more than that.



I view these as very serious breaches because they indicate attacks  
at the vital points in the system.



I’ve been mulling how to do edge-to-edge implementations in place of  
relying on the IP addresses but it’s been difficult to come up with  
an alternative to the DNS as an authoritative mapping of identifiers  
to IP addresses. Maybe that trust is misplaced …



Any ideas as to what is going on?







Bob Frankston http://www.frankston.com





-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/