Subject: Changing details by email.
From: Sylvia Else
Newsgroups: comp.misc
Date: Thu, 9 May 2024 10:46 UTC
Message-ID: <la3nsdFevfuU1@mid.individual.net>

"For the security and protection of your details we are unable to deal
with your change of address by e-mail. You can provide the information
either by contacting us on [....] or you can write to us at [...]"

Because phoning and writing are so much more secure.

Am I missing something here, or is this just standard bureaucratic
nonsense that is perpetuated because no one with the power to change
things looks at the rationale behind these decisions?

Sylvia.

Subject: Re: Changing details by email.
From: Anton Shepelev
Newsgroups: comp.misc
Organization: A noiseless patient Spider
Date: Thu, 9 May 2024 11:46 UTC
Message-ID: <20240509144640.0adf34de42f6ec0b810ba8da@gmail.moc>
References: <la3nsdFevfuU1@mid.individual.net>

Sylvia Else:

> "For the security and protection of your details we are
> unable to deal with your change of address by e-mail. You
> can provide the information either by contacting us on
> [....] or you can write to us at [...]"
>
> Because phoning and writing are so much more secure.

Perhaps they are, considering how careless the majority of
people are with their e-mail accounts. I wish, however,
businesses continued to use this very convenient means of
communication and let clueless users deal with the
consequences. Large internet shops (such as Amazon) used to
provide tolerable to good technical support over e-mail back
when I started using them, but then dropped it one by one
in favour of phone calls and chat, which (being
synchronous) are colossally inconvenient, making the client
wait for an answer on the phone or in a browser window.

> Am I missing something here, or is this just standard
> bureaucratic nonsense that is perpetuated because no one
> with the power to change things looks at the rationale
> behind these decisions?

E-mail may be the next clean and free protocol to die out of
general use after Usenet. I for one am positively outraged
when modern e-mail providers become unusable unless you give
them your mobile number and (or) use some new-fangled client
with 2FA.

--
() ascii ribbon campaign -- against html e-mail
/\ www.asciiribbon.org -- against proprietary attachments

Subject: Re: Changing details by email.
From: candycanearter07
Newsgroups: comp.misc
Organization: the-candyden-of-code
Date: Thu, 9 May 2024 15:00 UTC
Message-ID: <v1iodq$ndga$1@dont-email.me>
References: <la3nsdFevfuU1@mid.individual.net>
<20240509144640.0adf34de42f6ec0b810ba8da@gmail.moc>

Anton Shepelev <anton.txt@gmail.moc> wrote at 11:46 this Thursday (GMT):
> Sylvia Else:
>
>> "For the security and protection of your details we are
>> unable to deal with your change of address by e-mail. You
>> can provide the information either by contacting us on
>> [....] or you can write to us at [...]"
>>
>> Because phoning and writing are so much more secure.
>
> Perhaps they are, considering how careless the majority of
> people are with their e-mail accounts. I wish, however,
> businesses continued to use this very convenient means of
> communication and let clueless users deal with the
> consequences. Large internet shops (such as Amazon) used to
> provide tolerable to good technical support over e-mail back
> when I started using them, but then dropped it one by one
> in favour of phone calls and chat, which (being
> synchronous) are colossally inconvenient, making the client
> wait for an answer on the phone or in a browser window.

My guess is that they can use more tricks to market to you on a phone
call.

>> Am I missing something here, or is this just standard
>> bureaucratic nonsense that is perpetuated because no one
>> with the power to change things looks at the rationale
>> behind these decisions?
>
> E-mail may be the next clean and free protocol to die out of
> general use after Usenet. I for one am positively outraged
> when modern e-mail providers become unusable unless you give
> them your mobile number and (or) use some new-fangled client
> with 2FA.

At least you can still use IMAP.. for now..
--
user <candycane> is generated from /dev/urandom

Subject: Re: Changing details by email.
From: Rich
Newsgroups: comp.misc
Organization: A noiseless patient Spider
Date: Thu, 9 May 2024 16:21 UTC
Message-ID: <v1it60$ois2$1@dont-email.me>
References: <la3nsdFevfuU1@mid.individual.net>

Sylvia Else <sylvia@email.invalid> wrote:
> "For the security and protection of your details we are unable to
> deal with your change of address by e-mail. You can provide the
> information either by contacting us on [....] or you can write to us
> at [...]"
>
> Because phoning and writing are so much more secure.

Small correction, at least for the phone: it /was/ previously more
secure.

> Am I missing something here, or is this just standard bureaucratic
> nonsense that is perpetuated because no one with the power to change
> things looks at the rationale behind these decisions?

It's one part of each.

For a good long time, email was trivial to forge, and expecting a lowly
minimum-wage boiler room worker to know how to read email headers with
sufficient detail to detect a forged email was a no-go.

This was the original source of the "don't do X via email" rules. And,
much like the use of Fax in the medical environment (at least in the
US), once something like "email is too easy to forge, don't use email
for account changes" filters into the bureaucracy such that it makes a
rule, then the rule remains stuck long past the time when the rule no
longer applies (email with DMARC, DKIM, and SPF is reasonably
authenticated, in fact likely a better authentication than the usual
"who are you, where do you live" questions used to authenticate over
a phone call).

As to "phone" -- a similar issue applies, only the reverse situation.
In days long ago, when phone service was from one very regulated
monopoly (in the US, AT&T), the "phone" was very secure (ignoring the
issue of "how do I make sure the voice I'm hearing belongs to person
X"). At that time the phone network was both closed, quite proprietary,
and due to the high regulation, also quite secure (to an extent).
Enough such that the various bureaucracies formulated their rules that
"phone calls are secure -- so making this change over the phone is ok".

However, today, the phone network is effectively as "open" as the
Internet, and no more secure than any other very "open" system. But,
because the bureaucracies long ago set in stone their rule of "phone is
secure" they continue to operate as if it is just as secure as it once
was, even though for mere pennies one can obtain phone numbers at will
and forge just about everything related to a phone call.
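Rich's remark that mail carrying SPF, DKIM and DMARC results is "reasonably authenticated" rests on a detail the thread leaves implicit: the receiver has to check that the domain those mechanisms vouch for is the same domain shown in the From: header (DMARC's identifier alignment). SPF alone only proves who sent the envelope, and a DKIM "pass" only proves the signing domain; an attacker can get both to pass for a domain of their own while still writing the customer's address in From:. The Python below is an added example, not code from the thread or from any mail system. It parses a constructed Authentication-Results header of the kind a receiving MTA prepends, then applies the alignment test in relaxed and strict mode. The sample messages, the domain names and the two-label organisational-domain shortcut are assumptions for illustration; a deployment would use the Public Suffix List, trust only its own authserv-id, and treat a passing result as a statement about the domain's mail system, not about the person at the keyboard.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample messages (not real traffic). The Authentication-Results
# header is the one a receiving MTA prepends after evaluating SPF, DKIM and
# DMARC; every domain here is a placeholder chosen for this example.
ALIGNED = """\
Authentication-Results: mx.bank.example;
 spf=pass smtp.mailfrom=bounce.customer.example;
 dkim=pass header.d=customer.example header.s=sel1;
 dmarc=pass header.from=customer.example
From: Sylvia <sylvia@customer.example>
To: changes@bank.example
Subject: Change of address

Please update my postal address to ...
"""

# Same From: line, but the envelope sender and the DKIM signing domain belong
# to someone else: SPF and DKIM both "pass", just for the wrong domain.
SPOOFED = """\
Authentication-Results: mx.bank.example;
 spf=pass smtp.mailfrom=attacker.example;
 dkim=pass header.d=attacker.example header.s=k1;
 dmarc=fail header.from=customer.example
From: Sylvia <sylvia@customer.example>
To: changes@bank.example
Subject: Change of address

Please send my new card to ...
"""

METHOD = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
PROP = re.compile(r"\b(smtp\.mailfrom|header\.d|header\.from)=([^\s;]+)")


def org_domain(domain: str) -> str:
    """Crude organisational domain: the last two labels. Real DMARC code
    consults the Public Suffix List; this shortcut is an assumption."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(candidate: str, from_domain: str, strict: bool) -> bool:
    """DMARC identifier alignment: strict needs an exact match, relaxed
    accepts any subdomain of the same organisational domain."""
    if strict:
        return candidate.lower() == from_domain.lower()
    return org_domain(candidate) == org_domain(from_domain)


def parse_auth_results(value: str) -> tuple[dict, dict]:
    """Pull method results (spf=pass ...) and the identities they refer to
    out of an unfolded Authentication-Results value."""
    value = re.sub(r"\s+", " ", value)
    results = {m: r.lower() for m, r in METHOD.findall(value)}
    props = dict(PROP.findall(value))
    return results, props


def evaluate(raw: str, strict: bool = False) -> dict:
    """Decide whether the From: domain is vouched for by an aligned SPF or
    DKIM pass. Returns the individual findings as well as the verdict."""
    msg = message_from_string(raw, policy=policy.default)
    _, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rpartition("@")[2]
    verdict = {
        "from_domain": from_domain,
        "spf_aligned": False,
        "dkim_aligned": False,
        "reported_dmarc": None,
        "trusted": False,
    }
    ar = msg.get("Authentication-Results")
    if not ar or not from_domain:
        return verdict  # nothing to go on: treat as unauthenticated
    results, props = parse_auth_results(str(ar))
    verdict["reported_dmarc"] = results.get("dmarc")
    # SPF authenticates the envelope sender (MAIL FROM), which may differ
    # from the header From:, so alignment has to be checked explicitly.
    mailfrom = props.get("smtp.mailfrom", "").rpartition("@")[2]
    if results.get("spf") == "pass" and mailfrom:
        verdict["spf_aligned"] = aligned(mailfrom, from_domain, strict)
    # DKIM authenticates the d= domain of the signature, again not
    # necessarily the From: domain.
    signer = props.get("header.d", "")
    if results.get("dkim") == "pass" and signer:
        verdict["dkim_aligned"] = aligned(signer, from_domain, strict)
    verdict["trusted"] = verdict["spf_aligned"] or verdict["dkim_aligned"]
    return verdict


if __name__ == "__main__":
    for name, raw in (("aligned", ALIGNED), ("spoofed", SPOOFED)):
        print(name, evaluate(raw))
```

The spoofed message is rejected even though both `spf=pass` and `dkim=pass` appear in the header, because neither identity aligns with `customer.example`; the aligned message passes on DKIM in both modes but on SPF only in relaxed mode, since its bounce address lives on a subdomain. This is the check a front-line agent cannot do by eye, which is why it belongs in the mail gateway rather than in a procedure manual.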

Subject: Re: Changing details by email.
From: Theo
Newsgroups: comp.misc
Organization: University of Cambridge, England
Date: Thu, 9 May 2024 21:19 UTC
Message-ID: <9vD*X90Jz@news.chiark.greenend.org.uk>
References: <la3nsdFevfuU1@mid.individual.net> <v1it60$ois2$1@dont-email.me>

Rich <rich@example.invalid> wrote:
> For a good long time, email was trivial to forge, and expecting a lowly
> minimum-wage boiler room worker to know how to read email headers with
> sufficient detail to detect a forged email was a no-go.
>
> This was the original source of the "don't do X via email" rules. And,
> much like the use of Fax in the medical environment (at least in the
> US), once something like "email is too easy to forge, don't use email
> for account changes" filters into the bureaucracy such that it makes a
> rule, then the rule remains stuck long past the time when the rule no
> longer applies (email with DMARC, DKIM, and SPF is reasonably
> authenticated, in fact likely a better authentication than the usual
> "who are you, where do you live" questions used to authenticate over
> a phone call).

One key thing here is that the bank/etc doesn't have any insight into your
email system. It might say that you truly sent the message, but maybe your
sysadmin forged it?

Also, email generates a record. If they ask you for your security passcode,
that will be recorded in your 'Sent Mail' folder. Any attacker just needs
to look in there and they have enough to impersonate you. The bank might
record phone calls, but they can store the recordings securely and may
disable the recording for the security information.

Finally email is asynchronous, which makes it slow to deal with. Some
companies like it for long running issues since the agent can go back and
read the history, but for simple one-off transactional things having to
back-and-forth to establish identity makes it slower than a phone call.

> As to "phone" -- a similar issue applies, only the reverse situation.
> In days long ago, when phone service was from one very regulated
> monopoly (in the US, AT&T), the "phone" was very secure (ignoring the
> issue of "how do I make sure the voice I'm hearing belongs to person
> X"). At that time the phone network was both closed, quite proprietary,
> and due to the high regulation, also quite secure (to an extent).
> Enough such that the various bureaucracies formulated their rules that
> "phone calls are secure -- so making this change over the phone is ok".

In general, banks often don't pay a lot of credence to the phone metadata -
the number you're calling from, etc, they only look at the content of the
call. When they ask for security information it's often of the nature of
'please tell us the 5th digit of your security number' which means anyone
intercepting the call (or looking at your phone screen) doesn't get your
full credentials. They would have to record you making several calls, which
implies a (virtual) wiretap rather than just something transient like
overhearing a call.

In other words the process is designed on the basis that phone *isn't*
secure, and can cope with limited levels of leakiness.

> However, today, the phone network is effectively as "open" as the
> Internet, and no more secure than any other very "open" system. But,
> because the bureaucracies long ago set in stone their rule of "phone is
> secure" they continue to operate as if it is just as secure as it once
> was, even though for mere pennies one can obtain phone numbers at will
> and forge just about everything related to a phone call.

Web and email are also easier to do in bulk (see Nigerian Princes passim),
while phone is typically harder to fake at scale and easier to spot trouble.
Generative AI may change the game on that one, alas.

Theo
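Theo's point that the "tell us the 5th digit" challenge is designed for a leaky channel can be made concrete: one overheard call reveals k digits of an n-digit number, and an eavesdropper can only pass a later challenge if every position it asks for has already been leaked. The Python below is an added example, not code from the thread or from any bank; it models the bank's side, the eavesdropper's side, and the probability that a recorded set of calls is enough to impersonate the customer on the next one, then replays calls until the whole number has been exposed. The security number, the k=2 digits per call and the random seed are constructed values for illustration. By contrast, a full code sent in an e-mail (and kept in the Sent folder, as Theo notes) leaks everything in one observation, which is `success_probability(n, n, k) == 1.0` in the model.

```python
import math
import random
from dataclasses import dataclass, field


@dataclass
class PartialSecretVerifier:
    """The bank's side: holds the full security number and asks for k of
    its digits per call, chosen at random."""
    secret: str
    k: int = 2
    rng: random.Random = field(default_factory=random.Random)

    def challenge(self) -> list[int]:
        # 1-based positions, the way an agent would read them out
        return sorted(self.rng.sample(range(1, len(self.secret) + 1), self.k))

    def verify(self, positions: list[int], answers: list[str]) -> bool:
        if len(positions) != self.k or len(answers) != self.k:
            return False
        return all(self.secret[p - 1] == a for p, a in zip(positions, answers))


@dataclass
class Eavesdropper:
    """Someone who overhears calls and remembers every digit revealed."""
    n: int
    known: dict[int, str] = field(default_factory=dict)

    def observe(self, positions: list[int], answers: list[str]) -> None:
        self.known.update(zip(positions, answers))

    def answer(self, positions: list[int]):
        """Answers for a challenge if every requested digit has been seen,
        otherwise None (the impersonation attempt would fail)."""
        if all(p in self.known for p in positions):
            return [self.known[p] for p in positions]
        return None


def success_probability(known: int, n: int, k: int) -> float:
    """Chance that a fresh k-of-n challenge falls entirely within the
    positions an eavesdropper has already collected."""
    if known < k:
        return 0.0
    return math.comb(known, k) / math.comb(n, k)


def simulate(secret: str, k: int, seed: int) -> tuple[int, list[float]]:
    """Replay overheard calls until the eavesdropper knows every digit.
    Returns the number of calls needed and, after each call, the
    probability the eavesdropper could pass the next challenge."""
    rng = random.Random(seed)
    bank = PartialSecretVerifier(secret, k, rng)
    snoop = Eavesdropper(len(secret))
    curve: list[float] = []
    calls = 0
    while len(snoop.known) < len(secret):
        positions = bank.challenge()
        answers = [secret[p - 1] for p in positions]  # the real customer
        assert bank.verify(positions, answers)
        snoop.observe(positions, answers)
        calls += 1
        curve.append(success_probability(len(snoop.known), len(secret), k))
    return calls, curve


if __name__ == "__main__":
    calls, curve = simulate("48213907", k=2, seed=7)  # constructed secret
    print(f"full number recovered after {calls} overheard calls")
    for i, p in enumerate(curve, 1):
        print(f"  after call {i}: P(pass next challenge) = {p:.2f}")
    print("whole number disclosed at once:", success_probability(8, 8, 2))
```

The curve is the quantity a designer tunes: with two digits per call an eavesdropper who has heard one call has a 1-in-28 chance of being asked only digits it knows, and it needs at least n/k distinct calls, in practice several more, before it can impersonate the customer reliably. Recording every call (a wiretap) collapses that to certainty, which is the limit Theo draws between transient overhearing and a persistent intercept.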
