Some people wonder whether the situation with PayPal is that bad.\u00a0 Well, at least the phishing part is.\u00a0 Today’s mail included this little gem from points unknown pretending to be PayPal:<\/p>\n
Attention! Your PayPal account has been limited!<\/strong><\/span><\/p>\n […]<\/span><\/p>\n [Link to a phishing site]<\/p>\n This is the Last reminder to log in to PayPal as soon as possible. Once you log in, you will be provided with steps to restore your account access.<\/span><\/p>\n […]<\/p>\n How did I know this was a forgery?\u00a0 Let’s take a look at the email headers:<\/p>\n The first thing we note is the From:<\/strong> line.\u00a0 While this line can be easily forged, in this case, the miscreant forged not paypal’s domain but service.com<\/strong>‘s.\u00a0 Well, that’s not PayPal.\u00a0 This one was easy to establish as a fraud.\u00a0 But had we any doubts we would need look no further than the previous two lines (the last Received<\/strong>: header).\u00a0 If we look at the address 196.12.233.14, which is claimed to be dynamic.casa1-15-233-12-196.wanamaroc.com, we note that the name it has begins with “dynamic”.\u00a0 That name, and the numbers that follow in it, indicate that this is probably someone’s house or office PC, and not paypal’s email server.\u00a0 Note I’ve highlighted to “To” line, with the address lear@ofcourseimright.com<\/strong>.\u00a0 But that is not<\/strong> the address I’ve given PayPal.<\/p>\n What’s more, I happen to have an actual paypal.com set of headers to compare against.\u00a0 Here is what it looks like:<\/p>\n A few things to note: first, there my own mailer adds an Authentication-Results<\/strong> header, and in this case you see dkim=pass<\/strong>.\u00a0 It’s done that by looking at the DKIM-Signature<\/strong> header to determine if Paypal really did send the email.\u00a0 This is a strong authoritative check.\u00a0 Knowing that PayPal does this makes me feel comfortable to discard just about any email from paypal.com that lacks this header.\u00a0 Also, this email was addressed to the correct address (I’m not actually showing the address that I use).\u00a0 Not every site uses dkim<\/strong> and that’s a pity.\u00a0 One has to know in advance when to expect dkim=pass<\/strong> and one has to look at the headers to check.<\/p>\n Just by comparing email headers we can see that this is a poor forgery.\u00a0 And yet it takes time and effort for people to determine just that.\u00a0 And this is the risk that we consumers face.\u00a0 If one decides that any email one wasn’t expecting from PayPal is in fact a forgery, then should someone break into one’s account, one may not notice that there is a problem.<\/p>\n Summarizing, here are the things that I’ve done to limit the chances of something bad happening:<\/p>\n But it’s not all that easy for me.\u00a0 It certainly isn’t easy for those who haven’t been paying attention to all of this stuff as part of their job.<\/p>\n","protected":false},"excerpt":{"rendered":" Some people wonder whether the situation with PayPal is that bad.\u00a0 Well, at least the phishing part is.\u00a0 Today’s mail included this little gem from points unknown pretending to be PayPal: Attention! Your PayPal account has been limited! […] [Link to a phishing site] This is the Last reminder to log in to PayPal as … Continue reading “Paypal follow-up”<\/span><\/a><\/p>\n","protected":false},"author":172,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[50,11,9],"tags":[99,8],"class_list":["post-809","post","type-post","status-publish","format-standard","hentry","category-complexity","category-internet-consumer-identity","category-security","tag-dkim","tag-phishing"],"_links":{"self":[{"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=\/wp\/v2\/posts\/809","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=\/wp\/v2\/users\/172"}],"replies":[{"embeddable":true,"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=809"}],"version-history":[{"count":3,"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=\/wp\/v2\/posts\/809\/revisions"}],"predecessor-version":[{"id":812,"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=\/wp\/v2\/posts\/809\/revisions\/812"}],"wp:attachment":[{"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=809"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=809"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=809"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Return-Path: <paypal@service.com>\r\nReceived: from mail.realinterface.com (mail.cecreal.com [66.101.212.157])\r\n\tby upstairs.ofcourseimright.com with ESMTP id n9GAJ9h3022332\r\n\tfor <lear@ofcourseimright.com>; Fri, 16 Oct 2009 12:19:31 +0200\r\nReceived<\/strong>: from dynamic.casa1-15-233-12-196.wanamaroc.com ([196.12.233.14])<\/span><\/strong> by\r\n mail.realinterface.com with Microsoft SMTPSVC(5.0.2195.6713);\r\n\t Fri, 16 Oct 2009 06:32:45 -0400\r\nFrom<\/strong>: \"PayPal Services\" <paypal@service.com<\/strong><\/span>>\r\nTo: \"lear\" <lear@ofcourseimright.com><\/span><\/strong>\r\nSubject: Your PayPal account has been Limited\r\nDate: Fri, 16 Oct 2009 10:18:53 +0000\r\nOrganization: PayPal\r\nMIME-Version: 1.0\r\nContent-Type: multipart\/alternative;\r\n boundary=\"----=_NextPart_000_0000_01C6527E.AE8904D0\"\r\nMessage-ID: <RI1BvDvIMYk5XYA4IyF00002a42@mail.realinterface.com>\r\nX-OriginalArrivalTime: 16 Oct 2009 10:32:45.0859 (UTC) FILETIME=[00099730:01CA4E4C]<\/pre>\nReturn-Path: <payment@paypal.com>\r\nReceived: from mx1.phx.paypal.com (mx1.phx.paypal.com [66.211.168.231])<\/span><\/strong>\r\n\tby upstairs.ofcourseimright.com (8.14.3\/8.14.3\/Debian-6) with ESMTP id n9E8KIwI026171\r\n\tfor <xxx@ofcourseimright.com>; Wed, 14 Oct 2009 10:20:39 +0200\r\nAuthentication-Results: upstairs.ofcourseimright.com; dkim=pass\r\n\t(1024-bit key; insecure key) header.i=service@paypal.ch;\r\n\tdkim-adsp=none (insecure policy)<\/strong><\/span>\r\nDKIM-Signature: v=1; a=rsa-sha256; c=relaxed\/relaxed;\r\n d=paypal.ch; i=service@paypal.ch; q=dns\/txt; s=dkim;\r\n t=1255508439; x=1287044439;\r\n h=from:sender:reply-to:subject:date:message-id:to:cc:\r\n mime-version:content-transfer-encoding:content-id:\r\n content-description:resent-date:resent-from:resent-sender:\r\n resent-to:resent-cc:resent-message-id:in-reply-to:\r\n references:list-id:list-help:list-unsubscribe:\r\n list-subscribe:list-post:list-owner:list-archive;\r\n z=From:=20\"service@paypal.ch\"=20<service@paypal.ch>\r\n |Subject:=20Receipt=20for=20Your=20Payment=20to=XXX\r\n |Date:=20Wed,=2014=20Oct=202009=2001:20:17=20-0700|\r\n |Message-Id:=20<1255508417.22290@paypal.co\r\n m>|To:=20Eliot=20Lear=20<paypal@ofcourseimright.com>\r\n |MIME-Version:=201.0;\r\n bh=q82fwVBPBq26WHflKsNcdbCIf3Vcc5wRznZ9tfI8+8k=;\r\n b=OPyR7evc\/VcnTZyDZSlYCh9oLm+vmKt8qsocqMrAr7y\/kg3P5+DhO3mB\r\n UDbhkCvqu+owm45X1te+PxoREXR9aMEuuD20ltP2B5f5JWf\/MjICk6zc6\r\n gYv6pY6ZRFKclXFGvtViJwv0LsW8N7uaoiZCAh5mxrjfuJaF+SmNyX23c\r\n I=;\r\nReceived: (qmail 22290 invoked by uid 99); 14 Oct 2009 08:20:17 -0000\r\nDate: Wed, 14 Oct 2009 01:20:17 -0700\r\nMessage-Id: <1255508417.22290@paypal.com>\r\nSubject: Receipt for Your Payment to XXXX\r\nX-MaxCode-Template: email-receipt-xclick-payment\r\nTo: Eliot Lear <xxx@ofcourseimright.com><\/span>\r\n<\/strong>From: \"service@paypal.ch\" <service@paypal.ch>\r\nX-Email-Type-Id: PP120\r\nX-XPT-XSL-Name: email_pimp\/CH\/en_US\/xclick\/ReceiptXClickPayment.xsl\r\nContent-Type: multipart\/alternative;\r\n boundary=--NextPart_048F8BC8A2197DE2036A\r\nMIME-Version: 1.0<\/pre>\n\n