Aetna, phishing and security

We’ve just gotten home from M3AAWG and I’m catching up with a lot of the administrative stuff that’s gotten ignored while we were soaking up the tons of information from some of the smartest Internet security folks around. One of the tasks I’m working on is checking on our recent bills from our health insurance provider. Their website seems to be down, so I called them up and asked them if it was down or if something was broken on my end.
They did confirm there was a problem with the site “earlier today” but then started asking me for my account information. They’ve promised to email me a new password because of reasons.
One of the things about M3AAWG is that concentrated discussions about spam and online criminals and security can make everything feel so fragile and security so inadequate to protect us against criminals. I start thinking that everything is compromised. It doesn’t help that websites fail just at the time when I start trying to figure out if my personal information leaked out.
In the course of trying to figure out if there is something wrong at Aetna and if my personal information is safe, I find an article about how poor security is for health companies. “Health companies flunked an email security survey—except Aetna.” Apparently, out of all the health companies out there, Aetna are the only ones fully implementing DMARC on all their mail streams.
The problem is that for the mail I received from Aetna, the visible From: address is AetnaeBilling@aetnagroupbilling.com. This is one of the major vulnerabilities of DMARC. How can I, as a recipient, tell that this is officially mail from Aetna? Any phisher could register “aetnabilling.com” or “aetnagoupbilling.com” or “aetnaebilling.com” and publish DMARC records and use those records to phish customers. Even worse, aetnagroupbilling.com isn’t a SSL registered website.
This is exactly the type of setup a phisher would use to gain access to people’s health insurance accounts. And Aetna offers the ability to draft payments directly from a business checking account, so breaking into the billing account also offers some level of access to the business money.
Do I think this is a phish? No.
Do I think the average person would be able to tell that? No.
There’s got to be a better way to secure folks online.

Related Posts

Some email related news

A couple links to relevant things that are happening in email.
M3AAWG released the Help! I’m on a Blocklist! (PDF link) doc this week. This is the result of 4 years worth of work by a whole lot of people at M3AAWG. I was a part of the working group (“doc champion” in M3AAWG parlance) and want to thank everyone who was involved and contributed to the process. I am very excited this was approved and published so people can take advantage of the collective wisdom of M3AAWG participants.
In other announcements, Gmail announced today on their Google+ page that that they were putting a new “unsubscribe” link next to the sender name when mail is delivered to the Promotions, Social or Forums tab. This appears to be the official announcement of the functionality they announced at the SF M3AAWG last February. It likely means that all users are currently getting the “unsubscribe” link. What Gmail doesn’t mention in that blog post is that this functionality uses the “List-Unsubscribe” header, not the link in the email, but I don’t think anyone except bulk mailers really care about how it’s being done, just that it is.
Also today Gmail announced they were going to recognize usernames with non-Latin or accented characters in the name. Eventually, they claim, they’ll also allow people to get Gmail addresses with accented characters.

Read More

Mary Litynski Award winner Jayne Hitchcock

This morning the Messaging, Mobile and Malware Anti-Abuse Working Group announced the winner of the Mary Litynski Award.
Congratulations to Jayne Hitchcock of WHO@ for her work over the last 2 decades fighting online abuse and cyberstalking.
I’ve never actually met Jayne, but I do remember following her story in the late 90s. She started off trying to protect people from being scammed by Woodside Literary Agency. In return for her work to inform and protect people the principals of Woodside set out on a multi-year harassment campaign against her.
This was in the late 90s and the Internet was very new. There weren’t any laws. There weren’t really abuse desks. We had to protect each other. Law enforcement didn’t know what to do with problems. There weren’t any laws against harassment online. The word “cyberstalking” was created by a reporter when describing what was happening to Jayne.
Jayne has been a force for good online and she and her volunteers help people who are victims of abuse online and cyberstalking. She’s been instrumental in getting anti-cyberstalking laws passed and helping law enforcement understand why online abuse is an issue and that it should be addressed.

Read More

Back from M3AAWG

Last week was the another M3AAWG meeting in San Francisco. The conference was packed full of really interesting sessions and things to learn. Jayne’s keynote on Tuesday was great, and brought up a lot of memories of just what it was like to be fighting spam and online abuse in the mid to late 90s. It’s somewhat amazing to me that many of the people I first met, or even just heard about are still actively working to fight abuse and make the Internet safer.
Wednesday was another great keynote from Facebook, discussing security. Facebook is committed to sharing threat information and has started the ThreatExchange website as a hub for sharing data among large companies.
One thing that was amusing was during one talk someone mentioned YubiKey for managing logins. They said many people were sharing long strings of random keys that sometimes happen because someone has accidentally triggered the one time passcode. YubiKey is awesome, if sometimes ccccccdkhjnbitklrrtnhjrdfgdlhektfnfeutgtdcib inscrutable.
As has become a bit of a M3AAWG tradition lately, Wednesday was also kilt day. There may be pictures. For those of you planning to go to Dublin, Wednesday will be kilt day as well.
The conference was great, but ended on a bit of a down note. We received word that Wednesday night a long time friend, Ellen R., passed away due to complications from a stroke. The conference held a moment of silence for her at the end. Ellen was a friend as well as a colleague. She was around on IRC when we started this crazy experiment called Word to the Wise and was always helpful and insightful. She volunteered with, and then worked for, Spamcop and then volunteered with Spamhaus. Ellen will be very missed.
I started off the conference remembering all the friends I made back in the late 90s and ended it remembering and missing those who are no longer around. Email has been one amazing journey, and doesn’t look like it’s going away anytime soon.

Read More