The Smell of Molten Projects in the Morning

Ed Nisley's Blog: Shop notes, electronics, firmware, machinery, 3D printing, laser cuttery, and curiosities. Contents: 100% human thinking, 0% AI slop.

Category: Oddities

Who’d’a thunk it?

  • Credit Union vs. Credit Karma vs. Account Security: FAIL

    You know how you’re supposed to not click on email links these days, even when they’re from “trustworthy” sources, because you might be a spear-phishing target? Well, here’s a true story about how our Credit Union handles the situation.

    The backstory: I recently signed up for a service that provides an estimate of my credit score, which it does by asking the usual Big Three credit reporting agencies for my records on, presumably, a monthly basis. I’m not happy with that arrangement, but I wanted to see how well it worked and figured I’d cancel after a month or two. Based on these exchanges with their support staff, it’s time to cancel…

    After I received the expected email from them, I discovered that the only way to reach the service was through an embedded link. I try to avoid doing that sort of thing, so I went directly to (what I assumed was) their website and tried to log in. That didn’t work, so I fired off a support message…

    From me to CreditKarma:

    Having signed up for your service through the Hudson Valley Federal Credit Union, it seems that I cannot sign on directly to your site using the email address and password I provided during the HVFCU signup.

    That means the only way to sign on to my account requires clicking on the link provided in your monthly email, which redirects me through the HVFCU website.

    Is that correct?

    If so, how can I distinguish your email from a well-designed spear phishing attack that requires me to divulge two banking userids and passwords?

    Thanks…

    Their reply, which neatly avoids answering the questions:

    Sorry for the confusion. Your HVFCU Credit Karma account is different from any account you may have created with www.CreditKarma.com. To log into your HVFCU Credit Karma account, you’ll first need to log into your online banking account and then log in through there.

    But that’s not how it works:

    OK, so I must go through the HVFCU website to reach you. That process seems to require cookies set by the redirection included in the email link, because simply signing on to the HVFCU website and clicking the appropriate link does not redirect to your website unless I have already followed the email link.

    So, allow me to ask the key questions again:

    The only way to sign on to my account requires clicking on the link provided in your monthly email, which redirects me through the HVFCU website.

    Is that correct?

    If so, how can I distinguish your email from a well-designed spear phishing attack that requires me to divulge two banking userids and passwords?

    Please answer those questions, as I need to know how this works.

    Thanks…

    There’s been no answer after a week, so I think I’ve reached the end of their tech support.

    Then I posed much the same question to the Credit Union:

    Having recently signed up for the CreditKarma score monitoring service, I’m flabbergasted by the total lack of security awareness.

    The only way to access the CreditKarma report is through the link in the monthly email. Clicking that link requires signing in to my HVFCU account, then to the CreditKarma account.

    Without clicking on that link, selecting the “Credit Score” menu item in the HVFCU site does nothing.

    Without clicking on that link, the CreditKarma.com website does not recognize my email address.

    How, exactly, can I distinguish that monthly email from a well-crafted spear phishing attack that will collect the userid and password for both of my accounts?

    Is there an alternate procedure for accessing my CreditKarma account that does not require depending on a lengthy link contained in an email message?

    Thanks…

    Their reply seems slightly more informative, but note that they ignore the “must click the link” evidence I report and also avoid answering the hard questions:

    I regret to hear of the difficulties you are experiencing with Credit Karma. If you would like to access the site directly, you should type: https://hvfcu.creditkarma.com.  The https: indicates that the connection will be secured.  “creditkarma.com” lets you know that you are connecting to Credit Karma’s web site.  hvfcu. is the subdomain created by Credit Karma for HVFCU members. Your account will not work at http://www.creditkarma.com because the subdomain created for HVFCU is separate from their public site.

    Additionally, you may also log on to Internet Banking, then click on the “My Credit Score” link near the top right of the page, and you may now log in.  If you chose this option, ensure that all pop up blocker settings are adjusted since you will be required to access a separate web page. Clicking on the link in the monthly emails will direct you to the same place.  We understand that you may not be comfortable clicking on a link or may be using a system or mobile device that doesn’t allow you to view the link, which would make it difficult to determine if a message was legitimate or fraudulent.  In these cases, we recommend that you set a shortcut or favorite for https://hvfcu.creditkarma.com or else sign in to Internet Banking first, then click on the “My Credit Score” link.

    So I tried again:

    > Your account will not work at http://www.creditkarma.com because the subdomain created for HVFCU is separate from their public site.

    Indeed, it doesn’t. When I asked them about that, their reply was, shall we say, unhelpful; they really want me to click on the link and didn’t even mention the HVFCU subdomain. I did tell them that I had an HVFCU account, so they weren’t completely ignorant of the situation.

    They have not responded to my question about determining whether an email allegedly from them is a phishing attack, either.

    > Additionally, you may also log on to Internet Banking, then click on the “My Credit Score” link near the top right of the page, and you may now log in.

    As I reported, that doesn’t work unless you’ve previously clicked on the email link to set whatever tracking cookies they use. I’ve tried it immediately after clearing cookies and cache: it doesn’t work. Clicking on the link to bounce off their website sets everything up properly and then the HVFCU menu item works.

    Try that and see how it works for you. I’d like to know whether it’s a peculiarity of Firefox and Chrome.

    > We understand that you may not be comfortable clicking on a link

    As the HVFCU page on phishing says: “Links within the email take you to a fake website that usually looks authentic because it uses graphics from the institution’s real website.” So, basically, I must regard all clickable links in all emails as suspect.

    Given that the URL is total gibberish, with both the HVFCU and Credit Karma URLs buried within tracking numbers, there’s no possibility of manually extracting and typing the address.

    So, as I asked originally, please tell me exactly how I can tell that an email purporting to be from Credit Karma isn’t a very well-done phishing attack?

    We both know there’s no way to do so, so why do you and Credit Karma rely on email links for such a vital function? You’re training your customers to click on emailed links, which is a terrible security practice for a bank.

    Have you documented the direct sign-on process anywhere your customers can find it? I couldn’t, but maybe I’m not looking in the right place. Why not put those instructions in each email, rather than using clickable links?

    Thanks…

    Another week has passed, so I suspect they’re not going to answer those questions, either.

    Am I the only person who thinks it’s bad practice for a bank to require you to click on emailed links?
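    The exchange above keeps circling one question: is there any check a customer can run on that tracking link? Here is an added example, not code from the original post or from either company, that does the only check that holds up: it pulls out the host the browser will actually contact, digs any URLs out of the query string where trackers bury the real destination, and compares each against a short allowlist of hosts you would type by hand. Only hvfcu.creditkarma.com comes from the page; the tracker domain, the query-parameter names, the look-alike hosts and hvfcu.org are all assumptions invented for the sample links.

```python
# Added example, not code from the original post: take a link of the kind the
# post complains about (a long tracking URL with the real destinations buried
# inside it), work out which host the browser will actually contact, and
# compare that against a short allowlist of hosts you would type by hand.
from urllib.parse import urlsplit, parse_qs, unquote

# Hosts you reach from your own bookmark, never from the email.
# hvfcu.creditkarma.com is the address the Credit Union gave the author;
# hvfcu.org is an assumed name for the bank's own site.
ALLOWED_HOSTS = {"hvfcu.creditkarma.com", "hvfcu.org"}

# Constructed sample links (not real URLs) in the shapes a customer meets:
# a vendor tracking redirect, a look-alike host, the userinfo trick, and
# the typed-by-hand address.
TRACKING_LINK = (
    "https://click.tracker.example/ls/click?upn=AbC123xyz&id=98765"
    "&url=https%3A%2F%2Fhvfcu.creditkarma.com%2Flogin%3Fref%3D1234"
)
LOOKALIKE_LINK = "https://hvfcu.creditkarma.com.login-verify.example/secure"
USERINFO_LINK = "https://hvfcu.creditkarma.com@login-verify.example/secure"
DIRECT_LINK = "https://hvfcu.creditkarma.com/"


def connecting_host(url):
    """Hostname the browser resolves for url, or '' if there is none.

    urlsplit takes care of the two classic eyeballing traps: text before '@'
    is userinfo, not the host, and 'hvfcu.creditkarma.com.evil.example' is a
    host under evil.example, not under creditkarma.com.
    """
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def host_allowed(host, allowed=ALLOWED_HOSTS):
    """True only for an exact allowlisted host or a label-boundary subdomain."""
    return any(host == a or host.endswith("." + a) for a in allowed)


def embedded_urls(url, depth=3):
    """URLs carried inside the query string, following nested redirects."""
    found = []
    for values in parse_qs(urlsplit(url).query, keep_blank_values=True).values():
        for value in values:
            # parse_qs decodes once; double-encoded targets need another pass.
            if not value.lower().startswith(("http://", "https://")):
                value = unquote(value)
            if value.lower().startswith(("http://", "https://")):
                found.append(value)
                if depth > 0:
                    found.extend(embedded_urls(value, depth - 1))
    return found


def assess(url, allowed=ALLOWED_HOSTS):
    """Where the link really goes first, versus the hosts it merely mentions."""
    first = connecting_host(url)
    mentioned = [connecting_host(u) for u in embedded_urls(url)]
    return {
        "connects_to": first,
        "host_on_allowlist": host_allowed(first, allowed),
        "mentions": mentioned,
        # A trusted name that appears only inside a parameter proves nothing:
        # the tracker decides where you land after it has logged the click.
        "name_dropping_only": (not host_allowed(first, allowed))
        and any(host_allowed(h, allowed) for h in mentioned),
    }


if __name__ == "__main__":
    for link in (TRACKING_LINK, LOOKALIKE_LINK, USERINFO_LINK, DIRECT_LINK):
        print(link)
        print("   ", assess(link))
```

    Run it and the tracking link comes back as connecting to the tracker, with the Credit Karma name appearing only as a parameter the tracker is free to ignore; the look-alike and userinfo links fail the allowlist outright even though both contain the string hvfcu.creditkarma.com. That is the mechanical version of the author’s complaint: the email link can never pass the one check that matters, so the only procedure that works is the one the Credit Union finally described, a bookmark you typed yourself.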

  • Merry Christmas: Winter Visitors

    Our back yard serves as a wildlife thoroughfare, but only after a snowfall can we see who’s been afoot overnight.

    Gray squirrels hop across the driveway:

    Squirrel Tracks in Snow

    When they’re not busy raiding the bird feeder, that is:

    Not a Squirrel-Proof Feeder

    Red foxes leave widely spaced tracks:

    Red Fox Tracks in Snow

    Even quadrupeds have trouble maintaining their footing on an icy driveway:

    Red Fox Skidmark in Snow

    Turkeys travel in flocks:

    Turkey Tracks in Snow

    And sometimes monsters stride the Earth:

    Mary Track in Snow

    Seeing as how it wouldn’t be a suitable blog post without some numbers, here’s a 1 foot / 30 cm scale with fox and turkey tracks:

    Turkey and Fox Tracks in Snow with Ruler

    Those are scary-big birds!

    Merry Christmas to all!

  • Large UV LED Self-Fluorescence

    Just got an ultraviolet LED in a 10 mm epoxy package that’s water-clear in visible light and slightly fluorescent in its own UV:

    10 mm dia 405 nm UV LED

    The epoxy usually has some fluorescence, but this seems more dramatic than usual. In any event, the die’s wide beam angle shows clearly; the beam along the axis out in front is actually pretty tight.

    It’s sitting on the back of a white ceramic tile and the colors came out surprisingly close to real life.

    Adding this to an Arduino would follow the same logic as, say, the pager motor: power the LED + resistor + MOSFET from a +5 V external regulator that won’t heat the Arduino board, then define an unused bit in the shift register as, say, UV_LED.

    It runs at 20 mA and drops around 3.3 V.

  • Tea Ball Revival: Bleaching

    As promised, pix of the tea ball bleaching process (it’s plant pot bleaching time again). Before:

    Tea ball – before bleaching

    And after a few minutes in a 10% bleach solution:

    Tea ball – after bleaching

    The pix don’t do it justice; the thing comes out looking like new. Every half-year, like clockwork!

    Of course, one could argue that tea does even worse things to my interior, but …

  • Body Modification: Magnetic Sensor

    Our Larval Engineer reports that the current techie-thing-to-do involves having a tattoo artist or other unlicensed medical technician implant a tiny bar magnet in one’s finger, a process that adds a sixth sense to one’s built-in repertoire after the anesthetic shot of whiskey wears off. Evidently, converting magnetic field variations into mechanical force tweaks those little nerve endings wonderfully well, provided that your finger doesn’t subsequently rot off.

    I point out that a magnet epoxied to a fingernail would probably get you within a few dB of the same result, minus the back-alley surgery thing. She counters that’s tacky and lacks style.

    I point out that her medical insurance (for which, harumph, we are currently paying) probably doesn’t cover self-inflicted damage. She counters that most victims have no problems at all.

    I point out that a steampunk-style wristband incorporating a Hall effect sensor, LEDs, and maybe a vibrating pager motor would be at least as cool and probably marketable, to boot. She returns broadside fire by observing such a device requires power and she knows how I feel about batteries.

    Game, set, and match.

    In the interest of science and so as to not be rendered completely obsolete, I’ve epoxied a small neodymium magnet to my left little finger to discover what the world feels like. It’s surrounded by epoxy, which ought to prevent corrosion & deterioration until it eventually falls off or the nail grows out. It came with a white ceramic layer on one pole, which means it’s completely encapsulated:

    Neodymium magnet on fingernail

    She’s absolutely right: it’s tacky and lacks style.

    I used JB KwikWeld fast-setting epoxy. The magnet attracted a tendril of uncured epoxy, so the “steel filled” part of the description seems accurate, and the magnetic field produced a nice smooth coat over the entire side of the disk.

    It buzzes gently inside a Sonicare toothbrush handle, snaps firmly to steel surfaces, and is otherwise inoffensive. I must run some calibration tests to figure out what sort of magnetic field intensity a fingernail can detect. I’m certain it’s less sensitive than an implanted magnet, but I’m down with that.

    Memo to Self: If you should occasionally use your little finger to ream out your ear or nose, that’s just not going to work any more…

  • Kindle Fire Security: Burn Them. Burn Them All.

    My Kindle Fire automagically updates itself whenever Amazon decides it should. Sometimes an update produces a notice that an app (why don’t we call them “programs” these days?) needs more permissions, but the process generally goes unremarked.

    This one wasn’t subtle at all:

    Kindle Fire - File Expert Trojan warning

    I had just fired up File Expert, which immediately dimmed the screen and presented a dialog box with only two unpalatable choices. Here’s a closeup:

    Kindle Fire - File Expert Trojan warning - detail

    Well, what would you do?

    Needless to say, I didn’t press the Download Now button; it probably wouldn’t have worked anyway, because I turned off the Allow Installation of Applications from Unknown Sources option a long time ago. Pressing Exit bails out of the program app and returns to the Home screen.

    Some questions immediately spring to mind:

    • If the app has been compromised, exactly how did it regain control and complain about the situation?
    • If this is truly a compromised app, why wouldn’t the Trojan just download malware without asking?
    • How did this pass the ahem QC and auditing that allegedly justifies having a sole-source Amazon App Store? After all, I can load random crap from the Interweb onto a PC all by myself.
    • How does one validate the origin of those random security questions that regularly appear on various computer screens? Why wouldn’t malware just pop up a random dialog box asking for the password, any password, and gleefully use whatever you type?

    This appears to be a false positive, as explained there. I assume that any malware worth its salt would also kill off any built-in integrity checking, but what do I know? It’s gone missing from the storefront, probably cast forth into the outer darkness away from the light of Kindle Fires…

  • Please Use the Water Fountain for Drinking Purposes Only

    Please Use the Water Fountain for Drinking Purposes Only

    OK, I need some help on this one…

    I understand the English wording and suppose that the Hebrew version says roughly the same thing. What I flat-out don’t understand is why such signs appear over the water fountains in the hallways outside the toilet rooms (which have, FWIW, the expected, perfectly serviceable, sinks with hot & cold running water and soap dispensers).

    We were northbound on I-90 at the Clifton Park rest stop. Given the location, I’d pick French as the second language and maybe Spanish would be reasonable, but Hebrew?

    Is there some mysterious ritual involving water fountain misuse that happens only in upstate New York?

    Obviously, I don’t get out nearly enough…

    [Update: I will ruthlessly squash ethnic & religious jokes, snide remarks, and off-point speculation. Selah.]