The Smell of Molten Projects in the Morning

Ed Nisley's Blog: Shop notes, electronics, firmware, machinery, 3D printing, laser cuttery, and curiosities. Contents: 100% human thinking, 0% AI slop.

Tag: Rants

And kvetching, too

  • Credit Union vs. Credit Karma vs. Account Security: FAIL

    You know how you’re supposed to not click on email links these days, even when they’re from “trustworthy” sources, because you might be a spear-phishing target? Well, here’s a true story about how our Credit Union handles the situation.

    The backstory: I recently signed up for a service that provides an estimate of my credit score, which it does by asking the usual Big Three credit reporting agencies for my records on, presumably, a monthly basis. I’m not happy with that arrangement, but I wanted to see how well it worked and figured I’d cancel after a month or two. Based on these exchanges with their support staff, it’s time to cancel…

    After I received the expected email from them, I discovered that the only way to reach the service was through an embedded link. I try to avoid doing that sort of thing, so I went directly to (what I assumed was) their website and tried to log in. That didn’t work, so I fired off a support message…

    From me to CreditKarma:

    Having signed up for your service through the Hudson Valley Federal Credit Union, it seems that I cannot sign on directly to your site using the email address and password I provided during the HVFCU signup.

    That means the only way to sign on to my account requires clicking on the link provided in your monthly email, which redirects me through the HVFCU website.

    Is that correct?

    If so, how can I distinguish your email from a well-designed spear phishing attack that requires me to divulge two banking userids and passwords?

    Thanks…

    Their reply, which neatly avoids answering the questions:

    Sorry for the confusion. Your HVFCU Credit Karma account is different from any account you may have created with www.CreditKarma.com. To log into your HVFCU Credit Karma account, you’ll first need to log into your online banking account and then log in through there.

    But that’s not how it works:

    OK, so I must go through the HVFCU website to reach you. That process seems to require cookies set by the redirection included in the email link, because simply signing on to the HVFCU website and clicking the appropriate link does not redirect to your website unless I have already followed the email link.

    So, allow me to ask the key questions again:

    The only way to sign on to my account requires clicking on the link provided in your monthly email, which redirects me through the HVFCU website.

    Is that correct?

    If so, how can I distinguish your email from a well-designed spear phishing attack that requires me to divulge two banking userids and passwords?

    Please answer those questions, as I need to know how this works.

    Thanks…

    There’s been no answer after a week, so I think I’ve reached the end of their tech support.

    Then I posed much the same question to the Credit Union:

    Having recently signed up for the CreditKarma score monitoring service, I’m flabbergasted by the total lack of security awareness.

    The only way to access the CreditKarma report is through the link in the monthly email. Clicking that link requires signing in to my HVFCU account, then to the CreditKarma account.

    Without clicking on that link, selecting the “Credit Score” menu item in the HVFCU site does nothing.

    Without clicking on that link, the CreditKarma.com website does not recognize my email address.

    How, exactly, can I distinguish that monthly email from a well-crafted spear phishing attack that will collect the userid and password for both of my accounts?

    Is there an alternate procedure for accessing my CreditKarma account that does not require depending on a lengthy link contained in an email message?

    Thanks…

    Their reply seems slightly more informative, but note that they ignore the “must click the link” evidence I report and also avoid answering the hard questions:

    I regret to hear of the difficulties you are experiencing with Credit Karma. If you would like to access the site directly, you should type: https://hvfcu.creditkarma.com.  The https: indicates that the connection will be secured.  “creditkarma.com” lets you know that you are connecting to Credit Karma’s web site.  hvfcu. is the subdomain created by Credit Karma for HVFCU members. Your account will not work at http://www.creditkarma.com because the subdomain created for HVFCU is separate from their public site.

    Additionally, you may also log on to Internet Banking, then click on the “My Credit Score” link near the top right of the page, and you may now log in.  If you chose this option, ensure that all pop up blocker settings are adjusted since you will be required to access a separate web page. Clicking on the link in the monthly emails will direct you to the same place.  We understand that you may not be comfortable clicking on a link or may be using a system or mobile device that doesn’t allow you to view the link, which would make it difficult to determine if a message was legitimate or fraudulent.  In these cases, we recommend that you set a shortcut or favorite for https://hvfcu.creditkarma.com or else sign in to Internet Banking first, then click on the “My Credit Score” link.

    So I tried again:

    > Your account will not work at http://www.creditkarma.com because the subdomain created for HVFCU is separate from their public site.

    Indeed, it doesn’t. When I asked them about that, their reply was, shall we say, unhelpful; they really want me to click on the link and didn’t even mention the HVFCU subdomain. I did tell them that I had an HVFCU account, so they weren’t completely ignorant of the situation.

    They have not responded to my question about determining whether an email allegedly from them is a phishing attack, either.

    > Additionally, you may also log on to Internet Banking, then click on the “My Credit Score” link near the top right of the page, and you may now log in.

    As I reported, that doesn’t work unless you’ve previously clicked on the email link to set whatever tracking cookies they use. I’ve tried it immediately after clearing cookies and cache: it doesn’t work. Clicking on the link to bounce off their website sets everything up properly and then the HVFCU menu item works.

    Try that and see how it works for you. I’d like to know whether it’s a peculiarity of Firefox and Chrome.

    > We understand that you may not be comfortable clicking on a link

    As the HVFCU page on phishing says: “Links within the email take you to a fake website that usually looks authentic because it uses graphics from the institution’s real website.” So, basically, I must regard all clickable links in all emails as suspect.

    Given that the URL is total gibberish, with both the HVFCU and Credit Karma URLs buried within tracking numbers, there’s no possibility of manually extracting and typing the address.

    So, as I asked originally, please tell me exactly how I can tell that an email purporting to be from Credit Karma isn’t a very well-done phishing attack?

    We both know there’s no way to do so, so why do you and Credit Karma rely on email links for such a vital function? You’re training your customers to click on emailed links, which is a terrible security practice for a bank.

    Have you documented the direct sign-on process anywhere your customers can find it? I couldn’t, but maybe I’m not looking in the right place. Why not put those instructions in each email, rather than using clickable links?

    Thanks…

    Another week has passed, so I suspect they’re not going to answer those questions, either.

    Am I the only person who thinks it’s bad practice for a bank to require you to click on emailed links?
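    Since neither support desk answered the question, here is an added example (mine, not code from the post, from Credit Karma or from HVFCU) of the one check a reader can do without leaving the mail client: unwrap the tracking redirect offline and compare the landing hostname, exactly, against hosts learned out of band. The tracker hostname, the redirect parameter names and the sample links are constructed for illustration; hvfcu.creditkarma.com comes from the credit union’s reply above, and the hvfcu.org entries are an assumption.

```python
# Added example, not part of the original post or of Credit Karma/HVFCU's
# own code: unwrap an e-mailed tracking link offline and check whether the
# real destination is a host the reader already knows.
from urllib.parse import urlsplit, parse_qs

# Hosts confirmed out of band (typed from the credit union's reply, a
# statement, a bookmark). hvfcu.creditkarma.com is named on the page; the
# hvfcu.org entries are assumed here for the credit union's own site.
EXPECTED_HOSTS = frozenset({"hvfcu.creditkarma.com", "hvfcu.org", "www.hvfcu.org"})

# Query parameters that tracking redirectors commonly use to carry the real
# target. These names are assumptions; adjust them to the redirector you see.
REDIRECT_PARAMS = ("url", "u", "redirect", "redir", "dest", "target", "link")


def unwrap_redirects(url, max_hops=5):
    """Return (innermost_url, hop_count). Only the text of the link is
    inspected; nothing is fetched, so this is safe to run on a hostile URL."""
    hops = 0
    for _ in range(max_hops):
        query = parse_qs(urlsplit(url).query)
        inner = next(
            (query[p][0] for p in REDIRECT_PARAMS
             if p in query and urlsplit(query[p][0]).scheme in ("http", "https")),
            None,
        )
        if inner is None:
            break
        url, hops = inner, hops + 1
    return url, hops


def host_is_expected(url, expected=EXPECTED_HOSTS):
    """Exact hostname match over https only. A substring test such as
    '"creditkarma.com" in url' is deliberately avoided: it would pass
    creditkarma.com.evil.example, hvfcu-creditkarma.com and
    https://hvfcu.creditkarma.com@evil.example/ alike."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    # urlsplit().hostname drops any user@ prefix and lowercases the host,
    # so the userinfo trick above yields 'evil.example' and fails the match.
    host = (parts.hostname or "").rstrip(".")
    return host in expected


def check_email_link(url):
    """Verdict for one link: where it really goes and whether that host is
    on the allowlist. Returned as a dict so the caller can show the reader
    the destination instead of the tracking gibberish."""
    dest, hops = unwrap_redirects(url)
    return {"destination": dest, "hops": hops, "expected_host": host_is_expected(dest)}


if __name__ == "__main__":
    # Constructed sample links; the tracker host and parameter names are made up.
    samples = [
        "https://click.example-tracker.net/r?id=9f3a&u=https%3A%2F%2Fhvfcu.creditkarma.com%2Flogin%3Ft%3D42",
        "https://hvfcu.creditkarma.com.evil.example/login",
        "https://hvfcu.creditkarma.com@evil.example/login",
        "http://hvfcu.creditkarma.com/login",
    ]
    for s in samples:
        print(check_email_link(s))
```

    The caveat is the one the post makes: a matching hostname only tells you the link goes where your bookmark already goes, so the safe move is still to use the bookmark and never the link. The script says nothing about who sent the mail; it is for deciding whether a message even deserves that much attention.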

  • HP3970 Scanjet Lid Hinge Repair

    When the second hinge on my father-in-law’s scanner broke, he asked if I could fix it:

    HP3970 Scanjet Lid - broken hinge

    It’s a flatbed scanner, so the lid is nearly 18 inches long and weighs 2.2 pounds with the slide / negative backlight illuminator. The stress raiser notches, located exactly where the cracks started, look like a perfect example of how not to do these things.

    I solvent-glued the hinges back together, with a square brass tube applying clamping force to the joint overnight, but this certainly won’t last for long:

    HP3970 Scanjet Lid - crude repair

    HP used to have some really smart engineers, but this looks like it was done by a Newkid (I was one, once, so I know the type) after a solid modeling and simulation session convinced him that those two thin plastic webs had enough strength for the job.

    No. They. Do. Not.

    Of course, HP provides no Official Way to repair that failure, as the hinges emerge seamlessly from the injection-molded plastic lid frame: you must scrap the scanner and buy a new one, because the lid would cost more than a new scanner. Equally of course, the fact that they don’t have a Windows driver beyond XP makes replacement a foregone conclusion.

    It runs under Xubuntu 12.04, mostly, which is what I set him up with after the XP PC got compromised.

  • Kindle Fire Security: Burn Them. Burn Them All.

    My Kindle Fire automagically updates itself whenever Amazon decides it should. Sometimes an update produces a notice that an app (why don’t we call them “programs” these days?) needs more permissions, but the process generally goes unremarked.

    This one wasn’t subtle at all:

    Kindle Fire - File Expert Trojan warning

    I had just fired up File Expert, which immediately dimmed the screen and presented a dialog box with only two unpalatable choices. Here’s a closeup:

    Kindle Fire - File Expert Trojan warning - detail

    Well, what would you do?

    Needless to say, I didn’t press the Download Now button; it probably wouldn’t have worked anyway, because I turned off the Allow Installation of Applications from Unknown Sources option a long time ago. Pressing Exit bails out of the program app and returns to the Home screen.

    Some questions immediately spring to mind:

    • If the app has been compromised, exactly how did it regain control and complain about the situation?
    • If this is truly a compromised app, why wouldn’t the Trojan just download malware without asking?
    • How did this pass the ahem QC and auditing that allegedly justifies having a sole-source Amazon App Store? After all, I can load random crap from the Interweb onto a PC all by myself.
    • How does one validate the origin of those random security questions that regularly appear on various computer screens? Why wouldn’t malware just pop up a random dialog box asking for the password, any password, and gleefully use whatever you type?

    This appears to be a false positive, as explained there. I assume that any malware worth its salt would also kill off any built-in integrity checking, but what do I know? It’s gone missing from the storefront, probably cast forth into the outer darkness away from the light of Kindle Fires…

  • Xubuntu 12.04: Some Steps Forward, Some Steps Back

    The continuing saga of trying to run a Linux desktop with two monitors (one rotated in portrait mode), separate X sessions, two trackballs, and a Wacom graphics tablet continues with Xubuntu 12.04. KDE continues to not work quite right with dual monitors, Gnome seems to be dead in the water, Unity wants to be a touch-screen UI when it grows up, and Linux Mint introduces yet another not-quite-baked UI. The breathtaking churn in Linux infrastructure continues, rendering everything I’d figured out with respect to FDI / HAL / udev configuration largely irrelevant.

    For lack of a better alternative, I’ve installed Xubuntu, which is now a deprecated (available, but unsupported) version of Ubuntu. Configuring separate X sessions on two monitors requires the proprietary nVidia driver. The XFCE display configurator falls over dead when confronted with two screens and the xrandr extension seems unworkable. Fortunately, I’d left a bit of commented-out cruft in the xorg.conf file that worked in Xubuntu 10.10 and could copy the whole file over with only one change:

    Section "Screen"
        Identifier     "Portrait"
        Device         "GF9400_1"
        Monitor        "Dell2005FP"
        DefaultDepth    24
        Option         "TwinView" "0"
        Option         "metamodes" "DFP-1: 1680x1050 +0+0"
        Option         "NoLogo" "Off"
    #    Option         "RandRRotation" "On"
        Option         "Rotate" "CCW"
        SubSection     "Display"
            Depth       24
        EndSubSection
    EndSection
    

    Configuring two trackballs with the XFCE utility remains surprisingly easy: the Kensington is left-handed and the Logitech is right-handed.

    Swapping buttons 2 and 3 on the Wacom stylus poses a bit more of a challenge. Doing it on a per-session basis seems straightforward:

    xsetwacom set "Wacom Graphire3 6x8 stylus" button 2 3
    xsetwacom set "Wacom Graphire3 6x8 stylus" button 3 2
    
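    As an added example (mine, not from the post), the per-session route can at least avoid hard-coding the device name: feed the output of `xsetwacom --list devices` through a small filter that picks out every STYLUS line by its numeric id and emits the two swap commands for each. The sample listing inside the script is constructed in the format that command prints (name, tab, `id: N`, tab, `type: T`); the real output uses tabs, which the filter does not depend on.

```sh
#!/bin/sh
# Added example, not from the original post: swap stylus buttons 2 and 3
# on every Wacom stylus currently attached, addressing each by id so the
# device name ("Wacom Graphire3 6x8 stylus") need not be hard-coded.

# Read `xsetwacom --list devices` output on stdin and print one pair of
# xsetwacom commands per STYLUS device. Matching on the "type:" field
# skips the eraser and cursor entries, which share the same name prefix.
wacom_swap_cmds() {
    while IFS= read -r line; do
        case "$line" in
            *"type: STYLUS"*) ;;
            *) continue ;;
        esac
        id=$(printf '%s\n' "$line" | sed -n 's/.*id: \([0-9][0-9]*\).*/\1/p')
        [ -n "$id" ] || continue
        printf 'xsetwacom set %s Button 2 3\n' "$id"
        printf 'xsetwacom set %s Button 3 2\n' "$id"
    done
}

if command -v xsetwacom >/dev/null 2>&1; then
    # Live system: generate the commands from the real device list and run them.
    xsetwacom --list devices | wacom_swap_cmds | sh
else
    # No tablet tooling here: show what would run, using a constructed
    # listing in the same layout xsetwacom prints.
    SAMPLE='Wacom Graphire3 6x8 stylus      id: 10  type: STYLUS
Wacom Graphire3 6x8 eraser      id: 11  type: ERASER
Wacom Graphire3 6x8 cursor      id: 12  type: CURSOR'
    printf '%s\n' "$SAMPLE" | wacom_swap_cmds
fi
```

    Pointing the XFCE autostart entry at this file gives the same result as the two hand-typed lines, but it survives the tablet coming back with a different name or id. It still only runs at login, so the xorg.conf.d approach that follows remains the answer for hotplug and hub glitches.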

    You’d put those into a script and tell XFCE to auto-run it when you sign in, but that doesn’t handle hotplugging. I don’t hotplug the tablet, but random static glitches knock the USB hub into a tailspin and cause the same effect, so I jammed the lines that used to be in xorg.conf into /usr/share/X11/xorg.conf.d/50-wacom.conf:

    Section "InputClass"
            Identifier "Wacom class"
            MatchProduct "Wacom|WACOM|Hanwang|PTK-540WL|ISD-V4"
            MatchDevicePath "/dev/input/event*"
            Driver "wacom"
            Option "Button2" "3"
            Option "Button3" "2"
    EndSection
    

    I’m certain there’s a different location for those that fits in with whatever the overall design might be these days, but I’m kinda tired of figuring this stuff out.

    The Wacom drivers in Ubuntu 12.04 no longer permit restricting the tablet’s range to a single X session (xsetwacom set ... MapToOutput "HEAD-0" assumes you’re using xinerama with a single X session across two monitors), which sprawls the tablet’s limited resolution across both screens and leaves a big unusable rectangle in the lower third of the left side. This is not progress in a positive direction, but there’s no workaround.

    That workaround for the upstart Pachinko machine also applies to this box. The minute-long pause while NFS hauls itself to its feet isn’t attractive: you see VT 1 with the bare white-on-black command-line login prompt, but if you actually log in, things get very ugly, very quickly.

    Restoring the usual verbose Unix-oid startup messages requires tweaking /etc/default/grub to set noquiet nosplash, then running update-grub.

    Search the blog with the obvious keywords to get my earlier posts on all these topics…

  • Beware the Lurking Lorem Ipsum

    Fusion Hotspot Scratch-off Card

    One of the motels we stayed at had a new (to me, at least) approach to the ubiquitous Free WiFi offering, which involved a small card with scratch-off fields:

    Being the curious sort, I checked their website to see what they were up to. The main heading, across the top of the page, read:

    Bringing wireless Internet capabilities to your property

    Visus, in vut eu in auctor mus sit odio ac habitasse non! Vut et ac ultricies urna, mauris enim magna mus ac urna arcu, etiam vel,

    Huh.

    The rest of the page has Lorem ipsum filler under every heading, including:

    24/7 Support

    Tincidunt ultricies magnis adipiscing. Natoque, augue mattis pid placerat mattis pellentesque adipiscing dis, habitasse scelerisque aliquet, ultricies lundium, lectus cras mus, sit? Magna turpis duis placerat massa in integer porta, sit, phasellus, nec, elementum, scelerisque in?
    Read More

    Clicking that attractive Read More link produces pretty much what you’d expect by now:

    Error 404 – Page not found!

    The page you trying to reach does not exist, or has been moved. Please use the menus or the search box to find what you are looking for.

    All the other links behaved the same way, including the Support header.

    Oddly, the Contact Us item hidden in the About us pulldown produced a form, so I sent off a message. Haven’t gotten anything back yet and really don’t expect to, either.

    It does give one pause to consider what happens to the bitstream between one’s tablet and the website. I make it a practice to not sign in to vital accounts while traveling…

    At least they didn’t use the Samuel L. Jackson slipsum generator

  • Unit Pricing: Fiddling the Unit of Measure

    Another trip to WalMart, another unit pricing puzzle

    Here’s the house brand towel:

    WM Deco Towel - unit price

    And here’s the name-brand towel for a mere one cent more per hundred towels:

    Bounty Select-a-Size Towel - unit price

    How can this be?

    Easy! Notice that the name-brand towel allows you to tear off a smaller sheet, which is actually a good idea. Even better, at least from their perspective: more sheets per package = lower unit price! I didn’t check the actual mini-towel size, but surely it’s less than half the usual size, so the comparable unit price is more than a factor of two higher than shown.

    I suppose it’s only a matter of time before WalMart slices their towels in half to get an even better unit price.

    Carpet and floor tile used to be priced per square yard. Now it’s roughly the same dollar amount per square foot.

  • NYS DOT Repair Quality Control

    The paving along Rt 376 just south of Raymond Avenue developed transverse ridges; evidently the old concrete roadway below the more recent asphalt cap is shifting. Bumps in the travel lane are not to be tolerated, so they milled off all the ridges. Problem solved!

    Of course, the remaining asphalt isn’t thick enough to withstand any stress and promptly crumbles:

    NYS DOT joint milling quality

    Although the shoulder may appear to be wide enough for bicycle traffic, the debris strewn along it makes for a perilous journey: the larger chunks are bigger than my fist. Several of the milled joints along the unimproved section of Raymond and that stretch of 376 are disintegrating, so it’s not like they got just this one wrong.

    Doesn’t bother the DOT one little bit, because their idea of a “shared use facility” is a sign with a picture of a bicycle, labeled Share The Road. As long as the travel lane seems mostly passable by automobiles, their job is done.