Forwarded from: William Knowles <wkat_private>

http://www.arabnews.com/Article.asp?ID=25690

Molouk Y. Ba-Isa, Arab News Staff

ALKHOBAR, 29 April 2003 - The incident I am about to reveal today is so bizarre that it might seem to be the stuff of fantasy. Unfortunately, it's not. This extremely weird fiasco does make me wonder though if people put on their thinking caps before they go to work each morning in Saudi Arabia. The incident involves a Saudi bank and in good conscience I can't say which one - not to protect the bank, but to protect the bank's customers.

The whole crazy mess got started on April 23 when the bank sent out a message to a group of its Internet banking users. The message read in part:

"As a valued member and as part of our services enhancement strategy, we invite you to give us your appreciated feedback and comments. This would enable us to serve you better...Kindly be mindful of safeguarding your subscriber ID and password. Rest assured, your accounts are secured and protected with us. Please feel free to call us on our toll-free number for further clarifications. We look forward to an everlasting relationship with you."

I want to emphasize here that it was not the bank's message that was the problem. It's what happened next.

A man named Riyadh received the message. He had a problem and he wanted the bank to help him. On April 26, he sent the administrators of the Internet banking service the following communication:

"Thank u for your nice message. For me I forget my user ID & password. So could you help me on this matter? Best Regards."

Once again, I must emphasize that there was nothing bad about Riyadh sending the bank an e-mail. The problem occurred in how he addressed the message. You see, instead of simply clicking on "reply" in the original message, Riyadh clicked on "Reply all." That still might not have created a crisis except that the bank's mail server was incorrectly configured.
When Riyadh clicked reply all, two e-mail addresses came up. The first one was for the bank's administration. The second one was for a group of Internet banking customers. When it received Riyadh's e-mail, the bank's incorrectly configured mail server sent out Riyadh's request for his user identification and password to everyone - both the bank's administration and the bank's customers.

When they received the strange e-mail, some customers in the Internet banking group realized immediately what had happened and simply phoned the bank to report a problem with the mail server. Unfortunately, one man, Samir, who wasn't so knowledgeable about IT, went bananas and sent out an aggressive message in reply to Riyadh's e-mail. Even worse, instead of typing in only Riyadh's address on the new mail, Samir clicked reply on the original e-mail he'd received from Riyadh. Since the e-mail was already primed to go out to everyone - the bank's administration and customers - the nasty message was received by all, including Riyadh. It read:

"Who are you? How come I am getting your request? Which user ID are you talking about? Are you sure about what you are asking for? Kindly go to the bank near you and find out what is to be done. I am holding the bank responsible for this if they release my ID and password. Watch out."

I am sure that many of you can imagine what happened next. Customers in the Internet banking group freaked out. Some sent messages directly back to the concerned individuals but others clicked reply and their e-mails went to everybody. Those individuals revealed their primary e-mail addresses and, in most cases, their full names, to a bunch of people they don't know. Let's hope that all customers in that Internet banking group are decent folks because that information could be used for spoofing, SPAM registration or even as a starting point for identity theft.

On the evening of April 26, the bank sent out a message to all their abused Internet banking customers.
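To make the mechanics of the fan-out above concrete, here is an added Python illustration (not code from the article or the bank) that simulates the two list configurations side by side: the open group that copied any member's reply to everyone, and an announce-only group that accepts posts from the administration alone, hides the membership, and points Reply-To back at the administration. The list server is simulated in memory and every address is a constructed placeholder.

```python
from email.message import EmailMessage

# Constructed placeholder addresses; the real bank, list and members are not named.
ADMIN = "ibanking-admin@bank.example"
LIST = "ibanking-customers@bank.example"
MEMBERS = ["riyadh@example.net", "samir@example.net", "customer3@example.org"]


def build(sender, subject, body):
    """A message a sender addresses to the list (simulated, no MTA involved)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, LIST, subject
    msg.set_content(body)
    return msg


def open_list_delivery(msg):
    """Misconfigured list: anything sent to the list is copied to everyone,
    with the whole membership exposed in the To: header of that copy."""
    out = EmailMessage()
    out["From"], out["Subject"] = msg["From"], msg["Subject"]
    out["To"] = ", ".join([ADMIN] + MEMBERS)
    out.set_content(msg.get_content())
    return [out]


def announce_only_delivery(msg):
    """Hardened list: only the administration may post; each member gets an
    individual copy naming no other member, and Reply-To steers replies to
    the administration instead of back out to the group."""
    if str(msg["From"]).lower() != ADMIN:
        return []  # member posts are dropped (a real list would bounce them)
    copies = []
    for member in MEMBERS:
        out = EmailMessage()
        out["From"], out["To"], out["Reply-To"] = ADMIN, member, ADMIN
        out["Subject"] = msg["Subject"]
        out.set_content(msg.get_content())
        copies.append(out)
    return copies


def reply_all_recipients(copy, replier):
    """Addresses a naive 'reply all' on a delivered copy would go to."""
    fields = [str(copy.get("Reply-To") or copy["From"]), str(copy.get("To", ""))]
    addrs = {a.strip().lower() for f in fields for a in f.split(",") if a.strip()}
    return addrs - {replier.lower()}
```

With the open configuration, Samir's reply-all to Riyadh's message reaches every other member; with the announce-only configuration, Riyadh's post never leaves the server and a reply-all on any copy reaches the administration only.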
Please note, the text is exactly as sent by the bank. It read:

"This is to bring to your attention to a recent incident that you might have been part of. We have created a mailing group for our continuous strive to better communicate with you. Unfortunately, the setting of this e-mail address allowed your reply to be viewable by the bank's administration as well as some other users. This involuntary fault has been remedied and you will no longer receive non-bank authorized e-mail. We apologize for any inconvenience that this mishap may have caused you. Nevertheless, we assure you that there has been no compromise on your privileged information whatsoever. Again, make certain that your account transactions and information are secure and protected with this bank. Trust your understanding."

Yes, ladies and gentlemen, trust your understanding of this situation. The incorrect configuration of the bank's mail server was most likely unintentional - it was not involuntary.

[...]

*==============================================================*
"Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

- ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Tue Apr 29 2003 - 02:53:48 PDT