A Typo Led To Podesta's Email Hack, Says Report (thehill.com)

tomhath quotes a report from The Hill: Last March, Podesta received an email purportedly from Google saying hackers had tried to infiltrate his Gmail account. When an aide emailed the campaign's IT staff to ask if the notice was real, Clinton campaign aide Charles Delavan replied that it was "a legitimate email" and that Podesta should "change his password immediately." Instead of telling the aide that the email was a threat and that a good response would be to change his password directly through Google's website, he had inadvertently told the aide to click on the fraudulent email and give the attackers access to the account. Delavan told The New York Times he had intended to type "illegitimate," a typo he still has not forgiven himself for making. The email was a phishing scam that ultimately revealed Podesta's password to hackers. Soon after, WikiLeaks began releasing 10 years of his emails.


  • by suso ( 153703 ) * on Tuesday December 13, 2016 @07:31PM (#53479793) Journal

    Clinton campaign aide Charles Delavan replied that it was "a legitimate email"............he had intended to type "illegitimate,"

    If that's true, shouldn't they have used "an" instead of "a". These are college graduates after all, right?

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      Who talks like that anyway? I would say something like "this is a scam, don't listen" or "this is fake"

      • by saloomy ( 2817221 ) on Tuesday December 13, 2016 @07:59PM (#53480019)
        Some people who are professionals or trying to appear that way for a position in a future administration may talk that way. Maybe an autocorrect changed "an legitimate email" to "a legitimate email". That being said, I'm still glad we had access to this information as voters. It led us to a more informed decision vs. just a "public position" to go off of.
        • Re: (Score:2, Troll)

          by SCPaPaJoe ( 767952 )
          Thank god for Mother Russia!
      • Who talks like that anyway?

        Lawyers. If you are paid to obfuscate, it eventually becomes second nature, and you fail to communicate clearly even to your friends and family.

    • by sexconker ( 1179573 ) on Tuesday December 13, 2016 @07:37PM (#53479835)

      Yup. This is just CYA bullshit designed to make them look less incompetent. We're all made typos, right?

      It coudl happent o anyone!

      • by suso ( 153703 ) * on Tuesday December 13, 2016 @07:41PM (#53479869) Journal

        We're all made typos, right?

        Don't you mean "we've"?

        • Woosh!
          • by rtb61 ( 674572 ) on Tuesday December 13, 2016 @10:39PM (#53480841) Homepage

            Of course the other big woosh in this is the excuse. We have all made mistakes but I never remember adding extra letters and reversing the definition. Of course the normal response in IT circles when a phishing email is questioned is "fuck no, do not touch it, I will be right there to check it", because phishing attacks are normally picked up by filters and any suspect ones that get through become an immediate concern because they represent a greater threat. Of course if you set up your insecure email server in a bathroom with the intent to destroy all records if you do not have time to edit out the ones you do not want, meh, who gives a fuck; arrogant criminals in government who can completely distort the application of justice as far as their criminally corrupt arse is concerned, well, security, that's a problem for the plebs. You just know some extremely bad file attachments will be leaked out and that's what all the real fuss is about; you could imagine them splashed all over Russian media and then, after some time, censored versions grudgingly put on western media. When they start arrogantly ignoring network security, they always go nuts, become idiots and start pushing the limits, no matter where they work, government or private, right up until they are brought crashing down to earth. Nobody tolerates fuck ups in the end and they readily toss them out as sacrifices to the appearance of justice.

        • by grcumb ( 781340 )

          We're all made typos, right?

          Don't you mean "we've"?

          WEAVE! Duh!

          Fucking apostrophes....

          ...
          ..
          .

          :-D

        • by Swave An deBwoner ( 907414 ) on Tuesday December 13, 2016 @08:36PM (#53480227)
          Russian to English translation is not easy. Please give dispensation.
        • by Maritz ( 1829006 )
          There's usually, but not always, one.
      • by ShanghaiBill ( 739463 ) on Tuesday December 13, 2016 @08:24PM (#53480169)

        This is just CYA bullshit designed to make them look less incompetent.

        I am confused. Up till now, I thought they were the victims of sophisticated Russian ex-KGB agents using quantum cryptanalysis. But it turns out they fell for a common phishing scam written by some script kiddie. How does this make them look less incompetent?

        • by kenh ( 9056 ) on Tuesday December 13, 2016 @11:05PM (#53480943) Homepage Journal

          But it turns out they fell for a common phishing scam written by some script kiddie. How does this make them look less incompetent?

          Podesta used G-fucking-mail... HRC used a homebrew server for convenience... The DNC ran an unpatched Exchange server on Windows... I believe these are textbook definitions for incompetence!

          • Podesta used G-fucking-mail...

            What's wrong with Gmail?

            HRC used a homebrew server for convenience...

            That may have been illegal, but I don't see how it demonstrates technical incompetence. Since there is no evidence it was hacked, I would say it demonstrates the opposite.

        • by AmiMoJo ( 196126 )

          This is the unfortunate reality of phishing and malware. The attack doesn't have to be very good, just persistent. Eventually someone will screw up, click the wrong thing, typo the response, and the bad guys are in.

          Time to hack = number of people in organization / quality of security

          Since "quality of security" can never be infinite, it's always just a matter of time.

      • by jandrese ( 485 )
        They're trying to look less incompetent by saying that the staffer got taken in by a phishing email?
    • by Ungrounded Lightning ( 62228 ) on Tuesday December 13, 2016 @07:37PM (#53479837) Journal

      Clinton campaign aide Charles Delavan replied that it was "a legitimate email"............he had intended to type "illegitimate,"

      If that's true, shouldn't they have used "an" instead of "a". These are college graduates after all, right?

      Depends on the layer of his mind where the mistake was made. If it is above the abstraction layer of the grammar processing for emitting the typo, he would emit a grammatical but erroneous-in-multiple-words statement.

      • by dbIII ( 701233 )
        Personally I think the major failure here was to outsource something important enough that a fuckup could cost them an election. Hence the cascading failure where nobody in-house could do anything about it and they had to trust a naive user and a third party.
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Legitimate or not, the huge thing that everyone should know is *never* to use an email to log into an account.

      • the huge thing that everyone should know is never to use an email to log into an account.

        Technology is failing if it falls on individuals to remember rules like this. They won't. Instead, services like Gmail, Yahoo, etc. should detect when emails contain fake links to login pages for email accounts or financial institutions, and warn the user that they are about to do something dumb.

        • Before pointing out the big obvious problem with that idea, I'll pause for a moment so that you can go check the links in some of your legitimate email. After you've had a bit of time to sob quietly, if you are again feeling brave, check the relay paths and senders of some of that crap.

          Oh, and also some of us run our own mail services, but we generally know better than to click links in emails.

        • by Jeremi ( 14640 )

          Technology is failing if it falls on individuals to remember rules like this. They won't. Instead, services like Gmail, Yahoo, etc. should detect when emails contain fake links to login pages for email accounts or financial institutions, and warn the user that they are about to do something dumb.

          Agreed, they should -- but even then it won't be sufficient, since the clever scammers will constantly be putting up new fake pages that Gmail/Yahoo/etc won't necessarily be able to detect. Gmail/Yahoo/etc can only do so much to protect users, short of a wholesale replacement of email with a more secure communications mechanism.

          I think if there is one silver lining to this whole fiasco, it's that government and politicians might finally start taking seriously the need for proper online security measures.

    • Agreed, Delevan's explanation is BS. But it's interesting to consider how often this sort of thing will happen when we're all using voice recognition on a day-to-day basis. The difference between "This is a legitimate email" and "This is an illegitimate email" can be very subtle depending on the speaker's accent, background noise, and any number of other factors.

      If Delevan were the sort of person who thinks on his feet, he'd have blamed voice recognition instead of a typo.

    • These are college graduates after all, right?

      . . . so what other "typos" did they make that we don't know about . . . ? Maybe they wrote users telling them to turn their firewall and anti-virus "off" . . . but they meant to write "on" . . . ? It's just a typo.

      So, instead of Trump employing Master Russian Hackers to swing the election . . . it just turns out that Hillary's staff are not aware of basic computer security essentials.

      Typical Hillary: Following computer security policies is for "little people" and "deplorables", not for elite folks, li

    • by whoever57 ( 658626 ) on Tuesday December 13, 2016 @08:18PM (#53480135) Journal

      What about the second part, where he told him to change his password? There isn't a single letter typo that can reverse the meaning, plus, if there is no action, then "immediately" is completely redundant.

      No, this is a poor cover story from someone who fucked up massively.

      • by Jeremi ( 14640 )

        No, this is a poor cover story from someone who fucked up massively.

        First rule of politics: never voluntarily admit to any wrongdoing, because everyone will immediately assume that your admission is actually a coverup for something worse, whether it is or not.

        In this case, though, it's hard for me to imagine what could be worse. What do you think the actual mistake was?

      • by ark1 ( 873448 )
        Because he believed it was a legitimate email, he trusted the embedded link to reset the password.
      • by dbIII ( 701233 )
        I said this elsewhere but I think the massive fuckup was outsourcing.
        If it was in-house they could just change the password and ring the guy up and say "your new temporary password is sword-a-da-fish". Yes, it does sound a bit Marxist to do it that way, but if you want to keep stuff secret paying an advertising agency to handle your email is not a good step.
      • Probably what he should have done in the reply is not include the body of the message being discussed as part of the response, including the fraudulent link to change the email. There was no reason for him to have chained the response along containing any of that information and the phishing link to click on.

    • Clinton campaign aide Charles Delavan replied that it was "a legitimate email"............he had intended to type "illegitimate,"

      If that's true, shouldn't they have used "an" instead of "a". These are college graduates after all, right?

      He doesn't mean typo in the sense that he meant to write "illegitimate" and wrote "jllegitmate".

      He meant typo in the sense that he thought "oh that's an illegitimate email" and intended to write something to that effect, but ended up writing something completely opposite.

      Just think back to the times you proofread and found a typo, sometimes it's a mistyped word, and sometimes you find words that are radically different than you intended.

      Of course that doesn't mean he's telling the truth, it does seem odd th

      • The technical term for that is that it was a 'brain fart'. Brain farts can happen to anybody. As evidenced here, when a brain fart happens you can even re-correct the words around the 'typo' as in using 'a' instead of 'an.' The takeaway is that it was ordinary low-level phishing that cracked Podesta's account. The Clinton team wasn't even invulnerable to plain vanilla phishing. Is Podesta even in any kind of position now where his computer illiteracy could get him in trouble again? The team he was on
        • The technical term for that is that it was a 'brain fart'. Brain farts can happen to anybody. As evidenced here, when a brain fart happens you can even re-correct the words around the 'typo' as in using 'a' instead of 'an.'

          Agreed though I wouldn't necessarily call "brain fart" a technical term.

          The takeaway is that it was ordinary low-level phishing that cracked Podesta's account. The Clinton team wasn't even invulnerable to plain vanilla phishing.

          Well they did have protocols to protect against phishing, and those protocols were followed, but one of the people in that chain made a fairly epic screw up, and fundamentally no organization is immune to someone making an epic screw up.

          And remember the RNC was also hacked, so this isn't a case of one side being incompetent.

          Is Podesta even in any kind of position now where his computer illiteracy could get him in trouble again?

          He was computer literate enough to delegate the tasks he didn't understand, unfortunately the people he delegated

      • by Calydor ( 739835 )

        The ones I usually see are people typing 'do' and 'can' instead of 'don't' and 'can't'.

        As far as this goes, he was intending to err on the side of caution. This one aide reports one email - but have there been other emails? Has a link been clicked already? Going PROPERLY to Google and changing the password would be a 'no harm done' situation, and I suspect that's what he was aiming for.

        And then human error happened.

    • by Solandri ( 704621 ) on Tuesday December 13, 2016 @09:42PM (#53480581)
      To me, "illegitimate" is one of those words which seems to be semi-archaic in modern English. To my ears, it sounds right to use it only in certain legal contexts. e.g. An illegitimate search, an illegitimate child, etc. In the context of a phishing email, I would simply say "that's not a legitimate email." And that's rather easy to corrupt into "that's a legitimate email" if you're thinking 5 words ahead of your typing.

      Of course I proofread my emails before hitting send to avoid these problems. And Delavan claiming he meant "illegitimate" rather than "not legitimate" decreases the possibility that this explanation is correct. Just wondering what native English speakers think. Despite living here 45 years and English being my best language, it isn't my native language and some of the intricacies still elude me.
      • To me, "illegitimate" is one of those words which seems to be semi-archaic in modern English.

        Then despite being a native English speaker and almost certainly literate, I would ask you to brush up on day-to-day English and your O-level English certs (or whatever they are now).

    • by msauve ( 701917 )

      If that's true, shouldn't they have used "an" instead of "a".

      Shhh. You're disturbing the narrative. How can they be expected to place blame on others, if they have to accept personal responsibility? It was Comey's fault, anyway. Or maybe the Russkie's. Someone other than them, anyway.

  • KGB (Score:5, Funny)

    by Anonymous Coward on Tuesday December 13, 2016 @07:33PM (#53479805)

    That sounds like a really sophisticated Russian hacking effort! I'm glad the CIA is on it!

    • It's amazing how they didn't manage to link to any of the actual emails or other original sources on this. No, I don't want to read your other 10 related articles on the subject, I'd like to see the damned emails in question, please.

      I covered this exact story quite thoroughly [slashdot.org] just the other day, not to mention several other comments which you can find if you go back further, wherein I covered the DKIM signatures, stats on the bit.ly link to the phishing page, etc. which all proved this to be real.

      We figure

    • Exactly. Having done this for a few years, CLEAR LANGUAGE is very important. There are English courses dedicated to that concept, but it's pretty simple to grasp.

      "Yes, that's probably a virus. Delete it."

      While not exactly technically accurate, leaves absolutely no ambiguity. You would never tell the user to change their password, because obviously, they are being told that already by a third party so you telling them that would be an explicit validation of the problem and cause them to immediately act on it

  • Who uses the word "illegitimate" to describe a phishing email? It's more likely the IT guy thought the email was authentic and is now trying to cover for his incompetence.
    • And furthermore, if the IT guy believed the email saying Podesta's account was hacked is illegitimate then why would he instruct Podesta to change his email password?
    • by dfsmith ( 960400 )
      None of the 4 definitions of "illegitimate" that my dictionary gives fits the nature of an email like that.

      il.le.git.i.mate \.il-i-'jit-*-m*t\ adj
      1: born of parents not married to each other
      2: ILLOGICAL
      3: ERRATIC
      4: ILLEGAL
      -- il.le.git.i.mate.ly adv
      -- il.le.git.i.ma.cy \-'jit-*-m*-se_-\ n
    • Who uses the word "illegitimate" to describe a phishing email?

      When you're talking to non-techies you do, if you said phishing email to Podesta he would start looking for his tackle box.

      • I have never in my life referred to an email as "illegitimate". Not talking to bumpkins, not to construction workers, not to tradesmen, not to policemen, not to soldiers, not to doctors, not to lawyers, not to elected officials. Not to my employees, not to my bosses, not to CEOs, not to directors. Not to teenagers, not to millennials, not to adults, not to boomers, not to octogenarians.

        However, I use the phrases "That's spam, delete it." and "Fake, trash it." damn near every day.

        I haven't been around the

      • I wouldn't have used the word phishing either. But it's not a question of tech vs non-tech but of conversational English. Saying the email was fake would have done the trick, since the question posed to him was "Is the notice real?"
    • He's working for the Russians like every other person that gets in to the Democrat party's email.

      He doesn't speak English well. :-^

  • by DidgetMaster ( 2739009 ) on Tuesday December 13, 2016 @07:42PM (#53479883) Homepage
    Apparently, there were thousands of typos in the emails themselves. All those racial slurs. All those admissions of collusion with the press and super PACS. All those derogatory things the Clinton campaign was saying about Obama. All the campaign's dirty tricks. All the gaffes in Hillary's paid speeches....They were just all TYPOS!
    • That's the real shame here... the Left screaming and hollering about hackers, while trying to pretend the released information doesn't exist.

  • by Crashmarik ( 635988 ) on Tuesday December 13, 2016 @07:44PM (#53479887)

    To hack complete idiots.

    • And that there is the only shred of a possible reasonable doubt that Trump is in Russia's pocket wrt email hacks. The attack was so simple, anyone could have pulled it off.
  • by voislav98 ( 1004117 ) on Tuesday December 13, 2016 @07:50PM (#53479945)
    Apparently he wasn't tipped off by the start of the email

    Comrade Podesta,

    Filthy imperialist pigs have hacked into you email. To change your password please click http://www.ussrlives.com/mail/ [ussrlives.com]
  • Seriously- If you haven't enabled MFA on your Gmail account then please don't complain when you get hacked. It takes a couple of minutes- you have no excuse not to.

  • text of email (Score:5, Informative)

    by Anonymous Coward on Tuesday December 13, 2016 @08:14PM (#53480099)

    https://wikileaks.org/podesta-emails/emailid/36355

    [Edited to remove blank lines and phone numbers]

    Re: Someone has your passwrd

    From:mfisher@hillaryclinton.com
    To: slatham@hillaryclinton.com
    CC: john.podesta@gmail.com
    Date: 2016-03-19 12:14
    Subject: Re: Someone has your passwrd

    Hi- yes I will call John right away and work on new passwords. He will need
    to use my two step verification codes to sign in.

    Milia Fisher
    [phone number]

    On Mar 19, 2016, at 10:07 AM, Sara Latham
    wrote:

    The gmail one is REAL

    Milia, can you change - does JDP have the 2 step verification or do we need
    to do with him on the phone? Don't want to lock him out of his in box!

    Sent from my iPhone

    Begin forwarded message:

    *From:* Charles Delavan
    *Date:* March 19, 2016 at 9:54:05 AM EDT
    *To:* Sara Latham , Shane Hable
    *Subject:* *Re: Someone has your passwrd*

    Sara,

    This is a legitimate email. John needs to change his password immediately,
    and ensure that two-factor authentication is turned on his account.

    He can go to this link: https://myaccount.google.com/security [Stupid assistant ignored the correct way to chg pass]
    to do both. It is absolutely imperative that this is done ASAP.

    If you or he has any questions, please reach out to me at [phone number]

    On Sat, Mar 19, 2016 at 9:29 AM, Sara Latham
    wrote:

    > Sent from my iPhone
    >
    > Begin forwarded message:
    >
    [Forwarded Phishing Email from Delavan here]
    > *From:* Google
    > *Date:* March 19, 2016 at 4:34:30 AM EDT
    > *To:* john.podesta@gmail.com
    > *Subject:* *Someone has your passwrd*
    >
    > Someone has your passwrd
    > Hi John
    >
    > Someone just used your password to try to sign in to your Google Account
    > john.podesta@gmail.com.
    >
    > Details:
    > Saturday, 19 March, 8:34:30 UTC
    > IP Address: 134.249.139.239
    > Location: Ukraine
    >
    > Google stopped this sign-in attempt. You should change your password
    > immediately.
    >
    > CHANGE PASSWORD
    >
    > Best,
    > The Gmail Team
    > You received this mandatory email service announcement to update you about
    > important changes to your Google product or account.
    >
    --
    -Charles Delavan
    HFA Help Desk

    The HFA Operations Team is here to support you. Let us know how we’re doing
    by filling out a brief survey .

    So the help desk actually provided the correct URL to change the password, but the assistant went on to click the phishing bit.ly link. Funnily enough, the HelpDesk monkey's sig contains a link to a survey using A BIT.LY LINK! LOL
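    The quoted thread contrasts the help desk's genuine account-security URL with the shortened link in the forged "Google" notice, and an earlier comment suggests mail providers should flag fake login links automatically. The script below is an added illustration of that kind of check; it is not code from the original page or from any participant. It uses constructed, abbreviated versions of the two messages (the real bit.ly destination is not reproduced on the page, so a labelled placeholder stands in), a small hypothetical brand-to-domain table, and a hand-picked list of URL shorteners; a production filter would use the Public Suffix List and a maintained brand catalogue.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed sample: abbreviated forged "Google" notice as quoted in the
# thread. The shortener URL is a placeholder, not the actual phishing link.
PHISH_SAMPLE = """From: Google <no-reply@accounts-google.example>
Subject: Someone has your passwrd

Someone just used your password to try to sign in to your Google Account.
Google stopped this sign-in attempt. You should change your password immediately.
CHANGE PASSWORD: https://bit.ly/PLACEHOLDER-not-a-real-link
"""

# Constructed sample: the help-desk reply, which points at the real
# account-security page.
HELPDESK_SAMPLE = """From: Charles Delavan
Subject: Re: Someone has your passwrd

He can go to this link: https://myaccount.google.com/security to do both.
"""

URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""")

# Hosts whose whole purpose is to hide the final destination. A password
# reset "link" routed through one of these is always worth a warning.
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly"}

# Hypothetical brand table (assumption): the domain a sender is expected to
# link to when it claims to be that brand.
BRAND_DOMAINS = {"google": "google.com", "gmail": "google.com"}


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels. Adequate for google.com-style
    names; use the Public Suffix List for co.uk-style suffixes."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def extract_urls(message: str) -> List[str]:
    """Return every http(s) URL found in the message body or headers."""
    return URL_RE.findall(message)


def claimed_brand_domain(message: str) -> Optional[str]:
    """Domain the message *claims* to represent, judged from the From: line.
    None when no known brand name appears there."""
    m = re.search(r"^From:\s*(.*)$", message, re.MULTILINE)
    if not m:
        return None
    from_line = m.group(1).lower()
    for brand, domain in BRAND_DOMAINS.items():
        if brand in from_line:
            return domain
    return None


def analyse(message: str) -> Dict:
    """Classify each link as 'ok', 'shortener' (destination hidden) or
    'mismatch' (host does not belong to the brand the sender claims)."""
    expected = claimed_brand_domain(message)
    findings = []
    for url in extract_urls(message):
        host = urlparse(url).hostname or ""
        dom = registrable_domain(host)
        if dom in SHORTENERS:
            verdict = "shortener"
        elif expected is not None and dom != expected:
            verdict = "mismatch"
        else:
            verdict = "ok"
        findings.append({"url": url, "host": host, "verdict": verdict})
    suspicious = any(f["verdict"] != "ok" for f in findings)
    return {"claimed_domain": expected, "links": findings, "suspicious": suspicious}


if __name__ == "__main__":
    for name, sample in (("forged notice", PHISH_SAMPLE), ("help desk", HELPDESK_SAMPLE)):
        result = analyse(sample)
        print(name, "->", "SUSPICIOUS" if result["suspicious"] else "ok")
        for link in result["links"]:
            print("   ", link["verdict"], link["host"], link["url"])
```

    Run as a script it reports the forged notice as suspicious (shortener in a message claiming to be Google) and the help-desk reply as clean. The check is deliberately conservative: it only fires when a message both names a brand and links somewhere that brand does not own, which is exactly the pattern the thread's commenters wanted the mail provider to catch.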

    • by quenda ( 644621 )

      Not a very sophisticated phishing attack. I can't imagine an automated system saying "Someone has your password".
      Rather it would warn more like "We've detected suspicious activity in your account," and advise user to check it was OK.

      However, google security emails really are addressed "Hi " and signed "Best", so who knows??

      I'd expect the KGB version to be more polished.

    • Given the nature of the hack, it seems like if Podesta had just enabled two-factor like he was told, the typo wouldn't have mattered and even giving the hackers his password wouldn't have mattered. The IT guy says right there that two-factor should be enabled as soon as possible, and even implies that it already should have been. Actually this level of person not using two-factor is just madness. And how does the first part of the email even make sense? Why would he use mfisher's two-step verification c
      • by jandrese ( 485 )
        Why does the DNC handle email like my retirement age parents? Do they not have any young people working for them who know how email works these days?
    • Thanks for posting this. It appears that the email sent by Charles Delavan in fact said that the email (purportedly from Google Gmail) was legitimate and that therefore Podesta should change his password.

      It looks like Delavan is trying to wiggle out of that mistake now by claiming that he meant illegitimate; however Delavan's stated conclusion that Podesta should immediately change his password in response to that "illegitimate" email shows otherwise.
  • Idiot (Score:5, Insightful)

    by byteherder ( 722785 ) on Tuesday December 13, 2016 @08:15PM (#53480107)
    You mean he didn't check the URL where he was giving his new password, he didn't log into Google directly, he didn't check to make sure that the email was really sent from someone at Google.
    He blindly clicked on a link in an email and gave up his password.

    And this proves that Russia hacked his account.

    All this proves is that John Podesta is an idiot.
    • and you're bound to get one through. Weight of fire. And it's easy when you've got (Russian) pros firing the Ammo non-stop every day.
  • by ooloorie ( 4394035 ) on Tuesday December 13, 2016 @08:16PM (#53480123)

    Delavan told The New York Times he had intended to type "illegitimate," a typo he still has not forgiven himself for making. The email was a phishing scam that ultimately revealed Podesta's password to hackers. Soon after, WikiLeaks began releasing 10 years of his emails.

    The Russian psychic warfare department strikes again! We really need to stop those evil Russians meddling with our democracy! Who knows in what other nefarious ways they use their psychic superpowers!

  • I find it curious that so many of the folks posting here are confusing the act of someone clicking on a phishing link as proof positive that -- contrary to US intelligence agencies reporting -- the illegal access to Podesta's email account was not in fact the result of a Russian operation.

    Normally the slashdot folks are smart. What happened here?
    • the illegal access to Podesta's email account was not in fact the result of [Russian intelligence]

      Well, it was certainly not the result of US intelligence!

      What the release of the Clinton E-mails shows is that (1) the people around Hillary Clinton were incompetent when it came to E-mail security, and (2) Hillary Clinton and the DNC had a lot of dirty laundry.

      Who actually released those E-mails hardly matters. Obviously, it was someone who wanted to hurt Hillary. So what? That's how adversarial systems work.

  • and yet... (Score:5, Insightful)

    by argStyopa ( 232550 ) on Tuesday December 13, 2016 @10:11PM (#53480711) Journal

    ...we continue to talk about the HACK and who did it, not what the emails showed.

    • by dbIII ( 701233 )

      ...we continue to talk about the HACK and who did it, not what the emails showed.

      That's been done everywhere else, so why not talk about the hack on a tech site and the politics on a political site?
      How about this suggestion - link to one of the many places discussing what the emails showed.

  • Really, if he's going to be changing the password after receiving every phishing scheme message there isn't going to be much time left for actually doing work.

    All that he had to do was reply, "It's a scam to try and get you to enter your password on a bad guy's website. Delete the email and forget about it." Then write up a message that provides a few more details to be distributed to everyone that basically says the same thing because if one person asks you know that more than one person has that questi

  • Eight years ago these people mocked McCain as "out of touch" [factcheck.org] for his reluctance to use a computer...

    Turns out, they need two layers of aides themselves to be able to tell an e-mail scam... Hypocrite scum.

    • Eight years ago these people mocked McCain as "out of touch" [factcheck.org] for his reluctance to use a computer...

      Turns out, they need two layers of aides themselves to be able to tell an e-mail scam... Hypocrite scum.

      Right. And then I'm supposed to believe that the well-written "answers" from "Hillary Clinton" on Quora are really from Hillary herself - someone who demonstrably is baffled by a fax machine.

  • I've had the misfortune of having to deal with a few of these types that went to college to play politics and never grew up.
    They like to call it "Political Science", but as valid a study as it is the "science" bit just doesn't cut it. When a manager has come in via a political track it is important to use small words instead of communicating as if they had studied science, engineering or literature. People who have not been to college at all usually make up the slack, but on the political track they are o
  • I got a letter (actual paper sent via USPS) telling me that a healthcare provider suffered a data breach and my personal information has been stolen from them.

    It tells me to go to a website to get a year of free credit monitoring and enter a customer number they have assigned me. I've never heard of this website. Warning bells go off, but as long as I only enter the customer number they assigned me what harm can it do? It seems legit. I really did use that healthcare provider. (So did thousands if n

    • My CC credit union outsources its fraud investigation. So I get a cold call from a company I don't recognize, asking me to confirm my identity and CC info, from a phone number that isn't on the back of the CC, in order to confirm some activity. I hang up, call my credit union from the # on the card, and they confirm that the company was legit and give me the number to call back. Turns out the original call was real. The last thing I say to them is that they are conditioning their customers to respond to
    • by jandrese ( 485 )
      Frankly if a bad guy has gone to the trouble to snail mail you they could have gotten your SSN way easier and faster with a bit of detective work. The fact that the site asked for your SSN so it can do credit monitoring makes sense too. I'd rate the chance that it was a phishing operation pretty low. If the site started asking you for your gmail passwords or bank logins that would be a red flag, but just the SSN isn't outside of what you would expect.

      And if you were feeling extra paranoid you could call
      • Obviously if they're offering legit credit protection they'll need an SSN, but presumably they already have it because I did cough up that information when I sought health care.

        Assuming they're legit and I am inclined to agree they probably are, they're just using this to confirm that I am who I say I am.

        But how else would anyone know my unique Customer ID Number unless the snail-mail was intercepted or someone had hacked into their system? And what good would it do an identity thief to enroll me into a y

  • Why would you use an email link to change your password anyways, given the possibility of a faked or hijacked domain ? You should obviously go to the source and perform admin functions though the official tools and channels provided by that source even if someone vetted the email for you.
