Phishing – another side of the tale

De Consumentenbond, which is basically the Dutch version of Consumer Reports, released an interesting press release yesterday. Thanks to this organization, eBay is no longer asking for personal information which could identify the user via email. (More information, in Dutch, can be found here.)

eBay had previously been asking some customers for personal details in order to confirm the customer’s credit status. Such requests were for copies of identity cards or passports, recent bank statements and valid phone numbers. Of course such details were juicy bait which phishers could exploit – I’m pleased to hear that eBay will be taking a different approach from now on.

This news also reminded me of some interesting cases I saw some time ago in The Netherlands.

Some big companies had been sending out emails which included no identifiable information whatsoever. Although the ‘from’ address said the email had been sent from company X, company X’s mail servers hadn’t been used to send the email. The URLs in these emails also linked to third party domains. So nothing in the email could be attributed to company X.

Pretty amazing if you ask me. Such practices are dangerous. They also make it very difficult for security companies – from a literal point of view, such emails are simply phishing emails. But antivirus companies can’t detect them.

My hat goes off to De Consumentenbond for pushing eBay in the direction of improved security. And I think that in this day and age it wouldn’t be a bad idea to make better practice mandatory.