ENDitorial: Belgian railways – a case study in bad internet security
Earlier this year, we reported on the major data leak that was suffered by Belgian railways. Following the release of the data – including names, email addresses and even, in some cases, phone numbers and home addresses – the company failed to notify their customers of the leak.
The company's practices have unfortunately not improved since this episode. In recent weeks, it sent out an e-mail asking clients if they wanted to opt out of receiving marketing communications, without clarifying whether they were referring to online or offline communications and without clarifying what would happen (default opt-in or default opt-out) if people decided to take no action.
The e-mail is impressive in that it manages to contain virtually every characteristic of a fraudulent (“phishing”) e-mail:
1. The salutation in the e-mail is non-personal.
2. The reply-to e-mail address is different from the sender e-mail address.
3. Neither the reply-to nor the sender e-mail address is obviously an SNCB e-mail address.
4. The e-mail contains links asking people to fill in an “online form”.
5. None of the links in the e-mail point to a website owned or controlled by the SNCB.
6. Because the e-mail was sent in HTML, the characters do not decode in all webmail services, making it appear that the text has been altered automatically to bypass spam filters.
7. The subject-line (“information to clients”) is vague, increasing the likelihood that it will be opened, in case it might contain important information.
8. The e-mail sets a time-limit for responding – if you do not act within the deadline, you have to go through a more cumbersome procedure.
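As an added example (not from the EDRi article), a small Python checker that scores a raw message against the characteristics listed above, using a constructed sample e-mail with placeholder domains; the company's legitimate domain is an assumed input, and characteristic 6 (charset rendering) is not checked because it depends on the webmail client.

```python
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample message (not the real SNCB e-mail); all domains are placeholders.
SAMPLE = b"""From: Customer Service <news@mailer-platform.example>
Reply-To: replies@other-esp.example
To: sncb@example.org
Subject: information to clients
Content-Type: text/html; charset=utf-8

<html><body><p>Dear customer,</p>
<p>Please fill in our <a href="http://survey-vendor.example/form">online form</a>
before 15 March, otherwise you must write to us by post.</p></body></html>
"""

GENERIC_SALUTATIONS = ("dear customer", "dear client", "dear sir or madam", "dear user")
VAGUE_SUBJECTS = ("information", "information to clients", "important notice", "update")

def addr_domain(header_value):
    """Lower-cased domain of the first address in a header, or '' if absent."""
    _, addr = email.utils.parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()

def phishing_indicators(raw, company_domain):
    """Return (flags, score): which checklist items a raw RFC 5322 message trips.
    company_domain is the domain the sender would legitimately use (assumed input)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    text = body.lower()
    from_dom, reply_dom = addr_domain(msg["From"]), addr_domain(msg["Reply-To"])
    link_domains = {urlparse(h).hostname or "" for h in re.findall(r'href="([^"]+)"', body)}

    def owned(d):  # exact match or a subdomain of the company's own domain
        return d == company_domain or d.endswith("." + company_domain)

    flags = {
        "generic_salutation": any(s in text for s in GENERIC_SALUTATIONS),            # 1
        "reply_to_differs": bool(reply_dom) and reply_dom != from_dom,                 # 2
        "no_company_sender": not owned(from_dom) and not owned(reply_dom),             # 3
        "asks_for_form": bool(re.search(r"<a[^>]*>[^<]*form[^<]*</a>", body, re.I)),   # 4
        "no_company_links": bool(link_domains) and not any(owned(d) for d in link_domains),  # 5
        "vague_subject": (str(msg["Subject"] or "")).strip().lower() in VAGUE_SUBJECTS,  # 7
        "deadline_pressure": bool(re.search(r"\b(before|within|by|deadline)\b[^.]{0,40}\d", text)),  # 8
    }
    return flags, sum(flags.values())
```

The sample trips all seven checks; a message from the company's own domain whose links stay on that domain would trip only the checks that apply to its wording.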
The logic behind the e-mail is baffling. If the SNCB were already behaving appropriately with regard to their direct marketing, there would be no obvious need to send this e-mail. People who receive the e-mail are given a choice between taking the risk of clicking on the links in the message or, it appears, passively giving their consent to receiving unspecified numbers of marketing messages, via unspecified media from unspecified sources, which they could only opt out of through more cumbersome methods.
Whether the Belgian data protection authority would consider this e-mail to be an acceptable opt-in, opt-out or something else is almost irrelevant, because the authority has extremely weak enforcement powers in any case.
The only thing that is certain is that any SNCB subscriber who did avail of this opportunity to opt out of direct marketing messages will have been shown that e-mails that contain pretty much every possible characteristic of a phishing e-mail may not, in fact, be a phishing e-mail. So, next time they receive a phishing e-mail, it will probably be okay to click on the link.
EDRi was able to verify the validity of the e-mail because one of us has a “wildcard” e-mail system for a personal domain name. Whenever this person gives their e-mail address to a company, the address given is the name of that company at the personal domain. As the e-mail was sent to sncb@, it was easy to identify it as authentic. Or it would have been, if the company hadn't leaked it.
List of phishing e-mail characteristics
The SNCB e-mail
EDRi-gram 11.1: Major data leak at the Belgium railway company (16.01.2013)
(Contribution by Joe McNamee - EDRi)