Phishing?

live.com is a Microsoft domain. With the green highlighted "Microsoft Corporation (US)" in the address bar, Firefox is telling you that the SSL security certificate associated with the live.com address you're looking at is from Microsoft.

It all adds up to a legitimate MS website, not a phishing attempt. (Not that it's absolutely impossible to present a phishing attempt that looks that legitimate, but it would be *very* hard for a phisher to do, it probably wouldn't last long before it was discovered, and it would be big news in the mainstream media soon after it happened.)
 
Nobody is immune from phishing...if the phisher steals the SSL certificate, then they can present a legitimate-looking page until the certificate is canceled.

But two things would have to happen for the OP's situation to be a phishing attempt: (1) An MS SSL certificate would have to be stolen, and (2) either the OP's DNS settings would need to be hijacked such that the "live.com" domain would redirect to a compromised site, or (much more unlikely) a broader DNS hijack to cause such a redirect would have to occur.

That combination is highly unlikely. It is also likely to be quickly detected and would certainly make headlines on the mainstream news immediately after detection.

As for the OP's post, the page presented passes all the "smell tests": The signature you'd expect from a legitimate site is fully presented, and there are none of the common tells from a spoof site--poor spelling, poor grammar, mismatched logos, or other errors.

Conclusion: There is no reason to believe the site is anything but legitimate.
 
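The two facts the posts above rely on are that the certificate covers the host name in the address bar and that its subject names an organization. The following is an added illustration, not part of the original thread, showing both read from a certificate. The sample certificates and the lookalike host name are constructed, in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
# Added example: the sample certificates below are constructed, in the dict
# shape returned by Python's ssl.SSLSocket.getpeercert().

def subject_field(cert, name):
    """Return the first value of a subject attribute, or None if absent."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == name:
                return value
    return None

def host_matches(pattern, hostname):
    """Match a certificate DNS name; '*' may stand for the left-most label only."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def identity_summary(cert, hostname):
    """Report what the certificate asserts about the site at `hostname`."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return {
        "host_covered": any(host_matches(n, hostname) for n in names),
        "organization": subject_field(cert, "organizationName"),
        "country": subject_field(cert, "countryName"),
    }

# Constructed: a certificate carrying a validated organization, like the one
# behind the "Microsoft Corporation (US)" label described in the post.
ORG_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Microsoft Corporation"),),
                (("commonName", "login.live.com"),)),
    "subjectAltName": (("DNS", "login.live.com"), ("DNS", "*.live.com")),
}
# Constructed: a domain-validated certificate for a lookalike host; it names
# no organization, so the address bar has no company name to display.
LOOKALIKE_CERT = {
    "subject": ((("commonName", "live.com.login.example"),),),
    "subjectAltName": (("DNS", "live.com.login.example"),),
}

if __name__ == "__main__":
    print(identity_summary(ORG_CERT, "login.live.com"))
    print(identity_summary(ORG_CERT, "live.com.login.example"))
    print(identity_summary(LOOKALIKE_CERT, "live.com.login.example"))
```

The second call shows why a copied certificate alone is not enough: it does not cover a lookalike host name, so the visitor would also have to be redirected while the address bar still reads live.com.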
Phishing, by definition, is when some entity pretends to be a different entity in order to fool users into providing data that can be used for fraudulent purposes.

You are (apparently) saying that MS might be collecting data for nefarious means. That would not be "phishing", as they are not pretending to be an organization other than Microsoft.

I also seriously doubt they're doing anything fraudulent with the data. Things you might not want them to do? Maybe. Illegal/fraudulent? Unlikely.
 
You can always use Thunderbird, Skip, and not have Windows Live (Hotmail) as a secondary web portal...or a copy of Outlook.
 
Ahhh, I thought phishing was whenever people collected your data to sell and otherwise use for reasons other than stated.
 
Not phishing. Microsoft's asking for optional additional info to help you recover your password in case you ever forget it... For example, they could text it to your phone or email it to an alternate email address you own. Nothing nefarious here.
 
Google does something similar maybe every fourth or fifth time I log into any of their services. They want my cell phone number so they can text me if I lose my password. The same seems to be true of department store sites, credit card companies, and pretty much everyone else with whom I have any sort of online account.

In addition, banks, credit card companies, and other financial entities are aggressively pushing their various mobile apps and sites and urging me to log in from my phone. This makes me scratch my beard a bit.

As a Web developer, I build mobile sites for the convenience of potential customers for my clients, to attract more business for them. But I frankly don't give a rat's hindquarters which version of the site they access, or what device they use to access it, except in terms of that knowledge helping me to make the sites friendly to different devices. Other than that, what difference does it make to me? A little bit of bandwidth?

But there's a significant downside to mobile access for security-sensitive sites, namely, that the user can lose his or her phone; and there are plenty of clueless users who store their passwords on their phones (either in the browsers or in separate text files) and don't secure the phones. In addition, the IP assignments for phones and other wireless devices are wildly dynamic, whereas most landline IP assignments are relatively static. When I lived in Queens, I had the same "dynamic" IP address on my cable Internet connection for almost five years. It only changed when I replaced my router.

My credit union notices when I use my laptop to log in from a different place from my home office (where I have a static IP), and texts me a code that I have to enter into the login page to continue. That makes sense to me. But when I log in to the mobile version of their site from my BlackBerry, they also text me a code that I have to enter to continue. Now tell me, what good does that do? If I'm logging in from my BlackBerry, that means that I have the phone in my hand; so of course I'll receive and be able to enter the texted security code. That would hold true regardless of whether it's me or someone else accessing the site.

So if I were dumb enough to have the passwords stored on my BlackBerry, literally anyone could log into my credit union account. The only security beyond the password is a code that they conveniently text to the phone.

The truth is that the very nature of mobile devices adds additional security considerations and risks. They can be worked around, and they can be managed; but in the end, we're still talking about mobile devices that can be (and are) lost on a regular basis, and some of whose owners are less sophisticated about data security than one might hope. So the risks can be mitigated, but never completely eliminated.

To me, that means that if I were in charge of Web access for a bank, I would look at mobile access as something we offered because our users demanded it. But it also would be something that I would just as soon they didn't use. It wouldn't be something I would aggressively push them to use.

That leaves me wondering why almost every financial company I deal with is pleading with me to use their mobile sites and apps, and why Google and everyone else is imploring me to provide my cell phone number so they can text me if I lose my password.

My personal suspicion is that cell phone numbers are marketable commodities. Even if these entities don't necessarily plan to sell my cell number, at least they won't have to buy it.

A buddy of mine used to work as a collection agent, and he once told me that cell phone numbers are very valuable pieces of information. Most of them can be had rather easily, despite what the carriers claim. But some are almost impossible for collectors to obtain, particularly those numbers attached to prepaid accounts (which don't require that subscribers provide their real names, addresses, or other information).

So I have to wonder why a company like Google -- which has my real name, address, home phone number, work phone number, alternate email addresses, social security number (because I'm an Adsense publisher), and heaven knows what other information about me -- is so insistent that I provide my cell phone number that they stop me cold every so-many login attempts, demand that I provide it, and cause a bogus "login error" page to display if I don't.

The error page is bogus because once I see that page, I'm logged in. All I have to do from there is go to the root of any Google-owned site and I can proceed as a logged-in user. But they want it to look like I'm not. Why? So I will relent, press the "Back" button, and give them my cell phone number?

I have had the same cell phone number for years, and I've managed to keep it a secret from all but my family and friends. It's a prepaid number that's registered to a nickname (I thought it would be cute coming up on the caller ID, but it doesn't work), and the provider doesn't have my address. The only financial entity that has the number is my credit union's Web site, and only for security verification purposes when I log in from a different IP. They tell me that the credit union itself doesn't have it on file, which I'm inclined to believe because when I call the CU from my home or office number, they know who I am; but when I call from my cell number, they don't.

So... I'm not a paranoid person by nature, but I wonder: Is the absence of a cell number from my financial and retail marketing files such a gaping hole that everyone from Google, to my various credit card issuers, to Firestone Tires (which also incessantly begs for it every time I log on to pay my bill or set up a service appointment) considers it a challenge to fill that hole, by any possible means?

It just seems to me that our whole lives and every detail about them have become pieces of a marketing puzzle which, when complete, is a valuable commodity to both "legitimate" businesses and nefarious enterprises.

I'm sometimes tempted to buy the cheapest prepaid cell phone I can find, register it in my own name, prefill it with the absolute lowest amount of money that will keep the number active, provide that cell number to every company that asks for it, and then toss the phone in my sock drawer and never answer it, just to stop these companies from stopping me cold and demanding my cell number when I'm trying to log in to pay my bill.

-Rich
 
Whenever somebody insists that I provide
them info that I do not want them to have;
I find it easier to give'm info that the back-end
ETL system will almost certainly discard:

Cellphone: 202-456-1414 (White House)
SSN: 078-05-1120 (Most abused SSN in history)

Address: (Wrigley Field)
1060 West Addison St.
Chicago, IL 60613

If it is somebody that I do wish to talk to once
(maybe twice), Ring Shuffle is a terrific iPhone
app that will give you a free phone number for
one [1] week.
 