Security warning: DCS claimants with EDGE Accounts

Posted 30/11/2009 - 11:57 by ng

Checking the DCS site today, I found this page entitled Notice to EDGE customers ...


If you have indicated that you have an EDGE account you will receive an email from Mike Fayle who will describe himself as the Scheme Agent.
The email address that this will come from is "mfayle(?)kpmg [dot] co [dot] im". The email will ask you to provide the details of the "nominated bank account" that you were required to use in conjunction with the EDGE account.

Any email you receive apparently from Mike Fayle is probably genuine. However, asking depositors to trust email in this way is a bit risky:

  • Anybody can send an email apparently from mfayle(?)kpmg [dot] co [dot] im (or any other email address). Be careful about trusting the claimed origin address without further evidence of the authenticity of the message. This is the same situation as with typical phishing emails, which claim to be from some organisation such as your bank but are in fact sent by a third party. In general, exercise caution if you receive an email which asks you to provide any information, especially if it asks you to reply via an unrecognised email address or web-site.

  • Standard email is insecure - its content could be intercepted en route to the destination.

In my opinion, the correct way for DCS administrators to be collecting this information would be by providing a secure form on their website.

Checking the authenticity of an email

The following information is rather technical, and I'm not suggesting that it would be very practical to check your messages this way; it is just to let you know what's possible. Some reasonably effective checks on the authenticity of an email can be made by examining the headers of the email. To do this you need to tell your email program to display the headers of the message. Exactly how to do that depends on which email program you use. Some information on the subject is available on the Gmail website.

Among the headers, you will probably see something broadly similar to the following:

Return-path: mfayle(?)kpmg [dot] co [dot] im

This cannot be trusted. It is simply the claimed originating email address.

Then, various lines similar to:

Received: from sending.server.name ... by ... receiving.server.name

This tells us that the message was sent by one machine and received by another on its way from origin to final destination. Initially, however, we can only really trust the first of these lines, because it is added by the mail system where you receive your mail (Hotmail, Gmail, etc.). It appears first in the list of headers but represents the final stage of message routing. Any subsequent (earlier in time) "Received:" lines could easily have been forged before the mail was delivered to its final destination. So, received from whom?

In what I believe to be a genuine email from Mike Fayle:

Received: from exprod8og102.obsmtp.com ([64.18.3.84] helo=exprod8og102.obsmtp.com)

and in another:

Received: from exprod8og104.obsmtp.com ([64.18.3.88] helo=exprod8og104.obsmtp.com)

The names of these services cannot necessarily be trusted either, only the IP addresses: the host name and the "helo=" value are whatever the sending machine chose to announce, whereas the address in square brackets is recorded by the receiving server from the actual connection. So I know one mail arrived at my final destination from IP address 64.18.3.84 and the other from 64.18.3.88.

Ok, so now I can check who owns these addresses, e.g. at www.maxmind.com, and so discover that they belong to an organisation called Postini (http://www.google.com/postini/index.html), which is in fact a Google mail service. So now I would probably decide to trust them, and therefore trust the subsequent header line, which tells me who they received the message from. By repeating the exercise, I can potentially validate each of the Received: lines right back to the origin.
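The walk described above can be written down as a small script. The following Python is an added example, not code from the original post: it parses the headers of a message, extracts the IP address in square brackets from each Received: line (ignoring the announced host name and helo= value), and walks the chain from the top, believing each hop only if the relay that wrote it was itself already confirmed as trustworthy. The sample message is constructed; only the Postini host name and address 64.18.3.84 are taken from the post, and the lower hops, the example domains and the TRUSTED_RELAYS table are assumptions standing in for the ownership lookup (e.g. at www.maxmind.com) that the post performs by hand.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Constructed sample (headers only). The top Received: line mirrors the one quoted
# in the post; everything below it is made up for illustration.
SAMPLE_MESSAGE = """\
Return-path: <sender@example.invalid>
Received: from exprod8og102.obsmtp.com ([64.18.3.84] helo=exprod8og102.obsmtp.com)
\tby mx.recipient.example with esmtp; Mon, 30 Nov 2009 10:12:01 +0000
Received: from outbound.example.invalid ([198.51.100.7])
\tby exprod8og102.obsmtp.com with SMTP; Mon, 30 Nov 2009 10:11:58 +0000
Received: from workstation.example.invalid ([192.0.2.44])
\tby outbound.example.invalid with ESMTP; Mon, 30 Nov 2009 10:11:50 +0000
From: sender@example.invalid
Subject: nominated bank account details

Please reply with your account details.
"""

# Assumed result of the ownership lookup: relays whose Received: lines we are
# prepared to believe. 64.18.3.84 is the Postini address from the post; the
# organisation name is a label for the reader, not looked up at run time.
TRUSTED_RELAYS = {
    "64.18.3.84": "Postini (Google)",
}

# The sending address in a Received: line is the first bracketed IP after "from".
# The host name before it and any helo= value are sender-supplied and ignored.
_SOURCE_IP = re.compile(r"\bfrom\b[^\[]*\[([0-9.]+)\]")


def claimed_return_path(raw_message):
    """Return the Return-path address. It is merely the claimed origin and
    must not be trusted; it is shown here only for comparison."""
    msg = email.message_from_string(raw_message)
    return parseaddr(msg.get("Return-path", ""))[1]


def source_ip(received_value):
    """Extract the IPv4 address recorded by the receiving server from one
    Received: header value, or None if there is no usable address."""
    value = re.sub(r"\s+", " ", received_value)
    match = _SOURCE_IP.search(value)
    if not match:
        return None
    try:
        return str(ipaddress.ip_address(match.group(1)))
    except ValueError:
        return None


def received_hops(raw_message):
    """Source IPs of all Received: lines, top of the headers first, i.e. the
    final delivery hop first and the origin last."""
    msg = email.message_from_string(raw_message)
    return [source_ip(v) for v in msg.get_all("Received", [])]


def verified_source_ips(raw_message, trusted_relays):
    """Walk the Received: chain from the top. Hop 0 was written by our own mail
    provider, so its recorded source IP is believed. Hop i (i > 0) was written
    by the machine hop i-1 names as its source, so it is believed only if that
    machine is in trusted_relays. Stop at the first hop we cannot vouch for."""
    hops = received_hops(raw_message)
    verified = []
    for i, hop in enumerate(hops):
        if hop is None:
            break
        if i > 0 and hops[i - 1] not in trusted_relays:
            break
        verified.append(hop)
    return verified


if __name__ == "__main__":
    print("Claimed Return-path (untrusted):", claimed_return_path(SAMPLE_MESSAGE))
    print("All recorded hops:", received_hops(SAMPLE_MESSAGE))
    print("Hops we can vouch for:", verified_source_ips(SAMPLE_MESSAGE, TRUSTED_RELAYS))
```

On the constructed sample the walk confirms the Postini hop and the one below it, then stops at 198.51.100.7 because nothing in the lookup table says that relay records its Received: lines honestly. Extending the table after each ownership check is exactly the "repeat the exercise" step in the post; a hop with no bracketed address at all is treated as the end of what can be verified.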


Email security part 2

I've now written a related article Email security part 2.

Posted by ng on Wed, 19/10/2011 - 17:54