Skeetre
New Member
Ok... I have a question that probably belongs somewhere else, but due to my "low output" as a member, I am posting here in the hopes that someone can redirect me and/or my post. So, thanks in advance.
Also, the situation I describe below is not about my work as a tech; rather, it's about my recent encounter with what I consider to be a serious security flaw and auditing process by my credit union. So I am coming at this from the perspectives of both a tech and a member of the credit union.
Here goes....
The credit union sent out last week an e-mail (to me; some members got actual letters while some got e-mails) regarding an upcoming election of their Board of Directors. The e-mail was, I believe, a near-textbook example of a phishing e-mail: it did NOT originate from the credit union; it referenced and claimed to be sent on behalf of the credit union; it provided a link to a third-party site which requested parts of member information; there was no prior e-mail-based announcement regarding such an e-mail being sent to members on behalf of said credit union.
My concern, obviously, was that an attempt was being made to collect some member information from me, as well as other credit union members. And that the credit union was not aware of this and needed to be made aware.
So, I set out to do just that, culminating (at least, so far) today with a 45-minute-long conversation with the credit union's "Chief Audit Executive."
Prior to today's conversation with Mr. CAE, I had sent via e-mail a list with 13 questions/concerns about not only the "phishing e-mail," which Mr. CAE claimed was actually an approved and legitimate e-mail, but about the linked-to site from that e-mail. (The site was given a "F" at SSL Labs.)
Mr. CAE and I went over the bulk of that list. And the outcome, yet to be experienced, will be a separate issue.
However, during our discussion, Mr. CAE indicated to me that the CU had thought long and hard about how to provide relatively easy access to voting in the election WITHOUT compromising member information (an admirable goal, of course). This e-mail, something Mr. CAE acknowledged to me in our conversation looked like a phishing e-mail, was the result of the CU's many discussions.
I suggested that there must be some way to create a unique ID for each voting member that would keep the member's account/personal information private. (In this case the CU provided the third-party site with the last three of the member's zip code, last four of their SSN and their full date of birth. I objected to all of these, even though the first two items were not, in and of themselves, really enough to (probably) be troublesome. The third-party site also had members' names and e-mail addresses, something to which I did object.)
So again, what I thought could be done was to provide each voting CU member a unique, one-time-use ID that would be passed along to the third-party site WITHOUT having to divulge ANY of the members' personal information.
This, then, is the question: is this possible?
My thought (I'm not a programmer and know nothing of website construction or the like) would be to provide a link ON THE CREDIT UNION SITE that is available to a member AFTER LOGIN. This, presumably, would: 1) keep the members' information local (such as it is); 2) ensure that the ID is being issued to the real member ON A TRUSTED SITE; 3) be passed on to the appropriate third-party site WITHOUT THE PASSING ALONG OF MEMBER INFORMATION; 4) perhaps have even other benefits of which I'm not aware.
Anyway, I would like to be able to come back to Mr. CAE with a viable solution that benefits both the CU and us members.
So again, what I'm wondering is: is it possible to create a one-time-use only, unique ID for a website's users? I'm sure it is, but I think I need a programmer or someone like that to help me (help myself).
Sorry for the very long (and inappropriately placed) post. But it would be awesome if some kind soul(s) would point me in the right direction.
Also, if I need to clarify something or whatever, don't hesitate to let me know.
Thanks so much!
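For the flow the post above sketches (an opaque, one-time ballot token minted on the credit union's own site after login, carried to the vendor's site without any member data, and redeemable exactly once), here is an added Python example. It is not code from the poster or the credit union; the class names, the constructed member IDs, the one-hour token lifetime and the modelling of the vendor-to-CU redemption call as a direct method call are all assumptions made for illustration.

```python
"""One-time ballot token flow (added example; not the credit union's or the
poster's code). Assumptions, labelled as such: the member has already
authenticated to the CU's own site before issue_ballot_token() is called, and
the election vendor reaches the CU over a server-to-server channel (modelled
here as a direct method call) to redeem the token. Member IDs, the TTL and the
candidate names below are constructed for illustration."""
import hashlib
import secrets

TOKEN_TTL_SECONDS = 3600  # assumed: a ballot link is valid for one hour


def _fingerprint(token: str) -> str:
    # Store only a hash of the token, so a dump of the CU's table does not
    # yield live, redeemable tokens.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class CreditUnion:
    """Issues each eligible member exactly one opaque, single-use ballot token."""

    def __init__(self, eligible_member_ids):
        self._eligible = set(eligible_member_ids)
        self._token_of_member = {}  # member_id -> token fingerprint (one per member)
        self._records = {}          # fingerprint -> {"expires": t, "used": bool}

    def issue_ballot_token(self, member_id: str, now: float) -> str:
        # Precondition (assumed): member_id comes from the CU's own login
        # session, so the token is bound to the real member on the trusted site.
        if member_id not in self._eligible:
            raise PermissionError("not an eligible voting member")
        if member_id in self._token_of_member:
            raise PermissionError("ballot token already issued to this member")
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        fp = _fingerprint(token)
        self._token_of_member[member_id] = fp
        self._records[fp] = {"expires": now + TOKEN_TTL_SECONDS, "used": False}
        return token  # the only thing that travels to the vendor site; no PII

    def redeem(self, token: str, now: float) -> bool:
        # Called by the vendor. Succeeds at most once per token, and the CU
        # learns only that the token was spent, never what was voted.
        rec = self._records.get(_fingerprint(token))
        if rec is None or rec["used"] or now > rec["expires"]:
            return False
        rec["used"] = True
        return True


class ElectionVendor:
    """Third-party site that sees tokens and choices, never member identities."""

    def __init__(self, cu: CreditUnion):
        self._cu = cu
        self.tally = {}

    def cast_ballot(self, token: str, choice: str, now: float) -> bool:
        if not self._cu.redeem(token, now):
            return False
        self.tally[choice] = self.tally.get(choice, 0) + 1
        return True


def run_election_demo() -> dict:
    """Walk through the flow, including the failure cases, and report results."""
    cu = CreditUnion(eligible_member_ids=["M-1001", "M-1002"])  # constructed IDs
    vendor = ElectionVendor(cu)
    t0 = 1_700_000_000.0

    tok1 = cu.issue_ballot_token("M-1001", t0)
    first_cast = vendor.cast_ballot(tok1, "candidate-A", t0 + 60)
    replay = vendor.cast_ballot(tok1, "candidate-B", t0 + 120)  # link reused

    tok2 = cu.issue_ballot_token("M-1002", t0)
    expired = vendor.cast_ballot(tok2, "candidate-A", t0 + TOKEN_TTL_SECONDS + 1)

    try:
        cu.issue_ballot_token("M-1001", t0 + 200)  # second ballot request
        second_issue_blocked = False
    except PermissionError:
        second_issue_blocked = True

    forged = vendor.cast_ballot(secrets.token_urlsafe(32), "candidate-B", t0 + 60)

    return {
        "first_cast": first_cast,
        "replay_rejected": not replay,
        "expired_rejected": not expired,
        "second_issue_blocked": second_issue_blocked,
        "forged_rejected": not forged,
        "tally": dict(vendor.tally),
    }


if __name__ == "__main__":
    for key, value in run_election_demo().items():
        print(f"{key}: {value}")
```

The vendor never receives a name, e-mail address, date of birth or SSN fragment; it receives a random token and checks it with the CU, which answers yes exactly once. The caveat a practitioner would raise: because the CU keeps the member-to-fingerprint mapping to enforce one ballot per member, the CU can tell that a member voted (though not how); making even that unlinkable requires blind signatures or a similar scheme, which is outside this example. The link in the e-mail should still land on a properly configured TLS site, and the vendor's redeem call to the CU needs its own server-to-server authentication.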