cathoderaydude
@cathoderaydude

today i get a text on my phone from a local number (not an SMS quick number) i've never seen before in my life, saying my car payment is overdue. that's true, i did forget to pay it.

so i go to my browser and click the link I've been using to pay my loan for a year. naturally, it's not on the lender's website, because they're a podunk bank in the middle of WA state whose IT staff is probably the owner's son, so PCI compliance is out of the question. they use some godforsaken SaaS that took me a week to even get signed up for, because it is not their system.

i'll be making up the names of these vendors due to Privacy, but let's say the link I've been using since i bought the car is "paynow-bankname.loanpayment.com." it's a completely barebones site that feels very much like it's supposed to have a lot more Content, but since i'm not actually a member of the bank, huge swaths of the page have been deleted to only leave the loan payment options

which, in this case, are missing. there's just no button to pay my loan. it's always been there before, but it's gone now. i can see my payment history and payment methods, but there's no way to pay.

i go back to the SMS, because it said "for payment options click this link." maybe if you're almost-overdue they turn off the normal web payment link for some reason?

so i tap that, and it opens a browser to... "bankname.paybytext.com", a domain i've never seen before. it then asks me to input my date of birth and create a PIN.

if your proverbial grandmother came to you and said "i think this one's a phish," you'd high five her. great job! she followed your instructions to the letter: it's an SMS with very little information, sent from a number she doesn't recognize, linking to an unknown domain which her bank never previously told her about. there is no clearer indication of a phishing attempt. except this isn't one.

i went to the bank's website and found no mention of the old service, but there is a link to paybytext.com now. i cautiously followed the new-account flow with a different PIN than the old site, just in case, and was deposited into a new, legit-looking payment interface... which is totally unaware of all my payment methods or history. which, again, is a pretty strong suggestion that i've been phished, but hey, the bank says they're legit!

i click the button to add a payment method, and i get taken to ANOTHER domain i've never seen before, "paynow.com." and i realize that the old URL had "paynow-bankname" as the subdomain, meaning that

A) this whole thing is a twisted spiderweb of dozens of SaaS providers who don't talk to each other, don't even know each other exist, and aren't authorized to communicate on behalf of the bank. all the information is one-way

B) the reason all this happened is because, since the last time i paid, the bank finally got out of their contract with the last SaaS vendor (who they realized had fucked them weeks after they signed the contract, but they had to wait for it to expire) and signed up with a new one, but they had no power to make the old vendor put any kind of message on their site stating that it's been shut off, nor can they (or should they) compel them to get rid of any of my account data, so now there's this zombie account

C) the only possible way i could have known about this is if i opened the paper statements the bank keeps sending me even though i told them not to. i throw them straight in the trash as soon as i get them, and probably tossed some fucking "welcome to our Great new Website which solves no problem you were aware of (but switching to it sure did get us out of a shitty contract)" notice. they wouldn't have emailed me this because the bank does not know my email. i'm nothing more than an SSN and a street address to them. only the fucking SaaS sludge vendor knew my email.

this shit has to stop. fix it. i don't care how, just fix it. it's not my fucking problem to care about how hard it is. it will not be fixed until there's legislation that says "no business may conduct online commerce or communication of any kind through more than one domain name, optionally with any number of subdomains."

once that law exists - in the US at a federal level, and in the EU - the problem will, from my perspective, magically go away. yeah, thousands of people will have to be hired and put through daily stress year-round to keep whatever horseshit solution working - i can't overstate this: it's not my fucking problem, I don't fucking care, fix it.


Janet
@Janet

being a fan of tad williams' books otherland, i like how this looks like it would pan out kinda like in that story, sure, sans the evil plot pls, but u know, not some megacorpo owning the means of communications, but a naturally evolved sociesphere on top of the many old ones, many in parallel.



in reply to @cathoderaydude's post:

Businesses as a whole just need a crash course in Not Looking Like Obvious Scams since governments worldwide have no interest in doing anything about them. I recently had to switch over to another medicare company because the one I was using stopped covering my pharmacy and all of their phone calls are so fake sounding and are from a new number each time. I just don't pick up now. If it's something vital they can send me paper mail, the only remaining way a service can look legitimate now.

it is absolutely astonishing how 99% of the people at any business have no fucking clue how to behave professionally in proximity to a computer. They wouldn't tolerate having to send letters to customers on 15 different letterheads, but they'll happily let their company be represented by payfastnow.notascam.biz

We definitely do need legislation on this, or at least some good case law, because eventually someone will refuse to use something that is obviously (but not actually) a phishing scam, get hit by a nonpayment fee, and sue. The system mustn't be allowed to be "we can ask for your money in deliberately sketchy ways and charge anyone who doesn't trust them". Legislation (or a sensible outcome to that lawsuit, which seems unlikely) is the only way I can think of to make being good at this pay better than being bad at it.

it's funny, because... you're right, this sort of precedent-setting civil case could theoretically put a chill down the spine of all these companies, yet i know it won't happen. and i think the reason it won't happen is: there is a direct correlation between the size of a company, and how much they do this nonsense.

when microsoft or apple charge my credit card, i'm on microsoft dot com or apple dot com. they pay the big bucks to get people to write PCI compliant merchant services code. but my (national) bank is a bit smaller than Apple when it comes to online footprint, and about 5% of their website is links to obnoxiously untrustworthy third parties. meanwhile, my car payment is through a very "local community" bank nobody has ever heard of that's probably 500 miles away and has 4 branches, and their shit is a mess. and if you go even further down the food chain, you find yourself going through three broken login pages and then getting redirected to a Stripe page for "John Logan-Smith"

the fact is that this is very hard. it's not that companies don't know they should do it correctly, it's that it's very expensive. well: that sucks for them. businesses are always on the power-holding end of any transaction, and if we're going to make someone's life hell, it should be theirs by definition. it's really fucking hard for John Q Localbusiness to get a merchant services page without just dropping a static link into his Squarespace. that has to change. we have to create Market Pressures that will put John out of business if he doesn't find a less stupid way to do this, and that will cause SaaS vendors who do this right to spring up instantly to try to solve John's problem

"wait a minute. i've just reinvented capitalism from first principles."

it's kind of incredible how capitalism, if it actually followed its stated principles, wouldn't be half as damaging as the hell reality we have that calls itself capitalism. it would still be bad, just not as bad as this shit

broke: we can't have communism because every time anyone's tried communism they fucked it up and it went to shit instead of working like it's supposed to
woke: we can't have capitalism because every time anyone's tried capitalism they fucked it up and it went to shit instead of working like it's supposed to

no joke, Social Security Administration's phone tree sounds more like a scam than when you transpose the last two digits and hit an actual scam tree.

they also haven't done anything about that number in 3 years regardless of all the reports to the line that the official phone tree constantly insists exists during your 5 hours of hold

Okay but consider that they will just put the SaaS stuff on a subdomain that will redirect to them, or just hangs out there.

It's technically on their domain as you said, but it isn't their system and they have no clue what is going on there

Would make switching vendors better, unless the vendor enforces own brand being in the url...

hanging out there is still better though because for that to happen it needs to serve an SSL cert that's valid under their own domain. redirects would be bad but i think that would still be illegal under gravis' proposal. it should actually say "sketchysaas.localbank.net" in the chain and no cert vendor worth their salt will issue those certs to a malicious party, and we could actually tell our grandparents to never trust anything that's not under "localbank.net". it's way easier to teach and for less technically literate people to validate.

we had a solution for this in the 90s, it's the ’’. that's all the first party site needs to serve, to put their own wrapper around whatever garbage fire they want to delegate handling your money to

Yeah like, the ideal outcome would be "you don't have to use saas sludge that's so loosely coupled to the company you're actually doing business with that it forces you to make a separate account." But I don't have any illusions that it's possible for "bank in the tri cities with 1,000 customers total" to reliably find staff who can write secure payment processing software, and even if we forced them to buy third party software and then self host it, finding competent security staff that'll work for $11/hr isn't a winning strategy either

The bare minimum here is: there should be precisely zero links on Chase Bank's website that send me to another domain, unless they're simply ads for that other company. They should never send me an email from another domain, or an email with a link to another domain, or ask me to send support requests to "supportbymail dot com."

I should never email a business and then get a reply from another domain, and we should be able to issue memos at work that say "if you click a link to a domain you don't recognize, you're fired" and have it be a reasonable demand, instead of an unwinnable situation.

and you literally just have to add 1 (one) cname record and a tiny bit of code for the SaaS provider and you would have solved the whole thing. it is not that fucking hard
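The "never trust anything that's not under localbank.net" rule from earlier in the thread, and the "zero links to another domain" bare minimum above, can both be checked mechanically. This is an added example, not code from anyone in the thread; it assumes `localbank.net` is the bank's one real domain (the name used above) and the link list is constructed for illustration.

```python
from urllib.parse import urlsplit


def link_is_first_party(url: str, trusted_domain: str = "localbank.net") -> bool:
    """True only if url is an https link whose host is trusted_domain or a
    subdomain of it. Other registrable domains, look-alike suffixes such as
    localbank.net.evil.example, userinfo tricks (https://localbank.net@evil.example)
    and plain http are all rejected."""
    trusted = trusted_domain.lower().rstrip(".")
    try:
        parts = urlsplit(url.strip())
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme != "https":  # vendor must be served under the bank's own cert
        return False
    host = parts.hostname  # lowercased, userinfo and port already stripped
    if not host:
        return False
    host = host.rstrip(".")  # "localbank.net." is the same name as "localbank.net"
    # Match the whole label boundary, so "notlocalbank.net" does not pass.
    return host == trusted or host.endswith("." + trusted)


def audit_links(links, trusted_domain: str = "localbank.net"):
    """Return the links a first-party page should not be sending people to."""
    return [u for u in links if not link_is_first_party(u, trusted_domain)]


# Constructed sample of outbound links on a hypothetical bank page.
SAMPLE_LINKS = [
    "https://localbank.net/accounts",
    "https://sketchysaas.localbank.net/pay",          # vendor delegated via CNAME: fine
    "https://paynow-localbank.loanpayment.com/",      # vendor's own domain: not fine
    "https://localbank.paybytext.com/enroll",         # second vendor domain: not fine
    "https://localbank.net.evil.example/login",       # suffix look-alike
    "https://localbank.net@evil.example/",            # userinfo trick
    "http://localbank.net/",                          # right name, no TLS
]

if __name__ == "__main__":
    for bad in audit_links(SAMPLE_LINKS):
        print("off-domain link:", bad)
```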