Process: insecurity in Internet email-to-fax services
(This has also been submitted to Risks Digest and may appear there in edited form).
Dallman Ross (RISKS-24.23) wrote about the possibility of "Joe-jobbing" someone via the email-to-fax services that only authenticate the e-mail "from" address when sending (expensive) faxes.
The risks appear to be mitigated such that real financial damage to a target is impractical, but the devil is in the details as I've just confirmed in examination of a large fax/voicemail service:
- This service (and JFax as well) once offered concerned customers (me) the option to place a text password inline at the top of the email body, eg: {password="SendMyFax007"}. However, I noticed the password string sometimes leaked into the sent message, and its absence didn't always prevent a message going out. This "feature" doesn't seem to be publicly documented and was never user-configurable. I don't know if it's still available.
- The service under study this morning seems to update its authentications after a huge delay, if at all. I removed all references to an account's formerly authorized email address via the web page at 8:14am and replaced it with another. At 9:17am the service is still sending faxes received from the deleted e-mail address. So, even removing a compromised address doesn't stop the attack immediately. Inexplicably, it's referencing a "free trial account" now (the account was started as a free trial years ago). But it's charging the faxes against a real account, and logging them there.
- The services top-up a debit balance held at the service, then run it down before charging the credit card again. If you keep a low refill amount, this would throttle an attack, but the victim remains dependent on the company to "do the right thing" to reimburse.
- There is no way to stop faxes going out, and no way to remove stored credit card data or to stop the auto-charging of same. Attempts to erase credit card details yield a "you have entered an invalid credit card number" error. The service's contract requires that it be allowed to store credit cards and auto-charge both fixed monthly fees and per-use fees.
- The company cannot be easily reached by telephone, even in an emergency.
- The service allows account holders to disable notification of sent faxes. Presumably large account holders (those topping up with $100 or $250 per occurrence) thus wouldn't learn about an attack quickly. Thus the most valuable accounts (with high balances) are perhaps the least likely to catch an attack quickly.
- The service allows broadcast faxing on approved accounts, the fax equivalent of a spam relay.
I discussed these risks in 2002 with an architect of JFax, who is also a principal at another fax service. His (anonymized) comments below shed some light on their reasoning. He, and JFax before, considered this design necessary and reasonable given the limitations of both technology and customers. He's troublingly confident about the utility of "tracing an email back to where it came from" as a means of solving the problem.
Quote from fax service architect, Feb. 20, 2002:
"Yes, we've been through this one about a thousand times in the past. When we started (the service) back in 1996, we used to make the sender place their customer ID and password in the subject line of the email. We lost a lot of business because most folks could never figure out how to send a fax.
"We do send a confirmation to your email address every time a fax is sent on your behalf, so if someone is scamming your account, you should know fairly quickly. Please inform us immediately and we'll credit your account and trace the mail trail back to find out where the email came from.
"This is a small risk that we have to face in order to do business in our market. Fortunately it hasn't been too big a problem (stolen credit cards seems to be a much more real issue for us to deal with). In my dealings with J2 (JFax)... I learned that they really hadn't had any issues with this type of issue either. We'll keep our eyes open though."
Dallman Ross (RISKS-24.23) wrote about the possibility of "Joe-jobbing" someone via the email-to-fax services that only authenticate the e-mail "from" address when sending (expensive) faxes.
The risks appear to be mitigated such that real financial damage to a target is impractical, but the devil is in the details as I've just confirmed in examination of a large fax/voicemail service:
- This service (and JFax as well) once offered concerned customers (me) the option to place a text password inline at the top of the email body, eg: {password="SendMyFax007"}. However, I noticed the password string sometimes leaked into the sent message, and its absence didn't always prevent a message going out. This "feature" doesn't seem to be publicly documented and was never user-configurable. I don't know if it's still available.
- The service under study this morning seems to update its authentications after a huge delay, if at all. I removed all references to an account's formerly authorized email address via the web page at 8:14am and replaced it with another. At 9:17am the service is still sending faxes received from the deleted e-mail address. So, even removing a compromised address doesn't stop the attack immediately. Inexplicably, it's referencing a "free trial account" now (the account was started as a free trial years ago). But it's charging the faxes against a real account, and logging them there.
- The services top-up a debit balance held at the service, then run it down before charging the credit card again. If you keep a low refill amount, this would throttle an attack, but the victim remains dependent on the company to "do the right thing" to reimburse.
- There is no way to stop faxes going out, and no way to remove stored credit card data or to stop the auto-charging of same. Attempts to erase credit card details yield a "you have entered an invalid credit card number" error. The service's contract requires that it be allowed to store credit cards and auto-charge both fixed monthly fees and per-use fees.
- The company cannot be easily reached by telephone, even in an emergency.
- The service allows account holders to disable notification of sent faxes. Presumably large account holders (those topping up with $100 or $250 per occurrence) thus wouldn't learn about an attack quickly. Thus the most valuable accounts (with high balances) are perhaps the least likely to catch an attack quickly.
- The service allows broadcast faxing on approved accounts, the fax equivalent of a spam relay.
I discussed these risks in 2002 with an architect of JFax, who is also a principal at another fax service. His (anonymized) comments below shed some light on their reasoning. He, and JFax before, considered this design necessary and reasonable given the limitations of both technology and customers. He's troublingly confident about the utility of "tracing an email back to where it came from" as a means of solving the problem.
Quote from fax service architect, Feb. 20, 2002:
"Yes, we've been through this one about a thousand times in the past. When we started (the service) back in 1996, we used to make the sender place their customer ID and password in the subject line of the email. We lost a lot of business because most folks could never figure out how to send a fax.
"We do send a confirmation to your email address every time a fax is sent on your behalf, so if someone is scamming your account, you should know fairly quickly. Please inform us immediately and we'll credit your account and trace the mail trail back to find out where the email came from.
"This is a small risk that we have to face in order to do business in our market. Fortunately it hasn't been too big a problem (stolen credit cards seems to be a much more real issue for us to deal with). In my dealings with J2 (JFax)... I learned that they really hadn't had any issues with this type of issue either. We'll keep our eyes open though."
0 Comments:
Post a Comment
Links to this post:
Create a Link
<< Home