Attempted PIN theft

Discussion in 'privacy problems' started by Paul Duffey, Nov 20, 2005.

Thread Status:
Not open for further replies.
  1. Paul Duffey

    Paul Duffey Registered Member

    Joined:
    Jun 29, 2005
    Posts:
    7
    Over the past few days, Norton Internet Security has blocked attempts to steal my PIN number. The sites the information was to be sent to were:
    http://207.46.5.13/gateway/gateway.dll?Action=poll SessionID=744486711.****3
    which I traced to Microsoft Corp and
    http://by101fd.bay101.hotmail.msn.com/CGI-bin/premail/8261

    I have e-mailed the abuse sites for Microsoft and MSN, but I wonder if there is some Trojan horse or other malware on my computer sending this. Any suggestions? I have updated Norton Internet Security and Spyware Doctor and run them and Spybot Search & Destroy, and didn't find anything. Am I a candidate for Hijack This log? o_O
     
  2. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
  3. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    Generally, the way that these content-based alerting features work is the firewall or anti-spyware tool scans all outgoing packets for any data pattern that you tell it you want to keep secure. If it sees that pattern of data (like a PIN, social security or credit card number, for example), then it usually blocks the connection and pops up an alert. The problem is that there is a simple flaw in the design of these monitors. If the data you have it monitor is too small (like such a short sequence of numbers), or likely to occur naturally in a connection with a website, then you'll get a lot of mistaken alerts (i.e. false positives).

    I don't know the specific feature in NIS, but if it is anything like Zone Alarm's, then this thread at DSLR might help explain it a little more...

    http://www.dslreports.com/forum/remark,8581299

    Most PINs are a fairly short series of numbers. Since many series of numbers are sent in the data stream when communicating to websites, it is very likely that you'll receive alerts that are merely coincidences. A four-digit PIN of say 2736 would be very likely to be seen in packets sent to websites, so alerting on something that short would be prone to bogus alerts. When this feature was first added to Zone Alarm, we had a large number of people getting such alerts even on social security and credit card numbers, which are a longer set of numbers; still, it happened often enough to have many topics on the subject. (Also, to make the problem worse, some of these tools monitor on just pieces of the data, not always the whole thing. So, in some cases if it even sees the last 4 digits of say a social security number, it may alert.)
     
  4. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    It is also worth noting that such "private data filtering" cannot work on encrypted data (easily demonstrated by entering "private data" on an encrypted https: webpage). Since more sophisticated malware does use encryption, this feature should not be relied upon for total security - if you have truly private data, don't store it on your computer in the first place.
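The two points made above (LowWaterMark's, that a short plain-text pattern scanned against outbound packets fires on coincidences, and Paranoid2000's, that such a filter sees nothing once the data is encrypted) can be reproduced with a small simulation. This is an added example, not code from the thread, from NIS or from Zone Alarm: the outbound requests are constructed here to resemble the gateway URL quoted in the first post, the PIN `2736` is the example from the post above, the nine-digit `LONG_NUMBER` is a made-up stand-in for a card- or SSN-length secret, and `toy_stream_encrypt` is a deliberately simple SHA-256 keystream that stands in for TLS or a Trojan's own crypto.

```python
import hashlib
import random

# Constructed sample values (not taken from anyone's real account).
PIN = "2736"                 # four-digit example used in the post above
LONG_NUMBER = "123456789"    # constructed nine-digit stand-in for a card/SSN-length secret


def build_payloads(count, seed=1):
    """Constructed outbound requests carrying random numeric session IDs,
    shaped like the gateway URL quoted earlier in the thread."""
    rng = random.Random(seed)
    payloads = []
    for _ in range(count):
        session = "".join(rng.choice("0123456789") for _ in range(20))
        line = "GET /gateway/gateway.dll?Action=poll&SessionID=%s HTTP/1.1\r\n" % session
        payloads.append(line.encode())
    return payloads


def alerts(payloads, secret, tail_digits=0):
    """Naive private-data filter: flag every payload whose raw bytes contain the
    secret. With tail_digits set, it matches only the last N digits, mimicking
    tools that alert on a fragment of the protected value."""
    needle = secret[-tail_digits:] if tail_digits else secret
    needle = needle.encode()
    return [i for i, p in enumerate(payloads) if needle in p]


def toy_stream_encrypt(plaintext, key):
    """Labelled toy cipher: SHA-256 in counter mode as a keystream, XORed over
    the data. It stands in for TLS or malware's own encryption in this demo
    and is not a real cipher to build on."""
    out = bytearray()
    for offset in range(0, len(plaintext), 32):
        keystream = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        chunk = plaintext[offset:offset + 32]
        out.extend(b ^ k for b, k in zip(chunk, keystream))
    return bytes(out)


def false_positive_demo(count=20000):
    """How often an innocent session ID happens to contain the watched value."""
    payloads = build_payloads(count)
    return {
        "pin_hits": len(alerts(payloads, PIN)),
        "long_hits": len(alerts(payloads, LONG_NUMBER)),
        "long_tail_hits": len(alerts(payloads, LONG_NUMBER, tail_digits=4)),
    }


def encryption_demo():
    """The same leak, once in the clear and once under the toy cipher."""
    leak = ("POST /collect HTTP/1.1\r\n\r\npin=%s" % PIN).encode()
    key = b"constructed-demo-key"
    return {
        "plain_alerts": alerts([leak], PIN),
        "encrypted_alerts": alerts([toy_stream_encrypt(leak, key)], PIN),
    }


if __name__ == "__main__":
    print(false_positive_demo())
    print(encryption_demo())
```

Running it shows dozens of bogus alerts on the four-digit PIN across 20,000 harmless requests, essentially none on the nine-digit value, and the false positives return as soon as the filter is asked to match only the last four digits of the long number. The second demo shows the filter catching the plain-text leak but staying silent on the identical data once encrypted, which is why the feature is a convenience, not a control you can rely on.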
     