[Mailman-Users] ARC

Stephen J. Turnbull turnbull.stephen.fw at u.tsukuba.ac.jp
Wed Aug 1 02:49:36 EDT 2018

Jordan Brown writes:

 > Wasn't this in the context of signature-checking schemes that detect
 > forged origin metadata?

Context, yes.  The question is did Intuit need extreme accuracy for
that?  Maybe they did, but I see no evidence for that need.

Intuit was not a financial intermediary.  It sent bills, it did not
collect payments AFAIK (if it did, that would be a different matter).
The reason it got into billing is that it has the invoice data anyway,
since it was doing accounting and tax preparation for these businesses
(Intuit is the company that sells TurboTax).  So you receive a bill
from Intuit, your response is not to click on a link in the bill, it's
to go to your banking site and authorize a transfer to the vendor.

You could argue that the bad guys could find some way to abuse the
system because the From address isn't aligned with Intuit's DKIM
signature (I thought of two while typing this sentence), but as far as
I know they haven't implemented them yet.  They did implement
spear-spamming "from" Yahoo! and AOL customers.  Doesn't prove there's no
profitable way to exploit Intuit, but it's suggestive.

 > So the vendor has to notify their customers who they use to do
 > their billing, and every time that they change billing vendors?

Probably not.  My guess is that Intuit did, in a footer.  Again, this
works well enough as long as Intuit isn't collecting money for the
vendor, and the vendor's customers are expecting to use a different
channel already set up to make payment.  I don't think these folks
would change billing vendors very often, since that probably implies
changing accountants and tax preparers, too.

 > Ofttimes, the goal is that the billing vendor is completely
 > invisible to the end customer.

Sure.  But it can't be completely invisible here.  Remember, these are
businesses that don't have their own domains or are so technically
clueless that they're billing from yahoo.com, not their own domain.

I doubt very many customers (of the vendors using Intuit) paid any
attention to who was sending the bills, vs who was asking for money.

 > Having your billing vendor be visible is, like having your company
 > e-mail address be @gmail.com

Exactly (but it was @yahoo.com. :-)  There are many people out there
who don't think very hard about these things.  The only thing they
fear enough to buy help for is the IRS.  Therefore, Intuit.

 > Not anywhere near as hard as it is for a full-scale e-mail vendor.
 > Google secures a database of millions of users' secrets, and must
 > have internal and external controls that keep the wrong people from
 > sending mail that pretends to come from those users.

It's unfair to refer to Google and ignore Yahoo! and AOL here.  My
point is that if I were Intuit's CISO, I would want to be securing
customers' accounting and tax records, not their mail service.  One
doesn't want to have to expend Google-like resources for a service one
doesn't need to provide.
