Mobile and Secure.Com

McDonald’s announcement that it will be offering free Wi-Fi to its UK customers from this December started me thinking about the security implications. Not just the fact that people will try to get free Wi-Fi anyway without buying anything - how near to a Mickey D’s do you have to be in order to pick up a signal? Do you have to buy say, fries every hour in order to get free access on the premises? - But also that some of the patrons may actually be tempted to check their email accounts, access their online bank accounts, and generally use the free internet connection as they would normally use it from home or work, while enjoying their happy meal.

McDonald’s may just end up being the new hangout for identity thieves.

Sometimes even those of us in the computer security field can make stupid mistakes when carrying out a task that they have done a thousand times before, without really thinking. In this case I decided to fire off a quick email at a clients site to my personal email account just to remind me about something or other I had to do later that day. Normally I’d stick a reminder in my mobile phone calendar, but I was sat in front of an email client and it just seemed quicker.

Later that day when typing another email, the ever helpful email client suggested from its history file a selection of similar email addresses based on the characters I had typed so far into the to: field. That is when I noticed that I’d typed my personal email address incorrectly earlier that day as the client had remembered what I’d typed, and it was wrong. In this case the typo was in the domain name. This could be bad.

Now bearing in mind that I’m at a clients site, I’m not about to type the typo domain name into my browser to see if it actually exists, because it just might be a site that could get me into a whole lot of trouble. So I did a whois lookup and just my luck, the site exists. What was worse was that the registered contact name for the site owner was ‘SpamKing’ at the domain name in question.

So for the rest of the day I’m kicking myself for making such a stupid lazy mistake. I may have just handed my work and personal email addresses to a spammer.

Luckily not long after, my email server returned an error saying that it was unable to deliver the email after repeated attempts.

This stupid mistake started me thinking about email address typos. How easy it would be for spammers to register domain names for every possible typo of a popular web email domain name that they can think of, then set up an email server to collect all the email addresses they receive from those of us in such a rush that we don’t check what we just typed before hitting send.

So don’t just check your message content before sending, make sure you also check the spelling of the recipients addresses.