ENDitorial: Belgian railways – a case study in bad internet security

By EDRi · July 31, 2013

This article is also available in:
Deutsch: [ ENDitorial: Belgische Bahn – ein Paradebeispiel für mangelnde Sicherheit im Internet | ]

Earlier this year, we reported on the major data leak that was suffered
by Belgian railways. Following the release of the data – including
names, email addresses and even, in some cases, phone numbers and home
addresses – the company failed to notify their customers of the leak.

The company practices has unfortunately not improved since this episode.
In recent weeks, it sent out an e-mail asking clients if they wanted to
opt out of receiving marketing communications, without clarifying
whether they were referring to online or offline communications and
without clarifying what would happen (default opt-in or default opt-out)
if people decided to take no action.

The e-mail is impressive in that it manages to contain virtually every
characteristic of a fraudulent (“phishing”) e-mail:

1. The salutation in the e-mail is non-personal.
2. The reply-to e-mail address is different from the sender e-mail address.
3. Neither the reply-to nor sender e-mail address are obviously SNCB
e-mail addresses.
4. The e-mail contains links asking people to fill in an “online form”.
5. None of the links in the e-mail point to a website owned or
controlled by the SNCB.
6. Because the e-mail was sent in HTML, the characters do not decode in
all webmail services, making it appear that the text has been altered
automatically to bypass spam filters.
7. The subject-line (“information to clients”) is vague, increasing the
likelihood that it will be opened, in case it might contain important
8. The e-mail sets a time-limit for responding – if you do not act
within the deadline that you have to go through a more cumbersome procedure.

The logic behind the e-mail is baffling. If the SNCB were already
behaving appropriately with regard to their direct marketing, there
would be no obvious need to send this e-mail. People who receive the
e-mail are given a choice between taking the risk of clicking on the
links in the message or, it appears, passively giving their consent to
receiving unspecified numbers of marketing messages, via unspecified
media from unspecified sources, which they could only opt out of through
more cumbersome methods.

Whether the Belgian data protection authority would consider this e-mail
to be an acceptable opt-in, opt-out or something else is almost
irrelevant, because the authority has extremely weak enforcement powers
in any case.

The only thing that is certain is that any SNCB subscriber who did avail
of this opportunity to opt-out of direct marketing messages will have
been shown that e-mails that contain pretty much every possible
characteristic of a phishing e-mail may not, in fact, be a phishing
e-mail. So, next time they receive a phishing e-mail, it will probably
be okay to click on the link.

EDRi was able to verify the validity of the e-mail because one of us has
a “wildcard” e-mail system for a personal domain name. Whenever this
person gives their e-mail address to a company, the address given is
. As the e-mail was sent to sncb@, it
was easy to identify it as authentic. Or it would have been, if the
company hadn’t leaked it.

List of phishing e-mail characteristics

The SNCB e-mail

EDRi-gram 11.1: Major data leak at the Belgium railway company (16.01.2013)

(Contribution by Joe McNamee – EDRi)