I have received three emails today all claiming to be from Yahoo. The first and last had the subject “Your password has been successfully updated” and read like this:
Dear user john_94501,
You have successfully updated the password of your Yahoo account.
If you did not authorize this change or if you need assistance with your account, please contact Yahoo customer service at: webmaster@yahoo.com
Thank you for using Yahoo!
The Yahoo Support Team
+++ Attachment: No Virus (Clean)
+++ Yahoo Antivirus – www.yahoo.com
The second one was a little different. It had the subject “Important Notification” and read like this:
Dear Yahoo Member,
Your e-mail account was used to send a huge amount of unsolicited spam messages during the recent week. If you could please take 5-10 minutes out of your online experience and confirm the attached document so you will not run into any future problems with the online service.
If you choose to ignore our request, you leave us no choice but to cancel your membership.
Virtually yours,
The Yahoo Support Team
+++ Attachment: No Virus found
+++ Yahoo Antivirus – www.yahoo.com
All three had a ZIP file attached. Inside each was a single file whose name ended in either .exe or .pif, with that real extension cunningly separated from the rest of the name by a long run of spaces (and a fake .htm extension attached to the name to try to fool people into thinking it is a web page). Regardless of the name, the contents are the same Windoze executable file (MD5 = bf389ebd4b5a057259395f6a633f110f).
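The space-padded double extension is easy to miss by eye but easy to check by machine. The script below is an added example, not code from the original post: it builds a constructed ZIP archive that mimics the attachment described above (a member named `<name>.htm<many spaces>.exe`, with a stand-in payload that carries only the `MZ` magic, not real malware), then inspects every member, collapses the whitespace to recover the extension Windows would actually honour, flags padded and double extensions and executable content, and records the MD5 of each member so it can be compared against a known hash. The file names, the padding width and the `EXECUTABLE_EXTENSIONS` list are assumptions for the example.

```python
import hashlib
import io
import re
import zipfile

# Extensions Windows will execute directly (assumed list for this example).
EXECUTABLE_EXTENSIONS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd"}


def build_sample_zip() -> bytes:
    """Construct a ZIP resembling the attachment described in the post.

    This is a constructed sample, not the real attachment: the member name
    carries a fake .htm extension, a run of spaces, and the real .exe
    extension; the payload is just the 'MZ' magic plus filler text.
    """
    payload = b"MZ" + b"\x00" * 62 + b"constructed stand-in, not real malware\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Yahoo-Password-Update.htm" + " " * 80 + ".exe", payload)
        zf.writestr("readme.txt", b"harmless text file\n")
    return buf.getvalue()


def real_extension(name: str) -> str:
    """Return the extension Windows honours: the text after the last dot once
    all whitespace padding is collapsed, lower-cased; '' if there is no dot."""
    collapsed = re.sub(r"\s+", "", name)
    dot = collapsed.rfind(".")
    return collapsed[dot:].lower() if dot != -1 else ""


def analyse_attachment(zip_bytes: bytes) -> list:
    """Inspect every member of a ZIP attachment and report why it looks suspicious.

    Each finding carries the raw member name, the real extension, the MD5 of
    the member's contents (for matching against known-bad hashes) and the list
    of reasons it was flagged; an empty reason list means nothing was found.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            data = zf.read(info)
            ext = real_extension(name)
            reasons = []
            # Three or more spaces immediately before a dot: the padding trick.
            if re.search(r"\s{3,}\.", name):
                reasons.append("space-padded extension")
            # A visible decoy extension in front of a real executable one.
            if name.count(".") >= 2 and ext in EXECUTABLE_EXTENSIONS:
                reasons.append("double extension hiding executable")
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append("executable extension " + ext)
            # DOS/PE executables start with the 'MZ' magic.
            if data[:2] == b"MZ":
                reasons.append("PE/MZ header")
            findings.append({
                "name": name,
                "real_extension": ext,
                "md5": hashlib.md5(data).hexdigest(),
                "suspicious": bool(reasons),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in analyse_attachment(build_sample_zip()):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['md5']} {f['real_extension']:5} {f['name']!r} {f['reasons']}")
```

Run against a real attachment by passing the bytes of the ZIP to `analyse_attachment`; the MD5 column is what you would compare against the hash quoted above. Note that the whitespace collapse also covers tabs and other separators, so a variant that pads with something other than plain spaces is still caught.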
So what, you ask? Well, the first of these landed in my mailbox this morning. Tonight, more than 12 hours after I first saw it, as you can see from the screen grab above, Yahoo’s anti-virus system is still not catching this threat.
I tried to report it this morning, but had every email message bounced as unacceptable. The first bounced because I forwarded the offending message to them so they could pass it on to the anti-virus people; the next attempt, without the attachment, bounced too, and I don’t understand why (no reason was provided). This afternoon I tried the web form and got an auto-response (case KMM38976014V69174L0KM), but apparently they are still not blocking this attachment.