Phishy Snail Mail
Saturday I got a letter that I thought I'd share. It's really interesting to me, since I've dealt a lot with phishing emails, and this real letter does many of the things that both phishers, and unfortunately legitimate companies, do. If companies would stop doing these things, phishing would get harder! This is gonna be a long post, please bear with me. Without further ado, I give you: The Car Registration Scam (which later turned out to be legit).
It's important to know my car is registered in Indiana, so this is not entirely random. If this was for, say, Kentucky, I'd obviously throw it out. However, you'll see that this letter could be changed for other states as wanted. The Indiana BMV website is here, for your reference.
First Impressions
First off, let's look at the envelope it came in. You'll notice a few things:

The postage:
- It's presorted; there's no postage stamp or postmark.
- That it came from 46206 (Indianapolis), assuming that zip code in the upper right is correct.
Through the top window we see: 
- That it uses an Indiana BMV letterhead that includes a zip code different from where the letter was mailed.
- There is a very poor seal on the letterhead; it's low quality on the original as well.
- All of the information (including the seal) on the letterhead comes from the BMV homepage. Not just on the web... but on their front page, real easy to get at.
In the second window we see some more information: 
- My name and address (blacked out here, please don't subvert the censoring, I was lazy, and yeah, it's bypassable), just as on any of the junk mail I get each week.
- Some nice tracking/payment information. Not knowing too much about the mail system, I'd guess that's how they know where to route the letter and who to bill for it.
- Random barcodes that one assumes go along with the name and address.
Already some things to think about. No postmark means we have to assume that zip in the upper right is correct and it isn't some fool in Nevada mailing these out. The fact that there's no stamp means these were probably sent legitimately, or that the mailer had access to the mail system. There is nothing on this envelope that even remotely suggests it came from who it supposedly came from.
The Information
Upon opening the envelope and seeing the letter, my suspicions grew deeper.
- Dear Valued Customer.... uh oh... they "know" my name, yet don't put it in here? Yeah, studies have shown that users don't care how they're addressed, but I'd like to see this clearly directed at me.
- Recently modernized its databases.... geek speak that any user will accept, and comply with. Who wouldn't? It's making the BMV a better place to be! Oh, but what if they didn't?
- To ensure we can complete... holy crap, a threat! If I don't send this in I can't register my car by mail! Yes, phishers usually use veiled threats to prompt users into making a fast decision. It should be noted that the date they give (the 31st of January) was impossible, as I received the letter on the 2nd of February. This would instill fear in the reader, and make them jump to send it in immediately.
- Customer Service Number... yes, it turns out if I look on their website this is a number listed to them, but not being near Indianapolis or from around there, I don't know those area codes. I assume this number was fake at first. Real customers want 1-800 numbers.
- Sincerely.... Note, there's no name here, just the Bureau as a whole. That bugs me, as I can't call up and say "X person sent me Y letter."
- The expiration date... is wrong. Unless my hard copy documentation is wrong, this date is actually three days after my real expiration. Very interesting.
Also, there's some nice fancy numbers on there. I'd like to point out they ask for payment twice, and in both places it's bold. Sure, they've got my correct information on there, but these values can be guessed!
- Make: If you see my car, you can read the make.
- Color: Same for color
- Township: Indiana uses the first two digits of each license plate to denote the county, so I can just pick the biggest township in that county as a safe bet. Better, you already KNOW MY ADDRESS. Just figure out the township from the full zip code.
- VIN: Ok, this one is harder to get, but I don't know my VIN offhand, and chances are good that I won't run out in the freezing weather to check each digit if the rest of this looks fine to me. Why should I? It's the BMV, and they already know it! I linked to the VIN page though to show that one can guess a fair bit of the VIN and hope the victim stops checking after the first 5-10 digits.
- Money: Some nice figures on here, totaling $85.75... but where do they come from? If you got a bill for $85 from someone claiming to be your electric company, would you pay it?
It should be noted here that the only field of the registration NOT present on this letter is the social security number. Quite interesting, I think. Mainly because most people know their social right off the bat, and you'd have to get it absolutely correct for any credibility. Makes sense to me that crooks would leave it off, and good guys would put it on.

The back of the letter is where you actually fill in your credit card information. Also another warning of "you'll have to pay more money" if you don't send it in before the time limit. And that you're a criminal if you don't do this. Geez, it's like card swiping, but the slow version! That phone number's on the back again, as well as a form identification number. That's funny, I googled for a few minutes and that form number didn't show up. I checked the BMV website, it didn't show up... Approved by the State Board of Accounts, sure, but how do I verify that without calling them up?
The Analysis
Where to begin...
- There's some nice discrepancies in here. Three different zip codes used. Form numbers that are fake. Phone numbers that appear fake.
- How could the real DMV get my expiration date wrong? (I actually found why this would be thought of as my renewal date, doesn't change the fact that my registration says otherwise).
- This letter uses many of the techniques a phisher uses, and we're trying to train people to be wary of those techniques, so why should I assume this is legitimate?
- Any letterhead that low quality does not seem to be from the real company. I'm willing to bet that graphic was downloaded (in color) from the website, and just turned greyscale.
- All information regarding the BMV on here can be found on their website. On the front page, in fact.
- In addition I could *not* find much regarding mailings for renewals, besides a passing reference. They hype up their online system much more than this mailing.
Overall this letter, to a security researcher, looks completely fake. Sure, they got my VIN, but that's one piece of information. When dealing with my real identity, the burden of proof is on you to convince me I should give you information, not on me to prove that you're fake.
The Conclusion
Well, I found out today when I drove to the closest BMV to me that these are legit. Indiana decided to outsource their mailings, and this company that's doing them just has no clue what they're doing.
But who cares? Well, for one, if a company can do this with Indiana's approval, what's to stop them from doing it without? They've already got the means, and it'd yield at least $85 per person that mails it in. You have the usual problems of laundering the money, so you'd probably want to only accept checks, as a credit card takes 60 days to clear. Due to the fact that until a very short number of years ago many driver's license databases were open to the world, it would not be hard to grab a bunch of records, and assume anyone over 25 is at the same address. If they're not, it's no real cost to the attacker.
Grabbing vehicle information seems to be the hardest, but I'm willing to bet someone can social engineer that information from a DMV or police station quite easily. I'm really tempted to see if I can put together this letter for a random person, just to prove it's possible. Of course, if that's illegal I'm going on record as saying I would never think of doing it.
I guess what I'm trying to say, in a roundabout way, is this. Indiana is making its BMV customers used to getting mail from random third parties with no advance warning, and having them conduct what should be secure transactions via open mail.
The Solution
In order to fix this, the BMV (and any companies that outsource their mail) should do the following. Look at snail mail like email.
- If you wouldn't send mail from a domain other than your root domain, why are you sending mail from an address other than your company HQ? If you wouldn't have a random domain in the reply-to field, why are you having me ship my mail to a different TOWN than your HQ is in? I want to see consistency.
- Why even have people pay this way at all? You wouldn't give a link for people to click on in email, you'd say "Go to our website, then do X". Ok, why not say "Hey, it's time to renew your plates, please go to your local BMV."
- If you say something in your email, you'll want it to be true, as users can just google the datum in question. Likewise, make sure everything in your mailing is correct, or verifiable. Now, sure this MAY be legitimate form 46741, but I have no easy way of verifying that. Which to me says "fake".
- Make sure everything looks legitimate. You have a TLD so your customers know it's you, right? You wouldn't want to tell people to go to chase.freehosting.com; it'd just look bad, not to mention fake. So when I see a phone number, I expect it to be a toll-free number, since those seem more legitimate.
The Fine Print
Yes, it did turn out this was a legitimate mailing. Ok, rather, it turned out that the BMV does contract out their mailing, so there's a chance this is legitimate mail. I have not, nor do I plan to, scam anyone out of money or credentials using a scam based off the details above. I have a tendency to be paranoid, so perhaps I read too much into the above; let me know what you think.
February 7th, 2007 at 8:01 pm
I tried calling the BMV one year with a question, and was surprised: they don’t have an 800 number for the main offices in Indianapolis. They also keep government hours, so you can’t call after dinner.