I complained to Lufthansa. Then the phishing started.

How IT security now impacts every transaction in our lives, especially with GDPR.

I went to Italy a month ago and had a truly appalling flight experience with Lufthansa. Normally, I would probably have done nothing, but my wife flew Lufthansa on business a month before, and also had a terrible experience. So I figured it was time for a good ol’ complaint missive from me to the airline, in the modern-day David and Goliath battle we all fight and lose regularly.

Lufthansa, for what it’s worth, has a lousy website that stands as a monument to early 2000s web technology. It doesn’t work well on mobile, you can’t use forward and back buttons, and it loses state easily, thus achieving the holy trifecta of mediocre user experience that make most complainers want to give up. Instead of just making a simple feedback form like you’d find at companies like Amazon, it’s a good lunch-hour’s worth of hassle figuring out how to get a message to these people.

In fact, it’s the only company I’ve ever seen that requires you to provide your “Bank Account Information” just to send a message:

Naturally, I filled out this form with fake bank account information and sent the rest of my detailed complaint… and heard nothing back. Next, I researched how to complain to Lufthansa and from a travel forum somebody had found an email address that can get their attention, so I sent a shorter version of the same complaint to that email from my Gmail account.

Ironically, my central complaint about their service was the complete lack of communication when they cancel flights. I really emphasized poor communication as a problem so they sent me this email response 24 hours later:

I then took 3 months of night study in German classes to figure out how sorry they were. Or maybe I just used Google Translate, I don’t remember, but it turned out I would be hearing back soon. And then the fun started.

“We want to refund 800 Euros.”

About two weeks later, I received a phone call from a man at Lufthansa. He responded in detail to the items in my complaint, apologized profusely, and said the company wanted to refund 800 Euros, about a third of the cost of the flight. All he would need is my bank account information, which he noted had not been provided on the feedback form.

Hold. The. Phone.

Literally. I held the phone away from my face to check the caller ID and quickly tapped it in my Google desktop search — it was a German phone number, nondescript origin. He had an accent. But I have an accent too. I couldn’t tell if it was German or something else.

I asked why he needed the bank account. “It’s the only way we can provide discretionary refunds but you’re protected by German banking laws when we store your bank account data.”

I asked a few more questions and he seemed well prepared for them. But let’s be frank here — there’s no freaking way I’m ever giving you my bank account details. Ever.

The first clue that this wasn’t normal.

This isn’t the first time I’ve been phished and surely won’t be the last. Phishers have moved from the bulk email businesses into bulk phone spamming and thanks to spoofed phone numbers and cheaper voice-over-IP, it’s easier to con many people into releasing personal information over the phone.

Probably the first clue here was an airline wanting to refund something. I use a website called Service which offers to automate complaining to airlines when flights are delayed or canceled, supposedly to shake refunds out of them. After a truly special year of many delayed flights, I ain’t seen a penny or kind word out of any of them:

Airlines don’t care. They don’t. And if any of them want to give you a cash refund for something (and they didn’t beat you up first), something is seriously wrong. I can just about get $5 from Comcast if I ratchet up my complaint engine on a day when I’m really cranky, but the chances of getting a free drink coupon out of an airline is slimmer than me learning any German by a long way.

How Lufthansa helped the scammers.

Whether the scammers are sniffing email traffic to their complaints mailbox or somehow accessing the contents of a ‘secure form’ after it’s stored in their systems, who knows. Possibly both given the contents of my chat with Mr Phisher. But whatever security issues exist in that can of worms, there are bigger issues that Lufthansa should fix and any company can learn from.

The biggest of all is: don’t ask for sensitive information in a public web form. Just don’t. First, you set the expectation that it’s okay to broadcast order IDs, customer IDs or even credit card numbers, and guess who your customer will blame if these get compromised? Second, and more importantly, you provide ammunition for arming Mr Phisher in his social engineering efforts.

This is important to understand since so few people do. If a stranger called you randomly and asked for your work computer password, you would never fall for it. But if the stranger said, “This is Tom from IT, we’re having an issue with the Mercury printer server and doing a full reset while the building work is happening this weekend, can you give me your password so we can log you back in for Monday?” What now? You might know there is a Tom in IT, the printer server is called Mercury and building work is scheduled — this seems legitimate. Well, this is how social engineering works and it’s the most pervasive tool in the phisher’s vast array of options. So no, don’t give Tom the password.

Lufthansa’s process also makes it unclear what steps the company will take after you submit feedback — should I expect an email, a call, or a secure communication through a logged-in portal? By leaving this open, customers are more likely to accept any type of response and not be suspicious. Credit card companies are generally very good examples here — they set these expectations and usually will only respond through a secured mailbox in a private portal.

Do your customers know your authentication process? Whether you call a bank or a rental car company, all will verify your identity for both inbound and outbound calls. Luftansa’s process doesn’t clearly set what the customer should expect, allowing Mr Phisher to do a ‘fake screening’ with the limited information gleaned from social engineering, making the inbound call appear legitimate.

Finally, companies should provide open ways for customers to provide feedback so they won’t receive random emails with private information. Email is not secure. Despite padlocks in the browser window, you should assume anything you send is readable by anyone. Do your customers know that? If you frequently expect feedback (read: complaints) in your industry (and for airlines, this is going to be frequent), you should implement a clear, secure form for your customers that’s easy to find and submit.

Radio silence from the airline.

Well being the good technology Samaritan, I emailed Lufthansa with the phishing information long before writing this article. I received nothing, not even a polite German ‘go away’ response. I wonder how things might have turned out if I had provided bank account details, got scammed and then pressed for remediation.

A looming issue here is the impact of the new GDPR regulations. If Lufthansa had a leaky mailbox or online form, this is potentially a violation which could cost 2% of their annual worldwide revenue. While I doubt the EU would ever levy this fine, it remains that companies must all be much more careful about phishing scams which have gone from a minor nuisance to potentially an existential legal event.

The takeaways for the IT business are very clear — we must all double-down on efforts to educate end-users, build processes that support good security practices, and set expectations for communications with customers to shut down scams and bad actors.