A number of Cahoot customers were left mildly confused this week when they received an email from the bank asking them to confirm their, er, email address. The missive invited customers to "log in to your personal homepage at cahoot.com and select 'change my details' to check your information is correct". Apart from the obvious …
"Cahoot has robust security measures which it constantly reviews to ensure customers remain protected at all times"
Shame about the plebs administering them....
Weakest elements in the security chain are those flesh organic parts.
...Fecking knob-jockey muppets. That is all.
Yes, but even the fleshy organic parts are significantly stronger links
than the marketing and PR links.
Financial Services companies are contributing to phishing dangers
My credit card provider sends emails to my email address with a button embedded in the email inviting me to log in. It is genuine, but could equally well be a phishing attack (for which clicking the button would take the user to a malicious web site), and most recipients would not be able to tell the difference.
The sad fact is that competition has become a pretext on which the marketing arms of financial services organisations seem increasingly prepared to put their CUSTOMERs in danger in order to further their own interests.
Another phishing scam you may have come across...
If you've come across "verified by visa", you may have noticed that it looks just like a phishing scam. It redirects to a third party domain, asking for various card and personal details.
So the banks are giving out the wonderful message of, "beware of phishing, unless it's our phishing..."
HSBC are no better
Sent them a message using their website a couple of weeks ago. They replied via email asking that we send them account number & sort-code amongst other things _via email_.
Genuine email from them, not some phisher with good timing. When I pointed out that email isn't a suitable medium for sending that kind of data, they decided to side step the issue by saying "well we need that info to link your complaint to your account".
The best bit though? In the letter they eventually sent, they responded to my complaint that having to use their Securecode just to check my balance was a hassle by saying
"HSBC has opted to require securecode for all log-ins, as even account balances can provide identity thieves with valuable data, including sort-code and account details"
Whilst in the same letter trying to disregard my concerns about these same details being requested via email!
And of course the fact that VbV is completely pointless. It never remembers my password correctly so I always have to use the reset feature, which asks for details that any good crook would already have or could guess at (given they'd already have my card details).
Victimised by Visa
I would have thought it was obvious that Verified by Visa is not there for security reasons, it's there for liability reasons.
So you can agree that if your card is used fraudulently you have no claim because "Gee, it must have been you because you confirmed your details with VbV..." or some other bollox like that.
Not that, that would stand up in court under consumer law, but it does give the banks an extra layer of bureaucracy-firewall for you to punch through before you can assert your rights.
Many organisations use the complaints process as a line of defense and will keep pummelling the complainer with more procedure, obfuscation and stonewalling - until only the most doggedly persistent are left standing and get their legitimate compensation, or revert to the legal process.
I had this for a while - eventually discovered that VbV does not check your password meets the rules as you set it - and the password length is surprisingly short....
Can't believe that..
"They" (most banks) always say we will never ask you for bank details/personal stuff and you shouldn't send those details. So I wholeheartedly agree with Mr. B Tasker - good job I didn't call you Ben (whoops). Probably not your name anyway. Can you please reply with your bank details so I can (probably) put in a small contribution ;-)
VbV is completely useless as if you don't know the password all you need to reset it is to enter the card number, expiry date and 3 digit security number on the back of the card.
But it's Santander? Surely this doesn't surprise anyone? They are formerly the most complained about bank in the UK (apparently they have now been overtaken by Barclays).
I've had the odd email like that occasionally, bounced through to my gmail account from an old dedicated ISP email or an old work email. Gives me the opportunity to change it to a current one, so not so stupid after all.
Good story, but an El Reg FAIL for not thinking...
They are not alone
I had exactly the same email,but for a credit card linked to a well known on-line book store only last week.
I dont know; one day they are telling us not to click links in emails, but to log in normally, the next they send us emails telling us TO CLICK ON THE LINK!!!
Is it an experiment to see how many people still click on the links???
Re: They are not alone
> they send us emails telling us TO CLICK ON THE LINK!!!
I always set mail subscriptions to plain text. I generally dislike HTML mails, unless there is very good reason for them.
So I get mails from certain organisations - I'm looking at you, confused.com - giving me a bunch of links without any actual links. Yes, they do include the "unsubscribe" option in that :-(
I especially like the ones who send their emails with no plain-text at all, so I see a blank email.
"Cahoot, like all other banks, would never send a customer an email asking them to enter, reconfirm or change their security details such as account numbers"
Is account number a security detail?
Since when has anyone ever asked, needed or been able to change account numbers?
If I've read the article correctly, Cahoot *did* send a customer an email asking them to reconfirm their security details. So, erm, their statement is an instant lie.
Let me know if you don't get this email.
Real world example
Where I used to work they would test the PA system by broadcasting a test message to all buildings and asking people to report if any speakers weren't working. They didn't even schedule a set time or day for this, it was random. I was so tempted to just keep phoning the office every five minutes asking, "Are you testing the PA? I can't hear anything."
I hate the way banks do this
Release a statement saying "you may think that what we did was stupid and unnecessary, but actually what we did was protect the world from the threat of the evil scum of the universe, so actually that makes us the good guys and makes you the illiterate and pleb-like."
Mind you, releasing a statement saying "yeah, pretty stupid wasn't it. Give a job to an apprentice and you see what you get. I told the boss that it wasn't a great idea, but he overruled us all, so there you go" is probably not going to be great either.
The correct response would be:
"Yeah. Dumb. We'e told the useless twat that if he does it he will be out. Keep an eye on him, and let us know, will you?"
I note that since opening my Santander business account and moving to the new online banking control panel from the old A&L one, the security is quite different, moving from one of mutual trust (we'll prove we're who we say we are, then you do the same) to one where I have to believe them to be who they say they are without a shred of proof, and submit customer ID, password and PIN in full. Progress? At least it's "so far so good" with the new account itself...
Also, my wife received a series of spam phone calls on her mobile which turned out to be Santander. They would refuse to divulge the purpose of the calls until she had confirmed her postcode etc, but they were just trying to flog home insurance. The only reason they had my wife's number at all was because she had submitted it for on-line funds transfer verification - the new in-thing after those funky keypad things you never remember to keep with you.
The idiots at the top of the banking ladder get millions in bonuses for coming up with these infantile ideas!
Surely nobody suspects Santander
...to be in cahoots with some phishers!
Isn't that what the banking home page is for?
or whatever you call the page you get to after logging in?
Surely better to remind people when they log in, as my bank repeatedly does (we haven't got a mobile number for you...).
Nothing but an amateur shower......
Cahoot / Santander are the biggest shower I'ver ever met - I wouldnt trust them with my kids pocket money.
After a week of telephone calls to resolve an issue of unauthorised direct debits they ask for details to be sent via email, then reply to the email (addressed to the wrong name) saying they cannot deal with it by email because email is insecure...... please call us. The person they asked to call in the email does not exist and staff refuse to give anything but a first name and NEVER call back when they say they will.
The only reason they are not the most complained about bank is after 6 or 7 phone calls to the complaints department no complaint had been logged...... One email to the CEO later and magically things get sorted, and a complaint is opened - after spending nearly £50 on phone calls from a mobile. Avoid these amateurs and use a real bank - if such a thing exists these days!
anonymous as I'm supposed to be working :-)
So what's wrong with that?
Only way to check if a syntactically correct email is valid is to send a probe message and see the response.
While you do that, you might as well say something, even if "is this you?" :)
The phishing epidemic has destroyed email's usefulness as a bank communication method.
As useful as email is, perhaps no bank should send emails to their customers for any reason, so that anyone receiving any mail from any bank is phish by default.
If a bank really wants to use email, then it must be fully protected by restricted SPF (-all not ~all) and DKIM with the proper ADSP policy. If recipients enforce checking, then the phish doesn't stand a chance.
A scary number of banks are still in the 18th Century and don't use spf or dkim, so they should be liable for the consequences.
In addition, from the get go, MS Outlook should have displayed the original ip address, resolved version and country of origin so even an idiot can tell that a well constructed phish if sent from Vietnam is obviously fake at a glance.
So what's wrong with that?
Andrew says "Only way to check if a syntactically correct email is valid is to send a probe message and see the response.
While you do that, you might as well say something, even if "is this you?" :)"
Legally the "is this you?" is fun but no barrier to a dishonest person :)
A probe is only useful in a tiny timeslot when a 'signed in' recipient is requesting the email & expected to be sitting waiting to answer the probe email. AND THE RECIPIENT & SENDER know what immediate remedial action to take if the probe does not arrive or get replied within the few minutes delivery slot!
This is an Internet age where email addresses can be REPURPOSED without warning.
Any phisher, idiot, young child, granny, hacker or autoreply could freely validate the email and could be given the keys to the kingdom. Eg password reset, change email setting etc
Lots of "folks & celebs" have had their "domains" hijacked inc associated email when phishers contact various no clue, ISP's, Registrars, Social Networking sites with Googled maiden name...etc
Every place has one
At the start of work day, our work server went down and the IT help desk told everyone who rang to stop ringing up and they would let us know when the service was restored.Que a really early, long lunch and an afternoon of even more outrageous office games (desk aircraft carrier anyone?) before going home early.
Apparently service had been resumed within an hour of going down and they had informed everyone immediately by sending out an email. The email had included the instructions that to resume receiving email we had to restart our PCs.
"The bank added that it would have contacted those customers whose email bounced back through some other means."
i set up my own mail server that doesn't bounce ANY mail.
if its addressed to a known address then it is processed properly (including blacklist filtering and such), however if it is addressed to an unknown address then the mail is sent complete with headers directly to spamcop and phishtank.
It may come as a shock to you to know that there are some people who do not set up their own mail servers - perhaps even a significant-enough percentage that being aware of bounces could help.
Also, some people don't use Linux.
I'll go now; I understand that you may need some quiet time to digest this information.
What's this Linux that people keep talking about. I thought it was some sort of medical condition. (Kidding really - I used to have a Red Hat) Mind you, at least it will get the Microsofties annoyed.
On a side note, I do think that "Linux" is a great Viking warrior name, whereas Microsoft is (obiously) a small softy thing/person.
re. Security Detail
The account number is not a security detail. You give it to anyone to whom you give a cheque or direct debit mandate or standing order form, or whom you ask to send you an on-line payment.
Someone doesnt understand sarcasm........
Banks & Security & Email
Anonymous because I earn my living doing IT in the financial sector.
I've pointed out, & demonstrated just how insecure, sending HTML emails and so requiring HTML mode to be switched on, and the idiocy of the instruction of 'Add me to Your Trusted List', makes their clients, but it's nearly always been fingers in ears time, or 'We have to do that for Branding' (tm).
Unfortunately, some of the worst culprits are my fellow 'IT' workers.
Why would I want my bank to e-mail me anyway?
E-mail is too slow to be any use in an emergency (such as when they suspect my account's security has been breached), and too insecure to be trusted with sensitive information (like how much money I've got or to whom I'm paying it). I can't see any valid reason for a bank to even record its customers' e-mail addresses, much less use them.
I have to say anyone using Santander is at risk in all aspects of their lives. I HAD THE DISPLEASURE OF HAVING DONE BUSINESS WITH THEM & THEY ARE DEFINATELY NOT TO BE RECOMMENDED! That they have done something so stupid just confirms what I have written.
Stay away from them.
- Apple stuns world with rare SEVEN-way split: What does that mean?
- Special report Reg probe bombshell: How we HACKED mobile voicemail without a PIN
- RIP net neutrality? FCC boss mulls 'two-speed internet'
- Sony Xperia Z2: 4K vid, great audio, waterproof ... Oh, and you can make a phone call
- Pic Tooled-up Ryobi girl takes nine-inch grinder to Asus beach babe