Bank emails punters asking for their, er, email address

A number of Cahoot customers were left mildly confused this week when they received an email from the bank asking them to confirm their, er, email address. The missive invited customers to "log in to your personal homepage at cahoot.com and select 'change my details' to check your information is correct". Apart from the …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Facepalm

    Heeeheeee

    "Cahoot has robust security measures which it constantly reviews to ensure customers remain protected at all times"

    Shame about the plebs administering them....

    1. CD001

      Weakest elements in the security chain are those flesh organic parts.

      1. Tom 13
        Coat

        Yes, but even the fleshy organic parts are significantly stronger links than the marketing and PR links.

    2. Blitterbug
      Meh

      Muppets

      ...Fecking knob-jockey muppets. That is all.

  2. AnoniMouse
    Stop

    Financial Services companies are contributing to phishing dangers

    My credit card provider sends emails to my email address with a button embedded in the email inviting me to log in. It is genuine, but could equally well be a phishing attack (for which clicking the button would take the user to a malicious web site), and most recipients would not be able to tell the difference.

    The sad fact is that competition has become a pretext on which the marketing arms of financial services organisations seem increasingly prepared to put their CUSTOMERs in danger in order to further their own interests.

    1. Anonymous Coward
      Anonymous Coward

      Another phishing scam you may have come across...

      If you've come across "verified by visa", you may have noticed that it looks just like a phishing scam. It redirects to a third party domain, asking for various card and personal details.

      So the banks are giving out the wonderful message of, "beware of phishing, unless it's our phishing..."

      1. Ben Tasker

        @AC

        And of course the fact that VbV is completely pointless. It never remembers my password correctly so I always have to use the reset feature, which asks for details that any good crook would already have or could guess at (given they'd already have my card details).

        1. Anonymous Coward
          Anonymous Coward

          Victimised by Visa

          I would have thought it was obvious that Verified by Visa is not there for security reasons, it's there for liability reasons.

          So you can agree that if your card is used fraudulently you have no claim because "Gee, it must have been you because you confirmed your details with VbV..." or some other bollox like that.

          Not that, that would stand up in court under consumer law, but it does give the banks an extra layer of bureaucracy-firewall for you to punch through before you can assert your rights.

          Many organisations use the complaints process as a line of defense and will keep pummelling the complainer with more procedure, obfuscation and stonewalling - until only the most doggedly persistent are left standing and get their legitimate compensation, or revert to the legal process.

        2. pfw
          Facepalm

          VbV

          I had this for a while - eventually discovered that VbV does not check your password meets the rules as you set it - and the password length is surprisingly short....

          1. Anonymous Coward
            Anonymous Coward

            VbV

            VbV is completely useless as if you don't know the password all you need to reset it is to enter the card number, expiry date and 3 digit security number on the back of the card.

    2. Ben Tasker

      HSBC are no better

      Sent them a message using their website a couple of weeks ago. They replied via email asking that we send them account number & sort-code amongst other things _via email_.

      Genuine email from them, not some phisher with good timing. When I pointed out that email isn't a suitable medium for sending that kind of data, they decided to side step the issue by saying "well we need that info to link your complaint to your account".

      The best bit though? In the letter they eventually sent, they responded to my complaint that having to use their Securecode just to check my balance was a hassle by saying

      "HSBC has opted to require securecode for all log-ins, as even account balances can provide identity thieves with valuable data, including sort-code and account details"

      Whilst in the same letter trying to disregard my concerns about these same details being requested via email!

      Plebs

      1. sheep++;
        Thumb Up

        Can't believe that..

        "They" (most banks) always say we will never ask you for bank details/personal stuff and you shouldn't send those details. So I wholeheartedly agree with Mr. B Tasker - good job I didn't call you Ben (whoops). Probably not your name anyway. Can you please reply with your bank details so I can (probably) put in a small contribution ;-)

  3. Lloyd
    Devil

    Um

    But it's Santander? Surely this doesn't surprise anyone? They are formerly the most complained about bank in the UK (apparently they have now been overtaken by Barclays).

  4. madferret
    FAIL

    Lateral thinking

    I've had the odd email like that occasionally, bounced through to my gmail account from an old dedicated ISP email or an old work email. Gives me the opportunity to change it to a current one, so not so stupid after all.

    Good story, but an El Reg FAIL for not thinking...

  5. Anonymous Coward
    WTF?

    They are not alone

    I had exactly the same email, but for a credit card linked to a well known on-line book store only last week.

    I don't know; one day they are telling us not to click links in emails, but to log in normally, the next they send us emails telling us TO CLICK ON THE LINK!!!

    Is it an experiment to see how many people still click on the links???

    1. Vic

      Re: They are not alone

      > they send us emails telling us TO CLICK ON THE LINK!!!

      That's nothing.

      I always set mail subscriptions to plain text. I generally dislike HTML mails, unless there is very good reason for them.

      So I get mails from certain organisations - I'm looking at you, confused.com - giving me a bunch of links without any actual links. Yes, they do include the "unsubscribe" option in that :-(

      Vic.

      1. Anonymous Coward
        Anonymous Coward

        @Vic

        I especially like the ones who send their emails with no plain-text at all, so I see a blank email.

  6. AaronG
    WTF?

    Security Detail

    "Cahoot, like all other banks, would never send a customer an email asking them to enter, reconfirm or change their security details such as account numbers"

    Is account number a security detail?

    Since when has anyone ever asked, needed or been able to change account numbers?

    1. Ken Hagan Gold badge

      Furthermore...

      If I've read the article correctly, Cahoot *did* send a customer an email asking them to reconfirm their security details. So, erm, their statement is an instant lie.

  7. TheOtherJola
    WTF?

    I hate the way banks do this

    Release a statement saying "you may think that what we did was stupid and unnecessary, but actually what we did was protect the world from the threat of the evil scum of the universe, so actually that makes us the good guys and makes you the illiterate and pleb-like."

    Mind you, releasing a statement saying "yeah, pretty stupid wasn't it. Give a job to an apprentice and you see what you get. I told the boss that it wasn't a great idea, but he overruled us all, so there you go" is probably not going to be great either.

    1. Robert E A Harvey

      The correct response would be:

      "Yeah. Dumb. We've told the useless twat that if he does it he will be out. Keep an eye on him, and let us know, will you?"

  8. Proud Father
    FAIL

    Hi there,

    Let me know if you don't get this email.

    Thanks.

    1. The Infamous Grouse
      WTF?

      Real world example

      Where I used to work they would test the PA system by broadcasting a test message to all buildings and asking people to report if any speakers weren't working. They didn't even schedule a set time or day for this, it was random. I was so tempted to just keep phoning the office every five minutes asking, "Are you testing the PA? I can't hear anything."

  9. Anonymous Coward
    Anonymous Coward

    Santander shenanigans

    I note that since opening my Santander business account and moving to the new online banking control panel from the old A&L one, the security is quite different, moving from one of mutual trust (we'll prove we're who we say we are, then you do the same) to one where I have to believe them to be who they say they are without a shred of proof, and submit customer ID, password and PIN in full. Progress? At least it's "so far so good" with the new account itself...

    Also, my wife received a series of spam phone calls on her mobile which turned out to be Santander. They would refuse to divulge the purpose of the calls until she had confirmed her postcode etc, but they were just trying to flog home insurance. The only reason they had my wife's number at all was because she had submitted it for on-line funds transfer verification - the new in-thing after those funky keypad things you never remember to keep with you.

  10. Alan B

    How stupid

    The idiots at the top of the banking ladder get millions in bonuses for coming up with these infantile ideas!

  11. CT

    Isn't that what the banking home page is for?

    or whatever you call the page you get to after logging in?

    Surely better to remind people when they log in, as my bank repeatedly does (we haven't got a mobile number for you...).

  12. George Nacht
    Joke

    Surely nobody suspects Santander

    ...to be in cahoots with some phishers!

  13. Anonymous Coward
    Anonymous Coward

    Nothing but an amateur shower......

    Cahoot / Santander are the biggest shower I've ever met - I wouldn't trust them with my kids' pocket money.

    After a week of telephone calls to resolve an issue of unauthorised direct debits they ask for details to be sent via email, then reply to the email (addressed to the wrong name) saying they cannot deal with it by email because email is insecure...... please call us. The person they asked to call in the email does not exist and staff refuse to give anything but a first name and NEVER call back when they say they will.

    The only reason they are not the most complained about bank is after 6 or 7 phone calls to the complaints department no complaint had been logged...... One email to the CEO later and magically things get sorted, and a complaint is opened - after spending nearly £50 on phone calls from a mobile. Avoid these amateurs and use a real bank - if such a thing exists these days!

    anonymous as I'm supposed to be working :-)

  14. Anonymous Coward
    Anonymous Coward

    So what's wrong with that?

    Only way to check if a syntactically correct email is valid is to send a probe message and see the response.

    While you do that, you might as well say something, even if "is this you?" :)

    The phishing epidemic has destroyed email's usefulness as a bank communication method.

    As useful as email is, perhaps no bank should send emails to their customers for any reason, so that anyone receiving any mail from any bank is phish by default.

    If a bank really wants to use email, then it must be fully protected by restricted SPF (-all not ~all) and DKIM with the proper ADSP policy. If recipients enforce checking, then the phish doesn't stand a chance.

    A scary number of banks are still in the 18th Century and don't use spf or dkim, so they should be liable for the consequences.

    In addition, from the get go, MS Outlook should have displayed the original ip address, resolved version and country of origin so even an idiot can tell that a well constructed phish if sent from Vietnam is obviously fake at a glance.
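
What the "-all not ~all" and ADSP points in the comment above check for, as an added example that is not part of the original thread. The domains and TXT records are constructed placeholders, and the function names are made up for this illustration.

```python
# Constructed sample DNS TXT data; placeholder domains, not real bank records.
# "spf" is the TXT record at the domain, "adsp" the one at _adsp._domainkey.<domain>.
SAMPLE = {
    "strict-bank.example": {"spf": "v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all",
                            "adsp": "dkim=discardable"},
    "soft-bank.example": {"spf": "v=spf1 ip4:198.51.100.7 ~all",
                          "adsp": "dkim=unknown"},
    "no-policy.example": {"spf": None, "adsp": None},
}

def spf_all_qualifier(record):
    """Return the qualifier ('+', '-', '~', '?') on the 'all' mechanism, or None."""
    if not record:
        return None
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    for term in terms[1:]:
        t = term.lower()
        # A mechanism with no explicit qualifier defaults to '+' (pass).
        qualifier, mech = (t[0], t[1:]) if t[0] in "+-~?" else ("+", t)
        if mech == "all":
            return qualifier
    return None

def adsp_practice(record):
    """Return the ADSP 'dkim=' value (unknown, all, discardable), or None."""
    if not record:
        return None
    for tag in record.split(";"):
        name, _, value = tag.partition("=")
        if name.strip().lower() == "dkim":
            value = value.strip().lower()
            return value if value in ("unknown", "all", "discardable") else None
    return None

def assess(domain, records=SAMPLE):
    """List the ways a sender domain falls short of '-all' plus a signing policy."""
    entry, findings = records[domain], []
    q = spf_all_qualifier(entry["spf"])
    if q is None:
        findings.append("no SPF 'all' mechanism: no SPF verdict for unlisted senders")
    elif q != "-":
        findings.append(f"SPF ends in '{q}all': unlisted senders are not a hard fail")
    if adsp_practice(entry["adsp"]) not in ("all", "discardable"):
        findings.append("ADSP absent or 'unknown': unsigned mail is not flagged")
    return findings
```

ADSP (RFC 5617) has since been reclassified as Historic, so a check like this is mainly useful for reading older policies.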

    1. This post has been deleted by its author

  15. peter 45
    FAIL

    Every place has one

    At the start of work day, our work server went down and the IT help desk told everyone who rang to stop ringing up and they would let us know when the service was restored. Cue a really early, long lunch and an afternoon of even more outrageous office games (desk aircraft carrier anyone?) before going home early.

    Apparently service had been resumed within an hour of going down and they had informed everyone immediately by sending out an email. The email had included the instructions that to resume receiving email we had to restart our PCs.

  16. G2

    "The bank added that it would have contacted those customers whose email bounced back through some other means."

    I set up my own mail server that doesn't bounce ANY mail.

    If it's addressed to a known address then it is processed properly (including blacklist filtering and such), however if it is addressed to an unknown address then the mail is sent complete with headers directly to spamcop and phishtank.

    1. Anonymous Coward
      Coat

      It may come as a shock to you to know that there are some people who do not set up their own mail servers - perhaps even a significant-enough percentage that being aware of bounces could help.

      Also, some people don't use Linux.

      I'll go now; I understand that you may need some quiet time to digest this information.

      1. sheep++;
        Facepalm

        Linux?

        What's this Linux that people keep talking about. I thought it was some sort of medical condition. (Kidding really - I used to have a Red Hat) Mind you, at least it will get the Microsofties annoyed.

        On a side note, I do think that "Linux" is a great Viking warrior name, whereas Microsoft is (obviously) a small softy thing/person.

  17. Richard Porter
    FAIL

    re. Security Detail

    The account number is not a security detail. You give it to anyone to whom you give a cheque or direct debit mandate or standing order form, or whom you ask to send you an on-line payment.

    1. Anonymous Coward
      FAIL

      I THINK

      Someone doesn't understand sarcasm........

  18. Anonymous Coward
    Anonymous Coward

    Banks & Security & Email

    Anonymous because I earn my living doing IT in the financial sector.

    I've pointed out, & demonstrated just how insecure, sending HTML emails and so requiring HTML mode to be switched on, and the idiocy of the instruction of 'Add me to Your Trusted List', makes their clients, but it's nearly always been fingers in ears time, or 'We have to do that for Branding' (tm).

    Unfortunately, some of the worst culprits are my fellow 'IT' workers.

    Oh well....

  19. veti Silver badge
    Facepalm

    Why would I want my bank to e-mail me anyway?

    E-mail is too slow to be any use in an emergency (such as when they suspect my account's security has been breached), and too insecure to be trusted with sensitive information (like how much money I've got or to whom I'm paying it). I can't see any valid reason for a bank to even record its customers' e-mail addresses, much less use them.

  20. Inselaf
    Thumb Down

    Santander again!!!

    I have to say anyone using Santander is at risk in all aspects of their lives. I HAD THE DISPLEASURE OF HAVING DONE BUSINESS WITH THEM & THEY ARE DEFINITELY NOT TO BE RECOMMENDED! That they have done something so stupid just confirms what I have written.

    Stay away from them.
