"Cahoot has robust security measures which it constantly reviews to ensure customers remain protected at all times"
Shame about the plebs administering them....
A number of Cahoot customers were left mildly confused this week when they received an email from the bank asking them to confirm their, er, email address. The missive invited customers to "log in to your personal homepage at cahoot.com and select 'change my details' to check your information is correct". Apart from the …
My credit card provider sends emails to my email address with a button embedded in the email inviting me to log in. It is genuine, but could equally well be a phishing attack (for which clicking the button would take the user to a malicious web site), and most recipients would not be able to tell the difference.
The sad fact is that competition has become a pretext on which the marketing arms of financial services organisations seem increasingly prepared to put their CUSTOMERs in danger in order to further their own interests.
If you've come across "verified by visa", you may have noticed that it looks just like a phishing scam. It redirects to a third party domain, asking for various card and personal details.
So the banks are giving out the wonderful message of, "beware of phishing, unless it's our phishing..."
I would have thought it was obvious that Verified by Visa is not there for security reasons, it's there for liability reasons.
So you can agree that if your card is used fraudulently you have no claim because "Gee, it must have been you because you confirmed your details with VbV..." or some other bollox like that.
Not that, that would stand up in court under consumer law, but it does give the banks an extra layer of bureaucracy-firewall for you to punch through before you can assert your rights.
Many organisations use the complaints process as a line of defense and will keep pummelling the complainer with more procedure, obfuscation and stonewalling - until only the most doggedly persistent are left standing and get their legitimate compensation, or revert to the legal process.
Sent them a message using their website a couple of weeks ago. They replied via email asking that we send them account number & sort-code amongst other things _via email_.
Genuine email from them, not some phisher with good timing. When I pointed out that email isn't a suitable medium for sending that kind of data, they decided to side step the issue by saying "well we need that info to link your complaint to your account".
The best bit though? In the letter they eventually sent, they responded to my complaint that having to use their Securecode just to check my balance was a hassle by saying
"HSBC has opted to require securecode for all log-ins, as even account balances can provide identity thieves with valuable data, including sort-code and account details"
Whilst in the same letter trying to disregard my concerns about these same details being requested via email!
"They" (most banks) always say we will never ask you for bank details/personal stuff and you shouldn't send those details. So I wholeheartedly agree with Mr. B Tasker - good job I didn't call you Ben (whoops). Probably not your name anyway. Can you please reply with your bank details so I can (probably) put in a small contribution ;-)
I had exactly the same email,but for a credit card linked to a well known on-line book store only last week.
I dont know; one day they are telling us not to click links in emails, but to log in normally, the next they send us emails telling us TO CLICK ON THE LINK!!!
Is it an experiment to see how many people still click on the links???
> they send us emails telling us TO CLICK ON THE LINK!!!
I always set mail subscriptions to plain text. I generally dislike HTML mails, unless there is very good reason for them.
So I get mails from certain organisations - I'm looking at you, confused.com - giving me a bunch of links without any actual links. Yes, they do include the "unsubscribe" option in that :-(
Release a statement saying "you may think that what we did was stupid and unnecessary, but actually what we did was protect the world from the threat of the evil scum of the universe, so actually that makes us the good guys and makes you the illiterate and pleb-like."
Mind you, releasing a statement saying "yeah, pretty stupid wasn't it. Give a job to an apprentice and you see what you get. I told the boss that it wasn't a great idea, but he overruled us all, so there you go" is probably not going to be great either.
Where I used to work they would test the PA system by broadcasting a test message to all buildings and asking people to report if any speakers weren't working. They didn't even schedule a set time or day for this, it was random. I was so tempted to just keep phoning the office every five minutes asking, "Are you testing the PA? I can't hear anything."
I note that since opening my Santander business account and moving to the new online banking control panel from the old A&L one, the security is quite different, moving from one of mutual trust (we'll prove we're who we say we are, then you do the same) to one where I have to believe them to be who they say they are without a shred of proof, and submit customer ID, password and PIN in full. Progress? At least it's "so far so good" with the new account itself...
Also, my wife received a series of spam phone calls on her mobile which turned out to be Santander. They would refuse to divulge the purpose of the calls until she had confirmed her postcode etc, but they were just trying to flog home insurance. The only reason they had my wife's number at all was because she had submitted it for on-line funds transfer verification - the new in-thing after those funky keypad things you never remember to keep with you.
Cahoot / Santander are the biggest shower I'ver ever met - I wouldnt trust them with my kids pocket money.
After a week of telephone calls to resolve an issue of unauthorised direct debits they ask for details to be sent via email, then reply to the email (addressed to the wrong name) saying they cannot deal with it by email because email is insecure...... please call us. The person they asked to call in the email does not exist and staff refuse to give anything but a first name and NEVER call back when they say they will.
The only reason they are not the most complained about bank is after 6 or 7 phone calls to the complaints department no complaint had been logged...... One email to the CEO later and magically things get sorted, and a complaint is opened - after spending nearly £50 on phone calls from a mobile. Avoid these amateurs and use a real bank - if such a thing exists these days!
anonymous as I'm supposed to be working :-)
Only way to check if a syntactically correct email is valid is to send a probe message and see the response.
While you do that, you might as well say something, even if "is this you?" :)
The phishing epidemic has destroyed email's usefulness as a bank communication method.
As useful as email is, perhaps no bank should send emails to their customers for any reason, so that anyone receiving any mail from any bank is phish by default.
If a bank really wants to use email, then it must be fully protected by restricted SPF (-all not ~all) and DKIM with the proper ADSP policy. If recipients enforce checking, then the phish doesn't stand a chance.
A scary number of banks are still in the 18th Century and don't use spf or dkim, so they should be liable for the consequences.
In addition, from the get go, MS Outlook should have displayed the original ip address, resolved version and country of origin so even an idiot can tell that a well constructed phish if sent from Vietnam is obviously fake at a glance.
At the start of work day, our work server went down and the IT help desk told everyone who rang to stop ringing up and they would let us know when the service was restored.Que a really early, long lunch and an afternoon of even more outrageous office games (desk aircraft carrier anyone?) before going home early.
Apparently service had been resumed within an hour of going down and they had informed everyone immediately by sending out an email. The email had included the instructions that to resume receiving email we had to restart our PCs.
"The bank added that it would have contacted those customers whose email bounced back through some other means."
i set up my own mail server that doesn't bounce ANY mail.
if its addressed to a known address then it is processed properly (including blacklist filtering and such), however if it is addressed to an unknown address then the mail is sent complete with headers directly to spamcop and phishtank.
It may come as a shock to you to know that there are some people who do not set up their own mail servers - perhaps even a significant-enough percentage that being aware of bounces could help.
Also, some people don't use Linux.
I'll go now; I understand that you may need some quiet time to digest this information.
What's this Linux that people keep talking about. I thought it was some sort of medical condition. (Kidding really - I used to have a Red Hat) Mind you, at least it will get the Microsofties annoyed.
On a side note, I do think that "Linux" is a great Viking warrior name, whereas Microsoft is (obiously) a small softy thing/person.
Anonymous because I earn my living doing IT in the financial sector.
I've pointed out, & demonstrated just how insecure, sending HTML emails and so requiring HTML mode to be switched on, and the idiocy of the instruction of 'Add me to Your Trusted List', makes their clients, but it's nearly always been fingers in ears time, or 'We have to do that for Branding' (tm).
Unfortunately, some of the worst culprits are my fellow 'IT' workers.
Why would I want my bank to e-mail me anyway?
E-mail is too slow to be any use in an emergency (such as when they suspect my account's security has been breached), and too insecure to be trusted with sensitive information (like how much money I've got or to whom I'm paying it). I can't see any valid reason for a bank to even record its customers' e-mail addresses, much less use them.
Biting the hand that feeds IT © 1998–2019