Why is it that banks are so bloody clueless about Internet security?

Dear Sir/Madam, [Santander Business Banking]

You have failed in most regards to help me to protect my identity with this email.

  • SpamAssassin running on my server gave the message a score of 3.0 and it treats anything that scores more than 2.0 as spam. The reasons are as follows:
    • 3.4 RCVD_ILLEGAL_IP Received: contains illegal IP address
      You have misconfigured your mail server and it is publicly announcing itself with the IP address 127.0.0.1 - i.e. localhost
    • -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
      -0.3 SPF_PASS SPF: sender matches SPF record
      OK, you are using SPF and have been credited for this
    • 1.6 DATE_IN_PAST_03_06 Date: is 3 to 6 hours before Received: date
      This is just a stupid mistake - have all your servers get their time using NTP!
    • 0.0 HTML_IMAGE_RATIO_08 BODY: HTML has a low ratio of text to image area
      You weren't docked any points for this because of my current configuration, but a photo of some random happy-looking people at the top of the message adds nothing.
    • -2.5 BAYES_00 BODY: Bayes spam probability is 0 to 1%
      The fact that I use Bayes analysis has saved you from what would have been a much worse score.
    • 0.0 HTML_MESSAGE BODY: HTML included in message
      This could also have counted against you
    • RDNS_NONE Delivered to internal network by a host with no rDNS
      Make sure that all your servers have reverse DNS and obviously make sure they're not announcing themselves to the world as 127.0.0.1!
  • You have sent it from a silly domain name ("yoursantander.co.uk") which I have no reason to trust and used this same domain in the "View this email here" link within the email body and without even using HTTPS. When I opt to use HTTPS on that link, I discover that the certificate used is for localhost.localdomain. This is shockingly lazy and encourages phishing: if I wanted to, I could register "mysantander.co.uk" which is currently available and start sending emails out purporting to be from you within a couple of hours while looking just as trustworthy as "yoursantander.co.uk" to anyone who doesn't know how to wield the whois command. Use the domain santander.co.uk, which is clearly yours and has a valid SSL certificate - and only that domain.
  • You have used the second part of my postcode as a "security measure" when this information is public knowledge and easily obtainable.
  • If you want your emails to be secure, you should be PGP encrypting them, or at the very least PGP signing them. You most certainly shouldn't be including a padlock symbol at the top of the message when you are sending it across the Internet unencrypted. The padlock symbol represents the use of SSL encryption on the web and the clear expectation is that similar security measures are being taken in an email bearing this symbol.

While I'm on the subject of security, please stop advertising that ridiculous Trusteer Rapport software every time I log into the online banking website. I am not going to install it. If it can insert itself into a web browser and make claims about the security of websites, then so can malicious software. The way to tell if you are on the right site is to verify the SSL certificate and who owns the IP you are connecting to, not rely on whether some dodgy security company's middleware has turned an icon green.

Regards,

--
Denis Walker
Big Red Design

barakta

Re: Why is it that banks are so bloody clueless about Internet security?
« Reply #1 on: 01 June, 2012, 01:10:45 am »
Please tell me you sent this? :)

My friend who is blind installed Rapport and it ate his JAWS screenreader. That was fun uninstalling that lot for him and removing its claws from his system so his screenreader would work again.

Valiant

Re: Why is it that banks are so bloody clueless about Internet security?
« Reply #2 on: 01 June, 2012, 03:00:42 am »
You have the right to remain silent. Anything you say will be misquoted, then used against you.

Support Equilibrium

Why is it that banks are so bloody clueless about Internet security?
« Reply #3 on: 01 June, 2012, 06:25:53 am »
What? A bank with the veneer of caring for its customers, not actually doing that, I'm shocked! :-)

That's great Dez, I also really hope you sent it! 

Jaded

Re: Why is it that banks are so bloody clueless about Internet security?
« Reply #4 on: 01 June, 2012, 06:59:05 am »
Emails purporting to be from Santander represent about 75% of the banking spam that my customers get. You'd think they'd know this and act accordingly to make their own emails stand out.
It is simpler than it looks.


Re: Why is it that banks are so bloody clueless about Internet security?
« Reply #6 on: 01 June, 2012, 09:33:30 am »
excellent stuff.

Marmite slave

barakta

Re: Why is it that banks are so bloody clueless about Internet security?
« Reply #7 on: 01 June, 2012, 01:17:47 pm »
:thumbsup:

Goodo, I look forward to hearing what their response is!

Jacomus

Re: Why is it that banks are so bloody clueless about Internet security?
« Reply #8 on: 01 June, 2012, 02:26:44 pm »
Quote from: barakta
:thumbsup:

Goodo, I look forward to hearing what their response is!

I reckon it'll look something like this...

Quote
Dear Denis,

Thank you for your letter about Santander Business Banking online security. We take your security online seriously and have a number of measures in place to protect you and your business.

Here are some easy steps you can take to keep your financial information safe online:

1) Download our Trustee Rapport software to help keep your financial details safe, it will alert you to the danger of malicious software that wants to steal your bank details, all from within your browser.
2) Make sure your anti-virus program is up to date.
3) Never give your bank details to someone via e-mail. We will never ask you for them.

If you have any questions, need help or want to learn more about keeping your money safe online, phone our premium rate line and talk to one of our call centre representatives.

Regards,
Santander Business Banking Team

;D
"The most difficult thing is the decision to act, the rest is merely tenacity." Amelia Earhart

Kim

Re: Why is it that banks are so bloody clueless about Internet security?
« Reply #9 on: 01 June, 2012, 03:53:18 pm »
Or you'll get a visit from the ossifers because you've been hacking their SSL certificate :)

Cudzoziemiec

Re: Why is it that banks are so bloody clueless about Internet security?
« Reply #10 on: 02 June, 2012, 11:10:23 am »
Quote
While I'm on the subject of security, please stop advertising that ridiculous Trusteer Rapport software every time I log into the online banking website. I am not going to install it. If it can insert itself into a web browser and make claims about the security of websites, then so can malicious software. The way to tell if you are on the right site is to verify the SSL certificate and who owns the IP you are connecting to, not rely on whether some dodgy security company's middleware has turned an icon green.
Doubtless true, but as most people (including me) probably don't know anything about SSL certificates and how to verify them, this Rapport software might perhaps be better than nothing. Having said that, several other banks are pushing it too and I downloaded it a couple of years ago, found that it wanted me to remove my firewall (or something - can't remember exactly) so I deleted it.
Riding a concrete path through the nebulous and chaotic future.

rogerzilla

Re: Why is it that banks are so bloody clueless about Internet security?
« Reply #11 on: 02 June, 2012, 08:12:36 pm »
What's Spanish for "we don't care, nanana"?

Anyway, it's all your fault for dealing with such a shower in the first place.  As one of our non-exec directors observes, Santander is the Ryanair of banking.
Hard work sometimes pays off in the end, but laziness ALWAYS pays off NOW.

Cudzoziemiec

Re: Why is it that banks are so bloody clueless about Internet security?
« Reply #12 on: 02 June, 2012, 09:07:54 pm »
Also - businesses which cover themselves in a bright red colourscheme are the equivalent of the redtop press. There is, I'm told, psychological reasoning behind this in the way we perceive and react to certain shades.
Riding a concrete path through the nebulous and chaotic future.

Kim

Re: Why is it that banks are so bloody clueless about Internet security?
« Reply #13 on: 03 June, 2012, 12:27:45 am »
And their logo looks like a steaming turd (or it did on the Euston Road in the dark through wet glasses one time, and I haven't been able to un-see it).

ian

Re: Why is it that banks are so bloody clueless about Internet security?
« Reply #14 on: 03 June, 2012, 12:52:41 pm »
To be fair, the problem for real people is that email isn't secure. We're conditioned to receiving letters and believing them. They have the company's letterhead etc. Obviously, that wasn't secure either, but it took effort to mess with, so it's a safe bet that if a letter landed on your door mat claiming to be from Company X, it came from Company X. Online that breaks because it's trivial for anyone smarter than a nematode to generate authentic-looking email from whomever (though I'll admit it helps to have fingers). Solutions like PGP signing fail because they're too complicated. Once you are forced to use acronyms like SSL and HTTPS and PGP, you might as well impale yourself on the giant stick of FAIL and make sucky-sucky dying noises as your remaining clue dribbles out and soaks into the ground. Can anyone normal deal with SSL certificates? Sure, click the padlock, navigate a labyrinth of nested dialogues, and then what am I supposed to do? It doesn't help that about the certificates on the net seem to be wrong (my own beloved ISP does the same, I was Pipex, it's now TalkTalk - who's the certificate still for? Tiscali, after their brief dalliance). Should I stop sending email?

Email is HTTP these days and people will put their responses at the top. Other than sullenly insisting on repositioning my cursor at the bottom of messages (thus ensuring that most of the planet think I suffer from premature email despatch, and are thus receiving blank messages), I'm rolling with it. Stupid shit like munging domain names and setting their clocks, welcome to the world of marketing emails. The people who press the SEND button just assume it's set up. If you dealt with our IT people, you'd know why that's a dangerous assumption.

I'm not sure what the solution is, other than like all solutions, it should be at least 50% commonsense, and whatever portion is technological should be friction free.

Santander are shit though. They have our mortgage (since that swallowed up Alliance & Leicester) and never manage anything right. I think it took about eight letters and 72 hours on the phone to get them to reverse the inclusion of our last rearrangement fee from the loan. We clearly stated several times that we wanted to simply pay the fee. Even ticked a box to that effect.

Re: Why is it that banks are so bloody clueless about Internet security?
« Reply #15 on: 03 June, 2012, 01:04:46 pm »
They don't help the situation by doing stuff like sending out genuine emails that ask you to click on a link ... when the other arm is trying to tell you how to avoid getting phished. It's about as brain-dead as phoning you up then asking to "take you through security".

The issue with emails is not that they're easy to fake - anyone with a colour printer or access to a copy shop could run off a convincing letterhead - the difference is being able to send a million copies for nothing. If somehow email was charged per item, even 0.1p, this would stop overnight.
Quote from: tiermat
that's not science, it's semantics.

rogerzilla

Re: Why is it that banks are so bloody clueless about Internet security?
« Reply #16 on: 03 June, 2012, 01:54:34 pm »
Quote from: ian
Email is HTTP these days and people will put their responses at the top. Other than sullenly insisting on repositioning my cursor at the bottom of messages (thus ensuring that most of planet think I suffer from premature email despatch, and are thus receiving blank messages), I'm rolling with it.
To be fair, the top posting thing was Microshaft's arrogance/error in the first place.  Netscape Communicator, Mozilla and Thunderbird have always bottom-posted.  This, of course, leads to an unreadable mess when a person using one e-mail package communicates with someone using the other.
Hard work sometimes pays off in the end, but laziness ALWAYS pays off NOW.

Re: Why is it that banks are so bloody clueless about Internet security?
« Reply #17 on: 07 June, 2012, 08:15:21 pm »
Quote from: Jacomus
I reckon it'll look something like this...

So far, it's absolutely nothing. Them not even being competent enough to bother responding is strangely reassuring somehow.