Not a scam - But the Nz Govt should be ashamed.

Forums › Off topic › Not a scam - But the Nz Govt should be ashamed.

1 | 2 | 3 | 4

gzt

18690 posts

Uber Geek
+1 received by user: 7830

Lifetime subscriber

#943496 30-Nov-2013 20:21

Well he's not arguing against email response tracking. Only the fact it's done through a completely different URL than realme.co.nz - this is not something I have seen from any bank (or paypal but I'm not a regular user of paypal). It is very good general advice many users follow - do not click when the target URL does not match the purported source. Even more so in relation to financial information.

Kyanar

4089 posts

Uber Geek
+1 received by user: 1684

ID Verified

Trusted

#943543 30-Nov-2013 23:11

gzt: Well he's not arguing against email response tracking. Only the fact it's done through a completely different URL than realme.co.nz - this is not something I have seen from any bank (or paypal but I'm not a regular user of paypal). It is very good general advice many users follow - do not click when the target URL does not match the purported source. Even more so in relation to financial information.

Westpac does it. Constantly. Their promotional emails, for example, have all links go via ct.thegear-box.com. So unfortunately yes, banks do do it.

Nil Einne

469 posts

Ultimate Geek
+1 received by user: 35

#943558 1-Dec-2013 02:41

nunz:

you need to read the post again - carefully. THe clue aobut what annoyed me is in the words types on the page - but just in case you miss it again....

DIA does charge for businesses to use the service.
I never mentioned a trusted windows cert - its a third party (ie DIA) cert that realme is using. provided by verisign but not for realme. (and remember realme is an IAAS provider - they need to be spot on with this stuff).
Third - Its a commercial email promoting businsses

FINALLY - THE BIG CLUE - I'LL TYPE THIS SLOWWWWLLLYYYY FOR YOU - it wasn't the commercial side that annoyed me, its the fact it actively encouraged people to do dumb link clicking for financial / identity transactions off a half assed email sent by a security flawed third party USa provider who has a history of leaking info to spammers and who should never be told anything by the NZ Govt re their dealings with Nz citizens.

If you want your Govt to teach people clicking on third party redirects is ok for identity and financial transaction then feel free to click here: https://realme.govt.nz/FAQ/Security

In your original message you said

The links take you to realme.govt.nz which is signed by a Verisign security certificate belonging to the Department of Internal Affairs.

and

Issue 2 - The https://realme.govt.nz uses a DIA Verisign signed security certificate. It strikes me a Monty Pythoesque that NZ Govts IAAS (Identiy As A Service) provider doesn't have its own security certificate and relies on a third party certificate to identify itself.

You seemed be making a big deal of it being Verisign signed security certificate. You will forgive people for thinking your problem was with it being Verisign signed (which as has now been thoroughly explained to you, is perfectly normal) rather than it being issued to the Department of Internal Affairs. Particularly since you said 'third party'. The only third party here is Verisign. The Department of Internal Affairs isn't a third party by any token. It's their service, in colloboration with NZ Post.

As has now been explained to you, Verisign, and probably pretty much any trusted CAs policies require an EV certificate to be issued to an organisation not a brand name. The organisation here is DIA. The certificate itself is of course issued for the website, realme.govt.nz which is run by the organisation DIA (okay this is a bit of a simplification of what the certificate means but good enough for here). If it were not issued for the website realme.govt.nz, any decent browser would have complained. Since you're making a big deal over security stuff, I presume you knew this later part about it being issued to realme.govt.nz from the beginning, even if the organisation part confused you. (If you didn't understand the certificate was issued for realme.govt.nz run by the DIA, it does explain a lot about your confusion. But any decent browser should have assured you it was indeed issued for the site run by the organisation when you checked out the certificate, so I don't see how this confusion could have arised anyway.)

I would note beyond your very confusing use of "third party" and your apparent limited of knowledge of CA requirements, your actual complaint seems a little flawed anyway. There is a reason for these policies. If I visit a website, particularly one I'm going to trust with my identity and important login information, I want to see the organisation behind it. Presuming I trust the CAs, this is what the certificate should tell me. Why on earth would I want to know the organisation is 'RealMe'. Who the heck is RealMe? Why should I believe their website telling me it's a DIA service when their certificate isn't even issued to the DIA but some weird organisation I may have never heard of, i.e. RealMe?

Okay it's .govt.nz which helps although shouldn't be sufficient for something as important as this. And either way, the general point remains. Think for example of a Microsoft or Google or whatever service. If I've never heard of this service before and it's not under a Google or Microsoft subdomain, the certificate being issued to Microsoft or Google or whatever is a reassurance and not an area of concern. (You do you refuse to accept that Youtube, Gmail, Livemail, Office365 etc are Google or Microsoft services and Google or Microsoft are not 'third parties' either?)

In a case where my bank launches a new service under a different domain, it would be even stupider for my bank to have the organisation name as the name of their new service, and not the bank's name. (Although in such cases it may also be best to check that the main bank secured website has a link to or at least mention of the new service.)

In fact, your original comment seemed to suggest you could do with the reassurance as well, since you mentioned how you called the DIA to find out of they were really running RealMe. The certificate provided this reassurance. If you didn't trust the certificate, perhaps because you don't trust the CA even though your OS or browser developers may do so, that's fine but it seems to me you've still illustrated why having the certificate properly issued to the organisation DIA for the website RealMe.govt.nz is far better than having the certificate issued for the organisation RealMe for the website Realme.govt.nz.

P.S. I'm not sure that anyone was claiming the commercial side annoyed you per se. The main point was the 'commercial' side is likely operating under a cost recovery basis, in other words it isn't truly set up as a commercial business but as a government service. And the way it's set up almost definitely means anything the government sends you about it would be exempt from the act governing unsolicited emails, no matter what you may claim about it promoting businesses. (Although I have an igovt login, I don't seem to have receive this email, or at least I can't find it. Perhaps I opted out of receiving the emails or something I don't know. So I haven't actually seen the email but I still strongly doubt it won't be exempt since there's nothing to suggest the goverment can't mention companies involved in their services.) Of course, this is almost definitely a moot point anyway since as plenty of people have pointed out by now, you undoubtedly agreed to receive these email when signing up for igovt.

It's possible you have a point on the links to a third party tracker (although as others have pointed out, it's undoubtedly common). But your decision to mention the irrelevant and seemingly flawed stuff like third party security certificates or to try and to suggest it was covered by the Unsolicited Electronic Messages Act 2007, and continue to argue these points when challenged; always meant that your whatever you wanted your main point to be, it was always likely to get partially lost in the discussion over the other stuff you said. If you didn't want this to happen, you didn't need to type slowly. All you needed to do was to avoid mentioning stuff which was either very likely wrong or at least highly confusing, and particularly avoid trying to defend it when people pointed out the problems with your claims.

MikeB4

MikeB4
18776 posts

Uber Geek
+1 received by user: 12769

ID Verified

Trusted

Subscriber

#943575 1-Dec-2013 06:06

nunz:
KiwiNZ: This all looks...much ado about nothing

Then dont waste your time reading or commenting on it - thanks for nothing, literally.

Because I don't support your point of view and don't see your mountain where a Mole hill is I am not allowed to voice an opinion?

Here is a crazy notion, lets give peace a chance.

gzt

18690 posts

Uber Geek
+1 received by user: 7830

Lifetime subscriber

#943662 1-Dec-2013 11:52

Kyanar:
gzt: Well he's not arguing against email response tracking. Only the fact it's done through a completely different URL than realme.co.nz - this is not something I have seen from any bank (or paypal but I'm not a regular user of paypal). It is very good general advice many users follow - do not click when the target URL does not match the purported source. Even more so in relation to financial information.

Westpac does it. Constantly. Their promotional emails, for example, have all links go via ct.thegear-box.com. So unfortunately yes, banks do do it.

Ok, that surprises me. Westpac should review that approach imho. It is training users to accept clicking on links which do not point to the purported source, which in turn makes phishing attempts a whole lot easier and more likely to succeed. Westpac is essentially placing reliance on user anti-spam and making it a little more difficult for users to assess the risk if a real phishing attack gets past anti-spam.

I have checked some ASB mail and cannot find any instance of ASB doing that. Maybe others can comment on other banks.

nunz

1421 posts

Uber Geek
+1 received by user: 314
Inactive user

#943821 1-Dec-2013 20:19

charsleysa:
nunz:
insane: I see on their website they are even advising about the mail out

"Look out for our email

RealMe is emailing its login customers (up until Friday 6th December) encouraging customers to upgrade to a RealMe verified account. The email is sent from noreply@realme.govt.nz.

Please note: RealMe will never send you an email asking you for your password."

On a scale of one to ten this isn't too bad, I've seem far more sloppy efforts. I'd rather them not waste more $$$$ on consultants per mail out, that would IMO be even worse.

I'm not a realme customer. no logon, no relationship with realme as far as I can tell. they got me email address from another Govt dept. and they dont need to ask for my password. Scammers just need to get people to put their usernames nad passwords into a site to get what they want.

Have you ever used iGovt? As it is now RealMe.
Also all Studylink accounts have been ported to RealMe ready accounts AFAIK.

Neither that I know of.

Apple TV

Stream your favourite shows now on Apple TV (affiliate link).

nunz

1421 posts

Uber Geek
+1 received by user: 314
Inactive user

#943826 1-Dec-2013 20:37

Kyanar:
nunz:
I'm not a realme customer. no logon, no relationship with realme as far as I can tell. they got me email address from another Govt dept. and they dont need to ask for my password. Scammers just need to get people to put their usernames nad passwords into a site to get what they want.

Did you, or did you not, have an iGovt account? You seem to be very careful to avoid answering that question which you were asked three times. If yes, then you do indeed have a relationship with the Department of Internal Affairs (who operate Realme, stop trying to refer to it as a separate organisation to confuse the issue - it is DIA). Having a Studylink account means you have one, by the way - for the avoidance of doubt.

If yes (and the answer will be Yes, because otherwise the government with the exception of the GCSB doesn't have your email address) then they are perfectly entitled to email you, even via third party contract agencies - as per the terms of service you agreed to.

It's probably important to note that Realme promotional emails are a lot difference from the transactional emails. Transactional emails are always sent directly from them, and do not include link tracking. Only the promotional emails (which do not really entice you to do anything but look at the site) actually include the link tracking being argued against. And this is par for the course - Westpac, ASB, and so forth also do this. Hell, even PayPal does it now (no, seriously. Sigh).

Side note, saying you're taking this overboard is by no means a personal attack, simply a statement of opinion. However, saying "I'LL TYPE THIS SLLLLOOOOOWWWWLLLLYYYY FOR YOU" is a direct attack on the intelligence and literacy of the person you are speaking to, and therefore is a personal attack. For the avoidance of doubt, what this means is that your post was a personal attack. Apology accepted.

As far as I am aware I do not have an iGovt account. I did sign into companies.govt.nz years ago to set up my company, I do have a login with the IRD but not the iGovt as far as I am aware.
Study link - 1 - I dont know what that is and 2 - i havent been a student in over 15 years so I doubt it.

does that satisfy you - no avoidence intended.

Only the promotional emails (which do not really entice you to do anything

If that was all they did I wouldn't be so concrerned. But they didnt they went further.

They toldthe recipients of the email to click on links and join in - sign in with user names nadpasswords.

It is one of the basic phisihing techniques to make a site that looks like one thing and get people to sign in with their user names and passwords. from there those passwords nad possibly user names will be tested on the real version of the site they think they logged into, on bank accounts, on the email address they sent from, facebok, twitter etc.

This then allows social high jacking of others accounts, breach of trust attacks and perusing emails / cell phones etc to gather more information. It is also an excellent way to possibyl break into the place peopel work as many people have the same email address or passwords in may places. - I'll wrtie a short anatomy of a hack article some time soon and explain it further there.

In short - simple rules we teach people.:
1 Never ever follow third party links to get to a trusted site.
2 Never ever log into a secured site such as banking, email, govt etc etc unless you have types in the url yourself from the address bar in the web browser.
3 - If you are not expecting an email from a trusted provider (e.g. bank ,govt, microsoft {hahahaha}, ISP or other) assume it is a phishing scam
4 - These people will never email you unless you contact them first.: Microsoft, apple, PC support companys from india,
5 - THese poeple will probably never email you unless you contact them first. the Govt, banks, ird ....

The email from the Govt blew through most of those rules nad even failed the DIa basic tersts for if it is probably a scam.

Lastly - and I cannot say this enough - No Govt Dept should be handing our details to any third party provider. No exceptions without consent. Itis illegal!!!! It is against legislation. Heck, they aren't even allowed to provide those details to each other without specific legal exemptions. THe provider chosen by PostOffice / IRD is know to be flawed and giving them access to our emails is not only stupid, dumb and bad etiquette but probably illegal.

nunz

1421 posts

Uber Geek
+1 received by user: 314
Inactive user

#943827 1-Dec-2013 20:38

Kyanar:
gzt: Well he's not arguing against email response tracking. Only the fact it's done through a completely different URL than realme.co.nz - this is not something I have seen from any bank (or paypal but I'm not a regular user of paypal). It is very good general advice many users follow - do not click when the target URL does not match the purported source. Even more so in relation to financial information.

Westpac does it. Constantly. Their promotional emails, for example, have all links go via ct.thegear-box.com. So unfortunately yes, banks do do it.

And I wrote and phoned into their IT people and slammed them for it. Dumb dumb dumb dumb dumb!!!!!!

Are they even allowed to hand our details to third party marketing people? Breach of privacy?

nunz

1421 posts

Uber Geek
+1 received by user: 314
Inactive user

#943833 1-Dec-2013 20:56

Nil Einne:

In your original message you said

The links take you to realme.govt.nz which is signed by a Verisign security certificate belonging to the Department of Internal Affairs.

and

Issue 2 - The https://realme.govt.nz uses a DIA Verisign signed security certificate. It strikes me a Monty Pythoesque that NZ Govts IAAS (Identiy As A Service) provider doesn't have its own security certificate and relies on a third party certificate to identify itself.

You seemed be making a big deal of it being Verisign signed security certificate. You will forgive people for thinking your problem was with it being Verisign signed (which as has now been thoroughly explained to you, is perfectly normal) rather than it being issued to the Department of Internal Affairs. Particularly since you said 'third party'. The only third party here is Verisign. The Department of Internal Affairs isn't a third party by any token. It's their service, in colloboration with NZ Post.

<snip>
I would note beyond your very confusing use of "third party" and your apparent limited of knowledge of CA requirements, your actual complaint seems a little flawed anyway.

<snip>

<snip>
Okay it's .govt.nz which helps although shouldn't be sufficient for something as important as this. And either way, the general point remains. Think for example of a Microsoft or Google or whatever service. If I've never heard of this service before and it's not under a Google or Microsoft subdomain, the certificate being issued to Microsoft or Google or whatever is a reassurance and not an area of concern. (You do you refuse to accept that Youtube, Gmail, Livemail, Office365 etc are Google or Microsoft services and Google or Microsoft are not 'third parties' either?)
<snip>

In fact, your original comment seemed to suggest you could do with the reassurance as well, since you mentioned how you called the DIA to find out of they were really running RealMe. The certificate provided this reassurance. If you didn't trust the certificate, perhaps because you don't trust the CA even though your OS or browser developers may do so, that's fine but it seems to me you've still illustrated why having the certificate properly issued to the organisation DIA for the website RealMe.govt.nz is far better than having the certificate issued for the organisation RealMe for the website Realme.govt.nz.

Where to start:
1 - ive never made a big deal out of it being Verisgin - that is your emphasis not mine. I made a big deal that NZ's IAAS doesnt even have its own certificate to identify itself.
Imagine a Monty Python Skit.

Ding ding - bell rings as door opened.
< Hello sir may I help you?
> Why yes , is the the NZ Govt identity Dept?
< Why yes it is
>Can you please show me some ID to prove that?
<Well no but I do have an ID I borrowed from my friends in DIA ....
curtain closes to billowing laughter.

2 - I got to the site via an obfuscated link through a USA marketing company using domains names that were not their real domain name and that used redirects under a different URL to what was shown in the email.
3 - My browser did pop the certificate up for me to have a look at. As I had no idea who realme.govt.nz was it worried me they had an NZ govt cert on their site.
4 - It worried me further that I had just possibly been hi-jacked with a hosts file hack, proxy hack or similar.
5 - I know how to hack verisgn security certificates via a proxy for a man in the middle attack so assume others can too.
6 - given the state of security in some NZ govt depts it wouldn't suprise me if a cracking group did complete a scam like this.
7 - Why wouldnt I be suspicious if an unknown email through overseas redirects claiming to be from the Govt using another Govts certficate appears on my screen?

Lastly - if I was to perform a phisihng attack like this I possibly would use a dia site url, hosts file / proxy attack and use iFrame or similar to inject my own details in the middle of it. Think of it as greasemonkey meets proxy attack meets gullible clickers of weird links.

I know, I know.... you say you cant fake verisgn certificates - but you can. Check out the article at GRC.com amongst others.

Anonymous made a similar attack against both CBS and an FBI offshoot using their real sites etc to garner personal information. I believe my caution is justified. They have alos compromised govt DNS in other countries and added their own .govt type sites. .govt means nothing without decent credentials and only if gotten too directly, not via third party obfuscated links.

nunz

1421 posts

Uber Geek
+1 received by user: 314
Inactive user

#943834 1-Dec-2013 21:02

KiwiNZ:
nunz:
KiwiNZ: This all looks...much ado about nothing

Then dont waste your time reading or commenting on it - thanks for nothing, literally.

Because I don't support your point of view and don't see your mountain where a Mole hill is I am not allowed to voice an opinion?

NO! But seriously ... NO!

My mother always said, if you cant say something nice don't say nothing at all. That's what my mumma said. Just coz you don't care about the same things I do don't mean y'all can go a beating on me.
But like my mumma always says, "Some people have got to be aflapping their gums even if there aint nothing but hot wind coming out." That's what my mumma says and I always does alisten to my mumma.

bigreddog

236 posts

Master Geek
+1 received by user: 117

Subscriber

#943840 1-Dec-2013 21:39

As far as I am aware I do not have an iGovt account. I did sign into companies.govt.nz years ago to set up my company, I do have a login with the IRD but not the iGovt as far as I am aware.

Suggest you go take a look at companies.govt.nz (which is actually http://www.business.govt.nz/companies/) See the bit there about logging in using iGovt/Realme?

Hope this clears up the mystery for you.

Tauranga
Quic Fibre (use R213449EPZJ3R for free setup)

1 | 2 | 3 | 4