It tells me to get ready to use RealMe to verify your identity with organisations in banking and finance, and that I'll never have to provide paperwork etc again. Use it for govt depts, insurance, banking etc etc. Just click here to get verified.
I was going to bin it as spam but took a second look. After cracking open a virtual machine I followed the web links. The links take you to realme.govt.nz, which is signed by a Verisign security certificate belonging to the Department of Internal Affairs.
A call to the DIA later I found out there is a Govt organisation called realme.govt.nz; it is an extension of the original govt identity / logon services and it does offer the services shown in the email newsletter.
So why am I grumpy and concerned about this email?
Three reasons:
1 - It breaks every rule of communicating regarding financial information safely.
2 - It exposes us to a raft of security issues.
3 - It fails to adhere to the DIA spam act.
Let me explain.
It breaks every rule of communicating regarding financial information safely.
The DIA site has information regarding how to keep yourself safe from scams and phishing. The rules are pretty much what we teach people as well and are pretty standard.
To quote:
Read the signs
It might be a scam if the caller or sender of the message:
- Is from an unknown or dubious source - prior to today I had never heard of RealMe and yet they tell me I have a RealMe logon.
- Is a stranger who contacts you when you aren’t expecting it - Definitely didn't expect this. BTW - if I do have a RealMe logon then which govt Dept shared my info and signed me up without my consent?
- Is a stranger who asks for financial help (i.e. so they can pay debts or visit you) - not relevant.
- Gets your name wrong (i.e. refers to you as ‘My Dear’ or something generic) - not relevant - didn't even use my name.
- Says you need to claim money or prizes for a lottery or competition you never entered - not relevant.
- Says you have inherited money or possessions from someone you’ve never heard of - not relevant.
- Claims to be from a bank or other financial institution and requests your personal information - Very relevant. They have a link saying click here to verify your .....
- Asks you to visit a website or fill in a form and submit your personal information - Same as above.
By the DIA's standards this looks like a scam: unsolicited, unknown sender, getting me to go to a website to divulge my information.
I spend ages getting people not to respond to scams. I have cleaned up the mess after scammers have phished their way into old people's lives and ripped them off for thousands of dollars. I get bombarded with questions regarding this type of email, and now the Govt of NZ is trying to encourage people to do stupid things and trust that this isn't a scam.
It exposes us to a raft of security issues.
Issue 1: all the links in the email look like nice safe links (e.g. "apply Online at www.realme.govt.nz", "Unsubscribe here", "Verify Here", "Watch our video here") but underneath they all look like:
http://links.nzpost.mkt4212.com/ctt?kn=4&ms=NzI0MDc5OQS2&r=Njg2OTM4MzM4MjQS1&b=0&j=OTkxOTU1NjIS1&mt=1&rt=0
It seems mkt4212 may be a legitimate mail service server, but unlike me most people have not got the ability to figure out if it is legit or not. Even the link to "apply Online at www.realme.govt.nz" goes via the type of URL mentioned above, and that redirects you to https://realme.govt.nz. Seriously, they put a redirect to an https govt website as a redirected link through a marketing company.
The links are manufactured the way they are to allow the marketing company who sent the emails on behalf of the NZ Post Office (the other half of RealMe) to track feedback to the campaign, but again, telling an overseas marketing company who is clicking on links to a New Zealand govt website and where they are clicking from, and allowing them to place cookies etc - it reeks.
Teaching NZ citizens to click on obfuscated links to access Govt websites, especially one that is setting itself up to be NZ's major Identity As A Service provider, is DUMB with a capital D.
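An added example, not from the original post: a small Python check of the kind a mail gateway or a cautious recipient could run over a newsletter body. It pulls out every link, compares the domain shown in the link text against the host the href actually points to, and flags opaque tracking tokens in the query string. The email body below is constructed for the example; the redirector host and parameter shape mirror the link quoted above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample newsletter body (not the real email). The first two
# hrefs copy the shape of the tracking link quoted in the post.
SAMPLE_EMAIL = """
<p>Apply online at <a href="http://links.nzpost.mkt4212.com/ctt?kn=4&amp;ms=NzI0MDc5OQS2&amp;r=Njg2OTM4MzM4MjQS1&amp;b=0">www.realme.govt.nz</a></p>
<p><a href="http://links.nzpost.mkt4212.com/ctt?kn=7&amp;ms=NzI0MDc5OQS2">Verify here</a></p>
<p><a href="https://www.realme.govt.nz/help">Help centre</a></p>
"""

DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    """Crude registrable-domain guess (assumption: no public suffix list,
    so govt.nz / co.nz style suffixes are handled by a short whitelist)."""
    parts = host.lower().split(".")
    if len(parts) >= 3 and parts[-2] in ("govt", "co", "org", "ac"):
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])

def audit_links(html):
    """Return findings for links whose visible domain differs from the real
    host, or whose query string carries base64-looking tracking tokens."""
    p = LinkCollector()
    p.feed(html)
    findings = []
    for href, text in p.links:
        host = urlparse(href).hostname or ""
        shown = DOMAIN_RE.search(text)
        mismatch = bool(shown) and registrable(shown.group(0)) != registrable(host)
        qs = parse_qs(urlparse(href).query)
        opaque = [k for k, v in qs.items()
                  if any(len(x) >= 8 and re.fullmatch(r"[A-Za-z0-9+/=]+", x) for x in v)]
        if mismatch or opaque:
            findings.append({"text": text, "host": host,
                             "display_mismatch": mismatch, "tracking_params": opaque})
    return findings
```

The "Help centre" link is left alone because its href really is on realme.govt.nz and carries no tracking token; the other two are exactly the pattern the post complains about.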
Issue 2 - The https://realme.govt.nz site uses a DIA Verisign signed security certificate. It strikes me as Monty Pythonesque that NZ Govt's IAAS (Identity As A Service) provider doesn't have its own security certificate and relies on a third party certificate to identify itself.
Issue 3 - The marketing company now has information on everyone who may or may not belong to RealMe, on who the NZ govt is talking to, our email addresses, IP addresses, and a raft of other information. What is the NZ govt doing giving an overseas marketing company this information? Is that legal under the Privacy Act?
It fails to adhere to the DIA spam act.
The NZ Spam Act states:
1 - You must allow a person to unsubscribe in the same manner as they were contacted, i.e. if by txt, using txt; if by email, using email; if by web, using web. This doesn't allow that - you have to use an obfuscated / third party link to unsubscribe yourself from an organisation you never subscribed to.
2 - you must identify who authorised the email - "This email has been sent on behalf of the Department of Internal Affairs" does not cut it as far as the Spam Act is concerned.
3 - This email was unsolicited as far as I am concerned - I don't deal with realme.govt.nz.
4 - Identify the business responsible for sending the commercial electronic message and how they can be contacted - no contact details.
The act says:
10 Commercial electronic messages must include accurate sender information
- A person must not send, or cause to be sent, a commercial electronic message that has a New Zealand link unless—
- (a) the message clearly and accurately identifies the person who authorised the sending of the message; and
- (b) the message includes accurate information about how the recipient can readily contact that person; and
- (c) the information referred to in paragraph (b) complies with any conditions specified in the regulations; and
- (d) the information referred to in paragraph (b) is reasonably likely to be valid for at least 30 days after the message is sent.
Lastly - I would suggest this email is illegal as:
- It breaks the Spam Act,
- It infers that client identity has been passed between govt departments (post office, DIA, RealMe etc) without consent,
- It divulges personal information to a third party, overseas marketing company, information that is held and divulged by an NZ govt department (or two) without explicit consent.