1328 posts

Uber Geek
+1 received by user: 269

Subscriber

Topic # 136310 22-Nov-2013 15:02
3 people support this post

I received an email from realme.govt.nz called Get Ready to use RealMe for banking.

It tells me to get ready to use RealMe to verify your identity with organisations in banking and finance. I'll never have to provide paperwork etc again. Use it for govt depts, insurance, banking etc etc. Just click here to get verified.

I was going to bin it as spam but took a second look. After cracking open a virtual machine I followed the web links. The links take you to realme.govt.nz which is signed by a Verisign security certificate belonging to the Department of Internal Affairs.


A call to the DIA later I found out there is a Govt organisation called realme.govt.nz, it is an extension of the original govt identities / logon services and it does offer the services shown in the email newsletter.

So why am I grumpy and concerned about this email?

Three reasons:
1 - It breaks every rule of communicating regarding financial information safely.
2 - It exposes us to a raft of security issues.
3 - It fails to adhere to the DIA spam act.

Let me explain.

It breaks every rule of communicating regarding financial information safely.

The DIA site has information regarding how to keep yourself safe from scams and phishing. The rules are pretty much what we teach people as well and are pretty standard.


To quote:

Read the signs
It might be a scam if the caller or sender of the message:
  • Is from an unknown or dubious source - prior to today I had never heard of realme and yet they tell me I have a realme logon
  • Is a stranger who contacts you when you aren’t expecting it - Definitely didn't expect this. BTW - If I do have a realme logon then which govt Dept shared my info and signed me up without my consent?
  • Is a stranger who asks for financial help (i.e. so they can pay debts or visit you) - not relevant
  • gets your name wrong (i.e. refers to you as ‘My Dear’ or something generic) - not relevant - didn't even use my name
  • says you need to claim money or prizes for a lottery or competition you never entered - not relevant
  • says you have inherited money or possessions from someone you’ve never heard of - not relevant
  • claims to be from a bank or other financial institution and requests your personal information - Very relevant. They have a link saying click here to verify your .....
  • asks you to visit a website or fill in a form and submit your personal information - Same as above.

By the DIA's standards this looks like a scam. Unsolicited, unknown user, getting me to go to a website to divulge my information.

I spend ages getting people not to respond to scams. I have cleaned up the mess after scammers have phished their way into old people's lives and ripped them off for thousands of dollars. I get bombarded with questions regarding this type of email and now the Govt of NZ is trying to encourage people to do stupid things and trust this isn't a scam.


It exposes us to a raft of security issues.

Issue 1: All the links in the email look like nice safe links (e.g. apply Online at www.realme.govt.nz, Unsubscribe here, Verify Here, Watch our video here) type links but underneath they all look like:
http://links.nzpost.mkt4212.com/ctt?kn=4&ms=NzI0MDc5OQS2&r=Njg2OTM4MzM4MjQS1&b=0&j=OTkxOTU1NjIS1&mt=1&rt=0

It seems mkt4212 may be a legitimate mail service server but unlike me most people have not got the ability to figure out if it is legit or not. Even the link to apply Online at www.realme.govt.nz goes via the type of URL mentioned above and that redirects you to https://realme.govt.nz. Seriously, they put a redirect to an https govt website as a redirected link through a marketing company.

The links are manufactured the way they are to allow the marketing company who sent the emails on behalf of the NZ Post Office (the other half of realme) to track feedback to the campaign, but again, telling an overseas marketing company who is clicking on links to a New Zealand govt website and where they are clicking from and allowing them to place cookies etc - it reeks.

Teaching NZ citizens to click on obfuscated links to access Govt websites, especially one that is setting itself up to be NZ's major Identity As A Service provider, is DUMB with a capital D.

Issue 2 - The https://realme.govt.nz uses a DIA Verisign signed security certificate. It strikes me as Monty Pythonesque that NZ Govt's IAAS (Identity As A Service) provider doesn't have its own security certificate and relies on a third party certificate to identify itself.

Issue 3 - The marketing company now has information on everyone who may or may not belong to RealMe, who the NZ govt is talking to, our email addresses, IP addresses, and a raft of other information. What is the NZ govt doing giving an overseas marketing company this information? Is that legal under the Privacy Act?


It fails to adhere to the DIA spam act.
The NZ spam Act states:
1 - you must allow a person to unsubscribe in the same manner as they were contacted. IE if by txt, using txt, if by email, using email, if by web, using web. This doesn't allow that - you have to use an obfuscated / third party link to unsubscribe yourself from an organisation you never subscribed to.
2 - you must identify who authorised the email - "This email has been sent on behalf of the Department of Internal Affairs" does not cut it as far as the Spam Act is concerned.
3 - This email was unsolicited as far as I am concerned - I don't deal with Realme.govt.nz.
4 - Identify the business responsible for sending the commercial electronic message and how they can be contacted - no contact details.
The act says:
10 Commercial electronic messages must include accurate sender information

  • A person must not send, or cause to be sent, a commercial electronic message that has a New Zealand link unless—
    • (a) the message clearly and accurately identifies the person who authorised the sending of the message; and
    • (b) the message includes accurate information about how the recipient can readily contact that person; and
    • (c) the information referred to in paragraph (b) complies with any conditions specified in the regulations; and
    • (d) the information referred to in paragraph (b) is reasonably likely to be valid for at least 30 days after the message is sent.
    Compare: Spam Act 2003 s 17(1) (Aust)

Lastly - I would suggest this email is illegal as:

  • It breaks the spam act,
  • It infers that client identity has been passed between govt departments (post office, DIA, realme etc) without consent
  • It divulges personal information to a third party, overseas marketing company, information that is held and divulged by an NZ govt department (or two) without explicit consent.

I've contacted DIA and let them know of my concern in no uncertain terms. Unfortunately this type of gross negligence is becoming more and more common in govt Departments. It is not the first time I've had a Govt Department up about this type of breach of privacy and security. I'll let you know what they say.






nunz
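The link inspection described in the post above (friendly link text, tracking host underneath) can be automated. This is an added example, not part of the original post: `EXPECTED`, the flag names and the sample HTML are assumptions constructed here, and only the tracking URL and https://realme.govt.nz are taken from the post.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

EXPECTED = "realme.govt.nz"  # assumption: domain the message claims to come from
# Tracking URL exactly as quoted in the post above.
TRACKED = ("http://links.nzpost.mkt4212.com/ctt?kn=4&ms=NzI0MDc5OQS2"
           "&r=Njg2OTM4MzM4MjQS1&b=0&j=OTkxOTU1NjIS1&mt=1&rt=0")
# Constructed sample body (not the real newsletter markup).
SAMPLE_HTML = (
    f'<p>Apply online at <a href="{html.escape(TRACKED)}">www.realme.govt.nz</a></p>'
    f'<p><a href="{html.escape(TRACKED)}">Unsubscribe <b>here</b></a></p>'
    '<p><a href="https://realme.govt.nz">RealMe</a></p>'
)
# A domain name shown in the visible link text, with any leading "www." dropped.
DOMAIN_IN_TEXT = re.compile(r"\b(?:www\.)?((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

class LinkCollector(HTMLParser):  # collects (visible text, href) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_in(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def audit(body, expected=EXPECTED):
    """Return one finding per link: visible text, real host, and flags."""
    collector = LinkCollector()
    collector.feed(body)
    collector.close()
    findings = []
    for text, href in collector.links:
        url = urlsplit(href)
        flags = []
        if not host_in(url.hostname, expected):
            flags.append("third-party-host")      # click goes elsewhere first
        if url.scheme != "https":
            flags.append("not-https")
        shown = DOMAIN_IN_TEXT.search(text)
        if shown and not host_in(url.hostname, shown.group(1).lower()):
            flags.append("text-href-mismatch")    # text names one site, href another
        findings.append({"text": text, "host": url.hostname, "flags": flags})
    return findings
```

Running `audit(SAMPLE_HTML)` flags the first two links and leaves the direct https link clean; a mail gateway or a sender's pre-send check could apply the same test.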

14720 posts

Uber Geek
+1 received by user: 1987


  Reply # 939091 22-Nov-2013 15:12

I got one of these emails too, and thought it looked a bit like a phishing email, as it was budget looking, so I just binned it.

I believe government departments are exempt from the unsolicited email act.

956 posts

Ultimate Geek
+1 received by user: 346
Inactive user


  Reply # 939093 22-Nov-2013 15:16

My realme email went straight into the spam box so I deleted it without reading it

 
 
 
 


3344 posts

Uber Geek
+1 received by user: 1089

Trusted
Vocus

  Reply # 939098 22-Nov-2013 15:19

It's pretty dire.  Surely this is the sort of thing they should be engaging the GCSB on?  Any security expert worth his salt would be saying this was a very poor approach to take, especially for a service designed to protect personal information...

BDFL - Memuneh
62987 posts

Uber Geek
+1 received by user: 13562

Administrator
Trusted
Geekzone
Lifetime subscriber

14635 posts

Uber Geek
+1 received by user: 2719

Trusted
Subscriber

  Reply # 939106 22-Nov-2013 15:25

Agree re the spam stuff and a lot of what you said. You not being aware of RealMe isn't their problem though. RealMe is a joint effort from DIA and NZPost.

gzt

10672 posts

Uber Geek
+1 received by user: 1747


  Reply # 939110 22-Nov-2013 15:30

Besides entrusting clicks to a 3rd party...

They also broke the 3rd party's TOS:

An e-mail is SPAM if:

1. The contact's personal identity and context are irrelevant because the message is equally applicable to many other potential contacts; AND
2. The contact has not verifiably granted deliberate, explicit, and still-revocable permission for it to be sent; AND
3. The transmission and reception of the message appears to the contact to give a disproportionate benefit to the sender.

If you have questions or concerns regarding this policy, please forward a copy of the e-mail in question to abuse@silverpop.com.

OP, you should file a TOS abuse complaint based on #2 and consider #3 also : ).



1328 posts

Uber Geek
+1 received by user: 269

Subscriber

  Reply # 939112 22-Nov-2013 15:33

timmmay: Agree re the spam stuff and a lot of what you said. You not being aware of RealMe isn't their problem though. RealMe is a joint effort from DIA and NZPost.


Sure it's their problem - three reasons.

1 - They emailed me - unsolicited from an organisation I don't have a relationship with - that's their problem
2 - I never gave consent for realme to divulge personal information to a third party such as DIA, post office or the marketing company used by the post office to send this email.
3 - If they want me to sign up with them it is up to them to introduce themselves. To say it isn't their problem is like saying Coke doesn't need to make itself known in order to attract me to buy their product.

Lastly - Realme is setting itself up as IAAS for NZ. To do that they need my trust and buy in. They won't have that if I don't know them - it's a big marketing failure to spam me as a way of saying hello, let us run your identity for you.






nunz



1328 posts

Uber Geek
+1 received by user: 269

Subscriber

  Reply # 939114 22-Nov-2013 15:36

gzt: Besides entrusting clicks to a 3rd party...

They also broke the 3rd party's TOS:

An e-mail is SPAM if:

1. The contact's personal identity and context are irrelevant because the message is equally applicable to many other potential contacts; AND
2. The contact has not verifiably granted deliberate, explicit, and still-revocable permission for it to be sent; AND
3. The transmission and reception of the message appears to the contact to give a disproportionate benefit to the sender.

If you have questions or concerns regarding this policy, please forward a copy of the e-mail in question to abuse@silverpop.com.

OP, you should file a TOS abuse complaint based on #2 and consider #3 also : ).


He he - NZ anti spam Govt Dept gets taken to overseas court for sending illegal spam to NZ citizens - damn, that's more twisted than Dee Snider.

I'll assume SilverPop is the third party mailer service.





nunz

1122 posts

Uber Geek
+1 received by user: 203

Subscriber

  Reply # 939117 22-Nov-2013 15:38

Were any of you users of the old iGovt service? If so, all iGovt users were emailed.

gzt

10672 posts

Uber Geek
+1 received by user: 1747


  Reply # 939121 22-Nov-2013 15:57

nunz:
gzt: Besides entrusting clicks to a 3rd party...

They also broke the 3rd party's TOS:

An e-mail is SPAM if:

1. The contact's personal identity and context are irrelevant because the message is equally applicable to many other potential contacts; AND
2. The contact has not verifiably granted deliberate, explicit, and still-revocable permission for it to be sent; AND
3. The transmission and reception of the message appears to the contact to give a disproportionate benefit to the sender.

If you have questions or concerns regarding this policy, please forward a copy of the e-mail in question to abuse@silverpop.com.

OP, you should file a TOS abuse complaint based on #2 and consider #3 also : ).


He he - NZ anti spam Govt Dept gets taken to overseas court for sending illegal spam to NZ citizens - damn, that's more twisted than Dee Snider.

Not going to happen. Their own provider will not be taking them to court. But SP should reasonably respond to your abuse complaint.

nunz: I'll assume SilverPop is the third party mailer service.

Yes, SilverPop:

FBI agents looking into the theft of customer data belonging to McDonald's are investigating similar breaches that may have hit more than 100 other companies that used email marketing services from Atlanta-based Silverpop Systems.

Can we please not be providing NZ government data to 3rd parties?

5404 posts

Uber Geek
+1 received by user: 1438

Moderator
Trusted
Lifetime subscriber

  Reply # 939128 22-Nov-2013 16:12
One person supports this post

Funnily enough I tried to log on to Births, Deaths and Marriages yesterday to order my birth certificate - I set up RealMe a while ago, verified and everything. It worked fine a few months ago. Tried to use it to log on yesterday and now I'm being told the username is invalid.

LOL. I give up.

754 posts

Ultimate Geek
+1 received by user: 189


  Reply # 939138 22-Nov-2013 16:29

allan: Were any of you users of the old iGovt service? If so, all iGovt users were emailed.


Exactly this, they likely also agreed in the iGovt terms to email contact (even from marketers on their behalf) about new products/offers (however this is planned to be more a direct replacement of iGovt from my understanding).

3446 posts

Uber Geek
+1 received by user: 441

Trusted

  Reply # 939144 22-Nov-2013 16:40
One person supports this post

I hardly think this breaks the laws around spam as it isn't commercial - it's a communication from the government....

It's probably not a good look with inviting links etc. but you are taking this complaint way overboard.....





1122 posts

Uber Geek
+1 received by user: 203

Subscriber

  Reply # 939152 22-Nov-2013 16:46

loceff13: Exactly this, they likely also agreed in the iGovt terms to email contact (even from marketers on their behalf) about new products/offers (however this is planned to be more a direct replacement of iGovt from my understanding).

Yes it is a direct replacement

gzt

10672 posts

Uber Geek
+1 received by user: 1747


  Reply # 939155 22-Nov-2013 16:50

Zeon: I hardly think this breaks the laws around spam as it isn't commercial - it's a communication from the government....

Laws or not, it's commercial. Banks and other businesses are paying RealMe to use the service.

