Geekzone: technology news, blogs, forums
1363 posts

Uber Geek
+1 received by user: 281

Subscriber

# 136310 22-Nov-2013 15:02
3 people support this post

I received an email from realme.govt.nz called Get Ready to use RealMe for banking.

It tells me to get ready to use RealMe to verify your identity with organisations in banking and finance; I'll never have to provide paperwork etc. again. Use it for govt depts, insurance, banking etc. etc. Just click here to get verified.

I was going to bin it as spam but took a second look. After cracking open a virtual machine I followed the web links. The links take you to realme.govt.nz which is signed by a Verisign security certificate belonging to the Department of Internal Affairs.


A call to the DIA later I found out there is a Govt organisation called realme.govt.nz, it is an extension of the original govt identities / logon services and it does offer the services shown in the email newsletter.

So why am I grumpy and concerned about this email?

Three reasons:
1 - It breaks every rule of communicating regarding financial information safely.
2 - It exposes us to a raft of security issues.
3 - It fails to adhere to the DIA spam act.

Let me explain.

It breaks every rule of communicating regarding financial information safely.

The DIA site has information regarding how to keep yourself safe from scams and phishing. The rules are pretty much what we teach people as well and are pretty standard.


To quote:

Read the signs
It might be a scam if the caller or sender of the message: 
  • Is from an unknown or dubious source - prior to today I had never heard of realme and yet they tell me I have a realme logon
  • Is a stranger who contacts you when you aren’t expecting it - Definitely didn't expect this. BTW - If I do have a realme logon then which govt Dept shared my info and signed me up without my consent?
  • Is a stranger who asks for financial help (i.e. so they can pay debts or visit you) - not relevant
  • gets your name wrong (i.e. refers to you as ‘My Dear’ or something generic) - not relevant - didn't even use my name
  • says you need to claim money or prizes for a lottery or competition you never entered - not relevant
  • says you have inherited money or possessions from someone you’ve never heard of - not relevant
  • claims to be from a bank or other financial institution and requests your personal information - Very relevant. They have a link saying click here to verify your .....
  • asks you to visit a website or fill in a form and submit your personal information - Same as above.

By the DIA's standards this looks like a scam. Unsolicited, unknown user, getting me to go to a website to divulge my information.

I spend ages getting people not to respond to scams. I have cleaned up the mess after scammers have phished their way into old people's lives and ripped them off for thousands of dollars. I get bombarded with questions regarding this type of email and now the Govt of NZ is trying to encourage people to do stupid things and trust this isn't a scam.


It exposes us to a raft of security issues.

Issue 1: all the links in the email look like nice safe links (e.g. apply Online at www.realme.govt.nz, Unsubscribe here, Verify Here: Watch our video here) type links but underneath they all look like: 
http://links.nzpost.mkt4212.com/ctt?kn=4&ms=NzI0MDc5OQS2&r=Njg2OTM4MzM4MjQS1&b=0&j=OTkxOTU1NjIS1&mt=1&rt=0

It seems mkt4212 may be a legitimate mail service server but unlike me most people have not got the ability to figure out if it is legit or not. Even the link to apply Online at www.realme.govt.nz goes via the type of URL mentioned above and that redirects you to https://realme.govt.nz. Seriously, they put a redirect to an https govt website as a redirected link through a marketing company.

The links are manufactured the way they are to allow the marketing company who sent the emails on behalf of the NZ Post Office (the other half of realme) to track feedback to the campaign, but again, telling an overseas marketing company who is clicking on links to a New Zealand govt website and where they are clicking from and allowing them to place cookies etc. - it reeks.

Teaching NZ citizens to click on obfuscated links to access Govt websites, especially one that is setting itself up to be NZ's major Identity As A Service provider is DUMB with a capital D.

Issue 2 - The https://realme.govt.nz uses a DIA Verisign signed security certificate. It strikes me as Monty Pythonesque that NZ Govt's IAAS (Identity As A Service) provider doesn't have its own security certificate and relies on a third party certificate to identify itself.

Issue 3 - The marketing company now has information on everyone who may or may not belong to RealMe, who the NZ govt is talking to, our email addresses, IP addresses, and a raft of other information. What is the NZ govt doing giving an overseas marketing company this information? Is that legal under the privacy act?


It fails to adhere to the DIA spam act.
The NZ spam Act states:
1 - you must allow a person to unsubscribe in the same manner as they were contacted, i.e. if by txt, using txt, if by email, using email, if by web, using web. This doesn't allow that - you have to use an obfuscated / third party link to unsubscribe yourself from an organisation you never subscribed to.
2 - you must identify who authorised the email - "This email has been sent on behalf of the Department of Internal Affairs" does not cut it as far as the Spam Act is concerned.
3 - This email was unsolicited as far as I am concerned - I don't deal with Realme.govt.nz.
4 - Identify the business responsible for sending the commercial electronic message and how they can be contacted - no contact details.
The act says:
10 Commercial electronic messages must include accurate sender information

  • A person must not send, or cause to be sent, a commercial electronic message that has a New Zealand link unless—
    • (a) the message clearly and accurately identifies the person who authorised the sending of the message; and
    • (b) the message includes accurate information about how the recipient can readily contact that person; and
    • (c) the information referred to in paragraph (b) complies with any conditions specified in the regulations; and
    • (d) the information referred to in paragraph (b) is reasonably likely to be valid for at least 30 days after the message is sent.

Compare: Spam Act 2003 s 17(1) (Aust)

Lastly - I would suggest this email is illegal as:

  • It breaks the spam act,
  • It infers that client identity has been passed between govt departments (post office, DIA, realme etc.) without consent
  • It divulges personal information to a third party, overseas marketing company, information that is held and divulged by an NZ govt department (or two) without explicit consent.

I've contacted DIA and let them know of my concern in no uncertain terms. Unfortunately this type of gross negligence is becoming more and more common in govt Departments. It is not the first time I've had a Govt Department up about this type of breach of privacy and security. I'll let you know what they say.






nunz

14803 posts

Uber Geek
+1 received by user: 2007


  # 939091 22-Nov-2013 15:12

I got one of these emails too, and thought it looked a bit like a phishing email, as it was budget looking, so I just binned it.

I believe government departments are exempt from the unsolicited email act.

956 posts

Ultimate Geek
+1 received by user: 346
Inactive user


  # 939093 22-Nov-2013 15:16

My realme email went straight into the spam box so I deleted it without reading it

 
 
 
 


3344 posts

Uber Geek
+1 received by user: 1089

Trusted
Vocus

  # 939098 22-Nov-2013 15:19

It's pretty dire.  Surely this is the sort of thing they should be engaging the GCSB on?  Any security expert worth his salt would be saying this was a very poor approach to take, especially for a service designed to protect personal information...

14744 posts

Uber Geek
+1 received by user: 2745

Trusted
Subscriber

  # 939106 22-Nov-2013 15:25

Agree re the spam stuff and a lot of what you said. You not being aware of RealMe isn't their problem though. RealMe is a joint effort from DIA and NZPost.

gzt

10706 posts

Uber Geek
+1 received by user: 1759


  # 939110 22-Nov-2013 15:30

Besides entrusting clicks to a 3rd party...

They also broke the 3rd party's TOS:

An e-mail is SPAM if:

1. The contact's personal identity and context are irrelevant because the message is equally applicable to many other potential contacts; AND
2. The contact has not verifiably granted deliberate, explicit, and still-revocable permission for it to be sent; AND
3. The transmission and reception of the message appears to the contact to give a disproportionate benefit to the sender.

If you have questions or concerns regarding this policy, please forward a copy of the e-mail in question to abuse@silverpop.com.

OP, you should file a TOS abuse complaint based on #2 and consider #3 also : ).



1363 posts

Uber Geek
+1 received by user: 281

Subscriber

  # 939112 22-Nov-2013 15:33

timmmay: Agree re the spam stuff and a lot of what you said. You not being aware of RealMe isn't their problem though. RealMe is a joint effort from DIA and NZPost.


Sure it's their problem - three reasons.

1 - They emailed me - unsolicited from an organisation I don't have a relationship with - that's their problem
2 - I never gave consent for realme to divulge personal information to a third party such as DIA, post office or the marketing company used by the post office to send this email.
3 - If they want me to sign up with them it is up to them to introduce themselves. To say it isn't their problem is like saying coke doesn't need to make itself known in order to attract me to buy their product.

Lastly - Realme is setting itself up as IAAS for NZ. To do that they need my trust and buy in. They won't have that if I don't know them - it's a big marketing failure to spam me as a way of saying hello, let us run your identity for you.






nunz



1363 posts

Uber Geek
+1 received by user: 281

Subscriber

  # 939114 22-Nov-2013 15:36

gzt: Besides entrusting clicks to a 3rd party...

They also broke the 3rd party's TOS:

An e-mail is SPAM if:

1. The contact's personal identity and context are irrelevant because the message is equally applicable to many other potential contacts; AND
2. The contact has not verifiably granted deliberate, explicit, and still-revocable permission for it to be sent; AND
3. The transmission and reception of the message appears to the contact to give a disproportionate benefit to the sender.

If you have questions or concerns regarding this policy, please forward a copy of the e-mail in question to abuse@silverpop.com.

OP, you should file a TOS abuse complaint based on #2 and consider #3 also : ).


he he - NZ anti spam Govt Dept gets taken to overseas court for sending illegal spam to NZ citizens - damn, that's more twisted than Dee Snider.

I'll assume SilverPop is the third party mailer service.





nunz

1130 posts

Uber Geek
+1 received by user: 205

Subscriber

  # 939117 22-Nov-2013 15:38

Were any of you users of the old iGovt service? If so, all iGovt users were emailed.

gzt

10706 posts

Uber Geek
+1 received by user: 1759


  # 939121 22-Nov-2013 15:57

nunz:
gzt: Besides entrusting clicks to a 3rd party...

They also broke the 3rd party's TOS:

An e-mail is SPAM if:

1. The contact's personal identity and context are irrelevant because the message is equally applicable to many other potential contacts; AND
2. The contact has not verifiably granted deliberate, explicit, and still-revocable permission for it to be sent; AND
3. The transmission and reception of the message appears to the contact to give a disproportionate benefit to the sender.

If you have questions or concerns regarding this policy, please forward a copy of the e-mail in question to abuse@silverpop.com.

OP, you should file a TOS abuse complaint based on #2 and consider #3 also : ).


he he - NZ anti spam Govt Dept gets taken to overseas court for sending illegal spam to NZ citizens - damn, that's more twisted than Dee Snider.

Not going to happen. Their own provider will not be taking them to court. But SP should reasonably respond to your abuse complaint.

nunz: I'll assume SilverPop is the third party mailer service.

Yes, SilverPop:

FBI agents looking into the theft of customer data belonging to McDonald's are investigating similar breaches that may have hit more than 100 other companies that used email marketing services from Atlanta-based Silverpop Systems.

Can we please not be providing NZ government data to 3rd parties?

5460 posts

Uber Geek
+1 received by user: 1463

Moderator
Trusted
Lifetime subscriber

  # 939128 22-Nov-2013 16:12
One person supports this post

Funnily enough I tried to logon to Births, Deaths and Marriages yesterday to order my birth certificate - I set up Real Me a while ago, verified and everything. It worked fine a few months ago. Tried to use it to logon yesterday and now I'm being told the username is invalid.

LOL. I give up.

759 posts

Ultimate Geek
+1 received by user: 194


  # 939138 22-Nov-2013 16:29

allan: Were any of you users of the old iGovt service? If so, all iGovt users were emailed.


Exactly this, they likely also agreed in the iGovt terms to email contact (even from marketers on their behalf) about new products/offers (however this is planned to be more a direct replacement of iGovt from my understanding).

3449 posts

Uber Geek
+1 received by user: 451

Trusted

  # 939144 22-Nov-2013 16:40
One person supports this post

I hardly think this breaks the laws around spam as it isn't commercial - it's a communication from the government....

It's probably not a good look with inviting links etc. but you are taking this complaint way overboard.....





1130 posts

Uber Geek
+1 received by user: 205

Subscriber

  # 939152 22-Nov-2013 16:46

loceff13: Exactly this, they likely also agreed in the iGovt terms to email contact (even from marketers on their behalf) about new products/offers (however this is planned to be more a direct replacement of iGovt from my understanding).

Yes it is a direct replacement

gzt

10706 posts

Uber Geek
+1 received by user: 1759


  # 939155 22-Nov-2013 16:50

Zeon: I hardly think this breaks the laws around spam as it isn't commercial - it's a communication from the government....

Laws or not, it's commercial. Banks and other businesses are paying RealMe to use the service.

