Geekzone: technology news, blogs, forums
robbyp

1199 posts

Uber Geek
+1 received by user: 8


#64885 24-Jul-2010 16:41

Anyone who banks with Rabobank get an email from RaboPlus over these last few days, and noticed that they included a login link in the email, to login to their online banking system? I would have thought that this was a massive fail on their part, due to the amount of phishing type emails of this type that include fake login links in them. They should not have included any link of any type. They should in fact be telling people to type the address into their web browser. There is no way to even tell if this particular email is not itself a phishing email, however I suspect it is not.

Detruire
1788 posts

Uber Geek
+1 received by user: 84


  #355850 24-Jul-2010 17:09

The link goes to http://www.raboplus.co.nz/ (and all of the others do too)




rm *




robbyp

1199 posts

Uber Geek
+1 received by user: 8


  #355852 24-Jul-2010 17:15

Detruire: The link goes to http://www.raboplus.co.nz/ (and all of the others do too)


Maybe it does, but any link can be made to look like it goes somewhere, but it in fact goes somewhere else. E.g. you can create a hyperlink that displays as http://www.raboplus.co.nz/, but the actual link tag goes to a phishing site that looks identical to the RaboPlus website. The thing is they shouldn't have any links like that, especially when it is referring to logging into the website.
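The look-alike link robbyp describes (visible text shows one address, the `href` points elsewhere) is mechanical to detect once the HTML is parsed. The following is an added example, not code from anyone in this thread or from RaboPlus: it walks the anchors of an HTML e-mail body with the standard library and flags two things a mail filter or a cautious reader would want to know about: anchors whose visible text is URL-like but names a different host than the `href`, and anchors whose text invites a "login" (the practice the thread objects to regardless of destination). The sample e-mail below is constructed for illustration, and `secure-login.example.net` is a reserved example domain, not a real site.

```python
"""Flag anchors in an HTML e-mail whose visible text looks like a URL
but whose href points to a different host, plus any "login" bait links.

Added example for the thread above; SAMPLE_EMAIL is constructed, and the
example.net host in it is a placeholder, not a real phishing domain.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Visible text "looks like a URL" if it has an optional scheme/www. prefix,
# a dotted host with a 2+ letter TLD, and an optional path.
URLISH = re.compile(
    r"^(?:https?://)?(?:www\.)?[a-z0-9.-]+\.[a-z]{2,}(?:/\S*)?$", re.I
)


def _host(text):
    """Lower-cased host part of a URL-like string ('' if none)."""
    if not text:
        return ""
    if "://" not in text:
        text = "http://" + text  # bare hosts such as www.raboplus.co.nz
    return (urlparse(text).hostname or "").lower()


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_suspicious_links(html):
    """Return one finding per anchor that warrants attention.

    Each finding is a dict with the href, the visible text and a reason:
    - 'mismatch'  : visible text is URL-like but names a different host
    - 'login-bait': visible text invites a login, wherever it points
    """
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        if URLISH.match(text) and _host(text) != _host(href):
            findings.append({"href": href, "text": text, "reason": "mismatch"})
        elif re.search(r"\blog ?in\b", text, re.I):
            findings.append({"href": href, "text": text, "reason": "login-bait"})
    return findings


# Constructed sample: one honest link, one look-alike link, one login link.
SAMPLE_EMAIL = """
<p>Dear customer,</p>
<p>Visit <a href="http://www.raboplus.co.nz/">http://www.raboplus.co.nz/</a> for details.</p>
<p><a href="http://secure-login.example.net/rabo">www.raboplus.co.nz</a></p>
<p><a href="http://www.raboplus.co.nz/">Login</a> to your account.</p>
"""

if __name__ == "__main__":
    for finding in find_suspicious_links(SAMPLE_EMAIL):
        print(f"{finding['reason']:<10} text={finding['text']!r} href={finding['href']}")
```

The honest link passes because the visible text and the `href` resolve to the same host; the second anchor is reported as a mismatch, and the third as login bait even though it points at the real site, which is exactly the ambiguity the thread complains about: a recipient cannot distinguish the two cases without inspecting the markup.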

freitasm
BDFL - Memuneh
80646 posts

Uber Geek
+1 received by user: 41029

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #355855 24-Jul-2010 17:23

Detruire: The link goes to http://www.raboplus.co.nz/ (and all of the others do too)


Regardless... No bank should EVER send an email and ask customers to click on a link. This creates a bad precedent, and customers will be less worried about clicking links in further emails - the ones that could potentially be scams and phishing.

It's the wrong thing to do.









robbyp

1199 posts

Uber Geek
+1 received by user: 8


  #355859 24-Jul-2010 17:30

freitasm:
Detruire: The link goes to http://www.raboplus.co.nz/ (and all of the others do too)


Regardless... No bank should EVER send an email and ask customers to click on a link. This creates a bad precedent, and customers will be less worried about clicking links in further emails - the ones that could potentially be scams and phishing.

It's the wrong thing to do.



Exactly. Maybe they are testing their customers on their online banking procedures, and how their customers react when they get a phishing email with a link in it.

Detruire
1788 posts

Uber Geek
+1 received by user: 84


  #355864 24-Jul-2010 17:36

freitasm: Regardless... No bank should EVER send an email and ask customers to click on a link. This creates a bad precedent, and customers will be less worried about clicking links in further emails - the ones that could potentially be scams and phishing.

It's the wrong thing to do.


My post is in response to the OP's comment:
robbyp: There is no way to even tell if this particular email is not itself a phishing email, however I suspect it is not.






rm *


robbyp

1199 posts

Uber Geek
+1 received by user: 8


  #355866 24-Jul-2010 17:43

Detruire:
freitasm: Regardless... No bank should EVER send an email and ask customers to click on a link. This creates a bad precedent, and customers will be less worried about clicking links in further emails - the ones that could potentially be scams and phishing.

It's the wrong thing to do.


My post is in response to the OP's comment:
robbyp: There is no way to even tell if this particular email is not itself a phishing email, however I suspect it is not.





But that still doesn't prove that it isn't a phishing email.

 
 
 
 

Detruire
1788 posts

Uber Geek
+1 received by user: 84


  #355869 24-Jul-2010 18:17

Unless my email provider modified the URLs contained within the email, I don't see how an email linking only to the official site can be a phishing email in itself.

I can understand how it may be to set people up for a later phishing email, (trick them into thinking that the next one is safe), but that email in itself isn't trying to get my details.

EDIT: Email appears to be from 91.199.135.39 (Netherlands Zeist Cooperatieve Centrale Raiffeisen-boerenleenbank)




rm *


ahmad
1937 posts

Uber Geek
+1 received by user: 53
Inactive user


  #355873 24-Jul-2010 18:37

Hi OP.

A few years ago when I first became a Rabo customer, I was sent an email as you describe with a link to the login page.

I contacted Rabo immediately and told them that such a security conscious bank (digipass, etc.) should not be linking from their emails due to the similarities between such a practice and phishing (as you correctly concur above).

They thanked me for the feedback and shortly afterwards changed their practice based on my concerns. Instead of linking to the LOGIN page, they would from that day onwards only ever link to www.raboplus.co.nz

I contacted them again, this time a little more irate, as I thought it was failed implementation and logic to use this as the "solution".

They did not take these concerns on board and said they would continue linking to www.raboplus.co.nz from their emails.

Perhaps it's time for another phone call. Do other banks link to their banking home page in emails?

Detruire
1788 posts

Uber Geek
+1 received by user: 84


  #355898 24-Jul-2010 20:17

Other than this one from RaboPlus, I don't think I've ever received an email from a bank.




rm *


robbyp

1199 posts

Uber Geek
+1 received by user: 8


  #355909 24-Jul-2010 20:47

ahmad: Hi OP.

A few years ago when I first became a Rabo customer, I was sent an email as you describe with a link to the login page.

I contacted Rabo immediately and told them that such a security conscious bank (digipass, etc.) should not be linking from their emails due to the similarities between such a practice and phishing (as you correctly concur above).

They thanked me for the feedback and shortly afterwards changed their practice based on my concerns. Instead of linking to the LOGIN page, they would from that day onwards only ever link to www.raboplus.co.nz

I contacted them again, this time a little more irate, as I thought it was failed implementation and logic to use this as the "solution".

They did not take these concerns on board and said they would continue linking to www.raboplus.co.nz from their emails.


Perhaps it's time for another phone call. Do other banks link to their banking home page in emails?


 

I know the national banks' emails don't link back to their website, for this exact reason, and they even state this is the reason in those emails. As a Rabobank customer, I am concerned that their experts aren't aware of the potential problems. Perhaps they don't believe phishing is that much of a problem and reimburse customers 100% if their customers fall victim to such emails.

Rabobank shouldn't actually be emailing about this change to online banking either, it should be done via snail mail, or via their secure email facility.



robbyp

1199 posts

Uber Geek
+1 received by user: 8


  #355910 24-Jul-2010 20:49

Detruire: Other than this one from RaboPlus, I don't think I've ever received an email from a bank.


You're right, I don't think I have received one either, and I bank with a lot of different banks, and I think it is the phishing risk that is the reason.

 
 
 
 

ahmad
1937 posts

Uber Geek
+1 received by user: 53
Inactive user


  #355917 24-Jul-2010 21:27

Let's be honest though. Assuming someone phished for your login details, and even if they were able to use your login token within the required 36 seconds or whatever it is, what could they do? All they could do is push money around YOUR accounts, and in fact the digipass would be required to do this once they got in.

I'm not saying it excuses it, but the system is pretty robust in terms of not letting you pay funds from these accounts into ANY account not previously approved/nominated.

tristanb
89 posts

Master Geek

ID Verified

  #355940 24-Jul-2010 23:36

What I want to know is why Rabo is introducing the new security "feature" of having to enter the last 4 digits of the Digipass serial number. Surely this would be pointless unless someone has figured out a way to predict the response codes. So I assume the worst. I wish they would be a bit more transparent with their customers.

I remember one of their blog posts about the Digipass. They stated "while we do not want to give too much away for obvious reasons" then left us with marketing junk. Flipping the thing over, and Googling the patent numbers told me exactly how the device worked. Anyone with the considerable skill needed to hack one of these would know all about the mechanics of it. I don't know why they insulted their readers' intelligence by withholding a simple explanation.

Anyway robbyp, you should mention that email on their blog. Maybe then they'll get some idea about security, instead of buying rights to a clever password token and thinking their s**t don't stink.

The current post is ironically "Identity Fraud costs Australians approx $1.1bn". They state "for us security is paramount – security of your money and your identity."

Well as all their customers now expect emails from them, some criminal can start spamming RaboPlus address and account details updates, plus "the new feature of credit card transfers", and get a lot of useful information. Thanks Rabo, I guess your pretty defender isn't all that much upstairs.

Kyanar
4089 posts

Uber Geek
+1 received by user: 1684

ID Verified
Trusted

  #356070 25-Jul-2010 14:14

ahmad:

Perhaps it's time for another phone call. Do other banks link to their banking home page in emails?


Well, here's a typical account balance alert from Westpac (obviously, details are redacted):

*** Westpac Account Alert ***

The current balance of your ######## is $########.

Your money available is $######## at 7.00 AM on 26 Jun 2010.

To find out more please login to Online Banking.


----------------------------------------------------------------------


* You have received this message because you have subscribed to Westpac Alerts. If you no longer wish to receive this or other email alerts please change your alert settings within Online Banking.

* Please do not reply to this computer generated email as it will not be read or responded to.

* We will never send you email containing links to Online Banking. If you do receive an email claiming to be from Westpac that contains links to Online Banking you should delete it immediately.

* Remember that Westpac's Online Banking is covered by our Online Banking Guarantee.

The contents of this e-mail are confidential. If you have received this communication by mistake, please advise the sender immediately and delete the message and any attachments.
Nothing in this email designates an information system for the purposes of Section 11(a) of the New Zealand Electronic Transactions Act 2002. Westpac New Zealand Limited


Note the complete lack of any links. The email is sent in plain text format with no attachments, and they don't even give you the URL to the banking home page. They just tell you "log into Online Banking" - assuming you know the URL. Blasted good practice if you ask me.

What's not so good practice, is that from the 1st August they're letting you reset your password online, using three "security questions" (personally, I always think these should be called INsecurity questions, as they REDUCE security, not enhance it).

MikeHeath
1 post

Wannabe Geek

Trusted

  #357549 28-Jul-2010 08:43

Hi

Let me introduce myself - I'm Mike Heath the GM of RaboPlus.co.nz

Apologies for joining this thread so late in the piece, but I thought it important to both acknowledge what has been said and to also clear up a small misunderstanding.

We don't provide a link to our login page in any of our eDMs, for many of the same reasons as have already been stated in this thread.  The "Login" call-to-action/graphic always provides a link to our home page and not our banking login page.

That said, I can see how our current practice may have caused some confusion, so we'll take this feedback on board and we will refrain from using the word "login" in any similar graphics/eDMs going forward.

Thanks for the feedback/comments.

Regards





Mike Heath
General Manager
RaboPlus.co.nz

http://www.raboplus.co.nz/blog/default.aspx


