1163 posts

Uber Geek


Topic # 64885 24-Jul-2010 16:41

Anyone who banks with Rabobank get an email from RaboPlus over these last few days, and noticed that they included a login link in the email, to log in to their online banking system? I would have thought that this was a massive fail on their part, due to the amount of phishing-type emails of this type that include fake login links in them. They should not have included any link of any type. They should in fact be telling people to type the address into their web browser. There is no way to even tell if this particular email is not itself a phishing email; however, I suspect it is not.

1260 posts

Uber Geek
+1 received by user: 64


  Reply # 355850 24-Jul-2010 17:09

The link goes to http://www.raboplus.co.nz/ (and all of the others do too)




rm *




1163 posts

Uber Geek


  Reply # 355852 24-Jul-2010 17:15

Detruire: The link goes to http://www.raboplus.co.nz/ (and all of the others do too)


Maybe it does, but any link can be made to look like it goes somewhere when it in fact goes somewhere else. E.g. you can create a hyperlink that displays as http://www.raboplus.co.nz/, but the actual link tag goes to a phishing site that looks identical to the RaboPlus website. The thing is they shouldn't have any links like that, especially when it is referring to logging into the website.
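The mismatch described in this post (visible text showing one URL, the href pointing at another host) is mechanical enough to check for. Below is an added example, not code from the thread or from RaboPlus, that walks the anchors in an HTML email and flags two things the thread objects to: display text that looks like a URL but whose host differs from the href, and any link whose text or target path refers to a login. The sample email and the lookalike domain `lookalike.example.invalid` are constructed for the demonstration; a mail gateway or a customer could run the same check on a real message.

```python
"""Audit anchors in an HTML e-mail for display/href mismatches and login links.

Added example for the thread above (not RaboPlus code). Sample input below is
constructed; the lookalike host uses the reserved .invalid TLD as a placeholder.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible text that reads like a URL or bare domain, e.g. "http://www.raboplus.co.nz/"
URL_LIKE = re.compile(
    r"^(?:https?://)?(?P<host>[a-z0-9.-]+\.[a-z]{2,})(?:[/?#]\S*)?$", re.I
)
# Words that mark a link as a login call-to-action (in the text or the target path)
LOGIN_WORDS = ("login", "log-in", "logon", "signin", "sign-in")


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self._href = None      # href of the anchor currently open, if any
        self._text = []        # text fragments seen inside that anchor
        self.anchors = []      # completed (href, text) pairs

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _norm_host(host):
    """Lower-case a hostname and drop a leading 'www.' so the bare and www forms compare equal."""
    host = (host or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def audit_email_links(html):
    """Return a list of findings, each {'kind', 'text', 'href'}, for suspicious anchors."""
    parser = _AnchorCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.anchors:
        target = urlparse(href)
        target_host = _norm_host(target.hostname)
        # 1. The text looks like a URL but names a different host than the href does.
        shown = URL_LIKE.match(text)
        if shown and _norm_host(shown.group("host")) != target_host:
            findings.append({"kind": "display_href_mismatch", "text": text, "href": href})
        # 2. The link is presented as, or points at, a login.
        haystack = (target.path + " " + text).lower()
        if any(word in haystack for word in LOGIN_WORDS):
            findings.append({"kind": "login_link", "text": text, "href": href})
    return findings


# Constructed sample: one honest link, one lookalike, one "Login" call-to-action.
SAMPLE_EMAIL = """
<p>Dear customer,</p>
<p>See <a href="http://www.raboplus.co.nz/">http://www.raboplus.co.nz/</a> for details.</p>
<p><a href="http://lookalike.example.invalid/raboplus/">http://www.raboplus.co.nz/</a></p>
<p><a href="http://www.raboplus.co.nz/">Login</a> to check your balance.</p>
"""

if __name__ == "__main__":
    for finding in audit_email_links(SAMPLE_EMAIL):
        print(finding["kind"], "|", finding["text"], "->", finding["href"])
```

Run against the constructed sample, the first anchor passes, the second is reported as a display/href mismatch, and the third is reported as a login link even though it goes to the home page, which is exactly the case the thread argues a bank should avoid.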

 
 
 
 


BDFL - Memuneh
61794 posts

Uber Geek
+1 received by user: 12443

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 355855 24-Jul-2010 17:23

Detruire: The link goes to http://www.raboplus.co.nz/ (and all of the others do too)


Regardless... No bank should EVER send an email and ask customers to click on a link. This creates a bad precedent, and customers will be less worried about clicking links in further emails - the ones that could potentially be scams and phishing.

It's the wrong thing to do.







1163 posts

Uber Geek


  Reply # 355859 24-Jul-2010 17:30

freitasm:
Detruire: The link goes to http://www.raboplus.co.nz/ (and all of the others do too)


Regardless... No bank should EVER send an email and ask customers to click on a link. This creates a bad precedent, and customers will be less worried about clicking links in further emails - the ones that could potentially be scams and phishing.

It's the wrong thing to do.



Exactly. Maybe they are testing their customers on their online banking procedures, and how their customers react when they get a phishing email with a link in it.

1260 posts

Uber Geek
+1 received by user: 64


  Reply # 355864 24-Jul-2010 17:36

freitasm: Regardless... No bank should EVER send an email and ask customers to click on a link. This creates a bad precedent, and customers will be less worried about clicking links in further emails - the ones that could potentially be scams and phishing.

It's the wrong thing to do.


My post is in response to the OP's comment:
robbyp: There is no way to even tell if this particular email is not itself a phishing email, however I suspect it is not.






rm *




1163 posts

Uber Geek


  Reply # 355866 24-Jul-2010 17:43

Detruire:
freitasm: Regardless... No bank should EVER send an email and ask customers to click on a link. This creates a bad precedent, and customers will be less worried about clicking links in further emails - the ones that could potentially be scams and phishing.

It's the wrong thing to do.


My post is in response to the OP's comment:
robbyp: There is no way to even tell if this particular email is not itself a phishing email, however I suspect it is not.





But that still doesn't prove that it isn't a phishing email.

1260 posts

Uber Geek
+1 received by user: 64


  Reply # 355869 24-Jul-2010 18:17

Unless my email provider modified the URLs contained within the email, I don't see how an email linking only to the official site can be a phishing email in itself.

I can understand how it may be to set people up for a later phishing email, (trick them into thinking that the next one is safe), but that email in itself isn't trying to get my details.

EDIT: Email appears to be from 91.199.135.39 (Netherlands Zeist Cooperatieve Centrale Raiffeisen-boerenleenbank)




rm *


1937 posts

Uber Geek
+1 received by user: 53
Inactive user


  Reply # 355873 24-Jul-2010 18:37

Hi OP.

A few years ago when I first became a Rabo customer, I was sent an email as you describe with a link to the login page.

I contacted Rabo immediately and told them that such a security conscious bank (digipass, etc.) should not be linking from their emails due to the similarities between such a practice and phishing (as you correctly concur above).

They thanked me for the feedback and shortly afterwards changed their practice based on my concerns. Instead of linking to the LOGIN page, they would from that day onwards only ever link to www.raboplus.co.nz

I contacted them again, this time a little more irate, as I thought it was failed implementation and logic to use this as the "solution".

They did not take these concerns on board and said they would continue linking to www.raboplus.co.nz from their emails.

Perhaps it's time for another phone call. Do other banks link to their banking home page in emails?

1260 posts

Uber Geek
+1 received by user: 64


  Reply # 355898 24-Jul-2010 20:17

Other than this one from RaboPlus, I don't think I've ever received an email from a bank.




rm *




1163 posts

Uber Geek


  Reply # 355909 24-Jul-2010 20:47

ahmad: Hi OP.

A few years ago when I first became a Rabo customer, I was sent an email as you describe with a link to the login page.

I contacted Rabo immediately and told them that such a security conscious bank (digipass, etc.) should not be linking from their emails due to the similarities between such a practice and phishing (as you correctly concur above).

They thanked me for the feedback and shortly afterwards changed their practice based on my concerns. Instead of linking to the LOGIN page, they would from that day onwards only ever link to www.raboplus.co.nz

I contacted them again, this time a little more irate, as I thought it was failed implementation and logic to use this as the "solution".

They did not take these concerns on board and said they would continue linking to www.raboplus.co.nz from their emails.


Perhaps it's time for another phone call. Do other banks link to their banking home page in emails?


 

I know the national banks' emails don't link back to their website, for this exact reason, and they even state this is the reason in those emails. As a Rabobank customer, I am concerned that their experts aren't aware of the potential problems. Perhaps they don't believe phishing is that much of a problem and reimburse customers 100% if their customers fall victim to such emails.

Rabobank shouldn't actually be emailing about this change to online banking either, it should be done via snail mail, or via their secure email facility.





1163 posts

Uber Geek


  Reply # 355910 24-Jul-2010 20:49

Detruire: Other than this one from RaboPlus, I don't think I've ever received an email from a bank.


You're right, I don't think I have received one either, and I bank with a lot of different banks, and I think it is the phishing risk that is the reason.

1937 posts

Uber Geek
+1 received by user: 53
Inactive user


  Reply # 355917 24-Jul-2010 21:27

Let's be honest though. Assuming someone phished for your login details, and even if they were able to use your login token within the required 36 seconds or whatever it is, what could they do? All they could do is push money around YOUR accounts, and in fact the digipass would be required to do this once they got in.

I'm not saying it excuses it, but the system is pretty robust in terms of not letting you pay funds from these accounts into ANY account not previously approved/nominated.

81 posts

Master Geek


  Reply # 355940 24-Jul-2010 23:36

What I want to know is why Rabo is introducing the new security "feature" of having to enter the last 4 digits of the Digipass serial number. Surely this would be pointless unless someone has figured out a way to predict the response codes. So I assume the worst. I wish they would be a bit more transparent with their customers.

I remember one of their blog posts about the Digipass. They stated "while we do not want to give too much away for obvious reasons" then left us with marketing junk. Flipping the thing over, and Googling the patent numbers told me exactly how the device worked. Anyone with the considerable skill needed to hack one of these would know all about the mechanics of it. I don't know why they insulted their readers' intelligence by withholding a simple explanation.

Anyway robbyp, you should mention that email on their blog. Maybe then they'll get some idea about security, instead of buying rights to a clever password token and thinking their s**t don't stink.

The current post is ironically "Identity Fraud costs Australians approx $1.1bn". They state "for us security is paramount – security of your money and your identity."

Well as all their customers now expect emails from them, some criminal can start spamming RaboPlus address and account details updates, plus "the new feature of credit card transfers", and get a lot of useful information. Thanks Rabo, I guess your pretty defender isn't all that much upstairs.

3044 posts

Uber Geek
+1 received by user: 467

Trusted
Subscriber

  Reply # 356070 25-Jul-2010 14:14

ahmad:

Perhaps it's time for another phone call. Do other banks link to their banking home page in emails?


Well, here's a typical account balance alert from Westpac (obviously, details are redacted):

*** Westpac Account Alert ***

The current balance of your ######## is $########.

Your money available is $######## at 7.00 AM on 26 Jun 2010.

To find out more please login to Online Banking.


----------------------------------------------------------------------


* You have received this message because you have subscribed to Westpac Alerts. If you no longer wish to receive this or other email alerts please change your alert settings within Online Banking.

* Please do not reply to this computer generated email as it will not be read or responded to.

* We will never send you email containing links to Online Banking. If you do receive an email claiming to be from Westpac that contains links to Online Banking you should delete it immediately.

* Remember that Westpac's Online Banking is covered by our Online Banking Guarantee.

The contents of this e-mail are confidential. If you have received this communication by mistake, please advise the sender immediately and delete the message and any attachments.
Nothing in this email designates an information system for the purposes of Section 11(a) of the New Zealand Electronic Transactions Act 2002. Westpac New Zealand Limited


Note the complete lack of any links. The email is sent in plain text format with no attachments, and they don't even give you the URL to the banking home page. They just tell you to "log into Online Banking" - assuming you know the URL. Blasted good practice if you ask me.

What's not so good practice, is that from the 1st August they're letting you reset your password online, using three "security questions" (personally, I always think these should be called INsecurity questions, as they REDUCE security, not enhance it).




I finally have fibre!  Had to leave the country to get it though.


1 post

Wannabe Geek

Trusted

  Reply # 357549 28-Jul-2010 08:43

Hi

Let me introduce myself - I'm Mike Heath the GM of RaboPlus.co.nz

Apologies for joining this thread so late in the piece, but I thought it important to both acknowledge what has been said and to also clear up a small misunderstanding.

We don't provide a link to our login page in any of our eDMs, for many of the same reasons as have already been stated in this thread.  The "Login" call-to-action/graphic always provides a link to our home page and not our banking login page.

That said, I can see how our current practice may have caused some confusion, so we'll take this feedback on board and we'll refrain from using the word "login" in any similar graphics/eDMs going forward.

Thanks for the feedback/comments.

Regards





Mike Heath
General Manager
RaboPlus.co.nz

http://www.raboplus.co.nz/blog/default.aspx


