Geekzone: technology news, blogs, forums
  Reply # 357560 28-Jul-2010 08:55
MikeHeath: Hi

Let me introduce myself - I'm Mike Heath the GM of RaboPlus.co.nz

Apologies for joining this thread so late in the piece, but I thought it important to both acknowledge what has been said and to also clear up a small misunderstanding.

We don't provide a link to our login page in any of our eDMs, for many of the same reasons as have already been stated in this thread.  The "Login" call-to-action/graphic always provides a link to our home page and not our banking login page.

That said I can see how our current practice may have caused some confusion so we'll take this feedback on board and we refrain from using the word "login" in any similar graphics/eDMs going forward.

Thanks for the feedback/comments.

Regards

Hi Mike, thanks for your post.

I acknowledge that you made the change from linking to your LOGIN page to your HOME page, but from my point of view (and it seems others here do agree), by inviting people to click links from email to even your HOME page, you are inviting trouble by going against the "best practice security advice" that is provided to mum and dad users - that being that you should never click links from emails to get to banking websites.

I think it goes against the logic and security advice to provide ANY links to your pages.

The way I see it, I could create a SPAM/phishing email which purports itself to be from RaboPlus and invites people to click to the "HOME" page which is not actually your page (ie. some phishing site). From there I could provide a site looking exactly the same as Raboplus.co.nz, including a "login" link which would obviously have users believing that they are at the official RaboPlus login site.

If I am wrong with anything I've said here I am more than happy to be corrected.

Thanks again for taking the time to read and respond.

Yours sincerely,
Loyal RaboPlus customer.



  Reply # 357828 28-Jul-2010 16:59
ahmad:

Totally agree. It is good to see Rabobank responded, however I am concerned they don't see the potential security issues with having any form of hyperlink in their email. Other banks don't do this, for this exact reason. Having hyperlinks in the email is a major issue, as that means that phishing systems that target banks' customers may produce an email that looks identical to raboplus's emails, and have a link in them that goes to their own phishing website. Whether it is a link to the login page or not is irrelevant, because once a customer has clicked on a link and is on the phishing website, the phishing website may then have its own login page, which will then be used to harvest login details. The good thing about raboplus is that they do have the security token system which perhaps solves the phishing problem, but that shouldn't be used as an excuse for best practice.

I know someone who got the raboplus email and asked me whether it was legitimate, as they had heard about these phishing scams, and they saw the email had a link. I told them to delete it to be safe, because any important information a bank sends you should not be sent via unsecured email.

  Reply # 357842 28-Jul-2010 17:17
Agree with the posters before me, having a hyperlink in a bank email is bad for two reasons.

1. It trains people to click links in bank emails.  Now they are also trained to click links in phishing emails that vaguely resemble bank emails.  And since the phishers know which bank puts links in its emails.....

2. Internationalization/Unicode type attacks where a carefully crafted phishing URL containing particular unicode characters can look for all the world like the valid ASCII URL for the phish target, even if you look real close.  

Links in emails from banking organisations are bad mm'kay.
---
James Sleeman
I sell lots of stuff for electronic enthusiasts...
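As an added illustration of the two risks raised in this thread (not code from any poster or from RaboPlus), the script below checks links found in an email the way a mail filter or a cautious recipient might: it flags any host that is not on a small allowlist, and separately flags the Unicode/punycode look-alike hosts described in point 2 (mixed scripts, non-ASCII, or an `xn--` label). All hostnames and the allowlist are constructed examples.

```python
import unicodedata
from urllib.parse import urlparse

# Constructed sample links as they might appear in an email body. The second
# one uses U+0430 (CYRILLIC SMALL LETTER A) in place of Latin 'a'; the third
# is a made-up punycode label, not the real encoding of any domain.
SAMPLE_LINKS = [
    "https://www.raboplus.co.nz/",
    "https://www.r\u0430boplus.co.nz/login",
    "https://xn--rboplus-4kg.co.nz/",
    "http://raboplus.co.nz.example-phish.test/home",
]

# Hosts the recipient actually expects mail from (assumed allowlist).
ALLOWED_HOSTS = {"raboplus.co.nz", "www.raboplus.co.nz"}


def script_of(ch):
    """Coarse script name taken from the Unicode character name, e.g. 'LATIN'."""
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def analyse_link(url):
    """Return (host, reasons); an empty reasons list means nothing suspicious."""
    host = (urlparse(url).hostname or "").rstrip(".")
    reasons = []
    if host not in ALLOWED_HOSTS:
        reasons.append("host-not-allowlisted")
    # A punycode label means the displayed name may contain look-alike glyphs.
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode-label")
    if any(ord(c) > 127 for c in host):
        reasons.append("non-ascii-host")
        # Latin letters mixed with another script is the classic homograph.
        scripts = {script_of(c) for c in host if c.isalpha()}
        if len(scripts) > 1:
            reasons.append("mixed-scripts")
    return host, reasons


def flag_links(links):
    """Map each suspicious host to the reasons it was flagged."""
    return {host: reasons for host, reasons in map(analyse_link, links) if reasons}


if __name__ == "__main__":
    for host, reasons in flag_links(SAMPLE_LINKS).items():
        print(f"{host}: {', '.join(reasons)}")
```

The allowlist check alone catches the plain phishing domain; the script checks catch the case where the host looks byte-for-byte like the real one to a human but not to the resolver.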