74 comments

[ 2.9 ms ] story [ 73.7 ms ] thread
For me, the money shot is Chapter 4: the bank needs to be held legally accountable of gross negligence for sending phishing-resembling emails to customers.
How do you hold someone legally accountable for a non-crime with no identifiable victims? Especially for "gross negligence", when the negligence is very clearly minor.
The naive people in decision-making positions often don't realize the risks involved in their behavior until they or someone near to them gets hurt -- in this case scammed or sued.

We used to have a lot of people like this running businesses in the US before roughly 2012, but white (and black) hat hacking began spreading quickly and made generally short work of the problem.

User facing tech and marketing practices at banks are the worst. Every Indian bank login form I've ever had to use is

- hostile to password managers.

- You cannot copy paste passwords.

- Client side password hashing

- Stupid requirements like the password cannot have more than 15 characters and even have a whitelist of character sets! (Looking at you HDFC)

- And of course, run of the mill spam

They are all stuck in the early 2000s.

Heh, we did something similar at the bank where I work. Our marketing department, tasked with getting people to complete some "ongoing due diligence" (a bank term, part of KYC), sent out a bunch of SMS' with links to a page (on a non-core business domain) where we then asked customers to enter a bunch highly personal information. The SMS contained a lot of scary language about your account getting blocked and stuff.

I didn't know about it before my grandmother handed me an article from the local newspaper and told me some of her friends were worried about it. We laughed and I took the newspaper clipping to work and posted it on the wall of failures. Everybody in IT could immediately tell that this was a pretty bad idea, but we weren't asked.

I'd link the article and provide more details, but I'd have to visit my local library, and maybe later.

My bank uses a fraud detection system that calls you if suspicious activity is detected on your account. It then asks you to call back a number to verify the account activity. Every time they call, they provide a different callback number. Searching for the callback number online yields only one result, which is the fraud detection systems web page telling you to NOT trust phone calls of any kind (their advice is solid, but it tells you to not respond to their own legitimate calls)!
More. I work with a bank that sends text messages asking if you issued a check for $x amount.

Problem is, one of the most common check frauds is check washing. The PTO line is changed to a fraudulent name, and the amount stays the same. So, yes, the amount matches a legitimate payment, but who was paid? Ha!

Speaking of normalizing bad habits, does anyone else remember when you were supposed to only ever enter your password into a site if you'd entered the address yourself (or used a bookmark), because if some other site had redirected you there it might be a fake?

And then now we've got OIDC.

Consumer-facing financial services in Germany are really bad at this, and it is not just Sparkassen: a few years ago an email supposedly from our corporate credit card provider to all of the foreign nationals at our company asking for scans of their passport photo pages triggered a deluge of phishing reports to IT, who had to subsequently inform everyone that yes, the email did indeed look exactly like a phishing attempt, but no, it was real.

I don't really know why the situation is so terrible -- there are many good and competent security professionals working in corporates in Germany -- but perhaps as the post alludes to it is due to a lack of legal or regulatory pressure to date.

My bank has implemented suggestions I've given them in the past (USAA), but recently they used a different domain for a legitimate-seeming email (the email was about something I just did, and it was to an address I only use with that bank), and I called them up and spoke with someone in their fraud department to ask about it. I told them either they were hacked, or they were training their customers to fall for phishing, and asked them to create a ticket.

They said that domain name was not theirs, and they only use usaa.com in their emails. They locked my account without telling me. I had to call them back to get them to unlock my account, and I think that person in their fraud department understood the issue and they said they created a ticket.

We shall see...

Do these banks not have insurance companies looking at this liability and saying "no you goddamned idiots, we are not covering you."
My bank:

“Hello this is your bank can I please confirm your personal details?”

To verify your account during online customer service calls, Comcast will text you a six digit 2FA looking auth code which you must provide to the Comcast customer support. Guys.
> “Here is your Sparkasse. A very important document is waiting for your signature. Please visit paperless.io/548fkjgd7f to continue.”

I mean this is just ... incredible. Are they living on the moon? Many real phishing messages are even more sophisticated than this.

I know this from sport events but often the lottery or prize draw are organised by external marketing companies. So likely this is one reason for not making it a subdomain.

The other is that Germans seem very bad at this kind of stuff. Why the heck would the application for the German passport or Ausweis be published by some random GmbH and not Bundesregierung.gov?

I find there are a lot of people who just don't "get" written communication.

Once I got a vaccination, and in order to do it I had to fill out a form where I chose the arm. The form said to circle either "right or left."

The word "right" was on the left and "left" was on the right.

I pointed this out to the nurse and she laughed, and then realized her error, because she made the form.

This seems like it was correct - the view of the front of the body shows a third-person view. The labels are relative to the subject (first-person).

Or in other words, looking at me, my right arm is on your left.

> So the next idea is to register the domain as a subdomain

I think the problem is, someone in the IT department understands the high risk associated with handing out subdomains, so they refuse to do it. So other parts of the company "work around" this by registering their own domain name.

I wonder how companies like Google handle this. A subdomain of google.com is probably the most valuable hack target in the world, but google does use subdomains occasionally (...or maybe more than occasionally! https://gist.github.com/abuvanth/b9fcbaf7c77c2954f96c6e55613...)

Google handles it in the same shitty way. They send mails that could be phishing mails and use not only google.com but many other weird domains like goo.gl or foobar.google and so on.

Terrible. The times were one could rely on them have long passed.

gewinnen-mit-wero.de: It is pretty common to use a dedicated domain for a large campaign so that the spam complaints don't hurt the deliverability of your main domain.
Some of the worst practices I've seen are from FedEx. When you order an international package, you get a text from some random FedEx employee's personal mobile number, containing a link to a website where you're meant to enter your credit card details to pay import duties. WTF? NO. I've called up about it and the support team were just like "ugh, yes, I know, yeah that's actually probably legit."
It seems to me the better and simpler solution is to continue teaching your users that this pattern this bank engages in is in fact still the pattern of hostile actors and let the bank deal with the consequences.

The system will surely rectify itself eventually when their spammy, manipulative, promotional banker campaigns do not produce results (is that a bad thing?) and they seek out firms that do produce results based on knowing what they are doing.

The author could even use it as an opportunity to promote his or someone else’s services and use this write-up as an artifact of evidence.

I don’t want to get too generalizing, but it is a perspective that does not surprise me coming from what seems to be a German, for better or worse. Complaints about not being in compliance with universal norms instead of taking advantage of a presented opportunity to break ranks for one’s their own individual advantage, strikes me as a very German perspective; like I said, for better or worse, without judgement, since both of these perspectives have their advantages and disadvantages.

I know of a bank that it asked for every piece of PPII they have on you for account validation. This allows their phone support folks to have every piece of information to steal your identity.
I see Conway's Law at work here. The marketing department must have its own IT department separate from the IT that maintains the core website and business functions. It's impossible for them to get on the same web domain (much less build something in the phone apps). Instead, they built their own disparate site and experience.
My bank used to call me with random marketing crap, and insisted on telling them my birthday and my mother's name before they can reveal their latest exclusive offer or some other crap. They were always dumbfounded when I retorted that it is them who need to prove that they're really calling from my bank first.
Between '06 and '19 I was a client of bank that proudly bear the title of "pioneer of online banking" here and tbh, they actually were. You won't met anybody in Poland who wouldn't have contact with that brand one way or another.

I opted-out for all marketing purposes once they allowed to do so but yet, I was getting random calls from bank and 3rd parties. One day I called them because I had login issues on Windows Phone. I did mention to consultant that I was getting these calls and in return lady hit me with quite a revelation: they had a single opt-out that was only available if you called them.

> "The SSL certification is from Let’s Encrypt and not from one of the major root CAs"

This is NOT a reason to distrust a website.

My bank has a secure messaging system inside their website and app.

However every time I use it, instead of answering through the secure channel, they try to call me on the phone.

Now they've put out security warnings about scammers impersonating bank staff making calls to customers.

I use USAA for banking.

Something they do when they initiate a call to me on the phone is they start by making sure they are talking to me (they don’t ask me to prove it) and making sure I have the app on the my phone or access to a web page.

Then they initiate a MFA check within the app. I have to get it and read back a number. Then they ask me for my phone PIN or password. Once that’s done, then we can start talking.

This is pretty bad, but not as bad as Plaid asking for my bank account log-in credentials.