
Online banking - John C. Kirk

Mar. 3rd, 2010

09:33 pm - Online banking


Comments:

From:johnckirk
Date:March 4th, 2010 12:04 am (UTC)
The basic idea of phishing emails is that people won't notice a fake website if it's sufficiently similar to the real one. Looking in today's spam emails, I've got a message which claims to be from egg.com but actually takes me to:
http://www.yuhantool.co.kr/yuboard/skin/board/support/img/index.htm
The real website is:
https://your.egg.com/security/customer/login.aspx?URI=https://new.egg.com/customer/youraccounts
The URLs look completely different, but the websites look quite similar.

Another approach is to make the URL look similar to the real one, e.g.
https://welcome27.co-operat1vebank.co.uk/
(I.e. an "i" replaced with a "1".)

Or:
https://welcome27.co-operativebank.example.co.uk/
(Sub-domain of different site.) I see that some enterprising company has registered the bank.com domain; if they were malicious (or got hacked), it would be pretty simple to set up convincing sub-sites, e.g.
www.barclays.bank.com

In your case, I'm sure that you do check the URL each time you log in, and you would spot a fake one. However, other people aren't so technically literate.

The catalyst for this post is that a couple of my work colleagues have wound up with fake anti-virus software installed on their machines. In one case I was able to clean up the laptop for her. The other person tried to "buy" the software, but it insisted on a zip code (which she didn't have), so she wound up paying Dell to clean the machine for her. Anyway, I've spent some time with both of them, trying to inform them about security. (I agree with what you've said before about user education.)

Ideally, I would just say to them "Always type 'https' at the start of the address, and make sure that you see the padlock. If you don't see the padlock, don't type in your password." So, for HSBC or PayPal, that's easy. For the Co-op, I have to say "Look closely at the address of the website, and make sure that it matches what you'd expect it to be", which is a harder skill.

For Santander, it's even worse, because the login page is on a completely different domain. I don't bank with them, so I vaguely remember seeing some posters about "Bank X is now Santander", and I assume that they used to be Abbey National, but I shouldn't have to research the corporate history before I log in.
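The two lookalike tricks described above (a confusable character swapped into the registrable domain, and a genuine bank name used as a sub-domain of an unrelated site) can both be caught by the check the comment recommends: extract the registrable domain and compare it against what you expect. The following is an added example, not code from the thread or from any of the banks mentioned; the allowlist, the tiny public-suffix table and the confusable-character map are all constructed for illustration, and the URLs it classifies are the ones quoted in the comments plus one constructed plain-http variant.

```python
from urllib.parse import urlsplit

# Constructed allowlist of registrable domains the thread treats as genuine
# login hosts. abbeynational.co.uk has to be listed explicitly, because the
# Santander login page lives there rather than under santander.co.uk.
TRUSTED_DOMAINS = {
    "egg.com",
    "co-operativebank.co.uk",
    "abbeynational.co.uk",
    "santander.co.uk",
    "barclays.co.uk",
}

# Constructed, deliberately tiny stand-in for the Public Suffix List; a real
# checker would load the full list so that registrable_domain() is accurate.
PUBLIC_SUFFIXES = {"com", "co.uk", "co.kr", "uk", "kr"}

# Digit/letter pairs that are easy to mistake for one another in an address
# bar. Mapping both sides to one canonical form lets "co-operat1vebank"
# match "co-operativebank".
CONFUSABLES = str.maketrans({"1": "i", "l": "i", "0": "o", "5": "s", "3": "e"})


def registrable_domain(host):
    """Return the public suffix plus the one label above it, e.g.
    'welcome27.co-operativebank.example.co.uk' -> 'example.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):  # try the longer suffix first ('co.uk' before 'uk')
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-n - 1:])
    return host.lower()


def canonical(domain):
    """Fold confusable characters so visually similar names compare equal."""
    return domain.translate(CONFUSABLES)


def check_login_url(url):
    """Classify a login URL as 'trusted', 'suspicious', 'lookalike' or
    'untrusted' and return the registrable domain plus the reasons."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    domain = registrable_domain(host)
    reasons = []

    if parts.scheme != "https":
        reasons.append("not served over https")

    if domain in TRUSTED_DOMAINS:
        verdict = "trusted" if not reasons else "suspicious"
        return {"verdict": verdict, "domain": domain, "reasons": reasons}

    # Character-substitution lookalike: identical to a trusted domain once
    # confusable characters are canonicalised.
    for trusted in TRUSTED_DOMAINS:
        if canonical(domain) == canonical(trusted):
            reasons.append(f"'{domain}' imitates '{trusted}' with confusable characters")
            return {"verdict": "lookalike", "domain": domain, "reasons": reasons}

    # Sub-domain lookalike: a trusted brand label sits to the left of an
    # unrelated registrable domain (e.g. barclays.bank.com).
    brands = {t.split(".")[0] for t in TRUSTED_DOMAINS}
    for label in host.split("."):
        if label in brands:
            reasons.append(f"trusted name '{label}' used as a sub-domain of '{domain}'")
            return {"verdict": "lookalike", "domain": domain, "reasons": reasons}

    reasons.append(f"'{domain}' is not on the allowlist")
    return {"verdict": "untrusted", "domain": domain, "reasons": reasons}


if __name__ == "__main__":
    # URLs quoted in the thread, plus one constructed plain-http variant.
    for url in [
        "http://www.yuhantool.co.kr/yuboard/skin/board/support/img/index.htm",
        "https://your.egg.com/security/customer/login.aspx?URI=https://new.egg.com/customer/youraccounts",
        "https://welcome27.co-operat1vebank.co.uk/",
        "https://welcome27.co-operativebank.example.co.uk/",
        "https://www.barclays.bank.com/",
        "https://myonlineaccounts2.abbeynational.co.uk/CentralLogonWeb/Logon?action=prepare",
        "http://your.egg.com/",  # constructed: right domain, wrong scheme
    ]:
        r = check_login_url(url)
        print(f"{r['verdict']:10} {r['domain']:28} {'; '.join(r['reasons'])}")
```

The registrable domain is the only part of the host the site owner cannot choose freely, which is why the check keys on it rather than on the full hostname: `welcome27.co-operativebank.example.co.uk` is classified by `example.co.uk`, not by the reassuring label in the middle. The flip side is the Santander case from the thread: a legitimate login host on a domain the user does not expect (`abbeynational.co.uk`) only passes if someone has put it on the allowlist, which is exactly the research burden the comment complains about.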
From:gaspodog
Date:March 4th, 2010 01:39 am (UTC)
More importantly than checking the URL, you just don't click links in unsolicited emails - most real banks state in their terms that they will never email you directly asking for any of your security details. In fact, the sensible ones never ask you to enter your whole password at any point in their login process either.

My bank remind me of this fact pretty much every time I log in. I'd have to be pretty unobservant not to have read this advice by now. I tend to be of the opinion that beyond a certain point, users have to take some responsibility - good advice on sensible practice is trivially easy to find.

I still can't believe anybody actually clicks links in unsolicited email... But then, some people give their bank details to the 419 scammers too.
From:johnckirk
Date:March 4th, 2010 02:29 am (UTC)
Yes, I agree completely about "don't click links in emails". However, if there are people who do that (and don't notice the wrong address) then they would also be at risk from a fake (http) website that redirects them to a fake (https) login page.
From:alexmc
Date:March 4th, 2010 08:31 am (UTC)
If you have been an abbey customer then you would have been bombarded with stuff telling you that they are now Santander. No "research" required.
From:johnckirk
Date:March 4th, 2010 10:22 am (UTC)
That's not really the problem; if I used to be with Abbey then I'd recognise their old domain anyway. But what if I'm a brand new Santander customer - would they bombard me with stuff saying "We used to be called Abbey National"?
From:alexmc
Date:March 4th, 2010 10:54 am (UTC)
If you were a new Santander customer then everything you see would now be Santander, not Abbey/Abbey National.
From:johnckirk
Date:March 4th, 2010 10:59 am (UTC)
No, you don't - that's my whole point! As I said in the post above, here is the link for the secure login page on the Santander website:
https://myonlineaccounts2.abbeynational.co.uk/CentralLogonWeb/Logon?action=prepare

Note that the domain there is "abbeynational.co.uk" rather than "santander.co.uk". So, as a new customer, should I be concerned that a completely different website is asking for my bank password?
From:alexmc
Date:March 4th, 2010 11:19 am (UTC)
Ah, I see. Thanks.