Are We Really Still Doing This in 2010?

Friday, August 20, 2010

Andy Willingham


Well something finally got my goat enough to cause me to sit down and write a blog post. Maybe it will become my muse and get me to writing again.

Today I received an email from one of the banks that I have an account with. It was a marketing email wanting me to sign up for electronic billing for those companies who offered it.

It’s not a bad idea except for the fact that if I don’t have the physical bill sitting on my desk I forget about it and end up being late with my payment. Still, electronic billing has its merits. It saves money, paper, trash, etc.

What got me, though, was that the email was filled with links.

“Click here to sign up.”

“View our list of billers”

“Click here to …..”

Of course my first thought was that it was a phishing email but it wasn’t. I did my research and testing and it’s all legitimate. This bothers me for a couple of reasons.

First, it’s just plain bad practice for a financial institution to send out email with links in it that take you to a login page. It teaches users to “trust” that the message really came from the bank and that it’s OK to click on the link and put in your credentials.

Secondly, when we are trying to teach users good internet and email habits, this goes against our teaching. It’s hard enough to teach them as it is, and harder still when they are getting mixed messages.

The third thing that bothered me was that it was not apparent from the URL that the links were going to the bank. They were redirected through a third-party marketing site. So now you have users who receive an email from their bank that has links in it that go to a different site than the one the link shows.

Hmmmm, sounds an awful lot like what the phishers do doesn’t it? 
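The check described above can be automated. The following is an added example, not code from the original post or from the bank in question: it pulls the anchors out of an HTML email body and flags two things phishing-style mail shares with this marketing mail, a link whose href host is not under the sender's domain, and a link whose visible text shows one host while the href goes to another. The sender domain `examplebank.test`, the tracking host `links.marketing-mailer.test` and the sample HTML are all constructed for illustration.

```python
"""Flag links in an HTML email whose visible text and actual href disagree,
or whose href leaves the sender's domain (e.g. via a marketing redirector).
Added example; domains and sample HTML below are constructed, not real."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample input (assumed, not the real email from the post).
SENDER_DOMAIN = "examplebank.test"
SAMPLE_HTML = """
<p>Sign up for e-bills today!</p>
<a href="https://links.marketing-mailer.test/c/abc123">Click here to sign up.</a>
<a href="https://links.marketing-mailer.test/c/def456">www.examplebank.test/billers</a>
<a href="https://www.examplebank.test/ebills">View our list of billers</a>
<a href="http://www.examplebank.test.evil.test/login">https://www.examplebank.test/login</a>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a href=...> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def under_domain(host, domain):
    """True if host equals domain or is a subdomain of it.
    The dot-anchored suffix test rejects look-alikes such as
    'examplebank.test.evil.test'."""
    host = host.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def looks_like_url(text):
    """Visible link text that the user will read as an address."""
    t = text.strip().lower()
    return t.startswith(("http://", "https://", "www."))


def text_host(text):
    """Host that the visible text claims, e.g. 'www.examplebank.test'."""
    t = text.strip()
    if "://" not in t:
        t = "http://" + t
    return urlparse(t).hostname or ""


def audit_links(html, sender_domain):
    """Return one finding per link: href, text, href host, and a list of
    reasons it should be treated with suspicion (empty means it looks fine)."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        reasons = []
        if not under_domain(host, sender_domain):
            reasons.append("href host %r is not under sender domain %r"
                           % (host, sender_domain))
        if looks_like_url(text):
            shown = text_host(text)
            if not under_domain(host, shown):
                reasons.append("visible URL host %r differs from href host %r"
                               % (shown, host))
        findings.append({"href": href, "text": text, "host": host,
                         "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_links(SAMPLE_HTML, SENDER_DOMAIN):
        status = "OK  " if not f["reasons"] else "WARN"
        print(status, f["href"], "|", f["text"])
        for r in f["reasons"]:
            print("      -", r)
```

On the sample, only the direct `www.examplebank.test/ebills` link passes; the two tracking links leave the sender's domain, and the last one is the classic phishing shape where the text shows the bank's host and the href does not. Note that this only looks at where the href points, not where a redirector finally lands; confirming that would mean following the redirect chain, which is exactly the "research and testing" a user should not be expected to do.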

Of course, since it worked the way it was supposed to this time, the users are getting numb to the danger. So when they do get a phishing email, why wouldn’t they trust it, since the bank is teaching them to trust emails that appear to come from it?

I’m hoping that this was done without any IS oversight and/or approval. I know that often marketing departments have the freedom to do such things without running it by security and I hope that is what happened.

If it was approved by security I have a real problem. Enough so that I may have to close my account. If they let things such as this get by then who knows what else they are letting by that may really cause me problems.

Cross-posted From AndyITGuy

Don Walrus Andy,

As I was reading through your post, I kept saying "This *couldn't* have gone through IT/IS approval...". Let's hope not...
Adron Hall You're asking why the banks are sending that crap out, I gotta ask why you're still using snail mail to get your bills.

That really begs the query, "Are we still doing this in 2010" ?!?!?!

You know how much that nonsense costs banks, and in addition that how much fuel, wasted paper, and other non-technically advanced mess it eats up?

Modernize just a little bit and start using electronic bill pay, and prospectively, write to the IT/Security Department and tell them they need to get their act together.

..but really, you're complaining about something that you appear to be part of the problem for. If people would use the intelligent tools available, some dunce wouldn't be sending you an insecure mess of an e-mail.

...just sayin'.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
