Security worries me... and Standard Bank.

Having just had my mind leveraged open to dodgy sounding technical words like Scroogle and CSS History Snooping (Angelina Jolie in Hackers couldn't have been that good - she never said shit like that!)... I was astonished to find the following mail slithering into my office InBox.


Look, I never click on this kind of stuff anyway - it just looks off. But hell man. "Turn on your Javascript and CSS". Alarm bells ringing in my new found security knowledge bank (please turn on the crappy features in IE that let us run external scripts on your computer). Then a nice looking button promising a more secure login? My mother would click on that.

What confuses me slightly... Are you allowed to run scripts inside email? If not, how did the button get there? And, surely most corporate filters will pick this up?

Nevertheless. Warning ladies and germs. There's a Standard Bank Email Scam on the go - and this one looks pretty good...

Comments

  1. Hi Cowboy

    Nice posting. Yes, it is always better to call your own bank if you are not sure of the authenticity of a mail or bank communication. Below is a press release that we sent out on Monday. We also sent all of our customers a letter warning them of the scam.

    Fraudsters have launched a new sophisticated phishing attack on Internet banking customers.

    Phishing attacks occur when fraudsters, pretending to be from financial institutions, send an email to Internet banking customers to trick them into revealing personal banking information. The recipient is usually told to visit a web site where they are asked to enter information such as Personal Identification Numbers (PINs), bank card details or bank account numbers. The fraudulent web site is generally identical to the financial institutions and customers would find it difficult to distinguish them.

    Peter Schlebusch, Deputy Chief Executive, Personal and Business Banking says," this latest attack is very high tech. The fraudsters ask customers to divulge very specific information like card and PIN numbers as well as e-mail addresses. The fraudsters have generated a carbon copy of Standard Bank's website to fool customers into believing they are on the Standard Bank website. Customers are lured to this site via an email. Standard Bank will under no circumstances ever ask its customers for this type of information. PINs are secret and only customers should know their own number."

    Several customers have, unfortunately, divulged their information and have had their accounts compromised. However no customers have suffered any losses.

    Standard Bank advises customers not to divulge personal information like card numbers and PINs to third parties.

    "Customers should view e-mails from strange sources with the same amount of suspicion as they would the person behind them in an ATM queue. Your personal details are just as vulnerable in cyber space as they are in the real world if the correct precautions are not taken. Customers acting responsibly by keeping their personal details confidential are our first line of defence against online fraudsters. Knowing and understanding the security environment is important so as to not fall victim to these syndicates," says Schlebusch.

    Standard Bank remains committed to protecting the integrity of its customers banking details and urges them to take effective security measures when transacting over the Internet. Customers should make use of the bank's free security and authentication offerings. Customers are urged to adopt the following security features and practices:
    Treat unsolicited email with suspicion
    Never divulge sensitive information.
    One-time password is a unique, compulsory and time-sensitive password used as added security on selected Internet banking transactions. The password will be sent by email or SMS and is valid for one Internet banking session. This service is free.
    My Notification is an email or SMS service that informs customers when profile amendments, new beneficiary additions, amendments to existing beneficiaries and once-off payments are carried out on Internet banking.
    Payment confirmation is a notification that informs both the payer and payee that a transfer or payment has been successfully completed.
    Standard Bank is the only local bank to offer McAfee Antivirus software free to its entire Internet banking customers. This antivirus and firewall software can be downloaded directly from Standard Bank's Internet banking website.

    Customers who are concerned that their personal details may have been compromised, should contact Standard Bank on 0800 020 600 or +27 11 299 4114, if they are calling from outside South Africa. Standard Bank's lines are open 24 hours a day. Customers can also email the bank at Standardbank-e-mailunit@standardbank.co.za.

    Regards
    Ross Linstrom
    Standard Bank Media Relation

    ReplyDelete
  2. The quick response to this is, don't view your e-mail in HTML. Plain text is the way to go with e-mail. You can turn this feature on in Outlook by:

    * Click Tools -> Options
    * Ensure the 'Read all standard mail in plain text' option is ticked.

    Then, if you get a mail which plainly has all sorts of fancy HTML that you *need* to see, turning HTML on *for just that mail* is two clicks away as the option is placed under the sender's name in the mail.

    To answer your question, CSS and JavaScript is allowed in mail, but mail clients go to all sorts of length to only allow 'nice' JavaScript, which just makes hackers try and find ways to trick it. It is far safer to disable it.

    ReplyDelete
  3. Really takes the pretty out of rich text, doesn't it?

    ReplyDelete

Post a Comment

Popular Posts