It's time for my Friday afternoon rant. But seriously, this is so appalling it really makes me wonder.
Here's some background first. The New Zealand Bankers' Association has recently updated its code of practice; it now includes several key points that relate to loss (and who is subsequently liable) when someone has their account hacked, phished, or their account details stolen after being infected with a virus, e.g. key-logging software.
The key additions to this code of practice are:
You may be liable if an Unauthorised Transaction occurs after you have received the means to access Internet Banking, if for example, (but not limited to) you have breached our terms and conditions by doing the following:
You have used a computer or device that does not have appropriate protective software and operating system installed and up to date;
You have failed to take reasonable steps to ensure that the protective systems such as virus scanning, firewall, anti-spyware, operating system and anti-spam software on your computer are up to date;
OK, that seems fair.
We reserve the right to request access to your computer or device in order to verify that you have taken all reasonable steps to protect your computer or device and safeguard your secure information in accordance with this Code. If you refuse our request for access then we may refuse your claim.
Ummmm, OK, that seems fair, but I have plenty of reservations over who sets the standards, and who is responsible for the computer forensics experts who will be investigating your machine.
But you see, all this is well and good assuming the banks themselves follow what I would describe as reasonable protocol. They are not doing this, and if this trend continues, I would argue that the banks themselves are always going to carry the liability. Their own negligence is socially engineering people into accepting that they may see, be part of, or be asked to interact with a banking system that operates outside of recommended guidelines.
Now, if you're wondering what on earth I am on about, take this email I just received.
First thing, my bank, in this case is
Kiwi Bank www.kiwibank.co.nz
Today I received an email from
Sam Knowles, the CEO from Kiwi Bank
But the email address used is survey@colmarbrunton.co.nz
OK, that's not good, but being a knowledgeable-type person, I know that Colmar Brunton does polls... I think... I'm actually not sure.
The email goes on to read:
As part of our commitment to providing you with the best possible service, we survey our customers from time to time so we can obtain valuable feedback. Your name has been selected at random from our customer base, and we very much hope you will find some time to complete this survey from our research company, Colmar Brunton.
Please click on the link below to go straight to the survey. (If you do not wish to complete this survey, please reply to this email.)
http://survey.cbrak.co.nz/scripts/dubinterviewer.dll/frames?Quest=1007<removed>
If you are asked for your code and password these are:
Code: <removed>
Password: <removed>
If you have any questions about this survey please call us on:
Auckland 336 1133, Wellington 473 1133, from anywhere else 0800 11 33 55
I've obviously removed the code and password they gave me, but who the heck is http://cbrak.co.nz, and why is http://colmarbrunton.co.nz sending me emails about my bank? Aren't I told to only trust Kiwi Bank when the website is http://kiwibank.co.nz?
To anyone who knows about such things, they'll spot this for exactly what it is: complete and utter junk. Others who aren't as internet savvy will perhaps consider this standard practice. But my question is then: if people accept this as standard practice, and banks continue to operate in this manner, who is responsible for falling victim to a phishing attack? The user for entering their details, or the bank for allowing me to believe I should trust sites I've never heard of?
Now I know that this is only a survey, but it's a legitimate survey email using terrible email practice. It's educating users in entirely the wrong manner, and is going to cause more confusion in an already confusing world.
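The check the post is really describing is a simple one: does the sender's domain, and does every link in the message, belong to the one domain the bank has told its customers to trust? The script below is an added example (not the author's code, and nothing Kiwibank or Colmar Brunton publish) that applies exactly that rule to a constructed copy of the survey email, using the domains quoted in the post. The trusted-domain list containing only kiwibank.co.nz is an assumption, standing in for whatever the bank actually publishes, and the sample message is constructed from the text above rather than captured from a real mailbox.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the only domain the bank tells customers to trust is its own.
TRUSTED_DOMAINS = {"kiwibank.co.nz"}

# Plain http(s) URLs in a text body; stops at whitespace, quotes or angle brackets.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def is_trusted(hostname, trusted=TRUSTED_DOMAINS):
    """True when hostname is a trusted domain or a subdomain of one.

    Matching on the dotted suffix means 'www.kiwibank.co.nz' passes but
    'kiwibank.co.nz.example' (a look-alike on a different registrable domain)
    does not.
    """
    hostname = (hostname or "").lower().rstrip(".")
    return any(hostname == d or hostname.endswith("." + d) for d in trusted)


def _text_body(msg):
    """Concatenate the text/plain parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def analyse(raw_message, trusted=TRUSTED_DOMAINS):
    """Return (kind, value) findings for everything in the mail that falls
    outside the trusted domain set, plus a flag if the body hands out a password."""
    msg = message_from_string(raw_message)
    findings = []

    # 1. The envelope-visible sender: display name says the bank, address says who?
    _display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    if not is_trusted(sender_domain, trusted):
        findings.append(("sender_domain", sender_domain))

    # 2. Every link the reader is asked to click.
    body = _text_body(msg)
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if not is_trusted(host, trusted):
            findings.append(("link_domain", host))

    # 3. A message that supplies a password is training the reader to type one.
    if re.search(r"\bpassword\b", body, re.IGNORECASE):
        findings.append(("credentials_in_body", "password"))

    return findings


# Constructed sample, reproducing the survey mail quoted in the post.
SAMPLE = """\
From: Sam Knowles <survey@colmarbrunton.co.nz>
To: customer@example.com
Subject: Kiwibank customer survey
Content-Type: text/plain; charset=utf-8

Please click on the link below to go straight to the survey.
http://survey.cbrak.co.nz/scripts/dubinterviewer.dll/frames?Quest=1007
If you are asked for your code and password these are:
Code: <removed>
Password: <removed>
"""

if __name__ == "__main__":
    for kind, value in analyse(SAMPLE):
        print(f"{kind}: {value}")
```

Run against the sample, it reports the sender domain (colmarbrunton.co.nz), the link host (survey.cbrak.co.nz) and the password handed out in the body. The point is that none of these findings needs any knowledge of who Colmar Brunton or cbrak.co.nz are: a customer who applies the bank's own "only trust kiwibank.co.nz" rule has to reject this legitimate mail, which is exactly the author's complaint.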
Hi ya,
I get this type of crap all the time, from supposed legit banks that someone with very limited intelligence seems to think that I use. I have gotten them from my own bank, and have contacted them in regards to same, and was told that yes, they used the company in question, but why they were contacting me privately on an email address that I do not use except for job searches they had no idea. I get them from banks in the U.S. wanting my information for logging in, as well as from other banks that I am familiar with but don't use here in Canada. I have contacted a couple of them and have their security department email addresses, to whom I immediately send the mail asking for my information. Here, though, they ask you to go to such and such a website via the enclosed link and update my online access agreement, which I know is phony as there is none in place in any bank. The other missives I receive are the ones wherein the fraudster claims to be a lawyer, or the son of someone who has just passed on, asking for help in getting their father's millions out of the country. Those and others like them I immediately consign to the trash bin. I regularly use FireTrust's MailWasher and Benign to keep my mail safe, and I'm very glad that I took the time to try it.
Regards,
Walter Reinhart