A lesson some could learn the hard way: Don't fully trust your bank staff!

We all know that malware threats are real, and people who do home-banking should always be more careful than any other person.

I've been digging through some banks security pages, at my country, including the one where I have an open account and the ones where relatives also have open accounts. I wanted to see if they were offering apps like Prevx SafeOnline or Trusteer Rapport.

In my bank account security page, along side some very useful information there's also information that WILL lead their costumers to infect/install in their systems ROGUE antimalware applications.

Examples of such:

-http://www.urlvoid.com/scan/spywarebot.com
-http://www.urlvoid.com/scan/nuker.com
-http://www.urlvoid.com/scan/noadware.net

They do mention other well-known and REAL security applications, but nonetheless, how the hell does something like this happen? I would expect more investigation before advising anything to clients.

I wonder how many more banks out there are advising ROGUE software without realizing it?

Obviously, I'll be in touch with them! This is worrying!

 

OK. I've been until now in a web chat session with this bank staff; the other options were to pay a phone call or enter personal information in an insecure (http) form.

Surprisingly, the web chat form was in https.

They wanted me to "send" an e-mail with the info I had in possession by using the on-line form, which is under protocol http. No way! I've spent quite a few minutes explaining such form should and must be in https protocol, and explaining that was precisely the reason I wouldn't enter such information.

I kept asking for a real e-mail address, which they never ended up providing, but I was made the promise they were going to pass this information to the responsible team.

I'll give them some time until they fix it; if they don't, I'll start a new web chat session asking why not. If they do nothing, I'll look for the most convenient way of bringing this to this attention of their clients.

 

This is simply unbelievable.

A full week has passed us by, and the situation still wasn't solved! The bank is still providing information on what security applications their clients could get, and among them, rogue security software.

I provided them with more than enough information, explaining them that, in fact, we're dealing with rogue security software!

They did nothing to solve this unacceptable situation. I wonder, does it really take a week? In my book, it should had been solved in the next day after getting in touch with the technical support team (~1 AM).

They're endangering their clients! It's 100% unacceptable, and I gave them until now, so they could fix it. They clearly didn't care about it, otherwise why wouldn't 1 week suffice? I provided all the info it was required to show them we're dealing with rogue security software.

My next move, considering they didn't care less, will be to once again demand (It's my right, also as client, to demand this situation to be rectified.) it's fixed within 24 hours. If it's not, then I'll send an e-mail to the TV stations public channel and private channels explaining this situation. They're always up to scandals. And, for sure, this will make them not make these mistakes any more.

I did give them more than enough time to solve this mess!

Outrageous!

 

m00nbl00d, what you describe is amazing (I mean the rogue software part), but the inaction is not surprising.

Why not threaten them with changing banks? And advising your relatives to do the same? I am not convinced that even that would spur them into action, but I believe it speaks the loudest to them. I mean, look at it this way... if they were concerned about security, they wouldn't have the rogue software links on their website, right? It's like talking to a smoker about good health (sorry all you smokers out there!).

I applaud what you are doing. I only hope that you are in contact with an individual who is capable of comprehending what you are saying. I fear that may not be the case.

 

Yes, that may be the case that I talked to someone who lacks the knowledge, still I did provide links to plenty of information, clearly showing that we're dealing with rogue security software.

I'll be writing an e-mail to send to relatives, so that they also re-forward them as well to their friends who may be clients of the bank, and also provide them with the information I gathered, like analysis etc. Even if they're not geeks/expertized in these matters, it should be enough to show them without any mistakes what's happening.

In the very least, they'll be complaining to the bank and demand for answers. As a last resource, I'll be sending the info, as previously mentioned, to TV stations. They adore scandals. It's not like I didn't warn the bank first. I did warn them and provided all info I gathered, and gave them a week to solve this mess.

I'll also be in touch with the bank, once again, asking why it remains like this, and also to demand them that they send letters to all their clients explaining such situation and that if they did install such rogue security applications, to clean their systems.

This is a case to say (unfortunately), that I hope this bank clients are ignorant and didn't go check the bank's security suggestions. Hopefully, they have real security. So I hope!

 

One bright side to all this is that at least you and your family members have been alerted to the rogue security software links and will not be compromised in any way. Your concern at this point is for others.

It certainly is a bone-headed mistake on the bank's part.

 

Yes, indeed. I want to think others would be doing the exact same thing if I were in their shoes.

It's also amazing the difficulty anti-malware industry seems to have to flag this rogue crap. For example, one of the rogues sample was submitted in late 2010, and by now only half of the ones that figure VirusTotal detect it. (This is another matter, though. )

 

Good move ... newspaper's probably a good idea too, if you can find an appropriate contact there.

Too many commercial (and, for that matter, government) operations don't seem to realize that the most powerful weapon consumers can use is the media. Plus far too many in power don't seem to have woken up to the fact that in this internet era, public opinion can spread worldwide in seconds.

 

Absolutely correct!

Anyway, I've initiated phase 2 (phase 1 was getting in touch with bank, without any positive (re)action) - sent an e-mail to relatives and asked them to send to all their friends, even if not using the same bank, because they may have friends who do.

Hopefully, phase 2 will make phase 3 (media contact) stronger, if phase 2 fails to achieve the purpose - rectification of the links to rogue software.

I also asked in the e-mail I sent that the bank clients DEMAND for the all service to be provided in https and not http!

 

What is your bank called anyways? Just curious.

 

I hope you won't mind that I will not disclose such information. Also, as a way of safeguarding myself. Specially, but not only, considering this is not a forum from my country and therefore there would 0 interest (I'm seeing it from the bank's attorneys perspective!) mentioning the bank's name.

I'm making use of the proper channels to make the bank rectify this situation. I already contacted a week ago and so far they did nothing. My next move was to send this alert via e-mail to relatives and for them to re-forward the e-mail to friends as well. Hopefully more clients of this bank will be aware of what is happening and demand for the bank to rectify it.

I'll wait a few days and see what the e-mail brings to light, which should also give more time to the bank to rectify the situation.

If nothing great comes out of this, then I'll contact the media for a much broader communication of what is happening. People from my country must be alerted for this situation; even if this was a smaller bank I'd be doing the same, but it's not such type of bank, and therefore millions of people are clients of this bank.

I merely stated at this forum what was happening, so that other people could also have the initiative of verifying what their banks advise as security measures (including what applications they mention) and be alert for any possibility of advising rogue security applications.

Again, I hope you understand.

 

You should E-Mail Dave Ramsey, a financial guru with some common sense.
He is in the media and will answer questions and would probably know whom to contact if your current channels are unproductive. He takes questions live on TV if you want to go the public media root, a very large following.

 

@m00nblood: I understand. Hope you'll be successful in the end.

 

I'd go to Cnet, they love this kind of story and should be able to keep up with the subject matter.

 

That's another good point that more banks should follow.
I don't think I'm risking any of my own security by saying I do all my banking through TD Canada Trust, one of the largest in Canada (from merger of Toronto-Dominion and Canada Trust something like 4 or 5 years ago). Their entire site, including front page which is primarily news release and general notices and some ads, is strictly HTTPS even if you don't get into personal-account areas.

 

This still isn't the news one were to except, but some great news also.

I decided to write an article explaining the situation and providing links regarding all my research done so far. The feedback has been great and a few suggestions also given to broadcast this situation even further, such as contacting the central bank, which controls every other bank.

I also contacted a few teams of bloggers (well known blogs here, that write about computers, software, security software, events, etc). One of them, already provided feedback and told me they're in the process of writing an article based on the research I've done.

These blogs/websites have a great amount of readers, and therefore it will create a greater exposure of such situation!

I just wanted to keep you posted on any evolution achieved so far.


Regards

 

GREAT NEWS!!!!

Yesterday, after posting this issue at two local forums (the two most visited and greatest forums) and also a team of bloggers posting about it, the afluence of visitors to their site must have been so great that it finally got their attention.

Result?

Moments ago, I was alerted by an user from one of those forums that the information regarding the rogue applications has been removed!

Coincidence?

 

Not coincidence, but the results of a group effort led by you.

 

There's still one issue that remains to be solved, but I guess this one will take longer. It's regarding https. Some parts of the bank's site are provided in http, and specially one where clients need to input their name, street address, zip code, phone number, email and IRS number (I'm not sure what's the English name for it.). This is simply unacceptable.

I'll wait like a month or two, and see what happens. It should be enough for them to get the money for the secure connection and digital certificates.

 

Social Security Number in the U.S., SIN (Social Insurance Number) here in Canada.

 

Yes, so I was told, regarding U.S, at least. Here, our Social Security Number is not related to SSN (United States) and SIN (Canada). Our NIF is the equivalent to SSN and SIN. Great to learn something new.

Botton line, different name, same purpose - track us down!

 

Only now it stroke me one tiny detail. It's true that the information regarding the rogue security software has finally been removed, but there's still one problem that remains to be solved regarding this situation: There's no idea to know if and how many clients have downloaded and installed such rogue security software.

This made me decide to want to insist on this rogue security software issue, and make pressure, to the most extent possible, so that the bank decides to send a letter to all clients explaining such situation and that if they have any one of the mentioned (by me) rogue security software, and if they can't solve the problem by themselves, they should go to a computer shop or even format it. One never knows what these rogue security applications do behind the scenes.

At least, I would never trust a machine infected with a rogue security application, even after removing it, without being sure it's 100% clean.

Would this be the most wisest move to do? Or, would it become too much for a one-man show?

-edit-

Personally, I don't think the idea is too crazy, considering the bank does send some crappy magazine from time to time, and even advertisement with it. If they can afford to send such crap to their clients, they sure can afford to send such letter informing their clients about the mess they created.

 

I don't remember when, but a few weeks ago I went to the bank's website, and it still wasn't 100% covering https, including an initial login. It was as always.

Moments ago I went to the website and it's now in https.

The website was also redesigned. It's appealing now.



So, now I can say my quest is over.

-edit-

It seems they also learnt their lesson. Now they're not suggesting any security software. Only general security tips.

 

Well, I hope so... Because, I think I've found a new fight!!

Quite some time ago I made contact with a consumer protection association, due to something. After a while, my e-mail address started to be spammed by them.

I got in touch with them, and I was told they were going to put my e-mail address in a database that would automatically exclude me from such spamming (I actually demanded for my e-mail address to be erased from their database.).

They said it would take 3 months (something to do with legal stuff, according to them) to take effect.
I waited the 3 months, and nearly on 4th month, I'm still getting spammed, and I've sent a new e-mail, a few days ago, asking why such is still happening. No answer.

I'm going to expose this situation. It's an abuse. The real problem is that they probably sold/gave away (I doubt about the latter option) my e-mail to the advertisement companies WITHOUT my consent!

I'm pretty sure this is illegal! I'm going to expose this, by providing parts of the e-mails sent and received, including the spam and the promise they would fix this mess.

Now, let's see if they will enjoy (bad) advertisement against them.