We used to have a lot of people like this running businesses in the US before roughly 2012, but white (and black) hat hacking began spreading quickly and made generally short work of the problem.
There's almost a catch-22: setting good, effective policies tends to involve a lot of telling people "no". And it's hideously difficult to do that without ruffling the feathers of people who control promotions.
It doesn't make any sense to me because it's expensive to make sure your company's services are secure, but it's also expensive to not be secure. Perhaps it's less expensive to not worry about it because the loss-of-customers impact on revenue is still under the cost of doing it right. If that's the case it's a sad state for all of us.
I don't know of anything that can convince a group of leaders making money and doing fine to change besides fear. Perhaps the US with its lawsuit-happy culture helped propel such changes more quickly than in Western Europe.
We employees of the acquired company discussed the emails in Slack: we were sure that these emails were legitimate, but acting on them would have broken our security policies, so we all decided to report them as phishing attempts. We understood that we were engaging in malicious compliance, but our actions were also a best practice, so we couldn't technically be criticized for it.
After a while of this, execs at the parent company would send out sometimes exasperated-sounding emails ahead of time, alerting us to the email that we should expect to receive and how they wanted us to respond. Of course, that led to discussions of how we knew that those pre-email emails were legitimate. After a while, we all lost interest in this malicious compliance and adopted the much laxer security culture of the acquiring company.
The absolute last thing anyone competent does is train employees to receive communications like that in email and follow them. If they'd asked for 3 minutes at an all hands to prep employees, or announced it in Slack, or something similar then OK. Or some out-of-band announcement that this was legit.
- Hostile to password managers.
- You cannot copy paste passwords.
- Client side password hashing
- Stupid requirements like the password cannot have more than 15 characters and even have a whitelist of character sets! (Looking at you HDFC)
- And of course, run of the mill spam
They are all stuck in the early 2000s.
I had to write 3 different "letters" (paper pen) to have a phone number typo (on their part) corrected.
That's something! My bank insists on exactly 6 numbers. Not characters, numbers.
They're also hostile to password managers and don't allow copy/paste. You have to click on the numbers with your mouse.
"My security" is very important to them, so they've moved 2nd factor from a physical fob, to an app tied to my phone, and now they've improved it further by switching to sms!
Now, this isn't some neighborhood mom 'n' pop bank, but the biggest or second-biggest bank in France.
When I see this kind of thing I suspect that it's a web app that's simply a proxy for some mainframe screens that were written in the 1990s (or earlier).
I was sure this was complete bullshit because even if everything is handled on the mainframe a user using their online banking would not be logging on to the mainframe. The online banking password is a credential for the bank's application(s) that run on top of the mainframe's system software.
When a new customer signed up for an account the bank would not create a new mainframe user account for that user. A bank customer account would just exist in the bank's database and would be completely independent of actual mainframe user accounts. If the online banking password needed to be stored on the mainframe it would be in one of the bank's tables, not wherever that mainframe's system software stores passwords.
I mentioned this somewhere and someone who actually worked on bank systems commented that some banks actually really do have a mainframe user account per bank customer account.
I think that doesn't actually change my point that blaming a short online banking password limit on mainframe system software limitations is complete bullshit.
Users are not asked for their password when they use non-online banking, such as at ATMs or through a teller at the bank. This shows that the bank does have interfaces that allow performing all the normal functions a customer needs to do without the customer needing to supply a login password.
Online banking is going through a web server. The web application should be using those interfaces that don't require a customer mainframe login to work. The password the customer supplies to the web interface should be a credential for the web interface and be completely separate from any mainframe login password.
Where I work, usernames are still limited to 8 characters because some old unix platforms didn't support more than that. I'm virtually certain that none of those are still in use today, but the requirement was baked into user provisioning in ways that would be expensive to change, so they keep with it.
But I don't see how a JS applet where you need to click on a bunch of numbers in plain view of whoever is curious to look over your shoulder helps with this. People have to type in their customer number in a regular text field anyway, so why not use the same thing for the password?
It's a French thing.
So 6 digits is low entropy, but it is compensated by a few layers of security. I don't know in practice how effective it is against passwords. I have seen it done in several banks, insurance companies, etc., including online banks. So I guess that it is not that bad. Most discourage SMS/email second factor in favor of their apps though. The physical fob is probably a hassle for them so they will try to push you to other solutions, usually an app.
Indian banks and many of the government websites are some of the most user-hostile things out there. Once upon a time, I used to think this was primarily to deter malicious actors from preying on tech-illiterate users, but given that the banks don't want to use all the tools/frameworks out there which help websites be both secure and user-friendly, I've changed my opinion.
I have not received any spam similar to the OP from my bank. But it seems (at least the popular belief) the lower level employees regularly leak your account details to scam callers.
Forgive my ignorance, but what's wrong with this one?
If you hash the password on the server instead, then if the password database is breached, then an attacker needs to actually reverse the hash[0] and find the original password in order to log in, because that's all that the server will accept.
[0] Note, this should be difficult[1]
[1] In crypto, "difficult" should mean "impossible before the end of the universe"
If the client is hashing it without a salt the server could simply check a Rainbow table (https://en.wikipedia.org/wiki/Rainbow_table) to know which password it is. For short inputs this could be trivial.
If the server is compromised in any way, passwords could be exfiltrated. Companies are, sometimes, wildly incompetent. Zoom historically stored private keys on the same server as their "encrypted" data. I would not be surprised if your password is just stored for "convenience" or some other bullshit reason and just waiting to be breached.
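To make the last few comments concrete, here is an added example (not code from anyone in this thread) contrasting the two designs. It assumes a short numeric credential like the 6-digit bank PINs discussed above, uses unsalted SHA-256 as the "client-side hash" and PBKDF2-HMAC-SHA256 as the server-side KDF; the sample PIN, the allowlist of digits and the iteration count are all constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample credential, in the spirit of the 6-digit bank PINs
# mentioned in this thread (not a real account).
SAMPLE_PIN = "483920"


def client_side_hash(password):
    """Unsalted SHA-256 computed in the browser.

    Because the server only ever sees this value, the value itself is the
    credential: anyone who copies it out of a breached database can submit
    it directly, no password recovery needed (pass-the-hash)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def server_verify_client_hash(stored_hash, submitted_hash):
    """All a server that stores client-side hashes can do: compare the
    submitted value against the stored one."""
    return hmac.compare_digest(stored_hash, submitted_hash)


def build_lookup_table(digits):
    """Precompute hash -> PIN for every all-numeric PIN of the given length.

    This is the 'rainbow table' shortcut from the comment above in its
    simplest form: with no salt, one table serves every user, and for a
    6-digit PIN it is only a million entries."""
    return {client_side_hash(str(i).zfill(digits)): str(i).zfill(digits)
            for i in range(10 ** digits)}


def recover_pin(stored_hash, table):
    """Look a breached hash up; returns the PIN or None."""
    return table.get(stored_hash)


# Iteration count is an assumption for illustration; follow current guidance.
PBKDF2_ITERATIONS = 600_000


def server_side_hash(password, salt=None):
    """Salted, deliberately slow hash computed on the server (PBKDF2-HMAC-SHA256
    here; the specific KDF matters less than the per-user salt and the cost).
    Returns (salt, digest); both are stored, neither is usable as a login."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return salt, digest


def server_side_verify(salt, digest, candidate):
    """The server recomputes the KDF over whatever the client submitted.
    Submitting the stolen digest itself fails, because it gets hashed again;
    the attacker has to find the original password."""
    _, recomputed = server_side_hash(candidate, salt)
    return hmac.compare_digest(digest, recomputed)


if __name__ == "__main__":
    # Client-side hashing: the breached value logs in as-is...
    stored = client_side_hash(SAMPLE_PIN)
    print("replay of stolen client hash accepted:",
          server_verify_client_hash(stored, stored))
    # ...and, being unsalted and short, is trivially reversed anyway.
    print("PIN recovered from table:",
          recover_pin(stored, build_lookup_table(6)))

    # Server-side salted hashing: the stolen (salt, digest) pair is not a login.
    salt, digest = server_side_hash(SAMPLE_PIN)
    print("replay of stolen digest accepted:",
          server_side_verify(salt, digest, digest.hex()))
    print("real PIN accepted:", server_side_verify(salt, digest, SAMPLE_PIN))
```

One caveat worth keeping in mind: the salt and the slow KDF only remove the shared precomputed table and the direct replay. With a million possible PINs, an attacker holding one user's salt and digest can still try every candidate offline in a modest amount of time, which is the "6 digits is low entropy" point made elsewhere in this thread; a salted server-side hash does not rescue a tiny input space.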
I didn't know about it before my grandmother handed me an article from the local newspaper and told me some of her friends were worried about it. We laughed and I took the newspaper clipping to work and posted it on the wall of failures. Everybody in IT could immediately tell that this was a pretty bad idea, but we weren't asked.
I'd link the article and provide more details, but I'd have to visit my local library, and maybe later.
A week later, I phoned up the bank asking why everything was progressing so slowly and they said I'd failed the security check, so the process had been paused. I explained what had happened, and how it was ridiculous that they expected personal details without even saying they were from the bank, which they seemed to agree with, but said that was their procedure so it was my fault for not complying.
This is the most fascinating (infascinating? like, infamous/famous distinction? whatever) things about bureaucracies, to me: they sincerely expect everyone to follow their internal rules and procedures, even the people who are completely outside their jurisdiction by any stretch of imagination.
Like, "we require the application of your personal seal to the papers" — "Personal seal?.. we use signatures in this part of the world, you know" — "No, we don't accept signatures, it has to be a seal imprint" so then you just stamp some absolutely random rubber stamp and they accept it because even if they can't actually read Cyrillic, it's a stamp and that's all that matters.
I taught at a German university for a few years. And the way grades were handled was, you had to print a standardized piece of paper for every student with their name, date of examination, and grade, and drop them off at the secretary's office.
The secretary would stamp every such Schein with a rubber stamp. Then the students would pick up their Scheine at the secretary's office and bring it to the examination department themselves (!) to get the grade registered. Only at the very end of my time there, they changed the system and I could hand in the grades directly to the examination department.
At any rate, the system was so stupid. It was trivial for students to print a new Schein with a better grade and register that (there must have been a lot of fraud). But the counter argument was 'no, it's very safe because the students do not have a rubber stamp'. Of course, the rubber stamp was just the university logo with something like the faculty name next to it. Trivial to copy (or make a rubber stamp for more enterprising students).
Probably the procedure had been followed since 1573, well before home printers, scanners, phone cameras, or get-your-own-rubber-stamp-for-a-few-bucks internet shops.
This is almost always how these seemingly silly bureaucracy hoops become established. They were created in a prior time where a third party obtaining "magic item Y" with which to authenticate was significantly difficult to near impossible. Then, over time, the world, and technology improve, to the point where anyone, willing to spend $9.99, can have an exact duplicate of "magic authentication item Y" manufactured via any one of 78 different makers. But the bureaucracy continues using the now outdated process because "this is the way it has always been done".
It is largely a real world example of "The Monkeys, Bananas and Ladder Experiment": https://psychologyfor.com/the-monkeys-bananas-and-ladder-exp...
When they could just cut out the middle man and just make fraud itself illegal and not require the magic item at all.
Sometimes it becomes truly ridiculous: I once had to apply for some thing, and was told I need to grab and provide them some certificate from a different government service to prove that I'm actually eligible. Okay, I do that, and then they spend two weeks verifying the certificate by physically mailing and inquiring info about me from that other service and waiting for them to respond (also by physical mail).
My entire career is predicated on the things I did with a stack of university letterhead 40 years ago.
They wanted a government issued identification document with both photograph of the individual as well as their physical address on it.
No such document exists for South Africans, I offered to get attestations from lawyers, police, but nothing was good enough.
Then I had to threaten charging back the credit card to get a refund (as opposed to credit) on the not-insubstantial fee for a service that their verification policies made impossible to be fulfilled by South African entities.
We succeeded with DigiCert, was a bit involved including getting sign off by a certified security consultant that we had appropriate procedures in place to protect the private key, but eventually got through the process.
They were a _little_ more cooperative about it though.
"Hi this is <Person> from <ABC Inc.>. Can I start by confirming your name and date of birth?"
"Who is this?"
"<Person> from <ABC Inc.>. Can I start by confirming your name and date of birth?"
"No, you may not. What's this regarding?"
"I can't discuss that with you until you verify your identity."
"Okay, well I have no idea who you are so I'm not about to do that."
"Well, I can't tell you anything else until you confirm your identity for me."
"Okay."
"So can I get your name and date of birth please?"
"No."
"..."
"..."
"..."
"..."
"Can you tell me what _day_ in January of 1970 were you born?"
I'm sure it broke some rule somewhere, but at least giving me some verification that they already had some of the information they were asking for I was willing to play along. (Turns out the ISP did their usual ISP thing and failed to mark that I'd returned my modem when cancelling service a few months prior then told no one and sent it to collections. The debt collector was very adamant that I needed to set up a payment because this wasn't going away. I walked into one of the ISP's retail outlets, told them what happened, they sighed heavily because this comes up _constantly_ and called in to have it marked returned and I never heard from anyone ever again. The end.)
Spectrum did this to me. They sent a single "hey, you owe us for this thing" email before sending it to collections.
The best was that certain sections were circular, so it would start to ask the same questions again but displaying answers prefilled in - yet it would arbitrarily forget particular (different) details on each loop, defaulting to values other than what you'd entered before, so there were only certain points you should exit the loop at, to be sure it would submit the right information!
On the plus side, despite their system woes, they had very competitive rates, so it was definitely financially worth spending another 20 minutes and accepting their idiocy!
Three guesses on how you log in to the service.
Hardly. The company shouldn't have XSRF-vulnerable software, if your browser is vulnerable you have bigger problems and what you actually shouldn't do is enter your credentials or download stuff after clicking on that link.
But of course there's an internal "phishing test" that penalizes you for clicking on links... links that have been obfuscated by some email-modifying link-tracking security software that makes it nearly impossible to figure out to which domain the link even goes.
Then why even click on it in the first place (and risk your email address getting flagged as active in some illicit database?)
Generally clicking on the link is not what gets you compromised (except for some spearphishing involving zero-days...). It's actions following that which might. So they're barking up the wrong tree and penalize people for that. That's just chicanery.
Do as I say, not as I do.
When my father calls his bank, they actually verify him by sending a 2FA code to his email that he reads back.
Called my local bank and they confirmed this was legit, I almost went off on a full rant about how bad their protocol is for this.
It’s kinda nice because while doing this, they also educate their customers to never trust such a call and to rely on official information to contact them.
The Dutch ING now has a new thing where you can verify in the banking app if it's them calling you:
https://www.ing.nl/de-ing/veilig-bankieren/wat-kan-je-zelf-d...
(I guess in some sense it's a step back because the bank is calling you again, but it's nice that you can verify it live in the app.)
A few days later I found out the call really was from the bank, and the bank had blocked my account, in a way that took a long time to unblock (don't get me started...). As ever, I found out the hard way, when I needed to use the account for something in real-time and it wasn't available.
But the call was from a different department than general customer support, the department's number wasn't known to customer service, and the account status change wasn't visible to customer service either.
So the bank's own customer service thought it was a scam call!
Even better when it's a bank you don't use and the number on their site goes to an automated system that won't let you access it without an account number, so you have to scrounge for alternative phone numbers to get to talk to someone.
The example that comes into mind is making transfers to my wife, where every time I do it, they ask me to confirm a bunch of questions to make sure it's not a scam/fraud, which fine, good idea. Once I confirm, they display another notice telling me they won't ask for a confirmation/2FA code because I make transfers to that account so frequently.
The only reason I can come up with why it is like that, is because there isn't a single person/group responsible for the full experience.
I saw some bank from Florida, that I'd never heard of, calling me on my cell. I assumed it was some sort of scam and ignored it. They're too stupid to get a phone number which has caller ID set up to read the name of the credit union with whom I did business.
Just amazing.
> I think they don't have any people working on the full UX flow
Probably right, but this is the importance of dogfooding. I really think this stuff happens because everyone is in such a rush and doesn't take a few minutes to think things through, which requires thinking about everything as a whole. In Gmail or Thunderbird they don't just show the PDF and since they display the sender differently it makes it obviously a scam.
Sometimes it feels like companies are just helping scammers and I don't know why.
There's a lot of similarities to scamming and marketing. In particular, they both have essentially the same desire for well-designed messages.
Mine actually tries to ask for PII and I tell them to kindly fuck right off and go to my bank website and ask them what the fraud number is.
And then now we've got OIDC.
In the government/banking/etc space - there is at least FIDO/WebAuthn/Passkeys which also resolves it. But it's a fair criticism.
I don't really know why the situation is so terrible -- there are many good and competent security professionals working in corporates in Germany -- but perhaps as the post alludes to it is due to a lack of legal or regulatory pressure to date.
They said that domain name was not theirs, and they only use usaa.com in their emails. They locked my account without telling me. I had to call them back to get them to unlock my account, and I think that person in their fraud department understood the issue and they said they created a ticket.
We shall see...
They had by far the most competent cybersecurity group I've witnessed. Things have changed in a decade maybe.
But, they still use proprietary TOTP from Symantec which is annoying.
They at least used to, but I'm not sure they still do.
(And when they did, I was able to copy the key into a MFA app of my choice.)
But now as an end-user, it's all built in to their own banking app. I don't use the code from the app though, because I just use my personal 4 digit pin (after entering in my unique password from my password manager).
Eh?
Mitchell and Webb has a good comedy skit on this subject: https://www.youtube.com/watch?v=CS9ptA3Ya9E
“Hello this is your bank can I please confirm your personal details?”
then of course i have to call them back, sit on hold (and maybe get the same call center agent!) to verify their identity and conduct whatever business they originally called about. thanks, your bad practice just cost me an afternoon to deal with the inefficiencies of a private industry i think shouldn't even exist.
I mean this is just ... incredible. Are they living on the moon? Many real phishing messages are even more sophisticated than this.
The other is that Germans seem very bad at this kind of stuff. Why the heck would the application for the German passport or Ausweis be published by some random GmbH and not Bundesregierung.gov?
This way the government doesn't have to release information to the public (think FOIA) about it. Moving central part of government operation into a private GmbH wholly owned by the government has (sadly IMHO) become a somewhat common strategy for the government. Not just Governikus (the one with the passport) but also the Telematik (Health system) and probably some more.
At least for Switzerland the federal government puts its sites under the domain admin.ch . And the Cantons have their own domains, e.g. zh.ch for Zurich.
Once I got a vaccination, and in order to do it I had to fill out a form where I chose the arm. The form said to circle either "right or left."
The word "right" was on the left and "left" was on the right.
I pointed this out to the nurse and she laughed, and then realized her error, because she made the form.
I think the problem is, someone in the IT department understands the high risk associated with handing out subdomains, so they refuse to do it. So other parts of the company "work around" this by registering their own domain name.
I wonder how companies like Google handle this. A subdomain of google.com is probably the most valuable hack target in the world, but google does use subdomains occasionally (...or maybe more than occasionally! https://gist.github.com/abuvanth/b9fcbaf7c77c2954f96c6e55613...)
The issue is that marketing is organizationally separate from IT and doesn't want to interact with them. IT is probably behind a slow, outsourced ticket based process and will take weeks to do a simple thing. They may also have random opinions about stuff marketing doesn't want them to have opinions about. So building out promos like this is delegated to SaaS services or contractors who also have no relationship with corporate IT. Then nobody in marketing really knows or cares what a subdomain is, because everything they do is just searching Google or clicking links. They never look at the address bar because it's always full of meaningless junk so why would they or anyone else care what's in it?
Anti-phishing training doesn't make sense, when you look at how people really use the internet. Not many people look at the actual text of a URL. The best anti-phishing training is "go to google and type what you're looking for, only click links from there" and not "carefully examine the domain name to try and intuit if it's owned by the organization you think it is".
I don't know if he ever truly understood how he took out all company e-mail for nearly a week.
And trust links from Google? Keep up with the times! Sometimes the first hit is the scammers.
Like, companies are making it so easy for scammers to pretend to be them.
The system will surely rectify itself eventually when their spammy, manipulative, promotional banker campaigns do not produce results (is that a bad thing?) and they seek out firms that do produce results based on knowing what they are doing.
The author could even use it as an opportunity to promote his or someone else’s services and use this write-up as an artifact of evidence.
I don’t want to get too generalizing, but it is a perspective that does not surprise me coming from what seems to be a German, for better or worse. Complaints about not being in compliance with universal norms instead of taking advantage of a presented opportunity to break ranks for one’s own individual advantage, strikes me as a very German perspective; like I said, for better or worse, without judgement, since both of these perspectives have their advantages and disadvantages.
Some of them are larger and pretty well organised, but there are also a lot of small ones that just don't have the people and expertise for things like proper IT security practices. But customers trust them, because they position themselves as these local neighbourhood banks, even though most of them are pretty incompetent and will rip you off with high fees on accounts and shitty, underperforming investment products.
Unfortunately, the medical world is caught between a rock and a hard place in this case. Can't give any info to anybody but the patient--which means they can't identify themselves when they call as the practice name directly reveals their specialty, or the doctor (google will reveal their area of practice.) And the office that's doing this is an area where some patients would want it confidential.
I think maybe it could be resolved by having the medical world go to a correct horse battery staple model--on first contact you're given a set of random words that will be used as an identifier for future contacts. Each patient gets different words so all anyone else can infer is that it's a medical provider.
I much prefer the places that go with don't leave a message/leave a brief message/leave a detailed message. No need to add security to situations that don't need it.
This is NOT a reason to distrust a website.
From a compliance, regulatory & risk perspective, definitely.
The EV certificate often comes with additional liability protection to cover any end customer claims related to certificate issues (i.e., if the authority is compromised and the customer's PII becomes exposed).
I personally would trust something signed by Lets Encrypt more readily than many other certificate providers. They appear to know what they are doing.
[0] https://www.troyhunt.com/extended-validation-certificates-ar...
> While everyone can register for free on Let’s Encrypt, only (or mostly) serious companies pay money to register on DigiCert, GoDaddy, and so on.
GoDaddy is not a serious anything. DigiCert perhaps, but GoDaddy has repeatedly shown themselves to be scummy and untrustworthy.
That said, I do see the value in having an entity like a bank pay for a stricter cert with identity validation versus leveraging Let's Encrypt's free infrastructure which only validates domain/site control.
However every time I use it, instead of answering through the secure channel, they try to call me on the phone.
Now they've put out security warnings about scammers impersonating bank staff making calls to customers.
Something they do when they initiate a call to me on the phone is they start by making sure they are talking to me (they don’t ask me to prove it) and making sure I have the app on my phone or access to a web page.
Then they initiate a MFA check within the app. I have to get it and read back a number. Then they ask me for my phone PIN or password. Once that’s done, then we can start talking.
You should only reveal an MFA code to someone that you have called, knowing that it is the right person.
If you’re thinking that - for example - someone is attempting to log into my account online and simultaneously call me pretending to be the bank. They are presented with an MFA check and tell me they initiated it. I give it to them unwittingly, and note they are in.
My understanding is that isn’t possible here, because this “MFA check” is different than the login one. The login one is the “Google Authenticator, 6 numbers”. This is a different code entirely. Obviously I didn’t specify that in the original post. My bad.
If that wasn’t what you were thinking and you can think of how this fails, I need to know and learn more!
Don't they allow you to manually enter the bank routing number and account number, then verify it by depositing and withdrawing a few cents?
I own a business that works directly in this space.
I also had to deal with a medical device recall, which was terrible. I had to trust some skeezy domains.
This isn't hard to fix, all you need to do is list on your website your "partner domains."
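As an added example of what a client-side check against such a published "partner domains" list looks like (this is not code from anyone in this thread), assuming the list has already been fetched from the bank's own known site and using the RBC hostnames another commenter lists as a constructed allowlist:

```python
from urllib.parse import urlsplit

# Constructed allowlist: what a bank could publish as "domains we use".
# The hostnames come from a sibling comment in this thread and are used
# purely as an illustration; a real list would be fetched from the bank's
# known-good site, not hard-coded.
PARTNER_DOMAINS = frozenset({"rbcroyalbank.com", "royalbank.com", "rbc.com"})


def hostname_of(url):
    """Return the lowercase hostname from a URL, or None if there is none.

    urlsplit().hostname already discards userinfo and the port, which
    defeats tricks like https://rbc.com@evil.example/ (the hostname there is
    evil.example, not rbc.com). IDN homoglyph domains are out of scope here."""
    host = urlsplit(url).hostname
    if not host:
        return None
    return host.rstrip(".")


def host_matches(host, domain):
    """True when host is exactly domain or a subdomain of it.

    The leading dot in the suffix check matters: a plain endswith("rbc.com")
    would also accept "xrbc.com", and a substring check would accept
    "rbc.com.evil.example"."""
    return host == domain or host.endswith("." + domain)


def is_partner_url(url, allowlist=PARTNER_DOMAINS):
    """Accept only https URLs whose hostname is on, or under, a listed domain."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = hostname_of(url)
    if host is None:
        return False
    return any(host_matches(host, d) for d in allowlist)


if __name__ == "__main__":
    # Constructed sample links, mixing the real-looking and the lookalikes
    # this thread complains about.
    for u in [
        "https://secure.royalbank.com/login",
        "https://RBC.com/",
        "http://rbc.com/",
        "https://royalbank.com.evil.example/",
        "https://rbc.com@evil.example/",
        "https://xrbc.com/",
        "https://royalbankofcanada.com/",
    ]:
        print(is_partner_url(u), u)
```

The check deliberately accepts any subdomain of a listed domain, since that is how banks actually deploy (secure.royalbank.com and so on). The flip side, raised elsewhere in this thread, is that a dangling or taken-over subdomain of a partner domain passes this check too, so the list is only as good as the owners' control over everything under it.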
My personal security protocol was to search a .gov website for contact info of financial institutions, go to the domain listed, look for a customer service number, and call that to find out what domains to trust. Customer service people thought I was weird.
At one point, a customer service person said, "you know it's legitimate because if you go to LinkedIn, you can see the person you're dealing with has <Bank Name> listed as their employer."
"Yeah? Give me two minutes, and mine will say the same. So, will you give me your personal info?"
Huh? I got my mortgage thru a mortgage broker and I only dealt with a single person.
Domain insanity aside, of course.
I have a strong anti-mortgage-broker bias. Mostly because of that one bad apple.
I got an email with a header that was obviously badly scanned from a paper document. It demanded that I provide proof of insurance or my car loan would be canceled. It had the name of the bank and my name and my email, but nothing else of import.
The only URL was to a domain unrelated to the bank.
I ignored the first couple, and finally looked into it the third time.
It was legit.
When I told them all the ways this looked like phishing, they couldn't understand my concerns.
I gave them the info they wanted in person at a local branch. I soon after paid off that loan and got away from them.
All the other times, they just ask for my verbal password to verify me.
I reported it and they said they created a ticket, but a month later when I called for a follow-up on the ticket, they said they had no idea what I was talking about :-/
(If anyone from Chase reads this, I have the recordings of those calls if you want them.)
- HTML emails where links and remote images obfuscate the 'real' content of the email.
- URLs which are not clearly and easily human-readable.
- A workflow where my normal and expected daily behavior is to receive valid emails that I don't recognize with URLs from vendors, and then I'm meant to click on those URLs, go to web pages, and enter my credentials.
The fact that _any_ normal products or business processes expect this means phishing will always eventually succeed. No, I don't have all the UIs and URLs for every vendor memorized. I'd have no way to know if they changed validly, and my job trains me on a daily basis to click on emails and enter my credentials. It's just that _every so often_ this same scenario is set up by a bad actor.
A few years ago, I got a postcard that said "renew your alarm licence on-line" and the domain wasn't the .ca.gov domain the city uses, but something like "alarm-renewal-online.info"
I had to spend 30 minutes on the phone with my city to verify that this was a legitimate way to renew the alarm. They had contracted with an outside company to do the payment servicing. In the end, I just decided to mail them a check.
Is this some kind of meta-level play to sound less fake?
They use so many different domains. I'm not talking about redirects either. Like their landing page is at rbcroyalbank.com and then the login is at secure.royalbank.com. For ages rbc.com was another website, but now also appears to be the Royal Bank (or is it?). I forget under which domain the dashboard is hosted.
Like, I get buying all the variations of your bank name, but please just redirect to one canonical one! Marketing should also be for one domain. Way too easy to be scammed by royalbankofcanada.com or rbcbank.ca, because who the heck knows what their actual site is!
(I had an issue with PNC in the US where they kept calling and asking for a 2FA code. Totally indistinguishable from phishing. Clearly they lack proper infosec, so I moved to Schwab and have not looked back.)
I've mistakenly deleted from our mail quarantine multiple times as spam/phishing. Imho it's wilful negligence to keep such a system operating in 2025.
[1] https://archive.org/details/33C3-Shut_Up_and_Take_My_Money
Training about this kind of thing is mandatory for bank employees in my country, as far as I know.
The site also uses a Let's Encrypt certificate, which seems strange. This appears to be a massive, coordinated and not very well-executed effort to promote this Wero service. My guess is that the sites were all built by the same advertising agency.
"We'd like to confirm this wire. We just need some details."
"Okay, I am me, that's true. But I should probably call Chase back for this right? This is textbook scam stuff. What do I tell them to get to you as fast as possible."
"All right, sir. That's fine. Let me just make a note on the account. You should be able to find the phone number on the website"
And then I usually just find my way. It's funny, but you kind of have to be disciplined.
→ "Oh, ok"
→ "Before we get started, I need to verify your social security number/address/other personal information"
→ "Yeah, you called me and I have no way of knowing if you are who you say you are. I'm not going to give you that information. Can you give me your name, and I'll call the number on the website and ask for you?"
→ "Flabbergasted Well, our system doesn't work like that, so you'll have to submit another request"
→ Repeat ¯\_(ツ)_/¯
They call, they say I can call back and wait in a queue, but that’s stupid.
Also crazy they don’t have a TOTP (e.g. Google Authenticator) based two-factor authentication. It’s just way more secure than email or phone number.