Hand / Brain co-ordination: Security hotline fail.

So, I have an account with a particular brand of bank. They are quite large, and trade under a variety of names. I don’t often hear from them, other than a monthly statement. In fact, I never hear from them other than the monthly statement! It was a surprise to receive an e-mail to let me know that my e-mail address had been changed. This was unexpected news. As you can imagine, I was somewhat wary – but I’m also into security. In fact, I built a bit of a career out of it it.

With my “paranoid security analyst” hat on, I looked carefully at the message. The From address was from a trusted address at the bank. The content (viewed without it being able to access the Internet) was written in perfect English. No hint of confused tenses, no spelling mistakes. Expected warnings and disclaimers included. It looks legit.

The next step was to dissect the Links and Internet derived content. Again, these all pointed to the bank domain. Every single one. Not a hint of malicious code about it. This made me much more intent on interrogating this arrival. Next step: Analyse the headers. Every e-mail ever sent has a set of “Headers” included. These aren’t displayed by default, though you sometimes see them on forwarded messages as part of the body text.

The Headers are a security analysts playground. Some things can be forged, but some things cannot. Said bank implement decent security. All of their messages are signed, using a key which is available to all receiving mail servers. If your mail server supports signed messages (twoup.it provide this on all hosted mail packages), you will see a header entry marking that the signature was valid.

These signatures are linked to policies, which can affect how your mail server handles the message. For instance, where the signature is not valid messages can be deleted without user intervention or handed off as spam. The signature was valid, verified against the banks own servers (inside their wn very large public IP space). Other headers indicated that the message had originated from a mail security appliance, which received the message from a host – all within the banks address space. Not a single flaw in the message. It clearly came from the bank.

So, the next sensible step would be to contact the bank. From a clean device, I went to the banks website and got the appropriate number. I called them, and found myself listening to the usual droll hold music. After a period on hold (see old man rant below), the call was answered by a young man who introduced himself as (we shall call him John) from (other brand of the same bank) and requested my 16 digit debit card number.

This is the first mistake with the banks security policy. The initial question should never be to ask for personal information. Where possible, all enquiries should be handled with the least amount of personal information exchange. Even on a fraud hotline, it is possible to handle some queries without personal information.

I explained that I did not have a card number to hand, but had received an e-mail from them advising my e-mail address had been amended. This was not news to “John”. It seems he had received a few similar calls today. His immediate response was to tell me that this was a Phishing e-mail, to ask if I had clicked on any links, to tell me not to click on any links. I should delete the message immediately.

This fails basic security analysis spectacularly. There was an immediate declaration that this was a Phishing e-mail. Whilst the rendered advice was not bad, the immediate conclusion was. There was no basic analysis of the e-mail, and no request to send a copy for analysis. Said analysis should then guide the advice being given to callers at any given time. Where there is a widespread attack, provide basic front-line analysis without need for further samples. Analytic process can guide service provision policy in a dynamic fashion, improve customer opinion. Believe it or not, it can also improve customer experience!

As you can imagine, this was not received well. I explained my position, explained my experience and analysis. If this was a phishing e-mail, please “John” – do tell me this. How come the message came from inside the bank? How come it came to an address I’ve only ever given to you? This could indicate a potentially much more serious problem.

At worst, the bank could have open or compromised mail relays running on their network, which are being exploited by “l33t h4xx0rz”, which would mean they don’t fully understand much beyond “the computer screen says…”. Those “l33t h44xorz” must also have access to your customer e-mails from your database… Or, something has changed on my account. Which is it, “John”, I’d like to know if someone is trying to steal my identity.

I don’t want you to assume I’m an old man who doesn’t understand e-mail. I want you to provide reasonable support. I understand that to do that, you need support too. your management need to understand that even basic security training is fundamental for anyone acting in a front-line security capacity. Management and security teams need to communicate with one another to be able to provide a sensible response.

Of course, it could be a legitimate e-mail and someone has managed to compromise my account with you. Or you might have just refreshed some records (hence not the first call “John” received). It is clear, however, that something is amiss and the front-line team are left with no real idea on how to handle the call successfully – for both the bank and the caller. Now, Should I copy the bank themselves in on this…

PSA

Comments are closed.