Over the past month, Internet banking customers of NatWest, Lloyds TSB, Barclays, Citibank and Halifax have received emails that appear to be from their bank. The emails contain a link that redirects the user to a replica of the bank's official Web site, which has been set up in order to extract the customers' usernames and passwords.
The National Criminal Intelligence Service (NCIS), which works with the UK's law enforcement agencies to fight organised crime, is concerned about this growing phenomenon because the general population is often not computer-literate enough to tell the difference between a spoof email or Web site and a genuine one. According to the NCIS, this lack of education makes it relatively simple for organised criminals to target online banking customers in an attempt to gain access to their accounts.
A spokesman for the NCIS, who requested anonymity so his name would not be used in future email scams, said companies should work towards reducing the risk of their corporate identity being abused.
Basic precautions could start with a company ensuring it owns all the different permutations of its name. For example, if a customer received an email from or was redirected to a Web site using the "barclays-banking.com" domain, they might believe it to be genuine, but Barclays does not own that address; at the time of writing, it is available for anyone to buy. Similarly, although Lloyds TSB owns "lloydstsb.co.uk", it does not own "lloydstsb-bank.co.uk", which could easily be used in a future 'phishing' trip.
The NCIS spokesman told ZDNet UK that people need to get to know the email systems as well as they know the traditional postal system. "People know that stamps are perforated, business envelopes look a certain way and if they get a handwritten envelope from a business, they think 'that's a bit strange'. But with email, although those indicators are present, people have not yet learned to look for them," he said.
Nigel Miller, commerce and technology partner at law firm Fox Williams, said banks are in a tricky position because on one hand they encourage customers to migrate to online banking services and try to convince them they are safe, but with the other hand they have to warn them of the risks. "What is the responsibility of the bank to educate their customers? It doesn't sound very good when you are trying to sell them a service, but have to tell them how risky it is," he said.
One as yet unanswered question is where the lists of customer email addresses used by the attackers came from. According to Miller, if evidence could be found that the lists were leaked from the banks themselves, they could face serious criminal charges for breach of the Data Protection Act: "If there has been a leak, it could give rise to compensation claims or criminal liability under the Data Protection Act," he said.
Talkback
I don't believe the banks gave out email addresses as we received 'bank' letters from two banks we don't even use. The more irritating factor in all this is that we are again being punished for being law abiding by feeling forced to spend on additional domain names to prevent fraud. A certain amount of 'training' in internet use is advisable but why should the people who are providing a service be forced to try and install common sense into its users. As long as people are gulible enough to fall for these scams despite numerous warnings, the only thing more pressure on the companies providing the information will do is pressure them into reducing the information available to prevent it getting into the wrong hands. We are taught not to trust people turning up at the door asking questions, why should email be any more trusted when asking suspicious questions.
Some banks have been guilty of releasing data to third parties that they have retained to carry out surveys on their behalf.
This in itself is a breach of the Data Protection Act and is indicative of the attitude shown by some organisations keen to make profit from information held by them.
Any organisation which "sells" a service based on the premise of being a "secure" online process, has a duty of care to ensure that the user is instructed on how to use it securely and protect their interests.
I am a victim of identity theft, my identity was used to make me appear as American Indian and the father of my child to repay all costs of contracts he made through his tribe with my State for benifits paid from funds paid to the tribe for health, education, and welfare of the indians, paid to others in our daughters and my name. He appears with my social security number and me with his on support checks issued to me by the county DA after 1999.
When he formed a communitty (his own tribe)under his tribes constitution and by laws and Corporate Charters with attorney's that the US Government, State,County, municipality,person, corporation, association, can join or make contracts with.
My identity stolen or given to him as well as all my individual accounts that no one in this State will even look into because their interests lie in the corporation or contracts and I repay all the costs of from misuse of trusts and IM accounts opened in my child and my name from property taken in our name paid from tribal funds when I am not Indian after the State court had her father execute an assignment of any proceeds he is entitled to through his tribe to me for his non payment of child support without jurisdiction over funds or land of the Tribe that any proceeds of hteirs is for their land claims. So what do you do when your identity has been used fraudulently over 40 times according to linda foley from id theft clearinghouse in san diego and your child exploited by her father hidding behind tribal laws? Your State has stated several times will never look into it. Refuses to look into my individual accounts attacked or child support checks my name was forged to the bank returned to me in an affadavidt of check fraud. Why my social security number is being switched back and forth by the State with my childs father or why the DA made all my individual accounts joint with him when we were never married or shared any accounts together ever. I believe from documents provided to me from different State and County offices in my State has aided in on the theft of my identity to keep any just compensation paid from others from contracts made in our daughters and my name from tribal funds, and property taken in our name from a order issued by a State court for the father to execute an assignment of tribal proceeds he is entitled to from his tribe to me a non indian for his non payment of child support. And used to take property in my name and apply a State tax and rent and tax to me again from the tribe for holding land of the indians.Our child has been made a son and dead and other people use her identity to get free medical or benifits her father gets from tribal funds this is fraud and is not done within the limits of the law as the constitution and by laws and corporate charters of his tribe read. And our identity should not be used fraudulently for any corporation formed by or with her father, the county, state, municipality, or tribe, or person. Or allowed if state and federal governments prosper from it.
Man, that sucks.
Er... what?