In one of my domestic banks I have a socalled 'customer contact agent'. This individual already announced his assignment to me twice, with weeks aparts. "Congratulations, you've been assigned a new 'customer contact agent'. And today, in all his eagerness to please his employer, he sent me an offer for a 'free' seminar where I could learn more about pension plans. Oddly enough, in my e-mail box, there was another e-mail from the same contact 2 hours later, stating that the previous e-mail was recalled. Obviously this didn't work or had any effect in my e-mail client, and I guess it had no effect in several of the hundreds of others customers receiving the same e-mail.
After further inspection I saw that all the bank branch corporate customers were cc'ed on the e-mail. ALL OF THEM. Many with first name of the person responsible for banking stuff, with the company name behind, like
average.joe@lawyerfirm.com.
First off, a bank should never divulge information to any third party except when required by law. So I immediately called the bank and asked about talking to the head of IT Security, after lots's of fiddeling around by the receptionist, I was finally passed through to some person that absolutely did not have a clue, but who took my number and name, and then the branch manager called me back a few minutes later.
The only thing he could say about the incident is that he was ashamed and very sorry, but that the damage was already done. I told him how the information released could be used in numerous phishing scenarios, and how easy it is to extract information from other online sources, giving a contact persons name, name of company, and which bank they use. E-mail accounts could be hacked, and the hacker could gain access to information that could be used in new e-mail dialogues with the bank, or continued dialogs. With all the information that could be gleaned from such a leak, clever social engineering could be used for monetary gain as well.
I asked the bank to immediately remove my dedicated 'customer contact agent' and block all his access to my accounts. I'm stunned that a serious financial institution is not able to secure the customers information any better than this. Checking in my online banking account, there wasn't even a mention of my e-mail, which I immediately changed to another one, so this means that the bank is storing my e-mail in some other internal systems as well, that I have no chance to alter.
As this bank uses a pin code generator for login, and a dedicated user name for each account, which both are sent through the mail with no other verification, I'm wondering if an attacker simply could claim he had forgotten his pin, and then ask for a new pin generator sent to an address of his choice, or he could pose as the bank, and ask the customer to send the pin generator to a 'security company' quoting that there was something wrong with the pin generator security, and it needed to be adressed. Perhaps that would be a dead giveaway, but if somebody calls and adresses the customer by name, and present themselves as 'security administrator' of the bank, I think some may have been fooled.
Or, some clever hacker could simply make a man-in-the-browser attack and distribute the code to the customers through some recent exploits.
The bank claims they can never do any monetary transfers initiated by e-mail communication, but I wonder if all the countless bank clerks adhere to that rule, esp. for customers that they already have a high level of trust in.
If an attacker were to change the physical address of a bank account holder, I guess he could have a new pin generator and code sent to that address as well. With mule accounts, the money could rapidly be extracted from an ATM by some shady mule.
Some non-tech people may downplay the seriousness of this issue, but I think it's pretty serious, and that it shows that the bank doesn't have good enough routines to deal with customer data. I also wonder how the 'customer contact agent' happened to paste all those hundreds of addresses into the CC-field. Did he extract it from some internal system where he puts down notes on which customers to 'trick' next, ie. selling worthless overpriced products and so on. Perhaps he just stored all the adresses in a word-document ?
I think a serious bank should never have an incident like this, and actually there should be technical measures in place that prevented it from happening in the first place. Ie. if a bank clerk needs to send an e-mail to a group of people, this should be added to the e-mail program by IT, so the clerk just needed to select 'corporate customers', and then the message would go as bcc to each of those customers. There shouldn't be a possibility for a bank clerk to paste hundreds of e-mail message into the CC or TO field and press send.
I think this is extremely amateurish, and not something you would expect from a professional financial institution.
For those wanting a copy of the e-mail I received, I won't give it out, as I don't want to contribute to escalate the issue.
But this only goes to show that it's not only amateruish bitcoin shops that fucks up. Even large multi-million-dollar banks are not stronger than their
weakest point most incompetent employee.
