Re: [LUG] Email encryption, was Re: www.dcglug.org.uk

 

On 28/04/13 12:52, Martijn Grooten wrote:
> On Sun, Apr 28, 2013 at 12:30 PM, Brad Rogers wrote:
>> If banks adopted encryption, banking communication would be a good deal
>> safer.  I've seen banks send passwords to customers in clear text.  Dumb,
>> *really* dumb.

Mine sends a bit by email, and the other bit via another channel when
resetting password. Fair enough.

> I've actually seen more people say "I've seen banks do [something bad
> email related]" than I've actually seen banks do something bad.

Okay, I vouch that NatWest's Verified by Visa implementation mandates a less
than 16 character password, and complains you have special characters
without saying which characters they are objecting to. It also
authenticates a transaction on the values you just set up, so all you
need are date of birth (hard to find not) for the first time through
(reminds me of the reason for HSTS).

I was writing a rant, but decided I didn't know enough to comment other
than the whole scheme stinks throughout. Oh, and they encourage you to
enter critical data in an iframe embedded in another window. They had a
404 on the critical page as well, "debug1.gif" or some such, inspiring
confidence it is genuine as the phishers are more careful.

I suspect the issue is a combination of complexity, and if they deem it
enough to transfer liability then liability is transferred.

Can you tell I hit the first site that mandated it recently? ;)

This guy noted a more pertinent error as well.
http://dreamlayers.blogspot.co.uk/2010/03/verified-by-visa-sucks.html

NatWest are also really good at sending me emails that fail the rules
they told me they would always follow when sending me emails. However, I
think no one told their marketing department what the rules were, as they
are definitely from a machine under the bank's control and look terribly
genuine in all respects.

I noted also they (graphically) sign many of these marketing emails with
a different job title for the director whose signature they use than in
the press release on his appointment.

I could go on, but they aren't paying me for the research.

 Simon

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq