Firetrust

New Zealand Banks have not got a clue

It's time for my Friday afternoon rant. But seriously, this is so appalling it really makes me wonder.

Here's some background first. The New Zealand Bankers' Association has recently updated its code of practice; it now includes several key points relating to loss (and who is subsequently liable) when someone has their account hacked or phished, or has their account details stolen after being infected with a virus, e.g. key-logging software.

The key additions to this code of practice are:

You may be liable if an Unauthorised Transaction occurs after you have received the means to access Internet Banking, if for example, (but not limited to) you have breached our terms and conditions by doing the following:

You have used a computer or device that does not have appropriate protective software and operating system installed and up to date;
You have failed to take reasonable steps to ensure that the protective systems such as virus scanning, firewall, anti-spyware, operating system and anti-spam software on your computer are up to date;

 

OK, that seems fair.

 

We reserve the right to request access to your computer or device in order to verify that you have taken all reasonable steps to protect your computer or device and safeguard your secure information in accordance with this Code. If you refuse our request for access then we may refuse your claim.

 

Ummmm, OK, that seems fair, but I have plenty of reservations over who sets the standards, and who is responsible for the computer forensics experts who will be investigating your machine.

But you see, all this is well and good assuming the banks themselves follow what I would describe as a reasonable protocol. But they are not doing this, and if this trend continues, I would argue that the banks themselves will always carry the liability. Their own negligence is socially engineering people into accepting that they may see, be part of, or be asked to interact with a banking system that operates outside of recommended guidelines.

Now, if you're wondering what on earth I am on about, take this email I just received.

First, my bank in this case is Kiwi Bank (www.kiwibank.co.nz).

Today I received an email from Sam Knowles, the CEO of Kiwi Bank, but the email address used is survey@colmarbrunton.co.nz.

OK, that's not good, but being a knowledgeable type of person, I know that Colmar Brunton does polls... I think... I'm actually not sure.

The email reads:

 

As part of our commitment to providing you with the best possible service, we survey our customers from time to time so we can obtain valuable feedback. Your name has been selected at random from our customer base, and we very much hope you will find some time to complete this survey from our research company, Colmar Brunton.

Please click on the link below to go straight to the survey. (If you do not wish to complete this survey, please reply to this email.)

http://survey.cbrak.co.nz/scripts/dubinterviewer.dll/frames?Quest=1007<r...

If you are asked for your code and password these are:

Code: <removed>
Password: <removed>

If you have any questions about this survey please call us on:

Auckland 336 1133, Wellington 473 1133, from anywhere else 0800 11 33 55

 

I've obviously removed the code and password they gave me, but who the heck is http://cbrak.co.nz, and why is http://colmarbrunton.co.nz sending me emails about my bank? Aren't I told to only trust Kiwi Bank when the website is http://kiwibank.co.nz?

Anyone who knows about such things will spot this for exactly what it looks like: complete and utter junk. Others who aren't as internet savvy will perhaps consider this standard practice. But my question is then: if people accept this as standard practice, and banks continue to operate in this manner, who is responsible for falling victim to a phishing attack? The user for entering their details, or the bank for leading me to believe I should trust sites I've never heard of?

Now I know that this is only a survey, but it's a legitimate survey email using terrible email practice. It's educating users in entirely the wrong manner, and is going to cause more confusion in an already confusing world.
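The check a cautious reader performs by eye above (does the sender's domain, and the domain of every link, belong to the bank?) is easy to automate, and the legitimate survey email fails it exactly as a phish would. The following is an added example, not code from the original post or from Firetrust: it pulls the From address and every URL out of a message and flags any registrable domain outside the bank's own. The sample message is constructed to mirror the email quoted above, the bank's allowlist is an assumption, and the registrable-domain logic is a deliberate simplification (a short list of second-level labels such as co/org/net under two-letter TLDs) rather than a full public-suffix list.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the survey email quoted in the post.
SAMPLE_EMAIL = """\
From: Sam Knowles <survey@colmarbrunton.co.nz>
Subject: Kiwibank customer survey
Content-Type: text/plain

Please click on the link below to go straight to the survey.
http://survey.cbrak.co.nz/scripts/dubinterviewer.dll/frames?Quest=1007
For Internet Banking always go to https://www.kiwibank.co.nz/
"""

# Assumption: the only domain a Kiwibank customer is told to trust.
BANK_DOMAINS = {"kiwibank.co.nz"}

# Simplified stand-in for the public suffix list: second-level labels that
# sit directly under two-letter country TLDs (e.g. "co" in "co.nz").
SECOND_LEVEL_LABELS = {"co", "org", "net", "ac", "govt", "gen", "geek",
                       "school", "com", "edu", "gov"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host):
    """Reduce a hostname to the part a person could have registered."""
    labels = host.lower().rstrip(".").split(".")
    if (len(labels) >= 3 and len(labels[-1]) == 2
            and labels[-2] in SECOND_LEVEL_LABELS):
        return ".".join(labels[-3:])       # survey.cbrak.co.nz -> cbrak.co.nz
    return ".".join(labels[-2:])           # www.example.com -> example.com


def extract_links(text):
    """Return every http(s) URL found in a block of text."""
    return URL_RE.findall(text)


def message_text(msg):
    """Concatenate the text/plain parts of a parsed message."""
    if msg.is_multipart():
        return "\n".join(part.get_payload(decode=True).decode("utf-8", "replace")
                         for part in msg.walk()
                         if part.get_content_type() == "text/plain")
    return msg.get_payload()


def analyse_message(raw, trusted):
    """Flag the sender domain and every link domain not in `trusted`.

    Returns a list of (kind, domain) tuples in the order they were found,
    where kind is "sender" or "link". An empty list means nothing points
    outside the bank's own domains.
    """
    msg = message_from_string(raw)
    findings = []

    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    if sender_domain not in trusted:
        findings.append(("sender", sender_domain))

    for url in extract_links(message_text(msg)):
        link_domain = registrable_domain(urlparse(url).hostname or "")
        if link_domain not in trusted:
            findings.append(("link", link_domain))
    return findings


if __name__ == "__main__":
    for kind, domain in analyse_message(SAMPLE_EMAIL, BANK_DOMAINS):
        print(f"{kind} domain outside the bank's domains: {domain}")
```

Run against the sample, the check reports both the colmarbrunton.co.nz sender and the cbrak.co.nz link while passing the kiwibank.co.nz link, which is the post's point: a filter tuned to the bank's own advice cannot tell this legitimate survey from a phish. The only way to make the check pass for genuine third-party mail is for the bank to publish the domains it uses, which is the discipline the post is asking for.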

Hi ya; I get this type of

Hi ya; I get this type of crap all the time, from supposed legit banks, that someone with very limited intelligence seems to think that I use. I have gotten them from my own bank, and have contacted them in regards to same and was told that yes, they used the company in question, but why they were contacting me privately on an email address that I do not use except for job searches they had no idea. I get them from banks in the U.S. wanting my information for logging in, as well as other banks that I am familiar with but don't use here in Canada. I have contacted a couple of them and have their security department email address, to whom I immediately send the mail asking for my information. Here though they ask you to go to such and such a web site via the enclosed link and update my online access agreement, which I know is a phony as there is none in place in any bank. The other missives I receive are the ones wherein the fraudster claims to be a lawyer or someone who has just passed on son asking for help in getting their father's millions out of the country. Those and others like them I immediately consign to the trash bin. I regularly use FireTrust's MailWasher and Benign to keep my mail safe and I'm very glad that I took the time to try it. Regards, Walter Reinhart

Glad you are enjoying our

Glad you are enjoying our programs Walter :)

The problem I really have here is that this survey email was legitimate; no-one was trying to scam me or rip me off. Instead my own bank emailed me and asked me to visit websites I've never dealt with before. Granted, they weren't asking for my bank details, but it's a practice I don't think any user should ever have to tolerate, especially after the fact that New Zealand Banks have decided more liability should be placed on the user.

If the Banks email us and encourage us to visit other websites, how long before someone receives an actual scam email, but falls victim thinking it 'not out of the ordinary'?

Use an oz banking system and

Use an oz banking system and credit card - yeah, it may be a little more expensive, but at least they won't try to half-inch your hard-earned cash then try to blame a scammer.

It's interesting that many

It's interesting that many of the New Zealand Banks who are implementing this policy are owned by Australian Banks. The social commentary suggested that this change in the policy in New Zealand will be something of a test before they try to implement the same in Australia. And with good reason I believe, as why should the same banks treat their customers differently depending on what side of the ditch they live on.

In Canada the bank security

In Canada the bank security is really good compared to some other countries.

Colmar brunton is a market

Colmar Brunton is a market research company from New Zealand that does important client-satisfaction surveys for Kiwibank. The link mentioned above will do nothing more than open the questionnaire.

Yeah I do get it :) My point

Yeah I do get it :)

My point is that it was done really badly

I'm getting scam

I'm getting scam emails almost daily.

I'm more interested in the

I'm more interested in the cbrak domain you mentioned. Domain name records show that this belongs to "Ali Abou Jabein" with a Takapuna mailing address and an Aussie email address. I'd be upset if my bank started referring me to third-party websites like this, especially as the cbrak.co.nz domain only produces a page loading error. It's not very professional.

I'm glad to hear that if my

I'm glad to hear that if my account is getting phished I might recover the lost amount. Still, I don't really trust banks, as they say one thing before you become a customer, and another thing when you actually find your account empty. They have all that fine print on the contract that no one reads. Anyway, they delay anything they can for as long as they can. I needed a loan to buy an Apple notebook and even if they said I'd get it in a week it took two months. In this time I could have saved up and bought the damn thing without paying any interest.

Interesting blog. Colmar

Interesting blog. Colmar Brunton is a research organisation with offices in Australia, New Zealand and other countries. I am the IT Director for Colmar Brunton, based in Sydney/Australia, and had managed the NZ network operation and domain names for some time. However, the NZ and Aust businesses have been separated for many years, and interestingly the NZ IT team has not updated the contact details for their domain name, even though the domain name could be one of the most valued parts of your organisation's online presence. Thanks guys for bringing this up and I will pass on the message to the NZ Colmar Brunton IT manager. By the way, CBRAK stands for Colmar Brunton Auckland (nice city). Ali Jabein

Thanks for the reply

Thanks for the reply Ali. As you would well know, banks present users with a strong, disciplined etiquette to help protect themselves online, so it would be great to see research companies who commonly deal with participants via email help reinforce those teachings.

 

Regards

Chris