Monday, June 17, 2013

Dear anyone who operates websites & services online, and who operates in various channels to keep in touch with your customers: PLEASE give me easy options for verifying that you are actually... you. If you don't, it is very easy for paranoid people like me to disregard almost anything appearing as "you" as phishing or malware attempts.


I went online to one of my banks today, to do some of the tasks we have to do periodically. As soon as the webpage appeared on screen, I also got a popup asking me if I wanted to do a quick customer survey in order to help the bank improve their website. Anonymously of course (...), but still with a chance of winning NOK 500,- (USD 100,-). Woohoo!

But first: security. After all, you probably care more about the security part than about seeing me win NOK 500,-, right? :-)

Risk-loving me, I clicked "Yes".

(Running Chrome in a disposable VM is usually a good idea.)

Mind you, I don't like popups at all - I always get suspicious about them - are they legit, or the product of some fancy-schmancy malware-phishing trickery?

I have chosen to drop the name of the bank in question, and focus on the general root cause instead for this blog post. Here's the first screenshot I made:
[click for full size]
Hm. It seems as if this is powered by SurveyMonkey (top left), but the URL doesn't indicate that. Oh, and no HTTPS, so everything is sent in the clear. At the bottom there are URLs to Customercarewords, who run this survey in cooperation with Netliferesearch.

We Are Here.

I wondered if the bank had any information on their webpage, confirming their use of Customercarewords or Netliferesearch, for the purpose of running surveys - or anything else. NO SUCH LUCK: their own search engine as well as Google show ZERO results connecting the bank to these services. Crap.

In their defence, you really need to look hard to find websites that will tell you which channels they operate in, especially their use of third-party services to communicate with their customers.

"Could you please set up and maintain a webpage where you list third-parties you are using, and for what purposes?"


It's simple: I prefer secured connections before I respond to surveys & other services that "guarantee" me privacy & anonymity, so I added https to that URL above.

BOOO! The layout suddenly changed, and something is very wrong with that SSL certificate. The links to Customercarewords and Netliferesearch at the bottom of the page are also gone:

[click for full size]

Closer look, part 1:

[Certificate name does not match site name. Surprise, surprise!]

In fact the certificate has been issued for *, which is something quite different:

[click for full size]

Closer look, part 2:

So this stinks of hosted services, with mix-ups of IP addresses, DNS addresses, SSL certificates and what-not. Just to go one step further, I ran the * through SSLLABS, with a grade B result:

[Click to view a veerrrrryyyyy long image :-)]
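The "certificate name does not match site name" warning above is the result of a check every browser runs before trusting a TLS connection. As an added example (not code from the original post), here is that check as a stand-alone function, following the RFC 6125 wildcard rules; all certificate names and hostnames used are constructed placeholders:

```python
# Added example, not from the original post: the check a browser performs
# when it compares the names in a certificate with the site you typed.
# Certificate names and hostnames below are constructed placeholders.


def dns_name_matches(presented: str, hostname: str) -> bool:
    """Match one presented DNS name from a certificate against a hostname.

    Per RFC 6125 a wildcard is honoured only as the entire left-most label:
    '*.example.com' covers 'www.example.com' but neither 'example.com'
    nor 'a.b.example.com'. A bare '*' or a partial label like 'w*' matches
    nothing. Comparison is case-insensitive and ignores a trailing dot.
    """
    presented = presented.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in presented:
        return presented == hostname
    p_labels = presented.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    # The wildcard stands in for exactly one label, so label counts must agree.
    if len(p_labels) != len(h_labels) or not h_labels[0]:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(san_dns_names, common_name, hostname) -> bool:
    """True if the certificate is valid for `hostname`.

    Browsers consult the subjectAltName dNSName entries; the subject
    Common Name is only a legacy fallback used when no SAN is present.
    """
    names = list(san_dns_names) if san_dns_names else []
    if not names and common_name:
        names = [common_name]
    return any(dns_name_matches(n, hostname) for n in names)


def explain_mismatch(san_dns_names, common_name, hostname) -> str:
    """Human-readable verdict of the kind shown in the screenshot above."""
    if cert_matches_host(san_dns_names, common_name, hostname):
        return f"OK: certificate covers {hostname}"
    shown = san_dns_names or ([common_name] if common_name else [])
    return f"MISMATCH: {hostname} is not covered by {', '.join(shown) or '(no names)'}"


if __name__ == "__main__":
    # A hosting platform's wildcard certificate served for a bank-branded
    # survey hostname: the situation the post describes (placeholder names).
    print(explain_mismatch(["*.surveyhost.example"], "surveyhost.example",
                           "survey.bank.example"))
```

Note that a wildcard certificate can be perfectly valid for the hosting provider's own names and still be wrong for the name the customer was told to trust, which is exactly why the browser warning is worth reading rather than clicking through.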

Anyway, to end by quoting myself from above:

"Could you please set up and maintain a webpage where you list third-parties you are using, and for what purposes?"

It would be very helpful in protecting your customers, instead of adding to the global problem of Fear, Uncertainty & Doubt, which in turn leads to more and more successful phishing attempts.


And here are two wonderful examples in Norway, showing exactly what I would recommend anyone to do:

