Do You Trust Your Bank Not to Spam You? Read This

Banks seem to be getting an awful lot of media attention these days, and for all the wrong reasons. Take, for example, back in 2013, when scandalous news broke that several large banks in the UK were infected with Conficker, their systems zombified on a botnet and spamming like good little zombies. That's horrific news for anyone who actually uses a bank to keep their money safe, and as for your personal information, forget about it. That ship sailed a long time ago; banks will sell you down the river for a few meagre shekels.

But shouldn't the role of banks be to protect your hard-earned money and your information? Like other systems that require super-duper protection (air traffic control systems, power generation grids, nuclear missile silos, for example), bank data centres should be some of the most secure sites in the world, right?

Common sense, meet miserly bankers. You see, that type of hardware and software requires some serious bucks, and if the UK banking model is any example, then it appears that they'd still be using IBM Selectrics if they had a say in the matter. In fact, we've seen activity on their servers dating back to 2011 that suggests malicious users have settled in for the long haul. And if you think you'll be protected by El Regulatory bodies that are supposed to ensure the banks don't get away with murder, just take a look at what happened at the Information Commissioner's Office (ICO), per The Register.

According to a recent article, the ICO declined a chance to launch an inquiry into Santander. The Spanish-owned banking group has a sizeable UK footprint, and in 2013 it became public that the company has a bit of a Trojan problem. And we're not talking about contraceptives. According to El Reg, Santander customers were getting deluged with "trojans and other junk to email addresses exclusively used with the bank." SC Magazine reported in November 2013 that Santander and NatWest FastPay were both investigating allegations of security breaches, so the bank was aware of the allegations by then at the latest.

But now it's April 2014, and the beleaguered customers of Santander are still receiving junk and malware at the addresses they gave only to Santander, and at least two users have filed complaints with the ICO, according to El Reg. Great, you say, now we'll see some results, right?

That's a big fat no. The ICO, normally associated with action and stiff fines against anyone with the audacity to spam strangers, said it won't proceed with an inquiry because it lacks "sufficient evidence," according to El Reg. Santander, of course, has decided to run dark and run deep, and hasn't responded to repeated requests for comment.

The Register reports that “attacks against unique email addresses registered with Santander bank have continued since [November], giving rise to concerns that the bank may have had a data breach. Some of the emails feature the surname of recipients, a piece of information not included in the unique email address itself of one affected customer.”

The problem was first flagged by Belgian security firm MX Lab, and narrowing down where the addresses came from wasn't hard: each affected address was unique, used with exactly one organisation, so it should only ever have been known to Santander, the UK Government Gateway, or NatWest FastPay. Spam arriving at such an address points straight at the service that held it.

"I've received an invite for what looks to be a 'money mule' job sent to the leaked email address … but rather scarily the subject field is populated with my SURNAME (which doesn't form any part of the email address)," Santander client Andrew told El Reg. "So it appears rather likely that REAL NAMES leaked with the email addresses. This takes the leak to a whole new level. I wonder whether phone numbers and addresses leaked too?" It's difficult to say whether Andrew's fears are justified, but The Register points out that there's "no suggestion that there's any problem with Santander's online banking system. Instead the issue centres on unaddressed fears that email addresses supplied to the bank somehow leaked out."
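The per-service "unique address" practice described above is what makes attribution possible, and Andrew's surname-in-the-subject observation is the check that tells you whether more than the address leaked. Here is a small added example of how a customer (or an analyst helping a discussion thread full of them) could automate both checks over a mailbox sample. This is illustrative code written for this article, not anything from MX Lab, The Register or Santander; the address registry, the profile fields and the sample messages are all constructed, and `example.org` / `bogus.test` are placeholder domains.

```python
import email
import email.utils
from collections import Counter
from email import policy

# Hypothetical registry of per-service "canary" addresses, as kept by a customer
# who hands every organisation its own unique address (constructed, not real).
CANARY_ADDRESSES = {
    "x7k2q9@example.org": "Santander",
    "p4m8z1@example.org": "Government Gateway",
    "h2d5n7@example.org": "NatWest FastPay",
}

# Details that were given to the services but never appear in any address.
# If spam contains them, more than the address leaked. Constructed values.
PROFILE = {"surname": "Smith", "postcode": "SW1A 1AA"}

# Constructed sample messages; none of these is real spam.
SAMPLE_MESSAGES = [
    "From: recruiter@bogus.test\nTo: x7k2q9@example.org\n"
    "Subject: Mr Smith, money transfer agent wanted\n\nEarn 3000 GBP a month...\n",
    "From: billing@bogus.test\nTo: <x7k2q9@example.org>\n"
    "Subject: Invoice attached\n\nSee attachment.\n",
    "From: alerts@bogus.test\nTo: h2d5n7@example.org\n"
    "Subject: Payment pending\n\nClick here.\n",
    "From: shop@example.com\nTo: someone-else@example.org\n"
    "Subject: Newsletter\n\nOur latest offers.\n",
]


def classify(raw_message, registry=CANARY_ADDRESSES, profile=PROFILE):
    """Attribute one message to the service that held the receiving address.

    Returns None when no recipient is a registered canary address; otherwise a
    dict with the service, the address that was hit, and which profile fields
    (beyond the address itself) appear in the subject or body.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    # To/Cc may carry display names or angle brackets; getaddresses normalises.
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    recipients = {addr.lower() for _, addr in email.utils.getaddresses(headers)}
    matches = sorted(a for a in recipients if a in registry)
    if not matches:
        return None
    address = matches[0]
    text = str(msg.get("Subject", ""))
    if not msg.is_multipart():
        text += "\n" + msg.get_content()
    # Any profile value present in the spam means the leak went beyond the address.
    leaked = [f for f, v in profile.items() if v.lower() in text.lower()]
    return {"service": registry[address], "address": address, "extra_fields": leaked}


def attribute_leaks(messages, registry=CANARY_ADDRESSES, profile=PROFILE):
    """Tally unsolicited hits per service and per leaked field across a sample."""
    per_service = Counter()
    extra_fields = Counter()
    for raw in messages:
        result = classify(raw, registry, profile)
        if result is None:
            continue
        per_service[result["service"]] += 1
        extra_fields.update(result["extra_fields"])
    return {"per_service": dict(per_service), "extra_fields": dict(extra_fields)}


if __name__ == "__main__":
    report = attribute_leaks(SAMPLE_MESSAGES)
    for service, n in sorted(report["per_service"].items(), key=lambda kv: -kv[1]):
        print(f"{service}: {n} unsolicited message(s) to its unique address")
    for field, n in report["extra_fields"].items():
        print(f"warning: '{field}' appeared in {n} message(s); more than the address leaked")
```

The point of the design is that the address itself is the evidence: a hit on a canary address is attributable to one holder without needing anything from the bank, and a profile field showing up in the spam body is the extra signal Andrew spotted. One caveat a practitioner would add: a single hit can still be a compromised mailbox on the customer's own side, which is why the tally across many customers, not one message, is what carries weight.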

Of course, user error is always a possibility, but it's unlikely here. The sheer number of people reporting the same pattern pretty much rules out the idea that customers exposed their own addresses. There's an ongoing discussion thread at Money Saving Expert where users have been sharing their frustrations.

Irrespective of the reason why, the more disturbing thought now is the ICO's refusal to delve into the issue. That may be due in part to a recent court ruling in the UK. It's pure speculation, but it's not like the ICO to take this lying down.
