Old Mutual sends confidential banking email without password protection

Pretty much all of the financial institutions don't apply passwords.
 
Security, to these institutions, means locking the stall door when going to the loo.
 
The bigger problem I've found with most of these institutions isn't their own security policies, it's the fact that their minions that interact with customers on a day-to-day basis are just absolutely clueless about these things.

I have had a banker ask me to send a completed credit card increase document with all my personal details etc in an open email to a non-bank email address, and she was very very unimpressed with me when I just went straight over her head to her boss and complained.
 
I don't know if I like them password-protecting the statements with my ID number. The search space for password cracking an ID number is relatively small considering the format YYMMDDPPPPQRC.

YYMMDD = 100 years * 365 days + leap year days = 36525
PPPPQR = 1 000 000 possibilities at best (even though Q is the country identifier and probably always 0 for South Africa, and the other PPPP values are heavily weighted towards 0000 or 5000)
C = check digit and is guaranteed to be a specific value based on the rest of the ID number

So needing 1 000 000 * 36 525 = 36 billion possibilities which is relatively easy on a modern system, especially if they're using PDF 1.4 like Nedbank uses.

The problem is that doing it this way they get not only my bank statement, but also my ID number which they wouldn't have had without the password helping.
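The search-space arithmetic in the post above, worked through as an added example (not code from the thread): it sizes the set of ID numbers a guessing tool would have to try and shows the check digit is fixed by the other twelve digits. The 100-year date window, the field value counts and the sample ID are assumptions made here for sizing.

```python
# Added example (not the thread's own code): size the guess space of a PDF
# password that is a South African ID number (YYMMDDSSSSCAZ) and show that the
# check digit Z is derived from the other twelve, so it adds no secrecy.
from datetime import date
from math import log2


def luhn_check_digit(payload: str) -> int:
    """Luhn check digit for a digit string; the ID's 13th digit is this value."""
    total = 0
    for i, ch in enumerate(reversed(payload)):  # rightmost payload digit is i == 0
        d = int(ch)
        if i % 2 == 0:  # double every second digit counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return (10 - total % 10) % 10


def is_well_formed_sa_id(id_number: str) -> bool:
    """Structural check only: 13 digits, a real calendar day, Luhn digit matches."""
    if len(id_number) != 13 or not id_number.isdigit():
        return False
    yy, mm, dd = int(id_number[0:2]), int(id_number[2:4]), int(id_number[4:6])
    try:
        date(2000 + yy, mm, dd)  # 2000-2099 accepts every Feb 29 a two-digit year allows
    except ValueError:
        return False
    return luhn_check_digit(id_number[:12]) == int(id_number[12])


def birthdate_count(first_year: int = 1916, last_year: int = 2015) -> int:
    """Distinct YYMMDD codes in a 100-year window: one per calendar day (assumed window)."""
    return (date(last_year, 12, 31) - date(first_year, 1, 1)).days + 1


def id_guess_space(dates: int, ssss_values: int = 10_000, ca_values: int = 100) -> int:
    """Upper bound on candidates to try; Z is computed from the rest, not guessed."""
    return dates * ssss_values * ca_values


def entropy_bits(candidates: int) -> float:
    return log2(candidates)  # equivalent secret size for a uniformly chosen candidate


if __name__ == "__main__":
    n = id_guess_space(birthdate_count())
    print(f"{n:,} candidates, about {entropy_bits(n):.1f} bits")
    print(f"8 random alphanumerics: about {entropy_bits(62 ** 8):.1f} bits")
    print(is_well_formed_sa_id("8001015009087"))  # constructed sample ID
```

The roughly 35 bits this yields is the policy-level number to compare against whatever the document's encryption would otherwise provide.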
 
Well, you could always barricade yourself in your house, cancel all your cards and stash your moola under your mattress :)

One thing you forgot in your calculation above. Whoever wants access to your mail in order to view the statement, first needs to crack your Windows/other OS password or email password if no direct access to your mail app. If you save your statements to disk, sure, it will be easier to get access to it once your laptop is stolen.

Either way, it will be a lot of hard work getting to open my statements, not sure anyone would want to anyway.
 
> Well, you could always barricade yourself in your house, cancel all your cards and stash your moola under your mattress :)
>
> One thing you forgot in your calculation above. Whoever wants access to your mail in order to view the statement, first needs to crack your Windows/other OS password or email password if no direct access to your mail app. If you save your statements to disk, sure, it will be easier to get access to it once your laptop is stolen.
>
> Either way, it will be a lot of hard work getting to open my statements, not sure anyone would want to anyway.

What I'm getting at is that if you have someone who is already going to the effort of intercepting your mail, accessing your computer, accessing your email etc. in order to get hold of your statement to potentially defraud you, having the password be an easily calculable ID number just seems to be making it easier for the fraudster. If they get hold of my bank statement they gain my name, account number and address... why let them get access to the ID number too.
 
> I don't know if I like them password-protecting the statements with my ID number. The search space for password cracking an ID number is relatively small considering the format YYMMDDPPPPQRC.
>
> YYMMDD = 100 years * 365 days + leap year days = 36525
> PPPPQR = 1 000 000 possibilities at best (even though Q is the country identifier and probably always 0 for South Africa, and the other PPPP values are heavily weighted towards 0000 or 5000)
> C = check digit and is guaranteed to be a specific value based on the rest of the ID number
>
> So needing 1 000 000 * 36 525 = 36 billion possibilities which is relatively easy on a modern system, especially if they're using PDF 1.4 like Nedbank uses.
>
> The problem is that doing it this way they get not only my bank statement, but also my ID number which they wouldn't have had without the password helping.

When I read stuff like this I start to wonder.

How the heck can they even consider this if a bloke on an internet forum literally just cracked it easily.

And the scary part is that the guy who came up with this probably gets paid more than you, yet they are this clueless.
 
> What I'm getting at is that if you have someone who is already going to the effort of intercepting your mail, accessing your computer, accessing your email etc. in order to get hold of your statement to potentially defraud you, having the password be an easily calculable ID number just seems to be making it easier for the fraudster. If they get hold of my bank statement they gain my name, account number and address... why let them get access to the ID number too.

I get what you're saying. Perhaps raise your concerns with them.

If you're really that paranoid, don't save your statements. Save them to Dropbox or whatever online file system you use and delete the mails and don't let your browser save your passwords and history. While you're at it, disconnect completely from the www :D
 
> I get what you're saying. Perhaps raise your concerns with them.

The insecurity of it doesn't really bother me, it's mostly that it's banks playing security theater. If it was sent in plain text (as it was to the person in the Old Mutual email) it's clear just how insecure it is and that the email itself should be carefully protected and that the banks have to be exceptionally careful in their processes to make sure it goes to the correct recipient. When the bank adds this encryption people are more likely to feel that it's safe, e.g. having a statement going to the wrong address isn't a problem because it's unreadable, when in reality it's no more secure than before.
 
ID numbers and your bank account details are everywhere anyway.
Why should that information be encrypted?

Sending out the password to your account information they store on their system would be another matter.
 
It happens a lot. FNB sends me statements of an individual who has the same initials as I do. On a monthly basis. I can see how much the guy earns, what he spends his money on. What other accounts he has with FNB - the strange part is that I have written to FNB previously to tell them I am the wrong guy to send it to - but they continued. So I just choose to ignore these lately, but it's an indictment on the part of FNB that - even after having been told that they are sending statements to the wrong person - they still do. I am sure this guy is not the only one affected. And get this - I do not even bank with FNB.
 
> It happens a lot. FNB sends me statements of an individual who has the same initials as I do. On a monthly basis. I can see how much the guy earns, what he spends his money on. What other accounts he has with FNB - the strange part is that I have written to FNB previously to tell them I am the wrong guy to send it to - but they continued. So I just choose to ignore these lately, but it's an indictment on the part of FNB that - even after having been told that they are sending statements to the wrong person - they still do. I am sure this guy is not the only one affected. And get this - I do not even bank with FNB.

How is this even possible? Do you share the same email account? Or are you talking about statements in the post?

I highly doubt this is managed by a group of people. Emails and the post happen electronically where a system spits out the address and prints it, so I fail to see how X can receive Y's statements unless they share the same PO Box or email address? Enlighten me.
 
> How is this even possible? Do you share the same email account? Or are you talking about statements in the post?
>
> I highly doubt this is managed by a group of people. Emails and the post happen electronically where a system spits out the address and prints it, so I fail to see how X can receive Y's statements unless they share the same PO Box or email address? Enlighten me.

I do not know. We do not have the same e-mail account - I do not think so - we do not have same names even - I get it via e-mail. We can't possibly have because mine is (initialsurname)@gmail.com and our surnames are completely different...
 
> How is this even possible? Do you share the same email account? Or are you talking about statements in the post?
>
> I highly doubt this is managed by a group of people. Emails and the post happen electronically where a system spits out the address and prints it, so I fail to see how X can receive Y's statements unless they share the same PO Box or email address? Enlighten me.

Maybe someone put the wrong email address into the electronic system for sending out statements.
 
> I do not know. We do not have the same e-mail account - I do not think so - we do not have same names even - I get it via e-mail. We can't possibly have because mine is (initialsurname)@gmail.com and our surnames are completely different...

So you're getting his statements via email. The only possibility I see why this could happen is that he used your email address. You don't bank with FNB so there shouldn't be a profile of you on the system. If no profile, how can the system send you the mails?

If you're really receiving Mr X's statement and are not even an FNB client, this is concerning. I also highly doubt they will try and help you seeing that you're not an FNB client. Perhaps try FNB's Facebook channel. Send them a message. That RJ Jacobs is usually very helpful. He can perhaps point you in the right direction.
 
> I do not know. We do not have the same e-mail account - I do not think so - we do not have same names even - I get it via e-mail. We can't possibly have because mine is (initialsurname)@gmail.com and our surnames are completely different...

I suspect it is a Gmail issue, called the "dot issue".
http://gmail-tips.blogspot.co.za/2014/07/not-my-email.html

Maybe this person is a female, recently married, so they changed their surname, but the original surname is the same as yours, as well as the initial.

My wife has the same issue, her email address is [email protected]. Very common name as surname. She receives mails from SARS regularly, not addressed to her.
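The "dot issue" described in the post above, as an added example that is not from the thread: Gmail ignores dots and "+tag" suffixes in the local part and treats googlemail.com as an alias, so a sender of statements can canonicalise addresses and flag customer records that would land in one mailbox. The customer records below are constructed sample data.

```python
# Added example (not the thread's own code): Gmail treats j.smith@gmail.com,
# jsmith@gmail.com and jsmith+x@googlemail.com as one mailbox, which is the
# "dot issue" above.  Canonicalising addresses before dispatch lets a sender
# flag two customer records that would land in the same mailbox.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_mailbox(address: str) -> str:
    """Lower-case the address; for Gmail drop dots and any +tag in the local part."""
    local, _, domain = address.strip().lower().rpartition("@")
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def mailbox_collisions(records):
    """Map each canonical mailbox to the customer ids sharing it; keep only shared ones."""
    by_mailbox: dict[str, list[str]] = {}
    for customer_id, address in records:
        by_mailbox.setdefault(canonical_mailbox(address), []).append(customer_id)
    return {mailbox: ids for mailbox, ids in by_mailbox.items() if len(ids) > 1}


CUSTOMERS = [  # constructed sample records, not real people
    ("C001", "J.Smith@gmail.com"),
    ("C002", "jsmith@googlemail.com"),
    ("C003", "jsmith+statements@gmail.com"),
    ("C004", "j.smith@example.com"),  # other domains keep dots as significant
]

if __name__ == "__main__":
    for mailbox, ids in mailbox_collisions(CUSTOMERS).items():
        print(f"{mailbox}: {', '.join(ids)} would all receive each other's mail")
```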
 