Tuesday, December 07, 2004

President's Choice Financial Sets Its Customers Up for Identity Theft and Fraud

I've gotten my fair share of phishing attacks for American Banks that I'm not a customer of. They are easy to spot as I'm not a customer of these banks. I just delete them, no big deal. This email did catch my attention:

Dear David King,

This email is to inform you that you have not logged into your President's Choice Financial MasterCard online account for 32 days. In order to ensure your online account status remains in an active state, please click here www.pcfinancial.ca or www.pcfinance.ca (for Quebec residents) and log into your account.

Regards,
Customer Service
President's Choice Financial
1-866-246-7262


It follows the classic Phishing Attack Formula:

Dear Customer,

Due to [random technical reason] we ask that you sign into your account, please click [url].


The only variant is that I do have a MasterCard with President's Choice Financial, so I called their 1-800 number from the back of my card. Turns out they do indeed send out these messages. This is just plain dangerous. They are setting up their customers to fall for Phishing Attacks.
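The formula above, written as a content check and run on the bank's message (an added example, not from the original post; the patterns, the `.example` look-alike host and the notice text are constructed). The genuine email and the look-alike both match the formula, and only the link host tells them apart.

```python
import re

# Patterns for the three parts of the formula (constructed for this example).
GREETING = re.compile(r"^\s*dear\s+[^,\n]+,", re.I | re.M)
PRETEXT = re.compile(r"not logged in|active state|suspend|verify|technical", re.I)
LOGIN_REQUEST = re.compile(r"\b(?:log|sign)\s*(?:into|in|on)\b[^.]*\baccount", re.I)
URL = re.compile(r"\b(?:https?://|www\.)[^\s<>()]+", re.I)

# The two hosts named in the bank's own email.
BANK_HOSTS = {"www.pcfinancial.ca", "www.pcfinance.ca"}

BANK_EMAIL = """Dear David King,

This email is to inform you that you have not logged into your President's
Choice Financial MasterCard online account for 32 days. In order to ensure your
online account status remains in an active state, please click here
www.pcfinancial.ca or www.pcfinance.ca (for Quebec residents) and log into
your account.
"""
# Constructed look-alike: same text, one link on a reserved .example host.
LOOKALIKE = BANK_EMAIL.replace(
    "www.pcfinancial.ca or www.pcfinance.ca (for Quebec residents)",
    "www.pcfinancial.example")
# Constructed notice that asks for no click and no login.
NOTICE = "Dear David King,\n\nYour statement is ready. Type the address from the back of your card into your browser to view it.\n"

def host(link):
    """Lower-cased host part of a link, without scheme, path or trailing punctuation."""
    return re.sub(r"^https?://", "", link, flags=re.I).split("/")[0].rstrip(".,;:").lower()

def formula_parts(body):
    """Report which parts of the greeting / pretext / login-link formula a body has."""
    return {"greeting": bool(GREETING.search(body)),
            "pretext": bool(PRETEXT.search(body)),
            "login_request": bool(LOGIN_REQUEST.search(body)),
            "links": URL.findall(body)}

def verdict(body):
    """Classify a body by formula match, then by whether every link is a bank host."""
    p = formula_parts(body)
    if not (p["greeting"] and p["pretext"] and p["login_request"] and p["links"]):
        return "no-formula"
    hosts = {host(link) for link in p["links"]}
    return "formula, bank hosts" if hosts <= BANK_HOSTS else "formula, foreign host"

if __name__ == "__main__":
    for name, body in [("bank", BANK_EMAIL), ("lookalike", LOOKALIKE), ("notice", NOTICE)]:
        print(name, "->", verdict(body))
```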

Banks will tell you that they will never, under any circumstance, ask for your bank card PIN number. Anyone claiming to be from the bank and asking for your PIN is a fraud. It's a simple, easy-to-understand rule.

The same logic should apply to emails asking you to log into your account. By sending out legitimate emails asking people to log into their account to keep them active, President's Choice Financial is making fraud much easier. Ironically, President's Choice attempts to warn its customers about the dangers of Identity Theft.

I've tried to report the issue to President's Choice with little success. The customer service people get very confused; one told me I needed to send a screen shot of the security issue.

Security needs to be more than 128 bit encryption and browser settings, it needs to be a culture.

- Peace

1 comment:

Dave King said...

I was thinking about the people getting ripped off after falling for a phishing attack; having been trained to respond by the bank. But clearly we should stop and think about those poor mathematicians.

Is this why they seek math that can't be applied, cause mortals just mess it up?

- Peace