The Bank of America: Please lower your defenses, we’re coming through

I wrote about how the Bank of America is conditioning its customers to be more susceptible to phishing.

It seems they are actually trying to break a record here (or else their security guy quit and was replaced by a marketing person). I just got an email that said:

This email was sent to you by Bank of America. To ensure delivery to your inbox, please add bankofamerica@replies.em.bankofamerica.com to your address book or safe sender list.

My first assumption was that it was a phishing email – why on earth would the BoA legitimately try to convince me to open myself up to phishing? (After adding this address to my “safe sender list”, every phisher in the world would set it as their “from” address.) In fact, a friend made fun of me for thinking this was a legitimate email – clearly only phishers can think I’m that stupid. Unfortunately, it’s real – it was sent to an email address used only by the BoA and unknown to anyone else.
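As an added example (not part of the original post), the following Python shows why a safe-sender list keyed on the From: address alone lets any message carrying that address through, and what a mail client could require instead. The Authentication-Results header (added by the receiving server), the server name mx.example.net and both sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# The address the bank asked customers to add (quoted in the post).
SAFE_SENDERS = {"bankofamerica@replies.em.bankofamerica.com"}

# Constructed sample: the bank's own message, with the receiving server's
# Authentication-Results header (assumed; RFC 8601 format) reporting passes.
LEGIT = """From: Bank of America <bankofamerica@replies.em.bankofamerica.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=replies.em.bankofamerica.com; dkim=pass header.d=em.bankofamerica.com
Subject: Get financially fit in the new year

(body omitted)
"""

# Constructed sample: a message that copied the From: line verbatim but was
# sent from an unrelated server, so the server's checks did not pass.
SPOOFED = """From: Bank of America <bankofamerica@replies.em.bankofamerica.com>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=unrelated.invalid; dkim=none
Subject: Please verify your account

(body omitted)
"""

def naive_is_safe(raw: str) -> bool:
    """What a From:-keyed safe-sender list effectively does."""
    _, addr = parseaddr(message_from_string(raw).get("From", ""))
    return addr.lower() in SAFE_SENDERS

def auth_results(raw: str) -> dict:
    """Extract method=result pairs (spf, dkim, ...) from Authentication-Results."""
    header = message_from_string(raw).get("Authentication-Results", "")
    results = {}
    for part in header.split(";")[1:]:          # first part is the authserv-id
        tokens = part.split()
        if tokens and "=" in tokens[0]:
            method, result = tokens[0].split("=", 1)
            results[method] = result
    return results

def hardened_is_safe(raw: str) -> bool:
    """Honour the safe-sender entry only when the server verified the sender."""
    if not naive_is_safe(raw):
        return False
    res = auth_results(raw)
    return res.get("spf") == "pass" and res.get("dkim") == "pass"
```

The naive check accepts both messages; the hardened one accepts only the message whose sender the receiving server actually verified.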

Sad indeed.

  • http://www.sanesecurity.com/clamav Steve Basford

    Actually… it’s been done already, check out the from address in this phishing example:

    http://phishery.internetdefence.net/data/16659

  • http://security.eweek.com Larry Seltzer

    This is the “Get financially fit in the new year” message? I got the same damn e-mail.

    Banks are screwed when it comes to e-mail; there’s no good way they can send it to their customers, but this was a bad one from BofA.

  • Chris Adams

    This reminds me of the ongoing “conversation” I’ve been having with Chase suggesting that it’s probably not a good idea to have https:// redirect to http:// or to tell users that some random lock icon in a login page means the form is secure. They keep sending back various marketing BS claiming that they use the latest security technology.

    Has anyone tried a legal or regulatory approach to this? One class action suit might be what we need to get the banks to use HTTPS more intelligently.

  • http://www.BeyondSecurity.com Aviram

    Steve – thanks for the update. I’m not surprised, but it gives me an alibi to prove I wasn’t the one that gave phishers that idea :-)

    Larry – yes it is. I agree banks can’t do much when it comes to email, but I’ve seen it done much better: even by the BoA in the past. Seems like the BoA is either in a downward slope when it comes to security or someone there gave marketing a free hand to do whatever they feel like (or both).

  • Yash

    I actually received the same e-mail yesterday from BOA, and I swear I spent at least 15 minutes analyzing the e-mail not willing to accept that it was not a phishing attempt.

    For a bank that has some of the smartest security features I have seen applied in a real world web based application, their security policies are EXTREMELY disappointing.

  • Hendomatic

    It’s the battle that won’t go away. Bank marketing folk have good intentions at heart, but without a solid feedback loop from the risk management team, these “helpful” messages are just ammo for the bad guys. Just about anything marketing can send in email that can be considered helpful for the customer can be turned around and used as a social engineering vector. This kind of info belongs in the monthly statement (for those banks that still send these out).

  • http://chovy.com Anthony Ettinger

    I left BofA because they suck.

    Marketing-driven “security” – what’s with the “orange ball” when I login? wtf does that do? A phisher isn’t going to give a shit what “security picture” I have.

    Also, their refusal to support OFX was another reason. Tired of keeping Windows around for Quicken.

  • walt

    News for you, BofA does suck. Their employees, at least most of them, get tons of salary doing shit, and have no clue about customer service. If I were you, I would withdraw my funds before something does happen.
    Again, MOST employees, NOT ALL. Also, avoid any investment products from BofA. Their analysts are a bunch of i-fund expert wannabes who got rejected from other IB firms, like Citibank, Goldman and other real IB companies.
    Do you know why they tag you with hefty charges and a small chump return??? Ask about their salaries, that’s why….

  • http://iWilbert.com Wilbert

    A confirmation email is pretty tame compared to my credit union’s practices of:
    * sending out email newsletters
    * providing a third party with members’ email addresses
    * encouraging members to click on links within email that go via a tracking service.

    Won’t bore you with the full details – have released the tension in my blog.

  • rhonny Farrell

    Bank of America has no concern about their customers… I was told that directly by one of their employees (name, date and time noted). It is obvious how much they do not want to hear from their customers, as they have no easy way to e-mail them any concerns; it is all hidden. Once, about two months ago, I found a way to contact them through e-mail but I have never found it again. At one point they told me they had not been receiving payments, when it was clearly being taken out of my bank account. When I asked who had been receiving those funds they tried to sidestep the question and I never did get an answer……