Note: This column represents the opinions of the writer and as such, is not
purported as fact.
Having already been the target of several phishing scams here in New Zealand,
and quite a few more in Australia, the Westpac Bank has come out in defence
of its online banking system and its attitude to security.
After my column of last Thursday I received this response from the bank and I
notice that IDG is carrying the bank's rebuttal of claims made in Australia
last week.
Let's deal with the response to my column(s) first...
The initial phishing scam to hit NZ started arriving in people's mailboxes late
Friday October 31 2003. Over that weekend, thousands of fraudulent emails purporting
to be from the bank and designed to dupe those people into disclosing their
details were delivered.
Despite security being a 24/7 obligation, the bank didn't do anything to
warn customers about this very specific threat until the following week.
For more than three days, there was no specific warning on the bank's
website and no notification to customers.
As a result, some 300 customers were reportedly caught out by the scam.
Indeed, when the bank did finally get around to emailing its customers with
a specific warning, it was too little, too late. I didn't get my warning
email until six days after the fraudulent emails began arriving.
In respect to the website warnings -- I have to admit that although I do use
the online banking facility offered by the bank, I'm not a "regular" visitor
so must have missed the warnings that were supposed to have appeared on the
front page as of March 2003. I would wager that I'm not alone in my usage
patterns and it would appear that at least 300 others also failed to see
those warnings.
With the latest round of phishing emails hitting people's mailboxes last week,
the bank was a little quicker off the mark and I got my warning email just
three days after the scam started.
I find it a little ironic that the email says "never follow an e-mail
link to a site where you will need to disclose secure information such
as your ID or Password" -- and then proceeds to include two links
to pages on the bank's website where the online banking login is just one
click away.
So I would say that yes, the bank may have tried to be pre-emptive back in
early 2003, but as a typical customer I wasn't aware of it -- and neither
were any of the other Westpac customers I've spoken to in the past week.
Yes, the bank did inform customers of the specific risks associated with
the first NZ phishing scam -- but their response was "too little too late."
Yes, the bank is getting better in its response times -- but they're still
woefully inadequate, as witnessed by the three day delay this time.
It's also a little naive of Mr Gregory to claim that "it doesn’t matter how
sophisticated these emails get. The customers are well versed in how we do
business with them and they know these are fake". That's like believing
that nobody ever clicks on an unsolicited email attachment any more and therefore
there's no way a virus will propagate this way -- or that nobody in this day
and age would fall for the Nigerian scam.
Let's face it -- far too many people are just plain stupid and because of this,
things like email viruses, spam, scams, and phishing expeditions are very
much alive and well. To assume your customers represent a demographic
which is totally devoid of idiots is a very dangerous thing to do.
Banks have a duty of responsibility when it comes to looking after other
people's money and, to some degree, protecting those people from their own
ignorance or stupidity.
When it comes to online banking the problems are manifold and quite wide-ranging.
Not only do we have phishing scams but also key-loggers, trojans and a raft
of other ways in which criminals can get their hands on other people's
"safely" banked loot using the Net.
I would invite Westpac not to lie back and believe that their customers are
now well-informed and vigilant. They should instead be working very hard on
reducing the lead time involved in identifying new threats and informing their
customers of them within *HOURS* of those threats appearing.
New Forums!
Yes folks, good news. The grotty ezboard forums have been replaced with
a new phpBBS-based system that won't assault you with a myriad of pop-ups and
other flotsam.
A big thanks to Managed Internet Solutions for offering to provide this service.
You can access the new forums over at aardvarkforums.co.nz