Rants and Raves

Banking Scams

Colin Angus Mackay — Thu, 17 Jul 2008 21:16:51 GMT

Just now I got a spam email purporting to be from my bank. In fact, I get lots of these because I obviously have accounts with Barclays, NatWest, HSBC, HBOS, RBS, CitiBank, WellsFargo, Clydesdale, Caja Madrid, ING, and a whole host of others.

Obviously some people are still fooled by them, otherwise they wouldn't still be sending them out after all those years. In fact, the mails do look like they could be authentic. The from address appears to be from the right place, the wording looks like it could be from my bank, and it gives me a link that looks like the one I log on with. However, it is still a scam.

I'm guessing the normal readership of my blog, mostly software developers, would be able to spot a scam like this fairly easily, but for anyone arriving via Google direct to this page and are looking for some tips for spotting a scam here goes:

Here is the body of a scam email I received:

Dear Customer,
Royal Bank. always look forward for the high security of our clients. During our regularly scheduled account maintenance and verification procedures, we have detected a slight error in your account information.This might be due to either of the following reasons:
1. A recent change in your personal information.
2. Submitting invalid information during the initial sign in process.
Due to this, you are requested to please update and verify your information by clicking the link below:

https://www.rbsdigital.com/default.aspx?

*Important*
We have asked few additional information which is going to be the part of secure login process. These additional information will be asked during your future login security so, please provide all these info completely and correctly otherwise due to security reasons we may have to close your account temporarily.
We thank you for your prompt attention to this matter. Please understand that this is a security measure intended to help protect you and your account. We apologize for any inconvenience.

Security Advisor
Royal Bank Of Scotland.

Please do not reply to this e-mail. Mail sent to this address cannot be answered.
For assistance, log in to your Royal Online Bank account and choose the "Help" link on any page.
Royal Bank Email ID # 1009

I've highlighted some of the text in red, as I'm going to talk about it.

First off, "Dear Customer", really?! - how impersonal, surely you already know who I am? If the email is so general that they've used "Dear Customer" then they've obviously sent it to everyone and they really haven't a clue what there systems are doing. No bank should be that clueless.

Next is the dot after "Royal Bank". That's not the end of a sentence. It isn't even a sentence (it contains no verb). Perhaps they are using the "." to signify an abbreviation of sorts, but I've never seen any Royal Bank communication do that. In fact, I've never seen anybody do that for "Royal Bank".

"Look forward for" is grammatically incorrect, you look forward to things, not "for" them. And why would they be looking forward to the high security of their customers. Surely that already exists. The bank has been around for about 300 years, I imagine after all that time they must be doing something right with regards to security.

You also have to ask yourself, why would the banks processes be so bad as to cause an error for the reasons stated?

Next is the URL (the web address) given to you in order to log in. Hover over it and look in your browser's status bar. Did you notice that the status bar says something different to what you see on the page? I've altered the real address so people don't inadvertently use it, but you can see it doesn't match the bank's real address.

Now, they are asking for additional security information during the log in process. Many banks only ask for random bits of information during the log in process. Like one time they'll ask for your mother's name, the next they'll ask what the first school you went to was, and so on. The spammers obviously need to know all the information so that when they get presented with the real random question they'll be able to answer correctly.

Finally, why would they close your account temporarily? A bank would never actually close an account for a potential security violation. They may suspend it, or remove access to it, but never actually close it.

So, here are some tips:

If you receive an email purporting to be from your bank, don't click on any links in it.
If your banks log on procedure appears to be different from the previous time, check with the bank themselves. They may have updated their website, or it may be a scam, best to check.
When you log in, ensure that the address in your address bar is the one you expect, and that it is a properly secure connection. There will be a padlock on the address bar or in the status bar (depending on which browser you have)
Banks are generally fastidious about grammar and spelling in any communication they send out. It makes them look highly unprofessional if they weren't. So check any emails for grammatical or spelling errors.

Technorati Tags: scam,spam,bank,security

Data Protection Muppets

Colin Angus Mackay — Sat, 05 Apr 2008 22:43:32 GMT

I've mentioned this topic on my blog before with regard to the Royal Bank of Scotland and Intelligent Finance but this time it was related to an insurance claim. The insurance company put me in contact with a company that would do the repairs and all they had to do was arrange a time and date. However, it wasn't that simple.

Initially things seemed to be going well until the company in question phoned me to change the date because they wouldn't have the materials in time. However, first they wanted to go through security screening.

Now, the conversation to this point had gone something like this:

Me: Hello
Them: Hello, is that Colin Mackay [pronounced kae - I HATE that!]
Me: Mackay [pronounced correctly - its a diphthong, a sliding or gliding vowel that goes from 'ah' to 'ee'] Yes.
Them: This is Martindales. We just need to ask you some security questions before we proceed.
Me: How do I know you are who you say you are?
Them: We are Martindales, your insurance company has appointed us...

The conversation went from bad to worse as I tried to explain that what they are doing is socially conditioning people to hand out sensitive information and was then told that they "had to" ask these questions because of the data protection act. The act makes no such requirement. What they have to do is ensure that they are speaking to the correct person so they don't divulge potentially sensitive information to the wrong person. However, the way they are going about it, while technically in line with the act, is most certainly not within the spirit of the act.

What made it worst was that when I was asked how they could continue the conversation and I gave the solution they had to ask me no fewer than 3 times how they were going to continue the conversation even although I had given them a solution. After that incident they decided they must not have like my simple solution and refused to communicate with me at all for a while.

My solution, incidentally, was this. They would phone me and indicate that they need to speak to me. I would then get the phone number from existing documentation (i.e. a trusted source) and phone their switchboard and ask to be put through to the person that needed to talk to me. They can then go through the security questions as I will then know I am talking to the correct party. When they phone me I have no way of knowing who I am talking to. They could be making it up. If they give me a phone number to use I won't use it. I will only use trusted sources like documentation from my insurance company, or from the booklet that the insurance assessor left me.

Anyway, Martindales eventually decided that they did need to communicate with me about yet another change in date and sent me a letter. Pity it didn't arrive until two days after the guy was supposed to show up. In fact he did almost arrive, and I only knew about it because they phoned me just to say that he was running a little late. Muppets!

Technorati Tags: identity theft,fraud,data protection act

Always show the solution, Dammit!!!

Colin Angus Mackay — Sat, 08 Dec 2007 20:01:21 GMT

This has got to be the most pointless setting in Visual Studio. I can't imagine why any reasonable person would want to hide the solution. Maybe it is for those "Morts" I keep hearing about who bundle everything into one ~~giant ball of mud~~ project so have no need to know about mundane things such as solutions.

I suppose what gets me most is that I like my right-click. I like to right-click on things and get context sensitive menus. I also normally create a new blank solution then add projects to it. The solution disappear when the number of projects equals one. When there are zero projects the solution shows, but as soon as I add one it disappears so I can't right-click and add another until I sort this setting out. It was the same in Visual Studio 2005, I was hopping they might have changed the default for VS2008, but no - the mob rule of the Morts wins.

Yes, I realise that I can go to the file menu to add a new project from there, but if I'm already focused in the solution explorer, I want to stay there. I don't want to make giant leaps across the screen to do these things. I want everything I need within easy reach.

Technorati Tags: visual studio 2008,visual studio 2005,solution explorer

Stupid Thunderbird

Colin Angus Mackay — Fri, 05 Oct 2007 01:10:51 GMT

A few hours after Thunderbird decided that it really MUST download all the messages all over again for my Yahoo account. It has now decided that it must do so AGAIN! Why?! Was the thrill of downloading 16000 emails not enough the first time round? Must it do so again? And how often will I find my email box bulging with more duplicates of 4 year old emails?

Rant: I'm so frustrated I can't even think of a title!!!

Colin Angus Mackay — Sat, 22 Sep 2007 02:44:23 GMT

My copy of IT Now, the magazine of the British Computer Society arrived earlier this week. I've only just got around to reading it. Their careers section got me thinking. There is a link to http://www.jobstats.co.uk in there and I had a little look around. According to that site roughly 10% of all IT jobs are for C# while 7.5% are for VB (any flavour). Staggeringly 1% of jobs still require VB6!

For C# developers the UK average is £39K. On the face of it, you could say that it is lop sided because it includes the salaries in the south east of England. However, you also have to remember that the figures will include graduate salaries from across the rest of the UK also.

If you want to drill in to Scotland and Glasgow the rates naturally come down. £33K seems to be the average. After all the interviewing we've been doing recently I've come to the conclusion that average means the ability to push buttons on wizards and copy and paste code snippets and then spend hours wondering why it doesn't work. Average means not being able to read a simple 3 table ER diagram with some relationships. Average means not understanding a UML static class diagram with a base class and two derived classes on it.

In April this year, an article was published on the BCS website that stated that "Employers are finding it increasingly difficult to find job candidates with the right IT skills, putting the candidate in a strong position." We are finding exactly that. We are getting quite a few candidates that are just in to get a second offer to play two companies off each other. However, after two months, we've not found anyone suitable enough to put an offer out to. I can't help but think that there are some companies that are taking on board people that really don't have the necessary skills to do the job properly.

I am increasingly of the opinion that software developers need to be licensed, at least for certain pieces of development, due to the risk of fraud or damage if the system breaks.

Earlier this week I was going through some code as part of a migration. The code was written before my time and by an outsourcing company. This was before the company I work for decided it was getting such a raw deal that it wanted to in-source its software development. I was searching the code base for a reference to a stored procedure that failed to script properly... And I found it... In the presentation layer!

Not only that, but it was referenced on line numbers exceeding 1500! Hadn't these people heard of custom controls, user controls, 3-tier architecture, and the like.

What really got me was that the application was very much like another one that was being migrated. There were several places where some common functionality could have been extracted out, put in its own class then referenced from both projects. But where's the profit in that! No point doing anything sensible like that when you can charge twice to fix the same bug.

I wonder how much it cost to get these things developed. I wonder what the TCO (Total Cost of Ownership) actually is.

Why not to sign up with Quechup

Colin Angus Mackay — Tue, 04 Sep 2007 11:15:26 GMT

There isn't a lot that I can say about this that hasn't already been said countless times before. It you search for quechup on the 'net you'll find hundreds of people complaining about it.

However, I'd never even heard of it until this morning when I received an email from Simon Harriyott. It said:

Simon Harriyott (**email address**)
has invited you as a friend on Quechup...
...the social networking platform sweeping the globe

And in the small print:

You received this because Simon Harriyott (**email address**) knows and agreed to invite you. You will only receive one invite from **email address**. Quechup will not spam or sell your email address

Except Simon didn't invite me, the sign up process seems to spam your contacts list.

So, hopefully you will see this before you receive an invite from someone and accidentally spam your contact list.

Simon also has a blog entry on the subject if you want to read more on how bad Quechup are.

Tags: quechup spam

Article Theft

Colin Angus Mackay — Sat, 01 Sep 2007 22:36:05 GMT

It seems there is a website out there called BuzzyCode. Naturally it is a software development website and it contains lots of information about how to do certain things in software. All very well and good so far, except for one thing. There is a lot of plagarised work on the site.

A few days ago, the site was discovered by a member of Code Project, and he soon discovered that it contained a lot of ripped off articles that were originally written by people who are members of Code Project. Some members of Code Project managed to speak to (or otherwise communicate with) the people that run the site and it would appear that their story doesn't add up.

Original	Real Author	Plagarised Copy
PleaseWaitButton ASP.NET Server Control	Mike Ellison	Stolen
ASP.NET Query control	Mike Ellison	Stolen
Dynamically Loading a DLL - MC++	Nishant Sivakumar	Stolen
Displaying an empty value in a combo box in a C# Windows application using MS Access	Johann Lazarus	Allegedly Stolen
A Sample Chat Application using Mike Schwarz's AJAX Library	K.sundar	Allegedly Stolen
Passing an Object between Two .NET Windows Forms	Larry1024	Allegedly Stolen
Ye Aulde Application Starter	miklovan	Allegedly Stolen
Pocket 1945 - A C# .NET CF Shooter	Jonas Follesø	Allegedly Stolen

Heck they even seem to steal from each other (or perhaps forgot that an article had already been copied and added it under a different author's name). For example: http://www.buzzycode.com/ShowArticles-id_493.aspx and http://www.buzzycode.com/ShowArticles-id_596.aspx are almost identical - Mostly the formatting is different.

Finally, in a wonderfully ironic twist their website contains an article on reasons to offshore development to India which contains this titbit: "Indians are also known for their honesty and integrity therefore you can be rest assured that all intellectual and other virtual property will not be infringed upon and belong to the original party." Maybe they should have added "except those that set up this website"

More information can be found on Code Project as many threads started up regarding the problem:

Thread	Date
BuzzyCode JOTD	16:31 31-Aug-2007
Grumble mumble	07:09 31-Aug-2007
Vasudevan Deepak Kumar	04:47 31-Aug-2007
BuzzyCode = dotnetspider	07:48 30-Aug-2007
Who is BuzzyCode.com ????	09:39 29-Aug-2007
Hey Nish - Look at this	06:24 29-Aug-2007

(Note: Times are local to Toronto, Canada)

In short, the website in question hardly shows the community spirit it claims to. If they are indeed unaware that they there are a large number of plagarised articles on their site (which is what they claim) and they genuinly want to do something about it by the time they get through deleting the copies I don't think there will be much left.

I hate motoway service stations

Colin Angus Mackay — Sat, 28 Jul 2007 08:57:16 GMT

I hate motorway service stations. Even the new one at Norton Canes on the M6-Toll just caused irritation. Also the service station that I used to like stopping at, because it was just different, at Tebay in the Lake District was poor.

So, what is the problem with all these services stations?

First they are all pretty much alike (except Tebay, which at least has some character). Now, I don't mind identikit facilities if they supply what I want, but they pretty much don't.

On a long drive I'll have to stop for a meal at some point, yesterday I managed to wait until I got to Tebay for my evening meal and by that point I was really quite hungry. They at least supplied a decent meal although not my preferred choice (my choice of Chilli con Carne with Chips was really the best of a bad bunch) I had to wait a few minutes, as did others for the chips, but once I sat down it was actually acceptable. My main problem with food at service stations is the amount of stodgy high carb food they serve. And the more carbs you eat the more the body has to work to process them causing drowsiness - For someone driving alone this is not good. I try and avoid those food but often there is just no choice. A programme I saw last year the MD of one of the motorway service companies was saying they supplied what the public wants. Well, this member of the public does NOT want food that will make him fall asleep at the wheel. I want a decent meal, but one which won't make me drowsy.

Next up is the price of everything. Once at the service station they've got you. If you don't know the local area you are not going to wander off to find something better priced. If you are in a hurry you are not going to go off the motorway to find a better priced place for lunch. Given the poor quality of everything and the amount of people passing through they must be raking it in.

If I don't have any passengers in the car to talk to then I like to listen to audio books. Unfortunately, if the selection I take with me runs out I have a look at what the service stations offer, and it isn't much. A selection of has-been comedians and abridged populist novels. In short, there is practically nothing of worth in the selection. Even with it being the release of the final Harry Potter book last week, I would have expected to see the audio book of Harry Potter and the Deathly Hallows somewhere.

Finally, the general cleanliness of the service stations leaves a lot to be desired. Some are okay, like Norton Caines and Oxford because they are quite new. But even those really need to work on getting the state of the toilets up to a good standard. Often I find that cubicle doors have broken locks which need to be fixed, wash basins are filled with dirty water, there are never enough hand driers.

The one posititive thing I will say is that you can at least buy Irn-Bru in all the service stations I stopped at, even the ones in the south of England.

Just to enumerate the service stations I stopped at on my trip to Maidenhead and back:

Southbound
- Abington
  - Refueled
  - Bought snacks
- Keele
  - Looked for dinner (failed - nothing looked nice)
- Norton Canes
  - Got dinner (turned out to be dried out chicken, yet it was from a brand new batch!)
  - Refuelled
Northbound
- Oxford
  - Used toilets
  - Looked for audio book (failed)
- Norton Canes
  - Used toilets
  - Looked for audio book (failed)
  - Refuelled
- Burton-in-Kendal
  - Looked for audio book (failed)
  - Looked for food (failed - all looked poor quality)
- Tebay
  - Looked for audio book (failed)
  - Got dinner (passable chilli con carne)
  - Used toilets (three attempts to find a usable cubicle - but there was a plumber trying to fix them)

I stopped a couple of other places on each journey to buy drinks and use the facilities, but I don't recall which service stations they were.

I'm also sending an email to each of these service stations to afford them a right-of-reply.

Tags: motorway motorway service area msa services norton caines oxford burton-in-kendal keele abington tebay

It happens every time!

Colin Angus Mackay — Sun, 01 Jul 2007 08:56:38 GMT

Every time I go to Microsoft at TVP something goes wrong with my travel plans. This time it was for DDD5 (Developer Day 5)

The previous time it was because the M6 was shut, the time before that I got as far as the South Lakes before I realised I'd forgotten my medication. This time I was held up at Heathrow because the doors on the aircraft got jammed shut at the had to get an engineer to "look" at it for 40 minutes.

Now I'm just about to check out of my hotel and take fly back to Glasgow only to find that some nutter has driven their flaming car into the Main Terminal at Glasgow airport and the airport it shut and now my flight is cancelled as a result. I'm furious!

ddd5 glasgow airport terrorist

To be scammed, or not to be scammed

Colin Angus Mackay — Sat, 23 Jun 2007 14:34:34 GMT

A little while ago I wrote about the poor security procedures that some banks had in place. The BBC have an article on today's edition of their news website about tactics scammers use called "How to stay off the suckers list". The common theme is that you have to be constantly vigilent about the situation or the scammers will get away with your money or belongings. However, how do you tell the difference. One reader summed it up succinctly:

The thing that always amazes me is when your bank rings up and asks you to answer some security questions. They could be anyone, and yet they always seem surprised when you ask them to prove who they are.
John James, London

And another wrote:

A further bit of advice when checking oseut credentials is not to ring the number on the ID card shown but to get the official number via the telephone book.
Peter Lockwood, Loughborough

I totally agree with both these sentiments. As I mentioned previously when my bank's fraud department rang, I verified the phone number left in the voicemail message and when I couldn't correlate it to any existing correspondance I had with my bank I phoned their customer service department. I spoke at length about the security implications of what they had done, but despite the assurances of the person I spoke to, I still have the nagging feeling that it wasn't going to be taken any further.

NOTE: This was rescued from the Google Cache. The original was dated: Tuesday, 7th February 2006.

Tags: scam bank fraud security

Original comments:

We got cold-called today by some kind of business directory company. I didn't talk to them, my colleague did. Towards the end of the conversation, as a 'security question' he got asked his place of birth. He refused to give it. The telesaleswoman said that she calls 400 people every day and he's the first to refuse. He refused again and asked why she needed it. Allegedly it was to confirm to her supervisor, should he call, that she had indeed spoken to us.

In the end to get rid of her he simply lied.

My dad says that for his online bank account, he actually hasn't answered any of the questions as stated. Instead he's supplied other information which he can remember based on the information he was asked for. I'm not that smart - I couldn't even remember the right answers to some of the questions (e.g. 'memorable name' - clearly not that memorable!)

2/7/2006 10:48 PM | Mike Dimmick

I completely agree with John James' comments too about two way verification. If I get called by my bank, telco etc, I always request certain information from them to make sure they are who they say they are. It absolutely works both ways. I am also always surprised when they do not expect it. Recently, BT receoved a call from my partner to report a fault on our line. She is not the account holder, nor is she documented anywhere as living there (apart from council tax, data BT does not have access to) however BT were more than happy to disclose details about my account and even went so far as to divert calls to her mobile number (big security risk - what if I was having an affair or what if she wasn't indeed my partner - easy trick to pull off!!!). Obviously, this is all going in my letter to them (they finally managed to fix my fault after 6 weeks).
Anyway, back to work for me.
Thanks Colin for the SQL injection attacks article on codeproject.com

2/10/2006 4:16 PM | Andrew Lewis