corsasport.co.uk
 

Corsa Sport » Message Board » Off Day » Santander / Abbey National / Cahoot online banking piss poor security and possible data breach





evilrob
Premium Member
Registered: 16th Mar 12
Location: Your mum's house
24th Jan 14 at 18:24

Santander's security is fucked:
http://ramblingrant.co.uk/2013/12/10/santander-another-demonstration-of-how-not-to-handle-security/

Today I have found evidence of a data breach myself.

I received spam addressed to two separate email accounts that I use only with Santander. The emails contained personal information associated with two separate Santander accounts. To clarify: I have two bank accounts, and for each bank account the contact email address is unique.

The email addresses themselves are not easily guessable and the only organisation that would have this information linked to these email addresses is Santander. This is not brute force or an educated guess. This is not a coincidence. It is without question a data breach.

A quick look on Facebook and Twitter shows I am not alone.

Just to be clear - the issue is not the spam, but the fact that my personal information, which I entrusted Santander to look after, is in the hands of people it shouldn't be.

They are of course vehemently denying it, but I would encourage you to make some noise as well or they probably won't do anything about it other than assume the data breach is down to user error - as I'm sure a lot of you cretins on here will automatically assume this is somehow my fault. I can assure you - it isn't.

If the security of your personal information is important to you, you might want to vote with your feet and switch banks.

[Edited on 25-01-2014 by evilrob]
willay
Moderator
Organiser: South East, National Events
Premium Member
Registered: 10th Nov 02
Location: Roydon, Essex
24th Jan 14 at 18:32

here we go
evilrob
Premium Member
Registered: 16th Mar 12
Location: Your mum's house
24th Jan 14 at 18:35

quote:
Originally posted by willay
here we go

Have a read of this:

http://ramblingrant.co.uk/2013/12/10/santander-another-demonstration-of-how-not-to-handle-security/
evilrob
Premium Member
Registered: 16th Mar 12
Location: Your mum's house
24th Jan 14 at 18:37

TL;DR - Don't bank online with Santander or its subsidiaries. Don't send payments to any company which uses Santander's BillPay system as a payment gateway.

[Edited on 24-01-2014 by evilrob]
John
Member
Registered: 30th Jun 03
24th Jan 14 at 18:45

I've got a Santander account and haven't had anything like this.
Ben G
Member
Registered: 12th Jan 07
Location: Essex
24th Jan 14 at 19:04

You sound like a paranoid mess, Rob.
evilrob
Premium Member
Registered: 16th Mar 12
Location: Your mum's house
24th Jan 14 at 19:06

Read the article posted above.
andy1868
Member
Registered: 22nd Jun 06
Location: Burscough, Lancashire
24th Jan 14 at 19:25

Oh well, looks like nobody is paying their income tax before next week then, as the HMRC use BillPay for that.
evilrob
Premium Member
Registered: 16th Mar 12
Location: Your mum's house
24th Jan 14 at 19:28

Now I think about it - I just did my return the other day.
baza31
Member
Registered: 19th Apr 03
Location: yorkshire
24th Jan 14 at 19:47

So how do you know it's not BillPay or a virus etc. on your PC? I get this shit on a daily basis; I just delete all emails. If they want me badly enough they will have to call me, and even then I'd go to a branch.
Ben G
Member
Registered: 12th Jan 07
Location: Essex
24th Jan 14 at 20:18

Same, baza. My bank called me once to tell me my card had been cloned and wanted some details.

I told them I would phone the number on my card before giving any details over.

It ended up being genuine, but you can't be too careful nowadays.

Had a PayPal scare over Christmas due to a dodgy email. A momentary lapse meant I had to quickly change my password and remove all my linked cards. Luckily I did it before anything was taken.
evilrob
Premium Member
Registered: 16th Mar 12
Location: Your mum's house
24th Jan 14 at 23:03

quote:
Originally posted by baza31
So how do you know it's not billpay or a virus etc on your PC.

It's definitely not a virus, as I am extremely vigilant about good online practice: I never install pirated software or software from unknown sources, and I check the MD5 hash where possible; I typically reformat every six months from genuine installation discs; I buy all my media rather than torrenting; I install all new security patches as soon as they are available; I disable Flash unless I have no other option; I don't go to dodgy websites; I'm running the latest Bitdefender firewall and antivirus; and I don't install browser extensions.

I also use site-specific browsers:
http://en.wikipedia.org/wiki/Site-specific_browser

And I don't use unsecured public wi-fi as a rule, nor do I do any internet banking over 3G.

In short: I have taken every reasonable step to ensure that I don't do anything which might expose usernames, passwords, or other sensitive information.

I'm pretty sure it's not Santander's bill pay service to blame - that might explain the leakage of data from one account but not two different ones.

quote:
Originally posted by baza31
I get this shit on a daily basis I just delete all emails . If they want me bad enough they will have to call me and even then I'd go to a branch

I get as much spam as anyone else; this situation I'm describing is different though due to the unique e-mail addresses and personal information for two separate Santander accounts.

For any online service I have a distinct e-mail address and I never use the same password twice. So if I order something from Amazon, I would use my Amazon-specific email address which might be amazon.ABC.563746@mydomain.com. If I want to order a pizza from Dominos online I would use my Dominos-specific email address - e.g. dominos.CBA.684756@mydomain.com.

By doing this I can track who is selling my information to whom, or who has had their systems compromised, if/when I receive an email to amazon.ABC.563746@mydomain.com from anyone other than Amazon.

Each Santander account for which I have received spam containing personal information has its own email address. This is why I'm certain there has been some lapse at Santander's end, or a lapse on the part of someone they've entrusted with customer data.

[Edited on 25-01-2014 by evilrob]
John
Member
Registered: 30th Jun 03
24th Jan 14 at 23:13

You've got far, far too much spare time. I use one email address for absolutely everything and don't have any of those problems. Also don't really care who is selling my information as long as Google continue to correctly profile spam.
evilrob
Premium Member
Registered: 16th Mar 12
Location: Your mum's house
24th Jan 14 at 23:18

quote:
Originally posted by John
You've got far, far too much spare time. I use one email address for absolutely everything and don't have any of those problems.

It takes no time at all - and, while I appreciate you don't care, because you use one email address for everything, you can't verify whether or not you're receiving emails from an organisation you never gave your email address to, or who you originally gave your email address to for it to ultimately end up in the hands of the unsolicited organisation.

I do only have one e-mail inbox - I just have a catch-all domain so anything@mydomain.com will be accepted, but I automatically delete any emails that have been sent to addresses other than my list of 'known' e-mail addresses, and for each website I supply an email address to, I make it unique and identifiable.

quote:
Originally posted by John
Also don't really care who is selling my information as long as Google continue to correctly profile spam.

That's a perfectly valid approach to take.

I prefer to simply not do business with anyone who doesn't look after my personal information, so I want to know how my data is being passed on and by whom.

[Edited on 25-01-2014 by evilrob]
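The alias scheme evilrob describes in the two posts above (one address per service on a catch-all domain, mail to any address not on the known list deleted automatically, and mail to a known alias from anyone it was never given to treated as evidence that the alias has leaked) can be expressed as a small triage filter. The Python below is an added example, not code from the thread: every address, domain and message in it is constructed, the two bank aliases are stand-ins for the "one address per bank account" setup, and examplebank.co.uk is a placeholder for the bank's sending domain.

```python
"""Per-service e-mail alias triage on a catch-all domain.

Added example, not code from the thread.  One address per service, mail to
any address never issued is dropped, and mail to a known alias from a sender
the alias was never given to is recorded as evidence that the alias (and the
personal data stored beside it) has left the service's hands.  Every address,
domain and message here is constructed; examplebank.co.uk stands in for the bank.
"""
from collections import defaultdict
from email import message_from_string
from email.utils import getaddresses, parseaddr

CATCHALL_DOMAIN = "mydomain.com"

# alias (lower-cased) -> (service label, sender domains that service legitimately uses)
# The Amazon and Dominos aliases are the ones quoted in the thread; the two
# bank aliases are constructed stand-ins for "one address per bank account".
KNOWN_ALIASES = {
    "amazon.abc.563746@mydomain.com": ("amazon", {"amazon.co.uk", "amazon.com"}),
    "dominos.cba.684756@mydomain.com": ("dominos", {"dominos.co.uk"}),
    "bank.acct1.918273@mydomain.com": ("examplebank", {"examplebank.co.uk"}),
    "bank.acct2.564738@mydomain.com": ("examplebank", {"examplebank.co.uk"}),
}


def triage(raw_message):
    """Classify each catch-all recipient of one raw RFC 5322 message.

    Returns {recipient: (verdict, detail)} with verdict one of
    "accept" (known alias, expected sender domain), "flag" (known alias,
    unexpected sender: the alias has leaked) or "drop" (address never issued).
    """
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    recipients = {addr.lower() for _, addr in
                  getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}

    verdicts = {}
    for rcpt in recipients:
        if not rcpt.endswith("@" + CATCHALL_DOMAIN):
            continue  # not our domain; nothing to decide
        if rcpt not in KNOWN_ALIASES:
            verdicts[rcpt] = ("drop", "address was never issued to anyone")
            continue
        service, expected_domains = KNOWN_ALIASES[rcpt]
        if sender_domain in expected_domains:
            verdicts[rcpt] = ("accept", service)
        else:
            verdicts[rcpt] = ("flag", f"{service} alias contacted by {sender_domain or '<no sender>'}")
    return verdicts


def leaked_aliases_per_service(raw_messages):
    """Count distinct flagged aliases per service across a batch of mail.

    One flagged alias could be a single-account accident; two independently
    issued aliases for the same service both flagged points at the service
    (or a third party it shares data with), which is the argument made above.
    """
    flagged = defaultdict(set)
    for raw in raw_messages:
        for rcpt, (verdict, _) in triage(raw).items():
            if verdict == "flag":
                flagged[KNOWN_ALIASES[rcpt][0]].add(rcpt)
    return {service: len(aliases) for service, aliases in flagged.items()}


def _message(sender, to, subject, body):
    """Build a minimal raw message (constructed sample input)."""
    return f"From: {sender}\nTo: {to}\nSubject: {subject}\n\n{body}\n"


# Constructed sample mailbox: a genuine order update, two unsolicited mails to
# the two separate bank aliases, and one to an address that was never issued.
SAMPLE_MESSAGES = [
    _message("Orders <order-update@amazon.co.uk>", "<amazon.ABC.563746@mydomain.com>",
             "Your order has shipped", "Tracking details inside."),
    _message("Deals <promo@bulkmailer.example>", "<bank.acct1.918273@mydomain.com>",
             "Special offer for you", "Unsolicited mail carrying personal details."),
    _message("Deals <promo@bulkmailer.example>", "<bank.acct2.564738@mydomain.com>",
             "Special offer for you", "Same sender, second bank alias."),
    _message("<noreply@example.net>", "<random.guess@mydomain.com>",
             "Hello", "Mail to a catch-all address nobody was ever given."),
]

if __name__ == "__main__":
    for raw in SAMPLE_MESSAGES:
        for rcpt, (verdict, detail) in triage(raw).items():
            print(f"{verdict:6} {rcpt:36} {detail}")
    print("flagged aliases per service:", leaked_aliases_per_service(SAMPLE_MESSAGES))
```

The From header is only a claim, so an "accept" verdict should be combined with the receiving server's SPF/DKIM/DMARC results before it is trusted. A "flag" verdict does not depend on who the sender really is: the alias has been used by a party it was never given to, which is the whole signal. In a real deployment the "drop" rule belongs in the mail server's recipient filter, so that only addresses on the known list are accepted at all.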
baza31
Member
Registered: 19th Apr 03
Location: yorkshire
24th Jan 14 at 23:30

Evil Rob. Have you ever come across a female genitalia?

Chill out, who gives a fuck, it's the times. You will get absolutely nowhere. As long as your bank account hasn't been emptied then why worry?

You probably need to join a yoga class or something.
evilrob
Premium Member
Registered: 16th Mar 12
Location: Your mum's house
24th Jan 14 at 23:34

quote:
Originally posted by baza31
Evil Rob. Have you ever come across a female genitalia?

I prefer to come into it.

quote:
Originally posted by baza31
Chill out, who gives a fuck, it's the times. You will get absolutely nowhere. As long as your bank account hasn't been emptied then why worry?

You probably need to join a yoga class or something.

I'm not agitated - all I was trying to do was warn others that Santander's data security is not up to scratch. If that's not important to you, fine. For anyone who is concerned about this stuff, they can consider their options.
evilrob
Premium Member
Registered: 16th Mar 12
Location: Your mum's house
25th Jan 14 at 01:06

quote:
Originally posted by Ben G
Same baza. My bank called me one to tell me my card had been cloned and wanted some details.

I told them I would phone the number on my card before giving any details over.

Just to be clear - this is not a phishing scam as such. The emails weren't posing as Santander - the content was not bank-related at all and did not contain any trojan-laced attachments. The issue is: these emails were sent to e-mail addresses that only Santander had, containing personal information that only Santander had.
Ben G
Member
Registered: 12th Jan 07
Location: Essex
25th Jan 14 at 01:06

Jesus Christ, quit smoking the reefer, man.
evilrob
Premium Member
Registered: 16th Mar 12
Location: Your mum's house
25th Jan 14 at 01:17

quote:
Originally posted by Ben G
Jesus Christ, quit smoking the reefer, man.

I'm not paranoid - I'm dealing with facts here.

By all means continue to be lackadaisical about your personal information on or off the internet. I'm sure there are people out there who do outrageously stupid things with their personal information like throwing their bank statements and pre-populated credit card applications straight in the bin every month their entire life and have not fallen victim to identity theft, but I choose to be a bit more careful about what I share and with whom, and I get annoyed when they are careless with it.

You might feel I am too careful - and I'm OK with that; that's your opinion and you're entitled to it. What I am saying is that in my case, Santander have definitely not taken care of my personal information and that pisses me off.

We're talking about an organisation who, it turns out, up until the middle of December 2013 would send out password reminders in plain text via e-mail:



If you don't understand why that is not a good thing, you shouldn't be on the internet.

[Edited on 25-01-2014 by evilrob]
A2H GO
Member
Registered: 14th Sep 04
Location: Stoke
25th Jan 14 at 08:38

Jesus, are you using corsasport through a proxy? Is your name even Rob?

Sometimes I worry about how much data I'm giving to Google, as they'll take your soul given half a chance, and I never use my real number on anything, but aside from that I'm not fussed. You probably forgot to tick a box somewhere on a form and gave Santander the right to share your data.
djgritt
Premium Member
Registered: 1st Nov 07
Location: Dorset Drives: Focus ST / Hyundai i20N
25th Jan 14 at 09:07

This is proper tinfoil hat stuff.
evilrob
Premium Member
Registered: 16th Mar 12
Location: Your mum's house
25th Jan 14 at 12:11

quote:
Originally posted by A2H GO
I never use my real number on anything but aside from that I'm not fussed

My e-mail setup is exactly the same principle - I don't give anyone my *actual* e-mail address. If an e-mail address I have given a company ends up on some marketing list and I start getting promotional emails I don't want, I can simply disable that address.

quote:
Originally posted by A2H GO
You probably forgot to tick a box somewhere on a form and gave Santander the right to share your data.

For a lot of people, this might be a fair point. I can assure you this is not the case here.

In any case, these e-mails I received to my Santander-specific e-mail accounts were not from a legitimate source; i.e. it's not a case of marketing or whatever, which would still piss me off but to a lesser extent.
evilrob
Premium Member
Registered: 16th Mar 12
Location: Your mum's house
25th Jan 14 at 12:12

quote:
Originally posted by djgritt
This is proper tinfoil hat stuff.

I'm not talking about aliens or conspiracies here.
evilrob
Premium Member
Registered: 16th Mar 12
Location: Your mum's house
25th Jan 14 at 12:20

It's not just me:





John
Member
Registered: 30th Jun 03
25th Jan 14 at 13:10

Notice it's only weirdos who have separate accounts for everything.
