how to spot a fake bank website
I found one tonight, for a large New Zealand bank:
- it looks flashy and right on-brand, but the URL is nothing to do with the bank in question (I look in the URL bar);
- it has an SSL certificate, but it’s one that belongs to an outfit called “YALAMANCHILI SOFTWARE EXPORTS PRIVATE LIMITED” of Chennai in India (I double click on the padlock to check);
- and yes, the site appears to be hosted in India, too – a traceroute to the site disappears into Asia somewhere via Japan and Hong Kong (I use the command line, or else the venerable Kappa Crucis BBS traceroute page to check where the data goes);
- while the IP address of the site host belongs to a company in Mumbai (I check who owns any Asia Pacific IP address at APNIC);
- it might have lots of contact details for the bank in question, but these are actually sourced from another of the same bank’s websites, contained within an iframe;
- the domain registration does mention the bank… but the name of the bank staff member and the address given are different to the name and address used for the bank’s regular domains (I can find out who owns the names from the Domain Name Commissioner);
- the technical contact on the domain registration is someone called Yalamanchili Ramki, of Chennai (a solo operation, perhaps?) – and should we note now that this bank has no presence in Chennai?
So, would you be suspicious about entering your details on this website?
But hey! It turns out that apparently you shouldn’t worry. It’s a real website. It really does belong to the bank in question – it’s a sub-site for this product.
Well… I can’t say I feel reassured. It raises more questions really.
Like: what the hell are they thinking?
Robyn Gallagher
9 January 2009, 23:34 #
Their next step is to send out an email to all their valued customers that starts with “DEAR GRACIOUS FRIEND”.
Mr Reasonable
10 January 2009, 08:31 #
Ha ha ha, very good. What it shows is that it is too hard to design, build and host the site internally or through their NZ contacts (or costly I guess) and that the people that know about the web/security stuff were not consulted maybe…that would never happen, yeah right.
Integration to bank systems still the same issue it seems and no regard for the poor customer having to get yet another username/password. I seem to recall that you solved this technical issue about 10 years ago……
Nigel Ramsay
10 January 2009, 09:29 #
I suppose it comes down to banks not “getting it” in regard to the internet.
When you outsource your capabilities offshore, not only do you loose the ability to build these sites. You also loose the ability to discern if what is delivered is any good.
Lance
10 January 2009, 14:33 #
Oh this is good – well spotted, and nicely screwed up NBNZ.
Andrea
16 June 2009, 11:11 #
Hey there. Can anyone take a look at this website: www.newzealandinvestmentnetwork.co.nz
And tell me what they think about its legitimacy?. I am genuinely tring to use it. I want to post an add, but you have to pay $250 first. Also it keeps sending me emails saying I have interested investors but must pay $200 to get their details. I have requested a phone number for the website, but they say it is an internet portal only. I may just be being over cautious, but would appreciate someones input on the site before I hand over my $200! Thanks heaps.
Lance Wiggs
16 June 2009, 12:23 #
Andrea I’m not even going to go to that website before telling you to STOP – it’s a rip-off at best, scam at worst. The only people that could legitimately charge that sort of money would be the market dominant site – and we would have heard of them. The $200 to get details is classic scam behaviour – next it will be $1000 to sign papers, $5000 to release investments and so on.