Terrible email from Lloyds

Herbalus

B_G_B wrote: »

I would not suggest for one moment that Archi would paste a dodgy link on here but……..

……. come on folks. Own up. Who has clicked on it?

I clicked on it. But as I said earlier, I always review the url that I'm about to visit to see what it is. There's nothing suspicious about the link.

And I have a mac, which means I wouldn't care if an .exe file was downloaded. They don't work. I tried once with a programme I wanted.

masonic

Herbalus wrote: »

But personally I have a mac, which are unaffected by these types of virus. I also use the spacebar function (shows a snapshot of a file without opening it) to view files before I open them. I suppose that's not much help if you have Windows though.

Simply previewing a document is sometimes enough to trigger a vulnerability, for example this RTF file exploit in Outlook (http://www.darkreading.com/vulnerabilities-and-threats/outlook-users-face-zero-day-attack/d/d-id/1127891).

Attacks targeting Mac/Linux users are very uncommon, but they are not impossible. Always best not to be complacent.

ceredigion

So who else got this email then? Surely there must be more than two of us. Has anybody actually read the revised T`s and C`s yet and knows what the changes are. No I've not opened the files but I have asked LLoyds to send me paper copies whilst explaining my concerns regarding their system.

matttye

grumbler wrote: »

I am pretty sure pdf files are absolutely safe.
So are many other common formats, if not most.

In fact, very few formats can be dangerous. Mainly it's exe (including self-extracting zip) and doc/xls (if you enable macroses that are disabled by default).

ETA: it's a norm for, say, insurance and travel companies to send pdf attachments. Why do banks have to be different?

http://en.wikipedia.org/wiki/Buffer_overflow

Fairly technical wiki page, but shows that ANY software can be vulnerable to at least one type of vulnerability.

If you have a look at the example given, it shows how unaccounted for input can change the behaviour of a program.

These are often exploited in software.

Even companies like Microsoft can be seen to regularly patch these kinds of security holes in their software if you read Windows Update logs.

Archi_Bald

B_G_B wrote: »

……. come on folks. Own up. Who has clicked on it?

The link I posted is not to a PDF document. Also, launching a PDF in a browser is different to double clicking on a PDF (or file purporting to be a PDF) sent as an attachment.

Which is even more reason why no company should be sending any attachment by email. Even if the user has been able to decide that the email is genuinely from the company it looks to be from, the user has no means of verifying that the attachment is clean. How are we to tell that the attachments are safe to use? Whilst it is unlikely that a bank would be sending out infected .pdf files, nothing is impossible. A corrupt bank employee could package horrible things like ransomware into a PDF and long have left the country by the time the issue gets detected. I would not want to have to prove to a bank it was their attachment that sent my PC into meltdown, lost me all my data, and cost me my livelyhood.

One particularly nasty piece of ransomware is CryptoLocker

CryptoLocker typically propagates as an attachment to a seemingly innocuous e-mail message, which appears to have been sent by legitimate company; or, it is uploaded to a computer already recruited to a botnet by a previous trojan infection.[9] A ZIP file attached to an email message contains an executable file with the filename and the icon disguised as a PDF file, taking advantage of Windows' default behaviour of hiding the extension from file names to disguise the real .EXE extension.

http://en.wikipedia.org/wiki/CryptoLocker


I notice there is absolutely nothing in the Lloyds email that says they guarantee the contents of the PDFs are free of viruses and malware, or how many attachments there should be, or anything else that could reassure the user that there is nothing untoward in these attachments.

masonic

Archi_Bald wrote: »

The link I posted is not to a PDF document. Also, launching a PDF in a browser is different to double clicking on a PDF (or file purporting to be a PDF) sent as an attachment.

Well yes, insofar as it is opened by your browser instead of your PDF reader. In the browser, you don't have the issue of the file masquerading as a pdf when it is in fact an executable, but you still have a problem if the PDF is malicious. (One of the first things I do when setting up a PC is turn file extensions back on - why Microsoft decided that shouldn't be visible by default I don't know)

I notice there is absolutely nothing in the Lloyds email that says they guarantee the contents of the PDFs are free of viruses and malware, or how many attachments there should be, or anything else that could reassure the user that there is nothing untoward in these attachments.

How reassuring could any statement made in an unsolicited email claiming to be from your bank be? Banks say they'll never send emails asking you to click a link. The situation with attachments isn't much different.

Thrugelmir

Archi_Bald wrote: »

I am staggered that Lloyds seriously expect people to open email attachments. Have filed a formal complaint with them.

Sounds like the death knell for free online banking. As lenders will still be required to invest in the entire machinery required to mail out letters. As well as maintain 24/7 computer systems.

masonic

Thrugelmir wrote: »

Sounds like the death knell for free online banking. As lenders will still be required to invest in the entire machinery required to mail out letters. As well as maintain 24/7 computer systems.

Several banks have secure messaging systems. These can't cost much to run.

Edit: Or make the documents available through online banking and send out an email letting people know where to go to find them (without a link).

Thrugelmir

masonic wrote: »

Several banks have secure messaging systems. These can't cost much to run.

Edit: Or make the documents available through online banking and send out an email letting people know where to go to find them (without a link).

I imagine banks are running numerous legacy systems. Outages are growing more frequent. As a result of a lack of capital investment over many years.

masonic

Thrugelmir wrote: »

I imagine banks are running numerous legacy systems. Outages are growing more frequent. As a result of a lack of capital investment over many years.

I can't argue with that.

It's just such a shame the banking industry isn't very profitable or they'd be able to modernise their infrastructure and potentially save themselves some money in the long run supporting the old stuff.