My friend Jan read this post and asked whether I was sure the emails were really sent at the request of my bank. I was 99.9% sure, which is not enough, so I contacted them to verify.
They offer great customer service via WhatsApp. I sent a screenshot of the email and the reply was: “That survey indeed comes from us :-)”.
My next question was whether they had thought about the security implications of having an external agency send surveys on their behalf. Surveys can be spoofed. After some pushing I was put in contact with someone from the security team.
The security person explained in detail that spoofing is almost impossible because the email is sent from a domain that publishes a Sender Policy Framework (SPF) record in DNS. I insisted that my worry is that at some point the survey will be spoofed, not the sender. However, this is something they do not view as a risk. The bank only uses two suppliers to send emails on its behalf, and copying an email in such a way that it passes spam filters is extremely difficult. In summary, they will continue to send surveys via external parties.
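The disagreement above turns on what SPF actually verifies. As an added illustration (not part of the original post, and not the bank's or any vendor's code), the Python below evaluates SPF against a constructed DNS table: bank.example, mail.surveyagency.example and unrelated-research.example are placeholder domains with made-up records. It shows that an SPF "pass" only means the sending server was authorised for the envelope sender's domain; a message from an unrelated domain with its own valid SPF record also passes, so the recipient-side question "is this really the bank?" still has to be answered by looking at which domain the mail is from.

```python
import ipaddress

# Constructed DNS TXT table standing in for real lookups (assumption: none of
# these domains or addresses are real; they are documentation/example ranges).
DNS_TXT = {
    "bank.example": "v=spf1 include:mail.surveyagency.example ip4:203.0.113.0/24 -all",
    "mail.surveyagency.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "unrelated-research.example": "v=spf1 ip4:192.0.2.0/24 -all",
}

BANK_DOMAIN = "bank.example"

# SPF qualifier prefixes and the result they produce when a mechanism matches.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, sender_ip, depth=0):
    """Minimal SPF evaluation supporting ip4/ip6/include/all mechanisms only.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    (a/mx/ptr/exists and macros are deliberately not implemented.)
    """
    if depth > 10:
        # RFC 7208 caps DNS-querying terms at 10; treat deeper nesting as an error.
        return "permerror"
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            # ip_network(...).__contains__ returns False on address-family mismatch.
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIER_RESULT[qualifier]
        elif term.startswith("include:"):
            # An include matches only if the referenced domain's SPF yields "pass".
            if spf_check(term[len("include:"):], sender_ip, depth + 1) == "pass":
                return QUALIFIER_RESULT[qualifier]
        elif term == "all":
            return QUALIFIER_RESULT[qualifier]
    # No mechanism matched and no "all" term: RFC 7208 default result.
    return "neutral"


def verdict(message):
    """Combine the SPF result with the only check that answers 'is it the bank?'.

    message is a dict with envelope_from_domain, header_from_domain, sender_ip.
    """
    spf = spf_check(message["envelope_from_domain"], message["sender_ip"])
    from_is_bank = message["header_from_domain"] == BANK_DOMAIN
    if spf == "pass" and from_is_bank:
        return "authenticated mail from the bank's domain"
    if spf == "pass":
        return "authenticated mail, but not from the bank's domain"
    if spf in ("fail", "softfail"):
        return "sender not authorised for the claimed domain"
    return "no usable SPF verdict"


# Constructed sample messages (not real traffic).
REAL_SURVEY = {  # agency sends on the bank's behalf; agency IPs are in the bank's SPF
    "envelope_from_domain": "bank.example",
    "header_from_domain": "bank.example",
    "sender_ip": "198.51.100.10",
}
LOOKALIKE_SURVEY = {  # a different domain with its own, perfectly valid SPF record
    "envelope_from_domain": "unrelated-research.example",
    "header_from_domain": "unrelated-research.example",
    "sender_ip": "192.0.2.5",
}
FORGED_ENVELOPE = {  # claims bank.example from an IP the bank never authorised
    "envelope_from_domain": "bank.example",
    "header_from_domain": "bank.example",
    "sender_ip": "192.0.2.5",
}

if __name__ == "__main__":
    for name, msg in [("real", REAL_SURVEY), ("lookalike", LOOKALIKE_SURVEY),
                      ("forged", FORGED_ENVELOPE)]:
        print(f"{name:9} spf={spf_check(msg['envelope_from_domain'], msg['sender_ip']):8} "
              f"-> {verdict(msg)}")
```

The lookalike message gets exactly the same SPF result as the genuine survey, which is the gap the post is pointing at: SPF binds a sending server to the envelope domain, nothing more. Binding the visible From: header to that domain is what DMARC's alignment check adds, and even then the message is only shown to come from whatever domain it names, so a recipient-side allowlist of the bank's real domains (or the in-app delivery the post suggests) is what actually closes the question.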
How this could be used for phishing.
Exploiting the questionnaires would not be simple, but with the amount of money in play a sophisticated black hat group is willing to invest. Imagine, for instance, that they lay the groundwork and launch a legitimate market research company. Next they purchase certificates so that this new venture can send emails that pass spam filters.
They then prepare a survey in the look & feel of the bank. For good measure they remind people at the beginning of the questionnaire to never give their username or password. After some basic questions they ask for help improving the bank's UX / testing a new platform that is loaded in an iframe…
Customers of the bank are already used to receiving survey emails from external parties, which lowers the percentage of cautious recipients. If the criminals also launch their attack in parallel with a real survey, and have a bit of luck, the first suspicious customers who contact customer service might even get the same reply I got: “That survey indeed comes from us :-)”
I am not a security expert, so the example above is probably not the best. But if my assertion that these surveys can be abused is correct, prudent policy would be to only send questionnaires in-app or within the online banking environment.
The bank does not share these concerns and will continue to send surveys via external parties. At some point this might facilitate a phishing attack, but I hope I am wrong.