I just got an e-mail from Bank of America:
During our regularly scheduled account maintenance and verification procedures, we have detected a slight error in your billing information. This might be due to either of the following reasons:
1. A recent change in your personal information (i.e.change of address).
2. Submiting invalid information during the initial sign up process.
3. The services look that was changed recently:
Bank Of America .
failure to update your account at least 24hrs of notice might lead to account being locked and access will be restricted.
I'll ignore the fact that I do not have a Bank of America account for the sake of this post, as that's just too easy.
So let's review the signs thus far:
Sign #1: "Either" of the following reasons, followed by three, not two, reasons.
Sign #2: Poor grammar: The services look that was changed recently
Sign #3: Poor punctuation: failure to update your account at least 24hrs of notice might lead to account being locked and access will be restricted.
Sign #4: The fact that the URL in the e-mail resolved to this site in Poland, which is hardly where I believe the Bank of America is located:
So I clicked on it (having a Mac gives you little fear when it comes to checking out phishing sites) and got a relatively legit looking Bank of America login page. Not running in SSL.
Sign #5: No SSL for username & password.
I "signed on" with a bogus name and password, and lo and behold, it accepted it!
Sign #6: A completely made up username and password somehow work.
Now that I'm authenticated, the URL has changed to include both the username and password which I provided:
Sign #7: Your password shows up - in clear text - in the URL
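Signs #4, #5 and #7 can all be read off the URL alone, so here is a small checker, added for this post and not part of the original, that flags them: a host that is not under the bank's real domain, a login page served without HTTPS, and credential-looking parameters in the query string. The sample URL is constructed to match the shape described above; the post does not reproduce the real phishing URL.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample URL shaped like the post-login URL described in the post
# (not the actual phishing URL, which the post does not reproduce).
SAMPLE_URL = "http://account-verify.example/signon.php?user=bogus&pass=secret123"

# Query parameter names that commonly carry a login ID or secret.
CREDENTIAL_PARAMS = {"user", "username", "login", "pass", "passwd",
                     "password", "pwd", "pin"}


def phishing_indicators(url: str, expected_domain: str) -> list[str]:
    """Return the URL-level indicators a defender can check without
    visiting the page: wrong host, no TLS, credentials in the query."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    findings = []

    # Sign #4: host is neither the expected domain nor a subdomain of it.
    # The leading dot matters: "bankofamerica.com.evil.example" must not match.
    if host != expected_domain and not host.endswith("." + expected_domain):
        findings.append(f"host {host!r} is not under {expected_domain!r}")

    # Sign #5: a page collecting a username and password served without TLS.
    if parsed.scheme != "https":
        findings.append(f"login page served over {parsed.scheme or 'unknown'}, not https")

    # Sign #7: username/password carried in clear text in the URL itself.
    query = parse_qs(parsed.query, keep_blank_values=True)
    leaked = sorted(k for k in query if k.lower() in CREDENTIAL_PARAMS)
    if leaked:
        findings.append(f"credential-like query parameters in URL: {leaked}")

    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_URL, "bankofamerica.com"):
        print("-", finding)
```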
Now I am presented with a form that is asking for all kinds of personal information - checking account number, SSN, online ID (which I just provided), ATM card number and PIN, and bank routing number.
Sign #8: Your bank asks YOU for its routing number.
At this point, if I just submit the page without providing any information, it goes on to the next step.
Sign #9: Not a lick of validation is included anywhere in the site.
Finally - the inspiration for this post - is one of the last pieces of information that the site asked me for:
Third from the bottom, I am asked to provide my Father's Maiden Name - a piece of information so secure, that not even he knows what it is!