Email address leaked by Santander

On the 5th of November 2013, I received 4 scam emails from "[The Federal] Tax Service" (containing a trojan executable) to an email address that has only ever been given to Santander (and is indeed unique to Santander, given that it has their name in it).

Some people will claim that this was caused by a brute force or dictionary attack and that it is a coincidence that it only went to my Santander email address. The advantage of running my own email servers is that I can check the logs and see what other email was rejected. There were 4 rejected attempts to send email to this address the day before, but nothing before that. On average there were 2 email attempts per day in November to completely unknown recipients, following a dictionary attack pattern. No one performs a brute force attack on email recipients; that would be ridiculous and would take forever at the rate of 2 per day.
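The log check described above, written out as an added example (not code from this post): it separates rejected deliveries to recipients that do not exist (dictionary noise) from repeated hits on a real per-vendor address, using constructed Postfix-style reject lines and example.org addresses that are assumptions, not the author's server.

```python
import re
from collections import Counter, defaultdict

# Constructed Postfix smtpd reject lines, not taken from the author's server.
# They mirror the post's pattern: a trickle of guessed recipients over the
# month, then a burst of four attempts at one vendor-specific address in a day.
SAMPLE_LOG = """\
Nov  1 02:14:07 mx postfix/smtpd[4101]: NOQUEUE: reject: RCPT from unknown[203.0.113.10]: 550 5.1.1 <admin@example.org>: Recipient address rejected: User unknown in local recipient table; from=<a@example.net> to=<admin@example.org>
Nov  1 19:40:51 mx postfix/smtpd[4188]: NOQUEUE: reject: RCPT from unknown[203.0.113.11]: 550 5.1.1 <sales@example.org>: Recipient address rejected: User unknown in local recipient table; from=<b@example.net> to=<sales@example.org>
Nov  2 11:02:33 mx postfix/smtpd[4301]: NOQUEUE: reject: RCPT from unknown[203.0.113.12]: 550 5.1.1 <info@example.org>: Recipient address rejected: User unknown in local recipient table; from=<c@example.net> to=<info@example.org>
Nov  2 23:17:09 mx postfix/smtpd[4377]: NOQUEUE: reject: RCPT from unknown[203.0.113.13]: 550 5.1.1 <bob@example.org>: Recipient address rejected: User unknown in local recipient table; from=<d@example.net> to=<bob@example.org>
Nov  4 09:05:12 mx postfix/smtpd[5210]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using zen.spamhaus.org; from=<tax@example.com> to=<bank-vendor@example.org>
Nov  4 09:05:40 mx postfix/smtpd[5211]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using zen.spamhaus.org; from=<tax@example.com> to=<bank-vendor@example.org>
Nov  4 09:06:02 mx postfix/smtpd[5212]: NOQUEUE: reject: RCPT from unknown[198.51.100.8]: 554 5.7.1 Service unavailable; Client host [198.51.100.8] blocked using zen.spamhaus.org; from=<tax@example.com> to=<bank-vendor@example.org>
Nov  4 09:06:31 mx postfix/smtpd[5213]: NOQUEUE: reject: RCPT from unknown[198.51.100.8]: 554 5.7.1 Service unavailable; Client host [198.51.100.8] blocked using zen.spamhaus.org; from=<tax@example.com> to=<bank-vendor@example.org>
"""

# Addresses that really exist on this (hypothetical) server: one per vendor.
LOCAL_ADDRESSES = {"bank-vendor@example.org", "shop-vendor@example.org"}

REJECT_RE = re.compile(r"^(?P<day>\w{3}\s+\d{1,2}) .*?: reject: RCPT .* to=<(?P<rcpt>[^>]+)>")


def analyse(log_text, local_addresses):
    """Count guessed (non-existent) recipients per day and hits on real addresses."""
    days = set()
    unknown_total = 0
    hits = defaultdict(Counter)  # real address -> Counter(day -> attempts)
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if not m:
            continue
        day, rcpt = m.group("day"), m.group("rcpt").lower()
        days.add(day)
        if rcpt in local_addresses:
            hits[rcpt][day] += 1
        else:
            unknown_total += 1
    rate = unknown_total / len(days) if days else 0.0
    return {"unknown_per_day": rate, "hits": hits}


def looks_targeted(report, address):
    """True when one day's hits on a real address exceed the daily guessing rate:
    a guesser that slow would not land on one valid address several times a day."""
    per_day = report["hits"].get(address)
    if not per_day:
        return False
    return max(per_day.values()) > report["unknown_per_day"]
```

Running `analyse(SAMPLE_LOG, LOCAL_ADDRESSES)` on the constructed log gives a guessing rate of about 1.3 unknown recipients per day against four hits on the vendor address in one day, so `looks_targeted` reports that address as targeted rather than as dictionary noise.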

Apathy

As reported by The Register in "Oi, bank manager. Only you've got my email address - where're these TROJANS coming from?", I wasn't the only person to have this issue, which implies that a number of other customers have had their personal data leaked too. Unfortunately in the UK the only practical way to enforce our data protection laws is by reporting issues to the ICO, and as usual they decided to do nothing.

Responses from Santander Executive Complaints

I complained to Santander about this issue and received nonsense back every time:

2014-01-29

Firstly I would like to apologise for the misunderstanding of your previous complaint, that the emails you were receiving were from someone claiming to be Santander. I now understand that this is not the case and you are unhappy with an email you received claiming to be from "The Federal Tax Service" addressed to an email account used specifically for Santander and you would like to understand how this email address was obtained by the third party.

As I confirmed within my letter of 3 January 2014, Santander has never supplied your personal details to an unauthorised third party. However, I can confirm that our Security Team were highlighted to attempts by third parties trying to obtain a large proportion of customer related emails who used a specific email address for their Santander accounts.

So attempts ... to obtain ... customer related emails (sic) who used a specific email address for ... Santander could be the plot for a movie because it's pure fiction. It's also amazing what Santander can know about these "attempts" that were supposedly unsuccessful.

2014-02-17

Thank you for coming back to me. I can confirm we detected the attempt to obtain personal details in time to ensure preventative measures were in place and as advised within my letter our IT and Security Team are aware that the National Crime Agency's National Cyber Crime Unit (NCCU) are working hard to identify the source.

Please be assured, none of your personal data has been stolen or compromised, the only data obtained was the Santander specific email address, which I understand you have now changed, to a more secure address.

So my personal data hasn't been stolen except for my email address which is personal data!?

Santander email practices

Reviewing all the legitimate email received from Santander, it either comes direct from servers owned by Santander UK PLC (relating to my account) or it's a general marketing email in which case it comes from servers owned by Marketing Source Limited (from the domain "yoursantander.co.uk" because nothing says trustworthy like using separate unverifiable domains to email your customers!).

It's possible that the personal data leak occurred from within Santander or within Marketing Source. Both companies have the personal data of customers (including postcodes used to "authenticate" the email). What's interesting is that all the general marketing email up to August 2013 (before the spam started) comes from "santander@info.yoursantander.co.uk" and all such email from June 2014 (after the spam started) comes from "santander@service.yoursantander.co.uk", so Marketing Source have changed something in that time period.

The long-term effect

What happens when you leak customers' email addresses to third parties? They receive junk email to that address forever. At its peak this was on average 4 emails per day but it has reduced to 1 every 3 days, as this graph illustrates:

Shrinking toilet paper

ASDA are at it again with the shrinkflation, this time with their own brand toilet paper "Shades So Soft". In August you could buy 24 rolls with a total area of 65.18m² for £8.00 but from September the same 24 rolls (also £8.00) have a total area of only 63.20m². That's about ¾ of a roll less paper for the same price.

Contents: 24 rolls, 2 ply tissue. Average 210 sheets per roll. Sheet size 122mm x 106mm. Total area 65.18m².
65.18m² for £8.00 (2016-08-12)
Contents: 24 rolls, 2 ply tissue. Average 210 sheets per roll. Sheet size 120mm x 104.5mm. Total area 63.20m².
63.20m² for £8.00 (2016-09-19)

Death of a Kindle

I turned my Kindle on last night on the train and most of the screen failed to update. Only a small area at the bottom now updates. I pre-ordered this when it first came out in the UK so it has lasted for 6 years and 1 month (the battery life is still very good).

[Kindle with partially frozen screen]

Restoring a Garden Bench

I've started restoring my garden furniture as the existing paint is now peeling off everywhere. I'm using an electric sander which is a lot easier than sanding by hand. Some mahogany wood stain has then been applied with a paintbrush to the bench, floor covering and my clothes.

The first bench is now complete:

[Bottom side of the bench after sanding] [Seat bars before sanding]

[Top side of the bench after sanding] [Bottom side of the bench after partial painting]

[Top side of the bench after completion of painting]

Shrinking shampoo bottles

Alberto Balsam have brought out "new" 350ml bottles of shampoo that ASDA sell for the same price (£1) as the previous 400ml bottles, so you now pay the same price for less. What makes it worse is that when they originally replaced the ASDA branded product with the Alberto Balsam equivalent, it had a "same 400ml fill" label despite it being smaller than the 500ml ASDA version.

ASDA Essentials Coconut Shampoo (500ml) [Source: mySupermarket.co.uk]
500ml
£0.80 (2013)
Alberto Balsam Coconut and Lychee Shampoo (400ml) [Source: Tesco]
400ml
£1.00 (2015)
Alberto Balsam Coconut and Lychee Shampoo (350ml) [Source: Ocado]
350ml
£1.00 (2016)

Garage Roof

The roof on my garage had been leaking for over a year; it has now been replaced by Taylor Joinery Services.

[Original garage roof with felt] [Garage without roof]
[Garage with wood roof only] [New rubber garage roof]

[European Championships Landyachting 2015]

Last week I was in Oostduinkerke, Belgium to watch the Scottish team compete. I took plenty of photos and some video of the event. The top 10 sees France moving back up the rankings but The Netherlands are still in first place.

We had a Prehistoric Theme Night hosted by Z.C. De Krab which included a performance of the evolution of prehistoric landyachting.

Adafruit Proto Cape Kit for Beagle Bone

I bought one of Adafruit's Proto Cape Kits for my Beagle Bone Black so that I could put 3 relay circuits and pin headers on it. The double-sized PCB is supplied with separate pin headers that you have to solder on yourself.

It provides access to all of the pins but only SYS_5V is provided as a set of power lines and not VDD_5V, so limited current is available. However, this doesn't matter too much given that there is very little space for components.

I had to really squash everything in and use a lot of wires because there was no chance of creating an optimal layout:

Paym Mobile Payments

I don't usually carry any cash with me (my wallet has nowhere to keep coins). People are reluctant to give out their bank account details to receive money. If the recipient needs to be sure that they've been paid then they'd have to log in to online banking - not very convenient.

I keep getting told that sending money using PayPal is free. It's only free if you allow them to take money by Direct Debit from your bank account, at which point all payments then default to using this payment method (instead of a Debit/Credit Card). So for the ability to make ad-hoc free payments I then have to be careful to change the payment method on every other transaction - not very convenient.

Paym appears to solve both of these problems. As long as the recipient has registered to use Paym, anyone can send money to the mobile number of the recipient. The bank account details of both sides remain private. For confirmation that money has been paid, a text message is sent to the recipient at the time the transaction occurs stating the sender, reference and amount.

In my testing (which requires two mobile numbers) the Faster Payment transaction took 7 seconds to complete and the text message arrived 1 second later:

To S Arlott: S Arlott sent you £1.00 'Test' paid into your account ending XXXX. (1 min via SMS)

The minimum transaction amount is £1 and the limit per day is £250.

Solar Eclipse

Photos of today's 93% Solar Eclipse:
93% Solar Eclipse through the clouds

Jabber

simon@arlott.org.uk