Tell me what you think of the following series of events:
- I receive an email with a link in it, promising money.
- I click on the link and see a screen purporting to be my bank and asking for my username and password.
- Not trusting the page to actually be my bank, I go independently to my bank site and authenticate.
- Clicking again on the link from my email, I hope to see that the bank authentication page is gone, and that I am taken directly to the step where I answer the “security question” and get my money. Instead, however, I find that even though I have an existing valid bank session set up in my browser, I am still taken to a login page and forced to re-enter my credentials before the transaction will work.
I know what you’re saying! Don’t do it! It’s a phishing attack! Sadly, this is actually what happens if you are the recipient of a Certapay INTERAC email money transfer in Canada. It is a phisher’s wildest dream come true, don’t you think? Even those familiar with the process will eventually stop looking at URLs and just click through the brightly colored screens to enter their banking credentials.
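A small illustration of why "just look at the URL" is such a weak defence, added here as an example that is not part of the original post: it parses a link the way a browser would and compares the host the browser will actually contact against an allowlist, showing the tricks (userinfo before `@`, the bank's name used as a subdomain of another domain, lookalike non-ASCII labels) that a glance at the brightly coloured page never catches. The hostnames `online.examplebank.example` and `www.examplebank.example` are constructed placeholders, not any real bank's domains.

```python
from urllib.parse import urlsplit

# Constructed allowlist of hosts the bank is assumed to use for login (placeholders).
TRUSTED_HOSTS = {"online.examplebank.example", "www.examplebank.example"}


def link_target(link: str) -> tuple[str, str]:
    """Return (scheme, host) for the server a browser would actually connect to.

    Covers the parts of a URL that fool a quick glance:
    - userinfo before '@': https://online.examplebank.example@evil.example/
    - the trusted name used as a subdomain of someone else's domain
    - a port suffix, which is not part of the host name
    - non-ASCII (IDN) labels, normalised to their xn-- form so lookalikes stand out
    """
    parts = urlsplit(link.strip())
    host = parts.hostname  # userinfo and port removed, lowercased
    if parts.scheme not in ("http", "https") or not host:
        raise ValueError("not an http(s) link with a host")
    return parts.scheme, host.encode("idna").decode("ascii")


def classify_link(link: str) -> str:
    """'trusted' only for an https link whose whole host is on the allowlist."""
    try:
        scheme, host = link_target(link)
    except ValueError:
        return "invalid"
    # Exact match on the full host: a substring check would also accept
    # online.examplebank.example.evil.example, which is not the bank at all.
    if scheme == "https" and host in TRUSTED_HOSTS:
        return "trusted"
    return "untrusted"


if __name__ == "__main__":
    # Constructed sample links of the kind that arrive in email.
    for link in (
        "https://online.examplebank.example/login",
        "https://online.examplebank.example@evil.example/login",
        "https://online.examplebank.example.evil.example/login",
        "http://online.examplebank.example/login",
        "https://onlïne.examplebank.example/login",
        "mailto:payments@examplebank.example",
    ):
        print(f"{classify_link(link):9}  {link}")
```

The point of the exact-host comparison is that every one of the untrusted links above contains the bank's real name somewhere in it, which is exactly what a user skimming the address bar is looking for; the only reliable rule is the one the page itself gives, namely to reach the bank by typing its address yourself rather than through anything that arrived by email.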
The whole setup is ripe for abuse. Why, dear god, is there no way to accept a payment without typing in your banking credentials? There certainly needs to be an authorization step, but forcing an authentication step to be bundled is both lazy and dangerous. The worst part is that the banks are complicit in this.
The best irony of all is that the email fraud section of their website security page, under “How to Protect yourself”, says:
- Do not share or provide your personal information.
Oh, you mean like my usernames and passwords for my entire BANK ACCOUNT????