This is Warren Kwok's Internet note pad, electronic diary, online rubbish journal, whatever you might name it! It is an archive of my random thoughts in chronological order. I am not good at reporting boring things and making them lively. If you find this blog boring, sorry, that is your problem.
2012/10/30
HSBC pays little attention to the prevention of email phishing.
I received an email from HSBC about the annual service fee. Usually, if I receive an email from a bank, I open the email header to see whether it really comes from the bank or is just a phishing email. For the HSBC email, the sender domain checked out OK. However, there are no DKIM messages in the email header. To probe further into email protection, I tried to dig the SPF records of hsbc.com.hk. Oh no, its SPF is based on "soft fail". That is a poor setting. Without the proper use of SPF and DKIM, I can conclude that HSBC pays little attention to the prevention of email phishing.
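The two checks described in the post (is there a DKIM-Signature header, and what result does the domain's SPF record give to senders it does not list), as an added Python example that is not part of the original post. The message and the SPF record are constructed samples, and the function names are hypothetical.

```python
import email
from email import policy

# Constructed sample message (not the email from the post); it carries no DKIM-Signature.
SAMPLE_MESSAGE = """\
From: Example Bank <notice@bank.example>
To: customer@example.net
Subject: Annual service fee

Dear customer, ...
"""

# Constructed TXT record of the kind `dig TXT <domain>` returns.
SAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.bank.example ~all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_all_policy(txt_record):
    """Result the record gives to senders matching no listed mechanism.
    'redirect' means the policy lives in another record that must be fetched."""
    terms = txt_record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "no-spf"
    has_redirect = False
    for term in terms[1:]:
        term = term.lower()
        if term.startswith("redirect="):
            has_redirect = True
            continue
        if term.lstrip("+-~?") == "all":
            # A bare "all" has an implicit "+" qualifier.
            return QUALIFIERS.get(term[0], "pass")
    # RFC 7208: with no "all" and no redirect, the default result is neutral.
    return "redirect" if has_redirect else "neutral"

def dkim_domains(raw_message):
    """Signing domains (d= tag) of every DKIM-Signature header; empty if unsigned."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    domains = []
    for value in msg.get_all("DKIM-Signature", []):
        pairs = (t.split("=", 1) for t in str(value).split(";") if "=" in t)
        tags = {k.strip().lower(): v.strip() for k, v in pairs}
        domains.append(tags.get("d", "").lower())
    return domains

def assess(raw_message, spf_record):
    """Collect the weaknesses the post looks for in one message and one SPF record."""
    findings = [] if dkim_domains(raw_message) else ["no DKIM-Signature header"]
    result = spf_all_policy(spf_record)
    if result != "fail":
        findings.append(f"SPF result for unlisted senders is '{result}', not 'fail'")
    return findings
```

A DKIM-Signature header being present only shows that the message claims a signature; verifying it requires fetching the signer's public key from DNS, which this offline example does not do.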
2 comments:
There is no convenient way to check it. Hope there will be a browser plugin, like DNSSEC.
All websites and email services of banks should be supported by DNSSEC. However, we still need the .hk registry to be DNSSEC-signed.