18 February 2018

RSA tries to silence blogger who exposed security flaw

14 August 2009

Security vendor RSA has demanded that a blogger take down a post exposing a vulnerability in the Web site of one of its customers, Navy Federal Credit Union, accusing him of trademark infringement.

Last month Scott Jarkoff posted a blog on TechMiso, warning that the Navy Federal Credit Union site lets customers enter their online banking passwords directly into an unsecured home page, rather than making them go to a secure log-in page.

"This is a huge security risk because it is ripe for phishing. By allowing users to log in to an online bank from an unsecure, unverified site, those same customers could be tricked into entering their credentials from just about any domain," he says.

Days after posting his blog, Jarkoff received an e-mail from RSA's Anti Fraud Command Center, which is contracted by the credit union to help monitor and prevent fraudulent activity on the site.

The e-mail - which Jarkoff has posted - claims the blog's domain name "violates Navy Federal Credit Union's copyright, trademarks and other intellectual property rights".

In addition, RSA claims the blog - warning about a vulnerability to phishing - "may become a host to a phishing attack, or other fraudulent scams against the bank and the bank's clients".

"Please take all necessary steps to immediately shut down the fraudulent website, terminate its availability to the Internet and discontinue the transmission of any e-mails associated with this website," says the e-mail.

Jarkoff replied, refusing to take down the blog post, and then received a second message from RSA.

This e-mail makes no mention of intellectual property rights, instead asserting: "The problem with the material on the blog is that it suggests that Navy Federal's website is not secure."

The e-mail also says the credit union has asked RSA to get the blog taken down, yet someone purporting to work in public relations for Navy Federal has commented on Jarkoff's post, thanking him for pointing out the vulnerability and revealing plans to address the security issue raised.

Despite this, Jarkoff has now received an e-mail from his hosting company notifying him that RSA has sent it a complaint and asked for the post to be taken down, claiming trademark infringement.

Jarkoff says the claim probably relates to a screenshot of the bank's site on the post.

He has again refused to remove the blog, saying: "I am very interested in pursuing this and seeing how far the rabbit hole leads and where we end up."

An RSA spokesman told Finextra the firm is unable to comment on the issue at present.

Read Jarkoff's blog here.

Comments: (1)

A Finextra member | 14 August, 2009, 16:45

Surely exposing this poor security is educational and fair use would come into play?

Aren't RSA the security arm of EMC and aren't they the storage company which provides services for that stock exchange where it was found all sorts of information was unsecured for ages?

Didn't they come up with some encryption thing in the early days of computing? Is it obsolete now? What do they actually do now, apart from police copyright infringement?

Seems a little foolish to attack the blogger; perhaps actually providing some security for the client would be more productive than trying to chase a blogger for alleged copyright infringement, which is the last bastion of the censor and snake oil salesman.

If RSA were worried about their logo appearing on the blogger's screen capture of their client's insecure site, they should have made sure it was at least superficially secure before they sold themselves.

Embarrassed about putting your name on an insecure site? Too late for that.
