Digital Security

Beware of Habib Metro’s digital security lapse

Habib Metro bank has a digital security loophole that makes it impossible for its customers to distinguish the bank’s genuine emails from spoofing and phishing attempts. In the monthly bank statements that Habib Metro sends via email to its customers, one can see a warning alert that reads something like this:

This email has failed its domain’s authentication requirements. It may be spoofed or improperly forwarded! Learn more.

[Image: habib-metro-alert] Screenshot of the alert

What does this mean?

This essentially means that email from Habib Metro’s address estatements@habibmetro.com has failed the domain’s email authentication check, so customers have no way to find out whether the email is actually from Habib Metro or from someone spoofing it.

This also opens the door for phishing and spoofing attackers to mimic a similar email from Habib Metro and send it to customers in an attempt to compromise them and their accounts.
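As an added example (not code from the original post, nor anything from Habib Metro), here is how a customer or an analyst can read the Authentication-Results header that a receiving server such as Gmail stamps on a message and see which of SPF, DKIM and DMARC failed, which is what the warning above is based on. The sample message, sending IP and result values are constructed, and should_warn is a simplified approximation of the banner logic, not Gmail’s exact rule.

```python
import email
import re
from email import policy

# Constructed sample (not a real captured email). The Authentication-Results
# header is what the receiving server (Gmail here) prepends after running its
# SPF, DKIM and DMARC checks; the sending IP and result values are made up.
SAMPLE_EMAIL = """\
Authentication-Results: mx.google.com;
       dkim=none (message not signed) header.from=habibmetro.com;
       spf=fail (domain of estatements@habibmetro.com does not designate
       203.0.113.10 as permitted sender) smtp.mailfrom=estatements@habibmetro.com;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=habibmetro.com
From: Habib Metro eStatements <estatements@habibmetro.com>
To: customer@example.com
Subject: Your monthly account statement

Please find your statement attached.
"""

def auth_header(raw_message: str) -> str:
    """Return the unfolded Authentication-Results header ('' if absent)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return str(msg.get("Authentication-Results", ""))

def auth_results(raw_message: str) -> dict:
    """Parse the header (RFC 8601) into {'spf': ..., 'dkim': ..., 'dmarc': ...}.
    A method the receiver did not report is recorded as 'none'."""
    results = {"spf": "none", "dkim": "none", "dmarc": "none"}
    for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth_header(raw_message)):
        results[method] = result.lower()
    return results

def dmarc_policy(raw_message: str) -> str:
    """DMARC policy (p=) reported for the From domain: 'none', 'quarantine' or
    'reject'; 'unknown' if not reported. With p=none the domain owner asks
    receivers not to block mail that fails the check, so spoofs get delivered."""
    match = re.search(r"dmarc=\w+\s*\(p=(\w+)", auth_header(raw_message))
    return match.group(1).lower() if match else "unknown"

def should_warn(results: dict) -> bool:
    """Simplified banner decision (an assumption, not Gmail's exact rule): warn
    when DMARC fails, or when DMARC was not evaluated and neither SPF nor DKIM passed."""
    if results["dmarc"] == "fail":
        return True
    if results["dmarc"] == "none":
        return results["spf"] != "pass" and results["dkim"] != "pass"
    return False
```

In Gmail, the header can be seen via "Show original" on the message; a result of spf=fail, dkim=none and dmarc=fail for the bank’s own domain is exactly the situation the screenshot shows.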

How do I know this email is from Habib Metro?

Because I checked the attachment — after scanning for threats — and it was indeed a bank account statement of the said individual.

What should Habib Metro customers do?

Habib Metro’s customers should exercise extra caution and, until the bank fixes this, avoid clicking on links or opening attachments in these emails.

What can Habib Metro do?

Habib Metro should, first of all, join 2019 and upgrade its technology, including its digital security. If they are this casual about their email addresses, what else are they being casual about?

It’s worth noting that Pakistan had its worst banking data breach in November last year, when the Federal Investigation Agency (FIA) revealed that data from almost all banks had been stolen in the attack.

Did you receive similar alerts from one of the services that you use? Would you like to tell your story? Write to us at farhan [at] voiceofinternet [dot] com.

I have written to Habib Metro for their version and will update this post when we receive it.
