Private bank e-mail goes awry

[InfoSec News <isn () C4I ORG>]

http://www.zdnet.com/zdnn/stories/news/0,4586,2598782,00.html

By Bob Sullivan, MSNBC
July 6, 2000 5:25 AM PT

What do a tiny bulletin board service in Virginia and one of Spain's
largest banks have to do with each other? Far too much. Jim Caldwell
has been running Bulletin Board VA -- BBVA.com, for short -- for about
four years, with a steady trickle of Web traffic. But last fall, when
Banco Bilboa Vizcaya of Spain merged with Argentaria SA, the two
formed BBVA. And ever since, Caldwell, in his tiny rural Virginia
BBVA.com office, has been receiving hundreds of e-mails -- some with
sensitive bank information destined for Spain.

It's a case of mistaken identity, Internet style, and the story brings
together a rural Virginia man who publishes a weekly shopper with a
circulation of 10,000 and one of the world's 20 largest banks.

Banco Bilboa Vizcaya Argentaria is an international banking powerhouse
on the move; in addition to last fall's merger, it's also in the
process of acquiring Bancomer SA, Mexico's second-largest bank. It's
now listed on nine different exchanges and operates in 37 countries.

But all this activity has raised at least one technological hurdle,
which points out some of the perils of business communication in the
Internet age.

Apparently, hundreds of bank employees and outside vendors have
mistakenly assumed that, since the bank is now known as BBVA, any
e-mails sent to employees should end in "@bbva.com."

'When all this e-mail started coming in I didn't know who to contact.
I didn't know who to talk to. To me it is beyond the stage of being
funny.'|Jim Caldwell But instead of landing with the right person in
Spain, they land on Jim Caldwell's e-mail server -- between 50 and 70
messages a day, every day since October, and he's not happy about it.

"When all this e-mail started coming in I didn't know who to contact.
I didn't know who to talk to," he said. "To me it is beyond the stage
of being funny."

That's because Caldwell says he's receiving confidential notes that
are intended for bank officials. He's shared several of the messages
with MSNBC -- many are harmless general correspondence, but at least a
few contained bank account numbers and amounts, some attached to
account adjustment requests from customers.

"These people are walking around with a hand grenade with the pin
out," Caldwell said. Ironically, the problem has come to light only
months after the bank announced plans to develop a multimillion-dollar
international Internet banking initiative.

"I'm concerned something is going to happen, and I don't want to be
standing in the middle. Somebody is going to get hurt before this is
over with in a major fashion. I don't want to be made responsible for
that."

Bank merger talks revealed The most interesting piece of e-mail viewed
by MSNBC was a note from an employee at Credit Suise First Boston
dated June 22 offering to broker a deal in which Banco Bilboa Vizcaya
Argentaria would acquire Brazilian financial institution Banco
Bandeirantes from Caixa Geral de Depositos. It is not known if the
bank is actually interested in such a deal, and bank officials would
not comment.

They did confirm the ongoing mishap, however.

"The mistake is in our side," said Jesus Pertejo, manager of
international corporate communications for the bank. "People are
lazily saying if this is BBVA bank it must be bbva.com. We have 50,000
or 60,000 people, and we have to get the message out to use the
correct address."

The correct domain name, at the moment, is grupobbva.com, but the bank
is in the process of switching to bbva.es, the top-level domain
reserved for Spanish Web sites. According to Caldwell, there have also
been brief negotiations about the bank acquiring the bulletin board's
domain name. Pertejo said he was unaware of any talks that may have
taken place; he added that he didn't think Caldwell was
cybersquatting.

Understandably annoyed "I know they have been operating for several
years," he said. "We know that they are in some way angry. This is
because they are fed up with receiving messages destined for everyone
in the bank."

And it's that anger that convinced Caldwell to go to the press -- not
a desire to drive up the price of the domain name, according to
Caldwell. He's endured the e-mail deluge for nearly nine months and
says he's gotten nowhere by directly contacting the bank.

"There're ignoring me, and I'm deleting them," he said. He wouldn't
estimate how much the extra Web traffic and e-mail have cost him, but
says he can spend up to two hours a day clearing out his e-mail
server. He's also received several viruses from misdirected bank
e-mail.

Bank officials in Spain told MSNBC they are in the process of
contacting Caldwell in an attempt to clear up the situation. But
Caldwell, who says he first tried to complain to the banks months ago,
is doubtful there will be a quick solution.

"If they had come and talked to me, had approached me directly and
told me what was going on, well, I probably would not have wanted to
sell (the domain)," he said. "But had they persisted, they would
probably have gotten it a lot cheaper than they will now."

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".