Capital One 360 Apologizes

My Money Blog has partnered with CardRatings and may receive a commission from card issuers. Some or all of the card offers that appear on this site are from advertisers and may impact how and where card products appear on the site. MyMoneyBlog.com does not include all card companies or all available card offers. All opinions expressed are the author’s alone.

Capital One 360 apologized via e-mail today for shutting my site down without warning or cause:

Jon, I’d like to apologize for our recent actions regarding your website. Customer security is our number one priority, and it is not something that we take lightly. One of your readers and one of our vigilant Customers alerted us to what he felt may have been a phishing scam. When presented with security concerns — such as a possible phishing scam — that may affect Customers’ personal information, we act swiftly and decisively to protect them. In the case with your site, we may have acted too quickly. After further review, we immediately reversed course and resolved the situation. We’re sorry for the inconvenience it caused you and your community, and we are working to make sure this type of situation doesn’t occur again.

Thanks for being a valued partner of Capital One 360. We look forward to continuing our successful partnership.

Sincerely,

Robert Weaver
Head of IT Security
Capital One 360

I suppose that is something. I only wish it could have been “When presented with security concerns, we actually visit your site and verify the accusation before hiring a large security firm to scare your web host into shutting down your revenue-generating website.” I also disagree with “immediately reversed course” because only after my begging my hosting provider was my site brought back online and given 12 hours to comply with the demands.

Oh, and here’s the long, scary e-mail that was sent from RSA Security yesterday morning (after the jump). I think you’ll agree it was very accusatory and pretty offensive. They even demanded an entire download of all the contents of my site and server.

RSA, an anti-fraud and security company, is under contract to assist ING Bank, fsb (“Capital One 360”) and its related entities in preventing or terminating online activity that targets Capital One 360 clients as potential fraud victims. RSA has been made aware that you appear to be providing Internet Services to a fraudulent Web site, which is part of a “phishing scam”*. This activity violates Capital One 360’s copyright, trademark and other intellectual property rights and may violate the criminal laws of the United States and other nations.

E-mail messages have been broadly distributed to individuals by a person or entity pretending to be Capital One 360. These e-mails use Capital One 360’s name and identity (including trademarks) without authorization. The e-mails request recipients to verify and submit sensitive details related to their ING accounts. Within the fraudulent e-mail message, there is a link that leads the recipients to a fraudulent website displaying Capital One 360 copyrighted materials and trademarks.

The fraudulent website not only represents a misuse of Capital One 360 intellectual property; its purpose is to improperly obtain personal information of Capital One 360 customers in order to fraudulently access their bank accounts. The owners of those websites typically perpetrate identity-theft related activities, such as using customer’s credit cards or bank accounts without authorization. In addition, since the vast majority of all of the e-mails are not being sent to actual Capital One 360 customers, the actions serve to damage the reputation and image of Capital One 360.

Please take all necessary steps to immediately shut down the fraudulent website, terminate its availability to the Internet and discontinue the transmission of any e-mails associated with this website.

We understand that you may not be aware of this improper use of your services and we appreciate your cooperation. We specifically would ask that you also take the following actions:

  1. Please provide us with a tar/zip file of the source code for this site, so that we may analyze it to help prevent further attacks.

  2. If any customer data has been captured that is stored on your systems or equipment, please send us that data so that the customers to whom that data relates can be notified and take steps to protect their credit.

  3. Please provide a copy of any records you maintain that indicate the name, contact information, method of payment or similar information that may be useful in helping learn the identity and location of the customer for whom the website has been operated.

Thanks ING, for not entirely crushing what took me a significant part of five years of my life to create. 🙂


Comments

  1. If you don’t already, this might be a good time to back up your site to an offline location…

  2. ING threatened to close my account with them twice in the same week for removing and adding a linked account. If I didn’t call them within 48 hours my account would be closed — all I did was use their website. Their rates have been behind other online banks for years. All I like is the overdraft line of credit.

  3. This pretty much convinced me not to bother doing business with ING Direct ever. I LOVE the tone of the letter, and how you’re already guilty unless proven otherwise.

    Those are also some of the most unreasonable demands I’ve ever seen. Agreed, it doesn’t seem like they even bothered to visit your site to verify the claims that were made against you.

  4. I’d note that they mentioned that a customer/money blog reader flagged your site as suspicious. They were perhaps heavy handed about it, but I’m glad they acted quickly to a customer concern.

    I think this timely apology from someone in a position of responsibility at ING is a better response than you’d see from 98% of large companies out there.

  5. And here we thought ING could do no wrong… what a whopper. Glad to see your site is still in action bro! That’s 5 years of awesomesauce right there.

  6. “Dear Jane Q. Public, we are very sorry about the loss of your loved one. However, it is the policy of our police department to shoot first, and ask questions later. We do this in the interest of public safety. Thank you for your understanding. Signed, Anytown Police Department.”

  7. You know, I’m starting to get a little sick of the way banks are handling security these days. Rather than building better security into their system, they use heavy-handed tactics like shutting down accounts, websites, etc.

    I had a credit card that would shut my account down every month when my childcare charge would come through. Granted, it’s a few thousand bucks (3 kids), but it’s not like the charge is out of the ordinary. It’s the same amount from the same company on the same day, every single month.

    One month when I spoke with their fraud department, I told them if they flag me again I’m closing my account. They said they’d put a note on my account, but sure enough, they flagged me again the next month.

    So I canceled my Fidelity Visa, and now that I know how ING handles security, I just transferred all of my money out of there. I will close that account as soon as the transfer completes.

    I’m voting with my wallet now, you obnoxious banks.

  8. To expand on the above, you know who has great security? Bank of America.

    I could provide my login details to every phisherman out there, and they couldn’t do a darned thing to my account, due to SafePass. Unless they have physical possession of my phone to receive a text message, they’re not logging into my account, adding a billpay payee, etc.

    This is the type of security that works. Take notes from your competitors, ING. They’re doing it right; you’re doing it wrong.

  9. Good one jules.

  10. You wanted a public apology and they issued it. One problem that people have is letting go. A post like “ING apologized and I am putting this all behind me” would have been nice and would have put you in a good light 🙂 Don’t get me wrong. I do understand your plight.

  11. You should consider suing ING, RSA and your Internet host for lost revenue.

  12. It is good to see they actually apologized. People make mistakes and it takes some character to accept responsibility for the mistake.

    I am a little bit shocked that this incident started because someone decided to report on you. It seems like the person might have been jealous of this wonderful site you have mentioned in the past five years.

  13. I agree, they apologized. This junk happens on the internets. Your content was always safe, even if your ISP did turn the switch for a few hours. Get an ISP that will contact you before turning the switch.

  14. It’s scary to think they have the power to shut down a large media website preemptively and without cause. You would think that you would have to at least have some form of evidence -not just hearsay from one person- before you can close down a media outlet.

    Somebody should owe you money for lost revenue.

  15. There’s another interesting thing to note on this issue. Should other bloggers who offer ING Direct refer-a-friend bonuses continue to do this? I see you still have your ING Direct referral page down.

    Also, I wonder how problematic have ING Direct phishing attacks been. Their refer-a-friend bonus is nice, but since it depends on emails, I could see how it could be very susceptible to fraud.

  16. It’s nice that ING apologized; I hope that their “working to make sure this type of situation doesn’t occur again” now includes actually going to the website that’s in question and verifying the problem before coming to any conclusions. But I wouldn’t be surprised if it’s just spin and damage control. IMO it would not be a good idea to put the ING referral page back up since you don’t really know whether it’ll happen again or not.

    I agree with Frankie. If I were in your shoes, I would still look for another hosting provider now; one who actually has the guts to say, “F* off, let me talk to my client [you] first,” when presented with a letter of demands like the one from RSA and who doesn’t simply roll over. After all, you’re their paying customer, not RSA.

  17. I am a regular reader of your blog and an information security professional. One thing to keep in mind John, your site is unique. In most cases RSA may run across websites where the owner wasn’t involved but the website was compromised! In your case I understand that wasn’t the case. That is why they were probably asking for source code in a tar/zip (all kind of cool sounding names) format.

    Disclaimer: I am biased towards RSA although I have no dealings with this particular email or department.

  18. Wow. You should send an e-mail to Arkadi Kuhlmann (Prez/CEO) about this. He’s actually very responsive. I once had a serious problem that customer service couldn’t/wouldn’t resolve, so I e-mailed him and got a personal response a few hours later (at 11:30PM on a Friday night). The following Monday one of his assistants followed up and fixed everything. It wouldn’t be unreasonable to expect reimbursement for 12 hours worth of revenue given that they shut you down without a valid reason.

  19. RSA’s letter is clearly a form letter (insert Bank Name Here) as the accusations do not relate to any actual facts about this site.

  20. Jonathan, I see the ING referrals are gone from your site. Are they gone forever?

    BTW, in my opinion ING was not the blameworthy, careless party; it was RSA.

  21. If your host wasn’t so willing to shut you down on a moment’s notice after getting a form letter from a 3rd party then you wouldn’t have felt any inconvenience over this.

  22. Made an error, took corrective action, apologized.
    We’re keeping our accounts. I can live with errors from the OCCASIONAL over zealous and/or detail deficient employee if SOMEONE in the org has a head that works and can correct it asap. Provider is wimpy but face it: size matters 🙂

  23. Really dude? That RSA Security email is CLEARLY a form letter, and given the size of ING their email is probably a form letter too. These companies (rightfully) invest a lot of money in fraud prevention and in 2010 a lot of that is automated. Stop taking it personally – this probably happens to tons of sites, and clearly shows that your readership is not as brilliant as you may feel. And if you can’t grow up and accept the nature of the business you’ve chosen to get involved in (financial asset development and management), get a better host that doesn’t bend over so quickly.

  24. Noble Drusus says

    Based on ING’s behavior in this matter, I can confidently say that I will never do business with them ever. Furthermore, I will pass this story and my sentiments along to anyone I know who is considering doing business with them.

  25. ING – you are jerks. The response to MyMoneyBlog is not acceptable. You should offer some special monetary compensation to this website for your actions. I have already pulled all my money out of your bank. You have lost my trust.

  26. MakingItWorkNJ says

    If I hadn’t already started my automatic plan with Sharebuilder, I would sell my ETF positions and go to Scottrade or something. But thanks to this site (not Fat Wallet, THIS SITE), I have 5 free trades with them and plus I pay $12 a month to get 6 orders of 6 ETFs at $20 a clip. I had planned on using the trades to buy the same ETFs at a 100 within the next few months before it expires. Now I’m not so sure.

    Having said all that, listen Jon, mistakes happen. By no means was what they did right, but at the same time, they were erring on the side of caution. In this case you were just on the wrong side. Your site has definitely given me some free stuff and great tips with how I should grow my money and I THANK YOU for it, but let’s just be thankful that the situation got rectified and (not to sound callous about it, believe me) but move on. You got an e-mail back from the Head of IT Security as opposed to some peon, so that in itself is something. This blog is great and I am glad that nothing worse ended up happening.

    Thank you Jon and the rest of mymoneyblog.com. 🙂

  27. I was close to opening a Sharebuilder (ING) account, but after seeing the way ING and RSA treated you, no way am I going with them now!

    ING = I’m Not Giving you my money.

  28. I think you should sue them…

  29. Interesting…

    On the plus side, it is nice to see such aggressive actions taken toward actual phishing sites.

    I kind of put this in the same category as going through the full body search at airports. As citizens, we occasionally have to deal with things that are a pain or inconvenience, but it is because they are trying to make the world safer for everyone…

  30. Jonathan, that was definitely a form letter that you received. I know because I have written similar letters for my clients. It was good of ING to apologize, but make no mistake about it, the only reason they did so was because they wanted more referrals from you.

    I understand other posters’ sentiments about letting bygones be bygones, but in this case, when a company inconveniences you and your readership for over 12 hours and subjected you to emotional and physical stress over an important source of income, I would NOT refer another reader to ING.

    Send them a letter and say something to this effect, “I appreciate your apology. However, due to my bad experience with your fraud department, I have removed any referrals to ING from my website. There are many other banks to which I can refer my readers and I choose not to send any more money to a company that has caused me so much stress and inconvenience.” And follow through. They were heavy handed with you; why not do the same to them?

    The next step is to find a better RSA who won’t capitulate so quickly when they get a similar cease and desist request from another bank. I would send a similar letter to your RSA. You can say that “my attorney advised me to take this action.”

  31. @Maury

    “They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.”

    -Ben Franklin

  32. MakingItWorkNJ says

    Way to Tea-Party that up Mike Z. LMAO.

    Look, what if mymoneyblog.com was in fact a phishing site (and for the uneducated, no I AM NOT SAYING IT IS!). We would be applauding RSA’s and ING’s actions instead of vilifying them. Would you have rather they did nothing?

    Look, it was an honest mistake and an apology was given. Jon didn’t take down (as of this writing) any posts or banners that point to ING/Sharebuilder. If anything, you guys should be clicking on those banners just so that Jon can get paid (even if you plan on not using them). Aside from a few hours of Jon being down, what damages did he suffer?

    I think folks need to really calm down and breathe a bit. They jumped the gun, saw that they jumped the gun and fixed what needed fixing and then apologized for it. Since we are all in a quoting mood, perhaps I should do some of my own…

    “Lest he who is without sin, cast the first stone.”

    🙂

  33. The damages that Jonathan suffered were emotional and physical stresses and the fact that he may have lost money during the 12 hours that his site was down.

  34. I agree with whoever it was on here that suggested some other competing blogger could have very easily made a false claim to ING about phishing on this site. I would contact ING and ask them to start a full investigation into the accuser (and promptly shut down any websites the accuser runs in the meantime).

    Bottom line is ING thought you were frauding them but in reality it was the accuser that frauded them.

  35. It is important for a bank to act when there are allegations of phishing or fraud involved, however it does not mean that they can “shoot first, ask questions later”.

    This is unacceptable for John and if he can do something about it (without taking a hit financially of course), he should.

    Come on, how hard can it be for their IT security firm to first check and see if there was some actual activity going on before shutting down the website?

    If the bank policy is to take rapid action first and review later as a way of “protecting their customers”, then they should also offer proper compensation in the cases where they incorrectly red-flagged somebody.

  36. MakingItWorkNJ says

    I like how you guys are pushing Jon to sue, as if you were going to get a cut of it or something (although in Jon’s defense, I’m sure he would do something nice with it to say thank you to all of us but nothing that would give all of us a free month on our mortgage.).

    I have said more than my piece. I’m sure there are others who feel the same way and perhaps be more eloquent. Good luck Jon with whatever you choose to do (regardless of what it is, I am on your side. 🙂 ).

  37. Idea: Reformat the letter and send it to any ISP that might be carrying ING Direct ads, or their hosting service, if any. You can send your apology letter later.

    I’m in IT and find RSA’s letter repugnant. Demanding proprietary data is pretty low and unethical, and hopefully your ISP isn’t that gullible.

    I think your ISP forgot who their customer is. They know good and well that they will not be legally held responsible for the contents of this site, no matter how phishy you are, and have an obligation to directly confirm T&C violations before taking action.

    ING may be lame (I have 2 accounts with them) and it should have taken action to block this site on its own servers, which it has every right to do. But your ISP should be the biggest worry here for site availability.

  38. There’s a bunch of firms that help banks with phishing. RSA is one. The others are MarkMonitor and InternetIdentity. It might be a good idea to get yourself on their “whitelist” so that this doesn’t happen again. Just send them an email and ask to be put on their “whitelist”. You can reference your compete.com metrics for proof that you are a valid site.

  39. The letter from RSA seems quite libelous. I don’t think you let them off so easy just because they apologized for their mistake. The statements they made about your site are clearly false and damaging. They should be taught a lesson that they will remember to actually investigate before firing off such a letter and damaging someone. Please do something to save others from similar or worse treatment.

  40. I guess they wrote the apology after seeing the responses to the previous posts where some people threatened to move their money if they don’t apologize. I already moved my money out of ING. I’d sue for the 12hrs and emotional and physical distress if I were you. I’m not a litigious person but this is just annoying. Someone needs to teach them a lesson. Whatever you do, I’m on your side.

  41. You’ve been at this a long time Jonathan and both ING and your ISP should have contacted you first. It’s too bad that your ISP gave in so quickly without checking first. IMO, they bear the most responsibility for shutting you down based on someone’s suspicions.

    I’d say discuss a settlement with both your ISP and ING, but since they didn’t extend the courtesy of talking to you beforehand, why be nice to them? It may be worth your time to talk with a lawyer.

  42. I was just thinking about my post, when I realized that I wrote ISP, when I actually meant your blog hosting provider.

    BUT, you already knew that. 😉
