I found one tonight, for a large New Zealand bank:
- it looks flashy and right on-brand, but the URL is nothing to do with the bank in question (I look in the URL bar);
- it has an SSL certificate, but it’s one that belongs to an outfit called “YALAMANCHILI SOFTWARE EXPORTS PRIVATE LIMITED” of Chennai in India (I double click on the padlock to check);
- and yes, the site appears to be hosted in India, too – a traceroute to the site disappears into Asia somewhere via Japan and Hong Kong (I use the command line, or else the venerable Kappa Crucis BBS traceroute page to check where the data goes);
- while the IP address of the site host belongs to a company in Mumbai (I check who owns any Asia Pacific IP address at APNIC);
- it might have lots of contact details for the bank in question, but these are actually sourced from another of the same bank’s websites, contained within an iframe;
- the domain registration does mention the bank… but the name of the bank staff member and the address given are different to the name and address used for the bank’s regular domains (I can find out who owns the names from the Domain Name Commissioner);
- the technical contact on the domain registration is someone called Yalamanchili Ramki, of Chennai (a solo operation, perhaps?) – and should we note now that this bank has no presence in Chennai?
So, would you be suspicious about entering your details on this website?
But hey! It turns out that apparently you shouldn’t worry. It’s a real website. It really does belong to the bank in question – it’s a sub-site for this product.
Well… I can’t say I feel reassured. It raises more questions really.
Like: what the hell are they thinking?