A friend received a surprising email today that let me know just how shortsighted bankers can be.
Before receiving the email, my friend had logged into an online banking site to transfer funds to another customer of the same bank. Shortly after the online transfer took place, he received a confirmation email from the bank, supposedly alerting him that the transfer had gone through. The message contained his email address (of course), the name of the bank, the exact amount of the transfer, and the time and date of the transfer. It also contained contact info for the bank's fraud department, for use in the event that the transfer turned out to be fraudulent.
The problem here is that in the bank's attempt to help stem the tide of online fraud, they've actually opened doors that could make the problem worse. First of all, the bank's email message wasn't digitally signed, so how can a customer know that the message is truly legitimate? Secondly, the banks aren't using encryption to protect sensitive information in email to their customers. As a result, they've sent sensitive information in clear text email over the Internet, and as you know, it's incredibly simple to sniff clear text traffic. If the traffic were sniffed, the person sniffing it would know the customer's name, their private email address, the bank they use, that a transfer was recently made and in what amount, and thus they'd also have some indication of how much money the customer recently had in the bank. A savvy scam artist could use that info to create a really effective spoofed email that could trick a bank customer into revealing even more sensitive information, such as the actual account numbers. Who knows what that could lead to?
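The two complaints above, an unsigned message and transaction details sent in clear text, can be checked mechanically on a received message. The following is an added example (not code from the original post or from any bank): it parses a raw email with Python's standard `email` library, reports whether the message carries an S/MIME or PGP/MIME `multipart/signed` wrapper, and flags dollar amounts found in the plain-text body. The two sample messages and the `example-bank.invalid` addresses are constructed for the example.

```python
import email
import re
from email import policy

# Constructed sample: unsigned, clear-text confirmation with the transfer amount in the body
SAMPLE_UNSIGNED = """From: alerts@example-bank.invalid
To: customer@example.invalid
Subject: Transfer confirmation
Content-Type: text/plain; charset=utf-8

Your transfer of $2,500.00 completed on 2024-01-15 at 10:32.
Fraud department: +1-555-0100.
"""

# Constructed sample: S/MIME-style wrapper (multipart/signed) with a placeholder signature part
SAMPLE_SIGNED = """From: alerts@example-bank.invalid
To: customer@example.invalid
Subject: Transfer confirmation
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

A transfer from your account completed. Log in to view the details.
--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
--b1--
"""

AMOUNT_RE = re.compile(r"\$\s?\d[\d,]*(?:\.\d{2})?")

def assess_confirmation(raw: str) -> dict:
    """Report whether a message is wrapped in a signature and whether its text leaks amounts.

    Only the presence of a multipart/signed wrapper is checked; verifying the signature
    itself needs the signer's certificate or key and is out of scope here.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    signed = msg.get_content_type() == "multipart/signed"
    protocol = msg.get_param("protocol") if signed else None
    # Collect every plain-text part, whether or not the message is multipart
    texts = [p.get_content() for p in msg.walk() if p.get_content_type() == "text/plain"]
    amounts = AMOUNT_RE.findall("\n".join(texts))
    return {"signed": signed, "signature_protocol": protocol,
            "leaks_amount": bool(amounts), "amounts": amounts}
```

Run against the two samples, the unsigned message reports `signed: False` and leaks `$2,500.00`, while the signed one reports the `application/pkcs7-signature` protocol and no amount in the clear.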
It seems to me these banks are adding to the fraud problem.
Shortsighted Bankers Add to the Fraud Problem