Habib Metro Bank has a digital security loophole that makes it impossible for its customers to distinguish the bank's genuine emails from spoofing and phishing attempts. In the monthly bank statements that Habib Metro sends to its customers by email, one can see a warning alert that reads something like this:

This email has failed its domain’s authentication requirements. It may be spoofed or improperly forwarded! Learn more.

Screenshot of the alert

What does this mean?

This essentially means that the email from Habib Metro's address estatements@habibmetro.com has failed the receiving mail provider's domain authentication check, so customers have no way to tell whether the email is actually from Habib Metro or from someone spoofing the bank.
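As an added example (not from the original post), here is how a mail client arrives at such a warning: the receiving server records the results of its SPF, DKIM and DMARC checks in an Authentication-Results header, and the client warns when none of them authenticate the message's From: domain. The sample headers below are constructed for illustration and are not Habib Metro's real mail.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples (not real Habib Metro mail). Authentication-Results is
# stamped by the recipient's mail server after it checks SPF, DKIM and DMARC.
SAMPLE_FAILING = """\
From: Habib Metro <estatements@habibmetro.com>
Authentication-Results: mx.example.com; spf=fail (ip not permitted) smtp.mailfrom=habibmetro.com; dkim=none; dmarc=fail header.from=habibmetro.com
"""
SAMPLE_PASSING = """\
From: Habib Metro <estatements@habibmetro.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=habibmetro.com; dkim=pass header.d=habibmetro.com; dmarc=pass header.from=habibmetro.com
"""
PAIR_RE = re.compile(r"([\w.]+)=([^\s;]+)")


def parse_auth_results(msg) -> dict:
    """Map spf/dkim/dmarc to (verdict, domain the check was evaluated for)."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        header = re.sub(r"\([^)]*\)", "", header)   # drop free-text comments
        for clause in header.split(";")[1:]:        # clause 0 is the authserv-id
            fields = dict(PAIR_RE.findall(clause))
            for method in ("spf", "dkim", "dmarc"):
                if method in fields:
                    domain = (fields.get("smtp.mailfrom") or fields.get("header.d")
                              or fields.get("header.from") or "")
                    results.setdefault(method, (fields[method].lower(),
                                                domain.rpartition("@")[2].lower()))
    return results


def check_sender_authentication(raw_message: str) -> dict:
    """Decide, as a mail client's banner does, whether to warn about the From: domain."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    results = parse_auth_results(msg)
    dmarc = results.get("dmarc", (None, ""))[0]
    # Without a DMARC verdict, accept SPF or DKIM only if it passed for From:'s own domain.
    aligned = any(v == "pass" and d == from_domain
                  for m, (v, d) in results.items() if m in ("spf", "dkim"))
    if dmarc == "pass":
        warn, reason = False, f"DMARC passed for {from_domain}"
    elif dmarc not in (None, "none"):
        warn, reason = True, f"DMARC {dmarc} for {from_domain}: may be spoofed or forwarded"
    elif aligned:
        warn, reason = False, f"aligned SPF/DKIM pass for {from_domain}"
    else:
        warn, reason = True, f"no authentication result aligned with {from_domain}"
    return {"from_domain": from_domain, "results": results, "warn": warn, "reason": reason}
```

Running `check_sender_authentication(SAMPLE_FAILING)` yields a warning with the reason "DMARC fail for habibmetro.com", which is what the banner in the screenshot is reporting; the passing sample yields no warning.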

This also opens the door for phishing and spoofing attackers to mimic a Habib Metro email and send it to customers, potentially compromising them and their accounts.

How do I know this email is from Habib Metro?

Because I checked the attachment — after scanning for threats — and it was indeed a bank account statement of the said individual.

What should Habib Metro customers do?

Habib Metro's customers should exercise extra caution and, until the bank fixes this, avoid clicking links or opening attachments in these emails.

What can Habib Metro do?

Habib Metro should, first of all, join 2019 and upgrade its technology, including its digital security. If the bank is this casual about its email addresses, what else is it being casual about?

It's worth noting that Pakistan suffered its worst banking data breach in November last year, when the Federal Investigation Agency (FIA) revealed that data from almost all banks had been stolen in the attack.

Did you receive similar alerts from one of the services that you use? Would you like to tell your story? Write to us at farhan [at] voiceofinternet [dot] com.

I have written to Habib Metro for their version and will update this post when we receive it.