An online survey about the Royal Air Force’s journalist-facing website has invited would-be participants to send their banking details by unencrypted email to third-party organisers.
Independent experts told El Reg that the badly thought-out advice left media pros exposed to a heightened risk of fraud.
The survey invite – "Journalist/media pros tracking news events? Use our site for info? Please support research to develop our site" – was enthusiastically promoted through the Royal Air Force’s official Twitter feed last week.
El Reg came across the offer and the security risks it carried after one of our staffers responded to the pitch, on the promise of payment of £20 if he participated in the exercise.
Would-be participants were invited to send their bank details or PayPal account details in the clear, by return of email. This seems to El Reg to be bad advice.
Chris Boyd, a senior malware intelligence analyst at Malwarebytes, agreed with our assessment, adding that emailing bank account details in the clear was a well-understood risk.
“I wouldn't advise emailing bank account information, as once people get into the habit they may assume doing so is ‘secure’ and develop additional bad habits as a result,” Boyd told El Reg.
“Jeremy Clarkson had a £500 direct debit set up after publishing his bank details in a newspaper to prove that internet scams weren't a major threat, and if someone is requesting this data by email you can't guarantee they aren't going to multiply insecure practices by sending it on to somebody else,” added Boyd.
“A copy of your bank details is going to pass through every server en route to the destination, and that's before we stop to consider if you're sending it while using insecure public Wi-Fi. We need to avoid sending potentially sensitive information by insecure methods, and bank details by email is one of the main offenders,” he added.
The survey – which invited people to complete a form hosted on Google Docs within a tight deadline – was organised by Saros Research, although payments to participants were handled by another outfit, Lagom Strategy.
In response to queries from El Reg a representative of Saros Research said that the payment advice didn’t come from it, directing our query on the matter to Lagom Strategy.
“Saros does not request that people send us their bank details by email; normally the participants we recruit are paid directly at face-to-face events.
“It was the requirement of our clients at Lagom Strategy that participants should email their bank details to them (not reply to Saros) for administration of this project we are recruiting for – they are paying the participants directly and we are not involved in that aspect of the project, therefore we cannot comment further.”
We followed up Saros’s response with a query to Lagom Strategy, asking whether or not it is prepared to review its practices for requesting payment information from online survey participants. We’re yet to hear back but will update this story as and when we hear more.
We also contacted the folks behind the RAF Twitter feed, pointing out that their third party researchers were asking would-be participants to do something rather ill-advised.
As our staffer put it: “It just seems odd that a firm hired by the RAF, who I thought would have known a thing or two about basic infosec, were asking for bank details to be sent to a third-party firm.” ®