Skype numbers in online bank statements confuse customers

If you were to discover a note saying "Please Call Skype" decorated with a Senegalese flag in your online banking account overview, you might, given the prevalence of phishing attacks, get a little hot under the collar. This is exactly what recently happened to a customer of the German Sparkasse bank, who, fearing an attempted fraud, worriedly consulted the bank's security team. The bank, however, were already familiar with the problem - this was not a phishing attack, as the Sparkasse Hannover support centre promptly informed the customer. The customer was kindly requested to disable Skype, after which any dodgy phone numbers would disappear.

In fact, the Skype Web Toolbar in Firefox and Internet Explorer attempts to interpret any sequence of numbers in a web page as a Skype number (number recognition / number highlighting) and offers the user the facility to call such number directly using Skype. In addition, Skype displays the country flag for the number - in this case Skype interprets the number as being a subscriber in Senegal. Clearly Skype is none too selective in recognising numbers and may also transform information such as customer numbers, invoice numbers or order numbers in bank statements into Skype numbers so that they are displayed in the online account overview.

According to Sparkasse Hannover, such cases have been extremely rare - to date just three customers have reported this problem. A query regarding this problem from the heise Security editorial team sent to Skype has so far received no reply. In order to protect themselves from confusion, users can, for example, uninstall the Skype extension for Firefox (Web Toolbar) or deactivate number highlighting.

(ehe)