Security vendor RSA has demanded that a blogger take down a post exposing a vulnerability in the Web site of one of its customers, Navy Federal Credit Union, accusing him of trademark infringement.
Last month Scott Jarkoff posted an entry on his TechMiso blog warning that the Navy Federal Credit Union site lets customers enter their online banking passwords directly on its unsecured home page, rather than sending them to a secure log-in page first.
"This is a huge security risk because it is ripe for phishing. By allowing users to log in to an online bank from an unsecure, unverified site, those same customers could be tricked into entering their credentials from just about any domain," he says.
Days after publishing the post, Jarkoff received an e-mail from RSA's Anti-Fraud Command Center, which the credit union has contracted to help monitor and prevent fraudulent activity involving its site.
The e-mail - which Jarkoff has posted - claims the blog's domain name "violates Navy Federal Credit Union's copyright, trademarks and other intellectual property rights".
In addition, RSA claims the blog - warning about a vulnerability to phishing - "may become a host to a phishing attack, or other fraudulent scams against the bank and the bank's clients".
"Please take all necessary steps to immediately shut down the fraudulent website, terminate its availability to the Internet and discontinue the transmission of any e-mails associated with this website," says the e-mail.
Jarkoff replied, refusing to take down the blog post, and then received a second message from RSA.
This e-mail makes no mention of intellectual property rights, instead asserting: "The problem with the material on the blog is that it suggests that Navy Federal's website is not secure."
The e-mail also says the credit union has asked RSA to get the blog taken down, yet someone purporting to work in public relations for Navy Federal has commented on Jarkoff's post, thanking him for pointing out the vulnerability and saying the credit union plans to address the security issue he raised.
Despite this, Jarkoff has now received an e-mail from his hosting company notifying him that RSA has sent it a complaint and asked for the post to be taken down, claiming trademark infringement.
Jarkoff says the claim probably relates to a screenshot of the bank's site on the post.
He has again refused to remove the blog, saying: "I am very interested in pursuing this and seeing how far the rabbit hole leads and where we end up."
An RSA spokesman told Finextra the firm is unable to comment on the issue at present.