Tuesday, September 4, 2012
 

MBNA are at it again! This time, it’s with a QR Code…



Regular readers will remember that last year we criticised credit card giant MBNA for sending out emails that flew in the face of their own security advice by including links for the recipient to log into their account. If you haven’t seen that article, you’ll find it here.

Today, they’ve REALLY outdone themselves.

What’s the problem then?

It’s that black block thingy – the one that looks like this:

Scan me with your phone to see what I do...

What is it?

It’s a QR code, and if you scan it with your phone’s camera, it’ll take you to the MBNA mobile site, where you can check your credit card balance, make payments, view statements and transfer money.

Sounds useful – Isn’t it?

There’s absolutely nothing wrong with MBNA offering a mobile version of their site. It enhances the availability of their credit card servicing website to those who want/need to access it when they’re out and about, or those whose only access to the ‘net is via their mobile.

HOWEVER, at Scam Detectives HQ we’re concerned that if banks or credit card suppliers get their users used to trusting QR codes in genuine emails, it’s only a short step away from scammers including them in phishing emails, which could lead to users inadvertently visiting dodgy websites or downloading fake apps which could:

 

  • Make your calendar, contacts and credit card information (if you shop or bank online using your smartphone) visible to cybercriminals.
  • Attempt to steal your Google or Facebook password – many apps are integrated with various social networks.
  • Track your location.
  • Install keylogging software.
  • Send an SMS to a premium number, racking up your phone bill.
  • “Jailbreak” a device and distribute additional malware.
  • Redirect users to malicious applications.

For more information about how QR codes could be used as part of a scammer’s toolkit, see our guest blog from Norman Feiner, MD of Simply Fone.

OK, so QR codes can be risky – Why are you having a go at MBNA?

If users think it’s OK to scan QR codes that appear in emails from MBNA, why would they hesitate to scan them when they receive “phishing” emails that purport to come from their bank?

Bearing in mind that smartphone users are less likely to have anti-virus or other security software installed on their phones, it’s a recipe for disaster. MBNA have a responsibility to their customers to educate them about safe practices, not to encourage unsafe ones.

So what’s your advice?

If you want to visit MBNA’s mobile offering, open your phone’s web browser and type in the following URL:  http://www.mbna.co.uk/m/

NEVER scan QR codes in emails that look like they come from your bank or ANY institution with whom you have a financial relationship. In fact, we’d probably go further. NEVER scan QR codes in emails. Full stop.

 

 

 

 

Comments: 1


 
  • Mr box

    As an MBNA customer I receive email from MBNA all the time and they always come with a SiteKey message attached to the top of the email, along with the last four digits of the card number. This doesn’t seem to be shown in your example?? If these aren’t present then I would realise the email was not from MBNA and therefore would not take notice of any content either…..

    Note from Editor

    The original email did indeed contain a SiteKey message and the last 4 digits of my card number, which I chose to remove for security reasons. However, this does not answer the point that by encouraging customers to scan QR codes and/or click on links in emails, MBNA are flying in the face of all current advice to email users, especially that contained on http://www.banksafeonline.org.uk/ (operated by the UK Payments Administration).

    However I do thank you for your comment.

    PS: Your IP address places you at a Bank of America office. Bad form. I would have posted your comment equally had you been honest.

     
     
     
 
About Scam Detectives

Scam Detectives is brought to you by Clear as Crystal Web Design in association with Our Sponsors
