MBNA are at it again! This time, it’s with a QR Code…
Regular readers will remember that last year we criticised credit card giant MBNA for sending out emails that flew in the face of their own security advice by including links for the recipient to log into their account. If you haven’t seen that article, you’ll find it here.
Today, they’ve REALLY outdone themselves.
What’s the problem then?
It’s that black block thingy – the one that looks like this:
What is it?
It’s a QR code, and if you scan it with your phone’s camera, it’ll take you to the MBNA mobile site, where you can check your credit card balance, make payments, view statements and transfer money.
Sounds useful – Isn’t it?
There’s absolutely nothing wrong with MBNA offering a mobile version of their site. It enhances the availability of their credit card servicing website to those who want/need to access it when they’re out and about, or those whose only access to the ‘net is via their mobile.
HOWEVER, at Scam Detectives HQ we’re concerned that if banks or credit card suppliers get their users used to trusting QR codes in genuine emails, it’s only a short step to scammers including them in phishing emails. That could lead to users inadvertently visiting dodgy websites or downloading fake apps, which could:
- Make your calendar, contacts and credit card information (if you shop or bank online using your smartphone) visible to cybercriminals.
- Attempt to steal your Google or Facebook password – many apps are integrated with various social networks.
- Track your location.
- Install keylogging software.
- Send an SMS to a premium number, racking up your phone bill.
- “Jailbreak” a device and distribute additional malware.
- Redirect users to malicious applications.
For more information about how QR codes could be used as part of a scammer’s toolkit, see our guest blog from Norman Feiner, MD of Simply Fone.
OK, so QR codes can be risky – Why are you having a go at MBNA?
If users think it’s OK to scan QR codes that appear in emails from MBNA, why would they hesitate to scan them when they receive “phishing” emails that purport to come from their bank?
Bearing in mind that smartphone users are less likely to have anti-virus or other security software installed on their phones, it’s a recipe for disaster. MBNA have a responsibility to their customers to educate them about safe practices, and not to encourage unsafe ones.
So what’s your advice?
If you want to visit MBNA’s mobile offering, open your phone’s web browser and type in the following URL: http://www.mbna.co.uk/m/
NEVER scan QR codes in emails that look like they come from your bank or ANY institution with whom you have a financial relationship. In fact, we’d probably go further. NEVER scan QR codes in emails. Full stop.