Sla.ckers.org
Who's got it? Who's giving it away? How to protect your privacy and steal it from other people. For intellectual privacy, personal privacy, and blackhats alike... 
Capital One Security
Date: March 24, 2007 06:56PM

This is my post regarding security problems I've come across while being a Capital One customer. Below is a list of problems: some common sense, some just illegal, and some that make you scratch your head and ask WTF? If anyone has any similar issues or such, please post. I'm at the point of paying off the card by the end of this month and closing it. I would like to see if I'm just overly paranoid or just another hapless customer.

1. Since I do all my banking etc. online, I have no need for paper statements. So I took up the offer to go paperless, which CO (Capital One) offers. Well, that would make me safer, since now my card info in writing will not be floating around in the mail system and accidentally being delivered to my neighbor etc., which, trust me, happens often. Well, 12 months later I still receive a paper statement each month. I have called CO customer service and complained and demanded they fix the problem. Each time they say they have corrected it and have even had managers personally take care of it. Come next month I get a statement and the whole complaining process starts over again. How hard could it be?

2. CO started to send me solicitations in the mail about offers which I had requested to be opted out of. 12 months later they still have not fixed that either, so I kept getting them even though by law they have to, it's my right you know =oP. Well, one thing they would send is Purchase Checks, which are basically like regular checks that take money out of your credit card account. Now that's something bad to send in the mail, since if someone gets it they can easily forge it and take your money. Worst of all, it's not in an unmarked envelope and says Capital One in pretty letters. After calling customer support about this, they said they can't stop sending me them even though they were solicitations and I did not want them. One manager told me the only way was to get a P.O. Box and send the mail there. I was like WTF, what kind of solution is that. Well, this problem was never fixed.

3. I work at TJ Maxx and after the recent security breach I closed all my bank and credit card accounts and reopened new ones because TJX has info on all of them. Thus I had to re-register an account at CapitalOne.com. After successfully doing it I got the following email (sensitive parts have been changed):

Quote

*************************************************
John Doe

Welcome!

Your account ending in 1234 is registered
with Capital One's Online Account Services (OAS).

Your user name for this account is MY_USERNAME_PLAIN_TEXT.

Please keep this e-mail for future reference.
*************************************************

OAS is a secure site where you can
**********************************
- pay your Capital One bill online for free
- view your statements and transactions online
- check your credit limit and available credit
- update your personal information

We all know when it comes to online banking etc., it's not like using a forum, where if someone knows your username it's not that big a deal. But when it comes to handling financial info it must be treated like a password and protected. Well, I know what my username is, I freaking registered it, so why are they emailing it to me in plain text? Ironically, on their Capital One Security they say the following:

Quote

Your user ID (user name) and password represent the keys you use to access your account information on our system. Keep these “keys” in your possession only–please protect them as you would your house keys.

Yet they think they know better and send your 'keys' in an email in plain-text in case OMG you forgot your username within a 24 hour period.

4. After getting the above email I called customer support to get the email address or phone number for CO security. I wanted to give them a piece of my mind and some common sense. Of course I was transferred a dozen times, hung up on 3 times, and amazingly you can't get a number from CO unless you give them your account info, which is not relevant at all. Maybe they want to write down a note in your account that you are a troublesome customer. I of course denied them my account info and demanded the contact info. One lady eventually gave in and told me a number. After calling that number, it turns out it was the number for online support. When I asked the guy for contact info for the CO security department or whatever department handles security, he kept saying that they didn't have such a department. I was astounded that CO did not have one. After asking him calmly again he told me... "we have no security". I was speechless; here's some idiot, who gods know how they got that job, who just told me CO does not have any security. I really wish I had recorded the conversation since that's a priceless thing to hear.



Anyone know of a credit card company that has better security policies than CO? I use BOA too and they are truly great in their policies.

Re: Capital One Security
Date: March 24, 2007 07:34PM

http://capitalone.com/redirect.php?log=1&linkid=WWW_1106_Z_09_HOME_R3_02_T_VISG&dest=http://www.google.com/

Redirect URL which can be used in email phishing; of course it doesn't check against a whitelist of URLs. Who would have thought they would be so careless? O.O

Re: Capital One Security
Posted by: trev
Date: March 24, 2007 07:40PM

Actually, that URL does seem to do some checks - only that Google happens to be whitelisted (while Yahoo is not). mozilla.com is also whitelisted, lol :)

Re: Capital One Security
Date: March 24, 2007 08:59PM

Interesting, I didn't bother to check any other URLs. I wonder how many sites are whitelisted O.O *tries sla.ckers.org*

I wonder if capitalone.com is whitelisted; if so, it should be possible to make it loop O.O

Re: Capital One Security
Posted by: trev
Date: March 24, 2007 09:41PM

The fact that it does check the host it redirects to doesn't make it any less of a security issue, however. One could use Google's "I'm Feeling Lucky" function, for example, to redirect further to some malicious site.

Re: Capital One Security
Date: March 24, 2007 10:29PM

True indeed.

Boggles me as to why they would whitelist Google. I have not come across a link on their site that links to Google, even so why would they unless they wanted to do a search, but they have their own built in search. Conspiracy...O.O

Re: Capital One Security
Posted by: trev
Date: March 25, 2007 08:55AM

Yes, they probably whitelist microsoft.com and mozilla.com/.org to link to browser download pages. But Google is strange.

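The redirect handling discussed in this thread, as an added example that is not part of any post and is not Capital One's code: a strict host allowlist check on a `dest` parameter, next to a handler that ignores `dest` and resolves the link ID from a server-side table. The host names, link IDs, fallback path and function names are all constructed for illustration; `search.example` stands in for an allowlisted third-party site that itself forwards visitors onward.

```python
from urllib.parse import urlsplit

# Constructed values for illustration; not taken from any real site.
ALLOWED_HOSTS = {"www.mozilla.com", "www.microsoft.com", "search.example"}
LINK_TABLE = {
    "BROWSER_FIREFOX": "https://www.mozilla.com/firefox/",
    "BROWSER_IE": "https://www.microsoft.com/windows/ie/",
}
FALLBACK = "/"


def host_allowlisted(dest):
    """Exact-host allowlist check on a client-supplied destination URL."""
    # Reject backslashes, spaces and control characters, which browsers
    # and server-side parsers may interpret differently.
    if "\\" in dest or any(ord(c) < 0x21 for c in dest):
        return False
    try:
        parts = urlsplit(dest)
    except ValueError:
        return False
    # Only absolute http(s) URLs; scheme-relative "//host" has no scheme.
    if parts.scheme not in ("http", "https"):
        return False
    # "allowed-host@other-host" puts the allowed name in the userinfo part.
    if parts.username is not None or parts.password is not None:
        return False
    # Compare the whole host name; prefix or substring matches would
    # accept "www.mozilla.com.evil.example".
    return (parts.hostname or "") in ALLOWED_HOSTS


def resolve_redirect(linkid, dest=None):
    """Hardened handler: the destination comes only from LINK_TABLE.

    `dest` is accepted for compatibility with old links but never followed,
    so an allowlisted host that forwards visitors cannot be chained.
    """
    return LINK_TABLE.get(linkid, FALLBACK)
```

Even the strict check approves any path on an allowlisted host, which is the residual risk trev points out; the table lookup removes the client-controlled destination altogether.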