UBL wiz visa card Internet application insecureNovember 8th, 2009
United Bank Ltd. sells these prepaid visa cards called wiz. One of best features of these cards is that you can use them online. But before you can do that you have to send a signed Internet application form. You can send it via email, fax or postal mail.
But the email method of submission is very insecure.
Now the form has to contain your card number and your signature. So you have to download it, scan it and email it to them. The problem arises when it comes to the security of that email message. You have to send that email to them in unencrypted form! The reason being that they provide no PGP key for you to encrypt it. I emailed them asking for one but got no response!
But its not just the internet application form. One of the features of a wiz card is the option to receive an account statement via email. This is actually an essential feature because its the only way to get an account statement short of going to an ATM. Unfortunately this e-statement also includes your full debit card number in plain text!
Anyone can intercept these emails and it will reveal your debit card number. The hacker can then use that number to shop online at your expense!
Looks like these guys have a lot to learn about IT security.
Please read my full review of the UBL wiz card.