United Bank Ltd. sells these prepaid visa cards called wiz. One of best features of these cards is that you can use them online. But before you can do that you have to send a signed Internet application form. You can send it via email, fax or postal mail.
But the email method of submission is very insecure.
Now the form has to contain your card number and your signature. So you have to download it, scan it and email it to them. The problem arises when it comes to the security of that email message. You
have to send that email to them in unencrypted form! The reason being
that they provide no PGP key for you to encrypt it. I emailed them
asking for one but got no response!
But its not just the internet application form. One of the features of a wiz card is the option to receive an account statement via email. This is actually an essential feature because its the only way to get an account statement short of going to an ATM. Unfortunately this e-statement also includes your full debit card number in plain text!
Anyone can intercept these emails and it will reveal your debit card number. The hacker can then use that number to shop online at your expense!
Ironically when you visit UBL's site
you are redirected to a secure HTTPS version. But when it
comes to sending debit card numbers they have no encryption system in
place like PGP.
Looks like these guys have a lot to learn about IT security.
The debit card number alone won't do any good.
Yeah your right. They also need the expiry date and they have to know when your card is activated for online use. But its still better to be safe than sorry.