Barclays Bank: Sending Transactional Billing Notices to a Spamtrap

Today Barclaycard, the credit card division of U.K. banking firm Barclays, joined the MainSleaze Spam blog list of banking infamy. It did so when it sent a transactional billing email to an email address that has not been live for ten years, notifying the non-existent owner of this email address that he or she had a payment due, and including a name, last four digits of a credit card number, and tagged URLs that presumably gave anybody who received this email access to a customer’s banking records. The ESP is Cheetahmail, a subsidiary of Experian.

Spam is bulk email; this email was not bulk email and therefore was not spam. The issue I have with it is that customer information is being sent to unknown individuals and apparently has been for many years because this email address has not been live since 2002. Barclays either did not verify the email addresses that customers provided to it, or ignored SMTP rejections (“bounces”) for an extended period. This shows an extraordinary lack of concern for the security of customer information. In a bank, of all businesses, that is a serious failing.
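Bounce handling is the control that was missing here. As an added example (not from the post, and not Barclays' or Cheetahmail's code), the following Python routine classifies SMTP responses by their reply code and RFC 3463 enhanced status code, and suppresses an address after one permanent rejection or three consecutive transient ones, so that transactional mail carrying account details stops going to a mailbox that no longer exists. The sample responses and addresses are constructed.

```python
import re
from dataclasses import dataclass, field

# Constructed sample SMTP responses (not from the post); domains are placeholders.
SAMPLE_RESPONSES = [
    ("old-user@example.invalid", "550 5.1.1 <old-user@example.invalid>: Recipient address rejected: User unknown"),
    ("gone@example.invalid", "451 4.4.1 <gone@example.invalid>: No answer from host"),
    ("gone@example.invalid", "451 4.4.1 <gone@example.invalid>: No answer from host"),
    ("gone@example.invalid", "451 4.4.1 <gone@example.invalid>: No answer from host"),
    ("busy@example.invalid", "452 4.2.2 <busy@example.invalid>: Mailbox full"),
    ("busy@example.invalid", "250 2.0.0 Ok: queued as CONSTRUCTED"),
    ("busy@example.invalid", "452 4.2.2 <busy@example.invalid>: Mailbox full"),
]

# Three-digit reply code followed by an optional enhanced status code (class.subject.detail).
STATUS_RE = re.compile(r"^(?P<code>[245]\d\d)\s+(?P<enh>[245]\.\d{1,3}\.\d{1,3})?")
SOFT_BOUNCE_LIMIT = 3  # consecutive transient failures before an address is suppressed

@dataclass
class Suppression:
    suppressed: dict = field(default_factory=dict)  # address -> last failing response
    soft_count: dict = field(default_factory=dict)  # address -> consecutive 4xx count

    def classify(self, response: str) -> str:
        """Return 'ok', 'soft' (4xx), 'hard' (5xx) or 'unknown' for one SMTP response."""
        m = STATUS_RE.match(response)
        if not m:
            return "unknown"
        first_digit = (m.group("enh") or m.group("code"))[0]
        return {"2": "ok", "4": "soft", "5": "hard"}.get(first_digit, "unknown")

    def record(self, address: str, response: str) -> str:
        """Update per-address state from a delivery attempt; a hard bounce suppresses at once."""
        kind = self.classify(response)
        if kind == "ok":
            self.soft_count.pop(address, None)  # a successful delivery resets the soft counter
        elif kind == "hard":
            self.suppressed[address] = response
        elif kind == "soft":
            n = self.soft_count.get(address, 0) + 1
            self.soft_count[address] = n
            if n >= SOFT_BOUNCE_LIMIT:
                self.suppressed[address] = response
        return kind

    def may_send(self, address: str) -> bool:
        return address not in self.suppressed

def process(responses):
    """Feed a sequence of (address, smtp_response) pairs into a fresh suppression list."""
    s = Suppression()
    for addr, resp in responses:
        s.record(addr, resp)
    return s
```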

Sending IP: 207.251.96.125

Spam Sample:

Actual Headers:

Received: from ebm1.cheetahmail.com (ebm1.cheetahmail.com [207.251.96.125])
        by <xxx> (Postfix) with SMTP id <xxx>
        for <xxx>; Sat, 17 Mar 2012 10:xx:xx +0200 (EET)
Content-Type: multipart/alternative; boundary="<xxx>"
Date: Sat, 17 Mar 2012 08:xx:xx -0000
From: "Barclaycard" <barclaycard@mail.barclaycard.co.uk>
Message-Id: <<xxx>@ebm1.cheetahmail.com>
Mime-Version: 1.0
Received: (qmail 45165 invoked by uid 108); Sat, 17 Mar 2012 08:ss:ss -0000
Reply-To: "Barclaycard" <support-<xxx>@mail.barclaycard.co.uk>
Subject: Payment Due
To: <xxx>

Readable Email:

From: Barclaycard <barclaycard@mail.barclaycard.co.uk>
To: <spamtrap>
Subject: Payment Due
Reply-To: Barclaycard <support-<xxx>@mail.barclaycard.co.uk>

Hello <xxx>,

The next payment for your Barclaycard Cashback card account ending <xxx> is due on 26 Mar 12.

If you have paid in the last seven days, please ignore this email.

If you are paying online, you need to allow three working days for your payment to clear. That’s four working days if you’re making your payment at your bank or by post. Finally, if you have already set up a direct debit, please remember that your payment will be made on or before the payment due date.

Pay your bill
http://mail.barclaycard.co.uk/<xxx>/logon2txt

Here are the details of the payment due.

Minimum payment due: £<xxx>

Payment due: <xxx>

To view your account, just go to mybarclaycard. While you’re there, you can also keep track of your spending, see more detail on transactions, set up a direct debit payment or switch on and manage other updates and alerts.

Log in
http://mail.barclaycard.co.uk/<xxx>/logontxt

Thank you for using mybarclaycard.

Kind regards,
Paul McWeeney
Head of Consumer Sales and Service

Legal
Please do not e-mail a response to this message. If you have a query regarding Barclaycard please contact us at Barclaycard Customer Services on 0844 811 9111. Call charges info:
http://mail.barclaycard.co.uk//<xxx>/cchargestx .

Internet communications are not secure and therefore the Barclays Group does not accept legal responsibility for the contents of this message. Although Barclays Group operates anti-virus programmes, it does not accept responsibility for any damage whatsoever that is caused by viruses being passed.

This message is confidential and intended for the addressee only. Please be aware that messages sent over the internet are not secure and should not be seen as forming a legally binding contract unless otherwise stated. We will never contact you via e-mail or via a website, asking you to supply us with any security details relating to you, your credit card details, PIN, or online account servicing. For more information visit www.barclaycard.co.uk :
http://mail.barclaycard.co.uk/<xxx>/hometxt .

Status Disclosure
Barclaycard is a trading name of Barclays Bank PLC. Barclays Bank PLC is authorised and regulated by the Financial Services Authority and subscribes to the Lending Code which is monitored and enforced by the Lending Standards Board. Registered in England No: 1026167. Registered Office: 1 Churchill Place, London, E14 5HP.
