Capital One: Poster Boy for Poor Security and Privacy

Capital One, a large US-based bank and credit card issuer, stands out for sending by far the largest number of transactional emails containing personally identifiable information (PII) to my spamtrap collection. :/ Capital One uses a number of ESPs, but its transactional emails are usually sent through Bigfoot Interactive, owned by Epsilon Interactive.

Attached below are two such transactional emails to two different spamtraps, with the PII removed of course! The first was sent to a typoed email address that has never been valid. Capital One has been sending transactional emails to this email address for at least two years without ever having verified that the email address was correct or belonged to their customer. The second was sent to a repurposed spamtrap that has not been in use by a real person for at least eight years. I suspect that this is a long-time customer who didn’t bother to notify the bank when he switched email addresses.

If Capital One had simply processed bounces and paid attention to engagement, it would have quickly identified these email addresses as invalid. (A spamtrap accepts mail rather than rejecting it, so for addresses like these the bounce stream alone says nothing; the tell-tale is years of deliveries with no open, click or sign-in.) It could then have stopped sending email to those addresses and notified its customers through another channel, such as a phone call or postal mail, that the email address on file was not reaching them.
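What "processing bounces and paying attention to engagement" looks like in practice, as an added example that is not Capital One's or its ESP's code: a small suppression-list processor that walks a constructed event stream (the addresses, the thresholds and the RFC 3464 status codes in the sample are invented for illustration) and decides which addresses to stop mailing and re-verify out of band. It handles both failure modes the page describes: a hard bounce, and an address that accepts everything but never engages.

```python
"""Bounce and engagement processing for transactional mail.

Added example, not Capital One's or its ESP's code. It walks a constructed
event stream for a handful of invented addresses and decides which of them
the sender should stop mailing and verify through another channel.
Bounce classification follows RFC 3464 enhanced status codes: 5.x.x is a
permanent failure, 4.x.x a transient one.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

HARD_BOUNCE = re.compile(r"^5\.\d+\.\d+$")   # permanent: address is gone or never existed
SOFT_BOUNCE = re.compile(r"^4\.\d+\.\d+$")   # transient: mailbox full, greylisting, etc.

# Policy knobs (assumed values, not anything the page states)
MAX_UNENGAGED_MAILINGS = 6   # deliveries with no open/click/sign-in before we stop
MAX_SOFT_BOUNCES = 3         # consecutive transient failures treated as permanent


@dataclass
class AddressState:
    unengaged_streak: int = 0   # mailings delivered since the last engagement
    soft_bounces: int = 0       # transient failures since the last engagement


def classify_dsn(status: str) -> str:
    """Map an enhanced status code ("5.1.1") to 'hard', 'soft' or 'other'."""
    if HARD_BOUNCE.match(status):
        return "hard"
    if SOFT_BOUNCE.match(status):
        return "soft"
    return "other"


def process_events(events):
    """Return {address: reason} for every address that must be suppressed.

    events are tuples in time order:
      ("sent", addr)            a transactional message was accepted for delivery
      ("engaged", addr)         an open, click or sign-in was attributed to a message
      ("dsn", addr, status)     a delivery status notification came back
    """
    state = defaultdict(AddressState)
    suppressed = {}
    for event in events:
        kind, addr = event[0], event[1]
        if addr in suppressed:
            continue  # already off the list; nothing more should be sent
        st = state[addr]
        if kind == "sent":
            st.unengaged_streak += 1
            if st.unengaged_streak >= MAX_UNENGAGED_MAILINGS:
                suppressed[addr] = f"no engagement in {MAX_UNENGAGED_MAILINGS} mailings"
        elif kind == "engaged":
            st.unengaged_streak = 0
            st.soft_bounces = 0
        elif kind == "dsn":
            cls = classify_dsn(event[2])
            if cls == "hard":
                suppressed[addr] = f"hard bounce {event[2]}"
            elif cls == "soft":
                st.soft_bounces += 1
                if st.soft_bounces >= MAX_SOFT_BOUNCES:
                    suppressed[addr] = f"{MAX_SOFT_BOUNCES} consecutive soft bounces"
    return suppressed


def out_of_band_actions(suppressed):
    """For each suppressed address, the follow-up the page argues for:
    stop emailing and reach the customer by phone or post to re-verify."""
    return {addr: "suppress email; verify address by phone or postal mail"
            for addr in suppressed}


# Constructed sample stream. Note the first address: a typo at a domain that
# accepts everything never produces a DSN, so only the engagement signal can
# catch it, which is the situation of the first exhibit below.
SAMPLE_EVENTS = (
    [("sent", "jsmith@examp1e.com")] * 6
    + [("sent", "old-mailbox@example.net"), ("engaged", "old-mailbox@example.net")]
    + [("sent", "old-mailbox@example.net")] * 6
    + [("sent", "gone@example.org"), ("dsn", "gone@example.org", "5.1.1")]
    + [("sent", "full@example.com"), ("dsn", "full@example.com", "4.2.2")]
    + [("sent", "active@example.com"), ("engaged", "active@example.com")] * 4
)

if __name__ == "__main__":
    for addr, reason in process_events(SAMPLE_EVENTS).items():
        print(f"{addr}: {reason}")
```

Running it suppresses the typoed address and the abandoned mailbox on the engagement rule, the bounced address immediately, and leaves the mailbox-full and active addresses alone. The thresholds are policy, not protocol; the point is that both signals are already available to any sender that looks at them.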

In the past week, my spamtrap collection has received at least a dozen emails from Capital One to email addresses that they apparently think belong to their customers regarding the customers’ bank and credit card accounts. These emails do not contain the full credit card numbers (thank goodness!), but they do contain the last four digits of the account number, along with the full names and balances on the accounts. Other information can often be inferred from the email addresses themselves. For example, I was able to locate the current postal address and home phone number of an individual who was almost certainly the intended recipient of the second email. If I were a criminal, not a spam and security researcher, I could use this information to the detriment of this individual.

I see similar emails from a few other banks and credit card companies, but rarely containing this much personal information, and in much lower volumes.

Banks, credit card issuers, investment firms, and other companies that hold extremely sensitive customer personal and financial information are responsible for keeping that information confidential. In some jurisdictions, such as the European Union, they have a legal duty not to divulge sensitive information to third parties without explicit consent. Failing that duty, especially in today’s environment of back-to-back breaches, is unconscionable.

Capital One desperately needs to clean up the mess in its customer database and email practices. In my opinion, Capital One customers would be well advised to insist that Capital One not use email to communicate with them until it can do so without sending sensitive private information to third parties who should never have seen it.

Payment Notification (sent to never-valid spamtrap)

Sending IP: 206.132.3.124

Actual Headers:

Received: from bigfootinteractive.com (arm124.bigfootinteractive.com [206.132.3.124])
	by <xxx> (Postfix) with ESMTP id <xxx>
	for <xxx>; Sun,  6 Mar 2016 21:##:## +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha1; d=email.capitalone.com; s=ei; c=simple/simple; q=dns/txt;
	i=@email.capitalone.com; t=<xxx>; l=<xxx>; x=<xxx>;
	h=From:Subject:Date:To:MIME-Version:Content-Type;
	bh=<xxx>=;
	b=<xxx>=;
Received: from [192.168.##.##] ([192.168.##.##:##] helo=<xxx>)
	by <xxx>.epsiloninteractive.com (envelope-from <<xxx>@email.capitalone.com>)
	(ecelerity 2.2.2.45 r(34222M)) with ESMTP
	id <xxx>; Sun, 06 Mar 2016 15:##:## -0500
Reply-To: <xxx> <<xxx>@email.capitalone.com>
Bounces_to: <xxx>@email.capitalone.com
X-SS: <xxx>
X-BFI: <xxx>
Date: Sun, 06 Mar 2016 15:##:## EST
From: =?iso-8859-1?B?Q2FwaXRhbCBPbmU=?= <capitalone@email.capitalone.com>
Subject: Your card statement is ready
To: <xxx>
MIME-Version: 1.0
Content-Type: multipart/alternative;
  boundary="<xxx>"
Message-ID: <<xxx>.DumpShot.1@email.capitalone.com>

Readable Email:

From: Capital One <capitalone@email.capitalone.com>
To: <removed>
Subject: Your card statement is ready

View your statement online.

Visit Capital One          Sign in to your account

About your account ending in ####
<Personal Name Removed>,

The March 2016 statement for your Capital One® credit card is ready — just sign in to view your statement online.

Statement balance: <$###.##>
Minimum payment: <$##.##>
Payment due date: <April ##, 2016
by ## p.m. ET>

You can view your transaction details online, manage your account, or make a payment.

Thanks for choosing Capital One.

Important Information from Capital One®
Contact Us | Privacy | Help Prevent Fraud

To ensure delivery, add capitalone@email.capitalone.com to your address book.

This email was sent to <removed> and contains information directly related to your account with us, other services to which you have subscribed, and/or any application you may have submitted.

If you are past due on your account, view additional disclosures that may apply to you.

The third parties listed are not affiliated with Capital One and are solely responsible for their products and services. All trademarks are the property of their respective owners.

Please do not reply to this message, as this email inbox is not monitored. To contact us, visit www.capitalone.com/contact.

© 2015 Capital One. Capital One is a federally registered service mark. All rights reserved.

Refund Notification (Sent to repurposed spamtrap, 8+ years out of use)

Sending IP: 206.132.1.107

Actual Headers:

Received: from bigfootinteractive.com (arm1107.bigfootinteractive.com [206.132.1.107])
	by <xxx> (Postfix) with ESMTP id <xxx>
	for <xxx>; Thu,  3 Mar 2016 17:##:## +0200 (EET)
DKIM-Signature: v=1; a=rsa-sha1; d=email.capitalone.com; s=ei; c=simple/simple; q=dns/txt;
	i=@email.capitalone.com; t=<xxx>; l=<xxx>; x=<xxx>;
	h=From:Subject:Date:To:MIME-Version:Content-Type;
	bh=<xxx>=;
	b=<xxx>=;
Received: from [192.168.##.##] ([192.168.##.##:##] helo=<xxx>)
	by <xxx>.epsiloninteractive.com (envelope-from <<xxx>@email.capitalone.com>)
	(ecelerity 2.2.2.45 r(34222M)) with ESMTP
	id <xxx>; Thu, 03 Mar 2016 10:##:## -0500
Reply-To: =?iso-8859-1?B?ImNhcGl0YWxvbmUi?= <<xxx>@email.capitalone.com>
Bounces_to: capitalone.<xxx>@email.capitalone.com
X-SS: <xxx>
X-BFI: <xxx>
Date: Thu, 03 Mar 2016 10:##:## EST
From: =?iso-8859-1?B?Q2FwaXRhbCBPbmU=?= <capitalone@email.capitalone.com>
Subject: <xxx>, your check's in the mail
To: <xxx>
MIME-Version: 1.0
Content-Type: multipart/alternative;
  boundary="<xxx>"
Message-ID: <<xxx>.DumpShot.1@email.capitalone.com>

Readable Email:

From: Capital One <capitalone@email.capitalone.com>
To: <removed>
Reply-to: <xxx>@email.capitalone.com
Subject: <xxx>, your check’s in the mail

Your refund check is on its way!

Visit Capital One          Sign in to your account

It’s in the mail–really

Your refund check is on its way!

Re: Your account ending in ####

<Personal name removed>,

We’ve mailed you a Capital One® credit balance refund check. It should arrive within the next 10 days.

Sign in anytime to manage your account. If you have any questions about this credit balance refund check, please call the number on the back of your card.

Thanks for choosing Capital One.

If you haven’t already, sign up for paperless statements and documents today!

Important Information from Capital One®
Contact Us | Privacy | Help Prevent Fraud

To ensure delivery, add capitalone@email.capitalone.com to your address book.

This email was sent to <removed> and contains information directly related to your account with us, other services to which you have subscribed, and/or any application you may have submitted.

If you are past due on your account, view additional disclosures that may apply to you.

The third parties listed are not affiliated with Capital One and are solely responsible for their products and services. All trademarks are the property of their respective owners.

Please do not reply to this message, as this email inbox is not monitored. To contact us, visit www.capitalone.com/contact.

© Capital One. Capital One is a federally registered service mark. All rights reserved.
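How the "Sending IP" and the attribution to Bigfoot/Epsilon above are derived from the raw headers, as an added example (not code from the page's author or from Capital One): the header block of the first exhibit, with the page's own <xxx> and ## redactions left in place, is unfolded, the sending IP and reverse-DNS name are taken from the topmost Received line, and the DKIM d= domain and the envelope sender are checked for DMARC-style relaxed alignment with the From domain. The organizational-domain function is a two-label simplification, noted as such in the code.

```python
"""Pull the forensic facts out of a captured header block.

Added example, not code from the page's author or from Capital One. It
unfolds the header block copied from the first exhibit above (the <xxx>
and ## redactions are the page's own), recovers the sending IP from the
topmost Received line, and checks whether the DKIM signing domain and the
envelope sender align with the From domain in the relaxed (organizational
domain) sense used by DMARC.
"""
import re

HEADERS = """\
Received: from bigfootinteractive.com (arm124.bigfootinteractive.com [206.132.3.124])
    by <xxx> (Postfix) with ESMTP id <xxx>
    for <xxx>; Sun,  6 Mar 2016 21:##:## +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha1; d=email.capitalone.com; s=ei; c=simple/simple; q=dns/txt;
    i=@email.capitalone.com; t=<xxx>; l=<xxx>; x=<xxx>;
    h=From:Subject:Date:To:MIME-Version:Content-Type;
    bh=<xxx>=;
    b=<xxx>=;
Received: from [192.168.##.##] ([192.168.##.##:##] helo=<xxx>)
    by <xxx>.epsiloninteractive.com (envelope-from <<xxx>@email.capitalone.com>)
    (ecelerity 2.2.2.45 r(34222M)) with ESMTP
    id <xxx>; Sun, 06 Mar 2016 15:##:## -0500
From: =?iso-8859-1?B?Q2FwaXRhbCBPbmU=?= <capitalone@email.capitalone.com>
Subject: Your card statement is ready
"""

IPV4_LITERAL = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
RDNS_NAME = re.compile(r"\(([A-Za-z0-9.-]+)\s*\[")          # "(arm124.host.example ["
ANGLE_ADDR = re.compile(r"<([^<>]+)>")
ENVELOPE_FROM = re.compile(r"envelope-from <(.*?)>\)")


def unfold(raw):
    """Join RFC 5322 continuation lines; return (name, value) pairs in order."""
    fields = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields


def first(fields, name):
    return next((v for n, v in fields if n.lower() == name.lower()), None)


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower().strip(". ")


def org_domain(domain):
    # Last two labels. Good enough for capitalone.com; a real implementation
    # consults the Public Suffix List for names like example.co.uk.
    return ".".join(domain.lower().split(".")[-2:])


def analyse(raw):
    fields = unfold(raw)
    # Only the topmost Received line was written by our own MTA; every line
    # below it was supplied by the sender and can say anything.
    top_received = first(fields, "Received") or ""
    ip = IPV4_LITERAL.search(top_received)
    rdns = RDNS_NAME.search(top_received)

    dkim = {}
    for part in (first(fields, "DKIM-Signature") or "").split(";"):
        key, sep, val = part.partition("=")
        if sep:
            dkim[key.strip()] = val.strip()

    from_addr = ANGLE_ADDR.search(first(fields, "From") or "")
    from_domain = domain_of(from_addr.group(1)) if from_addr else None

    env_domain = None
    for name, value in fields:
        m = ENVELOPE_FROM.search(value) if name.lower() == "received" else None
        if m:
            env_domain = domain_of(m.group(1))
            break

    def aligned(d):  # identifier alignment only; the signature and SPF need DNS
        return bool(d and from_domain) and org_domain(d) == org_domain(from_domain)

    return {
        "sending_ip": ip.group(1) if ip else None,
        "esp_relay": rdns.group(1) if rdns else None,
        "dkim_domain": dkim.get("d"),
        "dkim_algorithm": dkim.get("a"),
        "from_domain": from_domain,
        "envelope_from_domain": env_domain,
        "dkim_identifier_aligned": aligned(dkim.get("d")),
        "spf_identifier_aligned": aligned(env_domain),
    }


if __name__ == "__main__":
    for k, v in analyse(HEADERS).items():
        print(f"{k:26} {v}")
```

The result is the uncomfortable part of the story: the relay is a Bigfoot Interactive host, the DKIM domain and envelope sender both align with the From domain, so these are genuine Capital One messages, and the only thing wrong with them is who they were delivered to. Header authentication tells a recipient that a message is authentic; it says nothing about whether the address it was sent to belongs to the customer. (The signatures use a=rsa-sha1, which RFC 8301 deprecated in 2018, after these messages were sent; verifying them today would need the signing key from DNS, which this offline check does not attempt.)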

2 Responses to Capital One: Poster Boy for Poor Security and Privacy

  1. Where I am, banks don’t send email. This is obviously in Europe, in a Northern European country.

    I’m a customer of four different financial groups. One sends email. The emails they send say “You have a message from us. Log in to see it.” …without any instructions or links for how to. That’s the extent of acceptable as far as I am concerned. The other three don’t send email.

    • That’s what I would consider reasonable as well. Unfortunately in the US banks do not seem to understand the extent of the phishing problem.

      Most users find it extremely difficult to distinguish between a well-crafted phish and a legitimate email from their bank. To me, that fact SHOULD mean that banks avoid using email to communicate with users, or do so with extreme care. I’m horrified how few banks feel the same way in the US.
