Why the hell can't Capital One email me my new credit card number and details?

C1 emailed and texted me tonight that my account was compromised. They cancelled the card and issued me a new one. Takes 2-3 days to get. My Blue Cross autopayment is tomorrow so I need to change credit card info. C1 says I can only see the full card number and details through the C1 mobile app. I don’t have that. When I download it, it’s not compatible with the phone. So why the hell can’t they just email it to me or put a link to see it online after I log in with my computer?

1 Like

This is an automatically-generated Wiki post for this new topic. Any member can edit this post and use it as a summary of the topic’s highlights.

Isnt the short answer that if they emailed you the card info, they’d then have to contact you again about your card info being potentially compromised and issue another replacement…

8 Likes

Isn’t obvious? Someone could pretend to be you and ask the same question? Or low-level staff could steal it too. Why not just pay with another card until you get the new one?

I agree it’s annoying.

4 Likes

Not if they send it to my registered email. And how is it any different if it’s on the mobile app thing?

I’m not sure how familiar you are with email, but in snail mail parlance, it is like a postcard. Would you like your cc# sent on a postcard?

5 Likes

^Right. Email is insecure. But there’s practically no difference between an app and a web browser. Most apps are basically displaying the same web pages anyway.

Give me your cap1 login/password and I’ll tell you your CC number. :rofl:

This is not necessarily true. For repeated payments they may approve the transaction and just forward the balance to the new card. They may even go further and inform the biller of the new card number.

3 Likes

So why wont C1 let me somehow access my card number through the web like they do on a cell phone?

1 Like

I have the CapOne mobile app and I can’t see my full CC details, at least I can’t find it.

I had a similar situation with a Chase card compromised last month. It took forever for it to arrive due to USPS delays, which stunk because I was itching to use a couple of Chase Offers. At least I was able to use Chase Pay in stores that accepted it.

But I had the same question. This is a replacement for a long-established card (low identity theft risk) and I have the Chase App, so why can’t I just see the card details online or in the app?

1 Like

This is why mobile wallets are the way of the future.

With the token setup and associated cryptography, it is much more secure than using your card, and should it be somehow compromised in the future, banks can instantly issue a new card to your mobile wallet.

I try to use Apple Pay wherever I go, and thanks to the pandemic, NFC payments have taken off at retailers. There are still a few holdout retailers, and I wish there was an easier way to use your wallet over the internet, but it does a decent job of limiting your exposure to breaches, requiring the replacement of the card.

But I had the same question. This is a replacement for a long-established card (low identity theft risk) and I have the Chase App, so why can’t I just see the card details online or in the app?

Well, I got this message form C1 so apparently you can.

Visit Capital One98x35 Sign In

Your card never quits. Your new card information is available now!

Use the Capital One Mobile app to access your new card number.

Get My Card Info

Re: Account ending in 8239

You or an authorized user recently let us know that your Capital One card was compromised, so we’re sending you a new card. While your new card is in the mail, you can access your new 16-digit card number, expiration date and security code (CVV) in the Capital One Mobile app.

You can use your new card information to shop online or update any recurring payment to avoid declines.

Get My Card Info

Viewing your new card information will activate your new physical card, so you won’t need to activate it when it arrives.

I have a very old card and a 2 months old card. I can’t find a way to see the old card’s account number in the app, but for the new card there’s a section titled “Card Number” with a “GET YOUR NUMBER” link below current transactions, just above “Statements & Documents”. Clicking the link then goes through 2FA, then displays the full account, CVV, and expiration.

As to why they show it in the app but not browser, who the f knows. Perhaps someone decided that the app is more secure. I don’t know why, it doesn’t seem more secure to me.

1 Like

That would be my guess. It seems security policy is often standard procedures/protocols plus whatever the people charge think. Not sure about CC’s as there may be more regulations involved, but in my experience with private business and govt, I definitely see this often.

1 Like

Are app sources available for download / compilation? If so, I will reconsider my app ban.

Pointers appreciated.

This is absolutely true, much to my dismay. In order to stop card issuers from giving your new digits to recurring chargers, you must contact the issuer and specifically tell them to not provide the updated info to vendors.

I meant in terms of the information they provide and the security of that information – both are just serving web pages / web page-like data from CapOne servers.

I appreciate that is what they are supposed to be doing. My concerns are how to prove that is all they are doing, and that they are doing it securely. When I look at all of the Javascript junk sites that, supposedly secure, financial institutions want me to allow to run rampant on my machine, I have a serious doubt of the security of the information that their app is serving. Just as important is what data their app is pulling from my device.

I know you’re a security minded guy/gal/zebra, so this isn’t just me picking nits. It would reassure me if they allowed their “app” sources to be viewed/reviewed. I would then consider that app to be more trustworthy than their “we take security very serious, so trust us” marketing / legal drivel.

:rofl: I’m imagining a Pink Panther -style animation about a security-minded Zebra :zebra:

The access to the device is secured by the OS, and the permissions are somewhat granular. Basically apps have access to things like the hardware information, possibly some unique info from the SIM card, phone number, WiFi SSID, and probably a list of other installed apps. Access to things like phone calls, messages, contacts, files, and camera/mic is controlled separately and is usually optional.

I’m not aware of any banks that open source their apps, and that’s not likely. I also don’t know if the source gets independently audited. Considering how frequently the apps are updated, the audit may be periodic, like once a year. So no, I don’t think there’s any way to really trust them beyond the “trust us” drivel unless you have the resources or know-how to reverse engineer them.

Personally I don’t keep any banking apps installed on my phone anymore. If / when I need something (like mobile check deposit), I install, use, and uninstall. That’s what I did to get the full credit card number upthread. The main reason I do this is not for security, but because I don’t use them frequently and the rapid update/release cycle means that I’d probably have to update the app when I use it next time anyway. This saves storage space and possibly improves performance and battery life (many apps start up automatically, often without a good reason). And I don’t have to buy a new phone because the old one ran out of space (my Nexus 5X only has 16GB, with plenty available).

2 Likes

Is there a way to “silo” the apps? I know companies that use Microsoft have the business apps and personal apps separate, denoted with the “lock” icon. But is there a way to do this for personal apps? I’ve tried setting up an Android virtual machine in VMware on my computer, but the Android OS installation never seems to work.

I would be interested as well, but for VirtualBox. I’m still skittish about VMware, not that I have tons of sealed court records that were exposed. :smile: