
ExxonMobil Bungles Rewards Card Debut - el_duderino
https://krebsonsecurity.com/2018/07/exxonmobil-bungles-rewards-card-debut/
======
itchyjunk
Should they have just used a subdomain in their regular domain? Seems like a
series of mini problems. Is the '+' obsolete (you need it for international
calls right?) or is the problem the phone using the same button for 0 as well.
So people who don't pay attention press 0 instead of '+'.

It just seems like "similar looking domains" and stuff has been a problem for
ever and it still is. Will this still be a problem in near and far future?

~~~
deaps
I wholeheartedly agree with the "similar looking domains" thing. They should
just use a subdomain.

If I'm used to visiting "capitalone.com" - and the site to activate a new
card is something like "activatecapitalone.com" - that seems sketchy. It
should be capitalone.com/activate or activate.capitalone.com -- I tend to
simply avoid sketchy sites even if they appear to be from official sources.

~~~
scarface74
The worst case I’ve seen is Amazon’s credit card site —
Amazon.mycreditcard.mobi. I realize that it’s run by a third party, but I am
sure they could have given it a better domain name.

------
bgreen7929
Easier to go to the speedpass+ app, if you have set that up. They have your
rewards card there already and you just assign a pin #.

------
khurrammohd78
I don't have exxon reward card I need one plzz

------
sp332
Wait do they not own the domain? Or they own the domain and the registrar's
parked page is full of scams?

------
Stinki4
I have had nothing but trouble trying to activate this card

------
nerdponx
_It always amazes me when major companies with oodles of cash (ExxonMobil made
$20 billion last year) roll out new marketing initiatives without consulting
professionals who help mitigate security and privacy issues for a living. It
seems likely that happened in this case because anyone who knows a thing or
two about security would strongly advise against instructing customers to
visit a parked domain or one that isn’t yet fully under the company’s
control._

Why is it amazing? There are no negative consequences, so why bother?

~~~
duxup
Presumably they want people to participate in this program.

------
reaperducer
Sounds like the marketing department did its job, and the web guys missed
their deadline.

~~~
jrnichols
or in my experience...

marketing put some URL on new promotional material without ever bothering to
check if it existed or was even available.

a whois on exxonmobilerewardsplus.com doesn't look very reassuring at all.

I think someone scooped them on the domain and now they're stuck with bad
promotional material.

