— If you have a credit card account with Bank of America or Chase, two of the nation’s largest banks, a major security flaw has been exposed that could make your information vulnerable to an Internet crook – or even a nosy neighbor.
Consumer advocate Edgar Dworsky of ConsumerWorld.org, who discovered the flaw, says anyone who knows your phone number and has the last four digits of your Chase or BofA credit card number might be able access your account.
Here’s the flaw Dworsky uncovered: When you call a bank’s automated credit card account information system, the computer uses caller ID to compare the number you’re calling from with the one on the account (usually your home phone).
At BofA and Chase, if the phone number is a match, the verification process is streamlined. Rather than requiring the entire credit card number to be entered, the caller can usually access the account with only the last four digits. In some cases, a zip code is also required.
“The last four digits of your credit card number are just out there so predominantly,” Dworsky says. “If you look at any sales receipt, it always has those last four digits.”
In order for someone to take advantage of this security loophole, they’d have to trick the bank’s computer to make it appear the call is coming from your home phone. Internet “spoofing” sites make this incredibly easy to do. Con artists have been using this technology for years, and it is how those British tabloid reporters were able to hack into so many voicemail systems.
The banks respond
I contacted Chase and Bank of America and asked them to respond to all of this. Both banks e-mailed me statements that said they take customer security very seriously, but they do not think the scenario Dworsky outlines is a significant security threat to their customers.
“Our objective is to balance customers' need for convenience and quick access to general information with industry best protection of their accounts,” wrote Betty Reiss at Bank of America. “In addition to at least two levels of authentication required to access very limited information over our automated system, we have additional security controls in place to detect potential abuse of our automated systems. We understand that there will always be individuals who are trying to beat the system, and we're constantly looking at measures to better protect and service our customers.”
I got this response from spokesperson Eileen Leveckis at Chase: “Chase takes data protection extremely seriously and we have numerous fraud-detection tools in place to best protect our customers. We are always engaged in research and development for new anti-fraud and data-protection technologies and we are an established leader in data security.”
Adam Levin, co-founder and chairman of Identity Theft 911, was disappointed to hear how the banks responded.
“The fact that people can spoof phone numbers and then use just four digits and then come back with account information is a woefully insecure security system,” he says. “These banks really have to rethink their strategy and develop a much more serious security protocol when it comes to credit cards.”
Pam Dixon, executive director of the nonprofit World Privacy Forum, agrees. "Convenience is the greatest enemy of privacy, and this is a perfect example of that,” Dixon says. "The banks have made it too easy to access this sensitive information. There needs to be increased security procedures."
Testing the flaw
In running various vulnerability tests with his own cards and those of several volunteers, Dworsky found it was simple to gain access to the targeted account in almost every case.
“I was shocked. I was absolutely shocked that using a relatively simple technique, someone could find out about someone else’s credit card history.”
Using the same technique and with his permission, I was able to get into the database for Dworsky’s Chase and Bank of America credit card accounts. The automated system gave me his credit lines and how much credit was still available on the card, the amount of the last bill and when it was paid, plus information about dozens of recent transactions: the date, the amount and what was purchased.
The security protocol is stricter at Capital One, Citi and American Express. They all require the entire card number to be entered every time, no matter where the call is placed from.
Dworsky would like to see Chase and BofA do the same thing. “It’s so easy to close this loophole,” he says. "They just need to require anyone who calls their information line to put in the full 16-digit credit card number.”
So, am I safe?
OK, so I hack into the bank’s automated system and find out that your last payment was $500 on Aug. 12 and that you have available credit of $21,500. Maybe I learn that you made a $65 purchase at Home Depot on Aug. 3, and a $75 purchase at Target the next day.
This isn’t enough information to allow a crook to order a new credit card or get a cash advance. But an identity thief can use the information to build credibility with potential victims.
Here’s how it works: Armed with the details from your account, the thief phones you, this time using caller ID spoofing to make it look like he’s calling from your bank.
He tells you he’s from the bank’s security department, and says they’ve noticed some suspicious activity on your account. To prove he’s with the bank, the crook recites the information gleaned from the phone system about your credit card account. That could cause you to drop your guard, and give him enough additional account information to rip you off.
Identity theft isn’t the only threat here. This same technique could also allow unauthorized people to collect information about your charitable or political donations, religious or other organizations you belong to, even charges you’ve made for medical problems.
My two cents
ID spoofing has changed the security landscape. A phone number is no longer a reliable means of authentication. If you have a credit card with either of these two banks and you believe security trumps convenience, as I do, I encourage you to contact them and let them know how you feel. Tell them you want this loophole closed.