[TriLUG] OT: lack of security at BofA

Joseph Mack NA3T jmack at austintek.com
Sun Dec 21 12:39:27 EST 2014


With concerns about social engineering as a method of breaking security, I was 
not impressed with my interaction with BofA this morning.

o I got a phone call from someone from BofA about a problem with my credit card 
(last 4 digits given). I asked how I know he was from BofA. He said "we can 
discuss that if you like" and then changed the subject. I assumed I had a 
phisher. I hung up.

o I concluded someone not from BofA had my credit card number and phone number. 
I couldn't imagine why such a person would call.

o I called BofA to tell them that I'd got a phone call from someone 
pretending to be from BofA, who had my credit card number and phone number, 
but who wouldn't prove they were from BofA.

o I found that indeed there had been fraud. Someone has been going around 
various grocery stores and pharmacies in Oxford and Creedmore (places I don't 
go) and run up $1k on my account (which BofA is going to credit me), being $200 
at each of 5 places. How they managed to do that I don't know. I thought you had 
to show them your card.

o They cancelled my card and said I'd get a new one in 5-7 business days. I 
asked them to overnight me a card. After some to-and-fro'ing they said they'd send 
one by Tuesday.

HERE'S THE CRITICAL PART

o I asked why someone would call me purporting to be from BofA, but would offer 
no proof and then changed the subject as if identifying themselves was 
irrelevant to investigating fraud.

Answer: this WAS a call from BofA. They weren't pretending to be from BofA. She 
said there is no possible way of proving they are from BofA. She then asked me 
how they could possibly prove they are from BofA as if to show me that it was 
not possible.

I pointed out that parties identifying each other is a big part of security and 
that there are many ways of doing so. I gave an example. The caller could say 
"Call the BofA number on the back of the card. Tell them you are calling to 
check on fraud on your card. If you like, you can give them this case number 
xxxx. Thank you. Have a good day."

She wouldn't accept that this was possible. They don't have case numbers. She 
then explained what was supposed to happen and what did happen.

I stopped her. I said that I wasn't interested in what she thought happened this 
morning or what was supposed to happen. The only thing that was relevant was that 
I got a phone call from someone purporting to be from BofA who couldn't prove he 
was from BofA and then was evasive.

She said that she would register my concern. From the tone of her voice, I 
detected that she thought I was a difficult customer.

Joe

-- 
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) austintek (dot) com - azimuthal equidistant
map generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!