[TriLUG] OT: lack of security at BofA

Michael Kimsal mgkimsal at gmail.com
Sun Dec 21 12:52:54 EST 2014


You are a difficult customer.  Come on - they have real Security
Experts(tm) on staff.  You're just some Joe off the street(tm) - how can
you possibly know anything about how complex bank security *really* is?  These
are Big Problems(tm).  They are going to require Big Solutions(tm), and
will involve another decade of work, will require billions to execute, and
still won't be secure, but they can prove they're Doing Something(tm).

Yes, I'm a bit trademark crazy this morning.

On Sun, Dec 21, 2014 at 12:39 PM, Joseph Mack NA3T <jmack at austintek.com>
wrote:

> With concerns about social engineering as a method of breaking security, I
> was not impressed with my interaction with BofA this morning.
>
> o I got a phone call from someone from BofA about a problem with my credit
> card (last 4 digits given). I asked how I know he was from BofA. He said
> "we can discuss that if you like" and then changed the subject. I assumed I
> had a phisher. I hung up.
>
> o I concluded someone not from BofA had my credit card number and phone
> number. I couldn't imagine why such a person would call.
>
> o I called BofA to tell them that I'd got a phone call from someone
> pretending to be from BofA, who had my credit card number and phone number,
> but who wouldn't prove they were from BofA.
>
> o I found that indeed there had been fraud. Someone has been going around
> various grocery stores and pharmacies in Oxford and Creedmore (places I
> don't go) and rung up $1k on my account (which BofA is going to credit me)
> being $200 at each of 5 places. How they managed to do that I don't know. I
> thought you had to show them your card.
>
> o They cancelled my card and said I'd get a new one in 5-7 business days.
> I asked them to overnight me a card. After some to-and-fro'ing they said
> they'd send one by Tues.
>
> HERE'S THE CRITICAL PART
>
> o I asked why someone would call me purporting to be from BofA, but would
> offer no proof and then changed the subject as if identifying themselves
> was irrelevant to investigating fraud.
>
> Answer: this WAS a call from BofA. They weren't pretending to be from
> BofA. She said there is no possible way of proving they are from BofA. She
> then asked me how they could possibly prove they are from BofA as if to
> show me that it was not possible.
>
> I pointed out that parties identifying each other is a big part of
> security and that there are many ways of doing so. I gave an example. The
> caller could say "Call the BofA number on the back of the card. Tell them
> you are calling to check on fraud on your card. If you like, you can give
> them this case number xxxx. Thank you. Have a good day."
>
> She wouldn't accept that this was possible. They don't have case numbers.
> She then explained what was supposed to happen and what did happen.
>
> I stopped her. I said that I wasn't interested in what she thought
> happened this morning or what was supposed to happen. The only thing that was
> relevant was that I got a phone call from someone purporting to be from
> BofA who couldn't prove he was from BofA and then was evasive.
>
> She said that she would register my concern. From the tone of her voice, I
> detected that she thought I was a difficult customer.
>
> Joe
>
> --
> Joseph Mack NA3T EME(B,D), FM05lw North Carolina
> jmack (at) austintek (dot) com - azimuthal equidistant
> map generator at http://www.wm7d.net/azproj.shtml
> Homepage http://www.austintek.com/ It's GNU/Linux!




-- 

Michael Kimsal
http://kims.al <http://michaelkimsal.com>
919.827.4724