[TriLUG] OT: lack of security at BofA

Steve Litt slitt at troubleshooters.com
Sun Dec 21 12:56:20 EST 2014


You're right, Michael. But as a nation it's our fault. We didn't give
BofA enough bailout money to do security right!

SteveT


On Sun, 21 Dec 2014 12:52:54 -0500
Michael Kimsal <mgkimsal at gmail.com> wrote:

> You are a difficult customer.  Come on - they have real Security
> Experts(tm) on staff.  You're just some Joe off the street(tm) - how
> can you possibly know anything about how complex bank security *really*
> is?  These are Big Problems(tm).  They are going to require Big
> Solutions(tm), and will involve another decade of work, will require
> billions to execute, and still won't be secure, but they can prove
> they're Doing Something(tm).
> 
> Yes, I'm a bit trademark crazy this morning.
> 
> On Sun, Dec 21, 2014 at 12:39 PM, Joseph Mack NA3T
> <jmack at austintek.com> wrote:
> 
> > With concerns about social engineering as a method of breaking
> > security, I was not impressed with my interaction with BofA this
> > morning.
> >
> > o I got a phone call from someone from BofA about a problem with my
> > credit card (last 4 digits given). I asked how I know he was from
> > BofA. He said "we can discuss that if you like" and then changed
> > the subject. I assumed I had a phisher. I hung up.
> >
> > o I concluded someone not from BofA had my credit card number and
> > phone number. I couldn't imagine why such a person would call.
> >
> > o I called BofA to tell them that I'd got a phone call from someone
> > pretending to be from BofA, who had my credit card number and phone
> > number, but who wouldn't prove they were from BofA.
> >
> > o I found that indeed there had been fraud. Someone has been going
> > around various grocery stores and pharmacies in Oxford and
> > Creedmore (places I don't go) and rung up $1k on my account (which
> > BofA is going to credit me) being $200 at each of 5 places. How
> > they managed to do that I don't know. I thought you had to show
> > them your card.
> >
> > o they cancelled my card and said I'd get a new one in 5-7 business
> > days. I asked them to overnight me a card. After some
> > to-and-fro'ing said they'd send one by tues.
> >
> > HERE'S THE CRITICAL PART
> >
> > o I asked why someone would call me purporting to be from BofA, but
> > would offer no proof and then changed the subject as if identifying
> > themselves was irrelevant to investigating fraud.
> >
> > Answer: this WAS a call from BofA. They weren't pretending to be
> > from BofA. She said there is no possible way of proving they are
> > from BofA. She then asked me how they could possibly prove they are
> > from BofA as if to show me that it was not possible.
> >
> > I pointed out that parties identifying each other is a big part of
> > security and that there are many ways of doing so. I gave an
> > example. The caller could say "Call the BofA number on the back of
> > the card. Tell them you are calling to check on fraud on your card.
> > If you like, you can give them this case number xxxx. Thank you.
> > Have a good day."
> >
> > She wouldn't accept that this was possible. They don't have case
> > numbers. She then explained what was supposed to happen and what
> > did happen.
> >
> > I stopped her. I said that I wasn't interested in what she thought
> > happened this morning or what was supposed to happen. The only thing
> > that was relevant was that I got a phone call from someone
> > purporting to be from BofA who couldn't prove he was from BofA and
> > then was evasive.
> >
> > She said that she would register my concern. From the tone of her
> > voice, I detected that she thought I was a difficult customer.
> >
> > Joe
> >
> > --
> > Joseph Mack NA3T EME(B,D), FM05lw North Carolina
> > jmack (at) austintek (dot) com - azimuthal equidistant
> > map generator at http://www.wm7d.net/azproj.shtml
> > Homepage http://www.austintek.com/ It's GNU/Linux!
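
The callback procedure Joe proposes, modeled as an added example (this is editor-supplied code, not anything from the thread or from the bank): the agent who phones the customer hands over a case reference and nothing else; the customer ignores whatever number the caller offers and dials the number printed on the card; the bank answers on that published line and looks the case up. The phone number, the case-id format, the 24-hour lifetime and the sample case notes are assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumed: the number printed on the back of the card. The customer dials
# this, and only this, no matter what an inbound caller says.
NUMBER_ON_CARD = "+1-800-000-0000"


@dataclass
class Case:
    case_id: str
    card_last4: str
    opened_at: float
    note: str
    resolved: bool = False


class FraudDesk:
    """Bank side: opens cases and answers calls on the published number."""

    CASE_TTL_SECONDS = 24 * 3600  # assumed lifetime of an unresolved case

    def __init__(self, now: Callable[[], float] = time.time):
        self._cases: Dict[str, Case] = {}
        self._now = now

    def open_case(self, card_last4: str, note: str) -> Case:
        # Random so cases cannot be enumerated, but the id is a reference,
        # not a secret: it is only ever used on a call the customer starts.
        case = Case(secrets.token_hex(4).upper(), card_last4, self._now(), note)
        self._cases[case.case_id] = case
        return case

    def outbound_script(self, case: Case) -> Dict[str, str]:
        """Everything the agent phoning the customer is allowed to convey."""
        return {"last4": case.card_last4, "case_id": case.case_id,
                "instruction": "call the number on the back of your card"}

    def answer(self, dialed: str, card_last4: str, case_id: str) -> Optional[Case]:
        """Handle a customer-initiated call. Returns the case or None."""
        if dialed != NUMBER_ON_CARD:        # not the published line
            return None
        case = self._cases.get(case_id)
        if case is None or case.card_last4 != card_last4 or case.resolved:
            return None
        if self._now() - case.opened_at > self.CASE_TTL_SECONDS:
            return None
        case.resolved = True                # single use: the id cannot be replayed
        return case


def customer_callback(desk: FraudDesk, claim: Dict[str, str]) -> Optional[Case]:
    """
    What the customer does after an inbound call. `claim` is whatever the
    caller said (case id, last four digits, maybe a number to ring back).
    Any callback number in the claim is ignored: the customer dials the
    number on the card, so a phisher's own line never enters the picture.
    """
    return desk.answer(NUMBER_ON_CARD, claim["last4"], claim["case_id"])


def demo() -> Dict[str, bool]:
    """Constructed scenarios: genuine call, phisher, replayed case id."""
    desk = FraudDesk()
    results = {}

    # Genuine call: the desk opens a case, reads the script, customer rings back.
    case = desk.open_case("1234", "five $200 charges at stores you do not use")
    results["genuine_confirmed"] = customer_callback(desk, desk.outbound_script(case)) is not None

    # Phisher who knows the last four and the phone number (as in the thread)
    # but has no case on file, and tries to steer the customer to their own line.
    phish = {"last4": "1234", "case_id": "CASE-0001", "callback": "+1-555-0100"}
    results["phish_rejected"] = customer_callback(desk, phish) is None

    # The same case id used a second time (overheard, say) is refused.
    results["replay_rejected"] = customer_callback(desk, desk.outbound_script(case)) is None
    return results


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting. The case id carries no trust of its own; it only lets the bank find the right record once the customer is already on a line the customer chose. That is why the bank side never needs to "prove" anything on the outbound call, and why a phisher who knows the card number and phone number still ends up with "no such case" when the customer rings the real number. And nothing about the inbound call is relied on at all, which matters because displayed caller ID is trivially spoofed.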


More information about the TriLUG mailing list