[TriLUG] OT: lack of security at BofA

Scott Lambdin lopaki at gmail.com
Sun Dec 21 13:17:13 EST 2014


At Wells Fargo, you can have a temp card on the spot at a branch.  I mean,
how can you live without one?

--Scott

On Sun, Dec 21, 2014 at 12:56 PM, Steve Litt <slitt at troubleshooters.com>
wrote:

> You're right, Michael. But as a nation it's our fault. We didn't give
> BofA enough bailout money to do security right!
>
> SteveT
>
>
> On Sun, 21 Dec 2014 12:52:54 -0500
> Michael Kimsal <mgkimsal at gmail.com> wrote:
>
> > You are a difficult customer.  Come on - they have real Security
> > Experts(tm) on staff.  You're just some Joe off the street(tm) - how
> > can you possibly know anything about how complex bank security *really*
> > is?  These are Big Problems(tm).  They are going to require Big
> > Solutions(tm), and will involve another decade of work, will require
> > billions to execute, and still won't be secure, but they can prove
> > they're Doing Something(tm).
> >
> > Yes, I'm a bit trademark crazy this morning.
> >
> > On Sun, Dec 21, 2014 at 12:39 PM, Joseph Mack NA3T
> > <jmack at austintek.com> wrote:
> >
> > > With concerns about social engineering as a method of breaking
> > > security, I was not impressed with my interaction with BofA this
> > > morning.
> > >
> > > o I got a phone call from someone from BofA about a problem with my
> > > credit card (last 4 digits given). I asked how I know he was from
> > > BofA. He said "we can discuss that if you like" and then changed
> > > the subject. I assumed I had a phisher. I hung up.
> > >
> > > o I concluded someone not from BofA had my credit card number and
> > > phone number. I couldn't imagine why such a person would call.
> > >
> > > o I called BofA to tell them that I'd got a phone call from someone
> > > pretending to be from BofA, who had my credit card number and phone
> > > number, but who wouldn't prove they were from BofA.
> > >
> > > o I found that indeed there had been fraud. Someone has been going
> > > around various grocery stores and pharmacies in Oxford and
> > > Creedmore (places I don't go) and rung up $1k on my account (which
> > > BofA is going to credit me) being $200 at each of 5 places. How
> > > they managed to do that I don't know. I thought you had to show
> > > them your card.
> > >
> > > o they cancelled my card and said I'd get a new one in 5-7 business
> > > days. I asked them to overnight me a card. After some
> > > to-and-fro'ing said they'd send one by tues.
> > >
> > > HERE'S THE CRITICAL PART
> > >
> > > o I asked why someone would call me purporting to be from BofA, but
> > > would offer no proof and then changed the subject as if identifying
> > > themselves was irrelevant to investigating fraud.
> > >
> > > Answer: this WAS a call from BofA. They weren't pretending to be
> > > from BofA. She said there is no possible way of proving they are
> > > from BofA. She then asked me how they could possibly prove they are
> > > from BofA as if to show me that it was not possible.
> > >
> > > I pointed out that parties identifying each other is a big part of
> > > security and that there are many ways of doing so. I gave an
> > > > example. The caller could say "Call the BofA number on the back of
> > > the card. Tell them you are calling to check on fraud on your card.
> > > If you like, you can give them this case number xxxx. Thank you.
> > > Have a good day."
> > >
> > > She wouldn't accept that this was possible. They don't have case
> > > numbers. She then explained what was supposed to happen and what
> > > did happen.
> > >
> > > I stopped her. I said that I wasn't interested in what she thought
> > > > happened this morning or what was supposed to happen. The only thing
> > > that was relevant was that I got a phone call from someone
> > > purporting to be from BofA who couldn't prove he was from BofA and
> > > then was evasive.
> > >
> > > She said that she would register my concern. From the tone of her
> > > voice, I detected that she thought I was a difficult customer.
> > >
> > > Joe
> > >
> > > --
> > > Joseph Mack NA3T EME(B,D), FM05lw North Carolina
> > > jmack (at) austintek (dot) com - azimuthal equidistant
> > > map generator at http://www.wm7d.net/azproj.shtml
> > > Homepage http://www.austintek.com/ It's GNU/Linux!
> > > --
> > > This message was sent to: mgkimsal at gmail.com <mgkimsal at gmail.com>
> > > To unsubscribe, send a blank message to trilug-leave at trilug.org
> > > from that address.
> > > TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
> > > Unsubscribe or edit options on the web  :
> > > http://www.trilug.org/mailman/ options/trilug/mgkimsal%40gmail.com
> > > Welcome to TriLUG: http://trilug.org/welcome
> --
> This message was sent to: Scott Lambdin <lopaki at gmail.com>
> To unsubscribe, send a blank message to trilug-leave at trilug.org from that
> address.
> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
> Unsubscribe or edit options on the web  :
> http://www.trilug.org/mailman/options/trilug/lopaki%40gmail.com
> Welcome to TriLUG: http://trilug.org/welcome
>

