[TriLUG] OT: lack of security at BofA
Hrivnak, Michael
mhrivnak at hrivnak.org
Sun Dec 21 13:41:56 EST 2014
Shortly after I became treasurer for an arts-related nonprofit, I had to
call the bank with a question about the checking account. It was the first
time I'd done so, and I wasn't sure how they'd want to authenticate me.
They asked me three questions, all of which I answered based purely on
public knowledge. One was, "In what city was this account opened", and I
guessed it's the city where the nonprofit was founded (Durham). I don't
recall the second question, but the last question was for the tax ID, which
by law is a matter of public record. I literally looked it up on
guidestar.com while they waited on the phone, and I told them as much. I
told them that many nonprofits even put that right on the website to make
donations easier!
Similarly, the person on the phone didn't care. What a shame.
Michael
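The out-of-band callback Joe proposes in the quoted message below (the bank's caller hands over a case number and tells the customer to ring the number printed on the card) is easy to model, and the model shows why it beats the public-knowledge questions described above: the customer gives the unsolicited caller nothing, and the bank verifies the case, not the customer's memory of public facts. The following Python is an added illustration, not anything BofA runs or anything from the original thread; the `CallbackDesk` component, the 24-hour validity window and the sample last-four digits are all assumptions for the example.

```python
"""Out-of-band callback verification, modelled as a tiny bank-side desk.

Constructed example: a case number issued on an outbound call is bound to
the account it concerns and to a short validity window. The customer never
authenticates to the caller; they hang up, dial the number printed on their
card, and quote the case number. The bank then checks that the case exists,
belongs to the caller's account and has not expired.
"""
import secrets
from dataclasses import dataclass
from enum import Enum

CASE_TTL_SECONDS = 24 * 3600  # assumed validity window (hypothetical policy)


class Verdict(Enum):
    OK = "case matches this account"
    UNKNOWN_CASE = "no such case; treat the original call as suspect"
    ACCOUNT_MISMATCH = "case exists but concerns a different account"
    EXPIRED = "case has lapsed; open a new one"


@dataclass(frozen=True)
class Case:
    account_last4: str
    opened_at: int      # seconds; an integer clock keeps the example deterministic
    reason: str


class CallbackDesk:
    """Bank-side registry of outbound fraud calls (hypothetical component)."""

    def __init__(self):
        self._cases: dict[str, Case] = {}

    def open_outbound_case(self, account_last4: str, reason: str, now: int) -> str:
        # Unguessable reference: 8 hex chars from a CSPRNG, carrying no account data.
        case_no = secrets.token_hex(4).upper()
        self._cases[case_no] = Case(account_last4, now, reason)
        return case_no

    def verify_inbound(self, case_no: str, account_last4: str, now: int) -> Verdict:
        # Reached only via the number on the card, so the bank's identity is
        # already established by the channel; what remains is to check the case.
        case = self._cases.get(case_no.strip().upper())
        if case is None:
            return Verdict.UNKNOWN_CASE
        if case.account_last4 != account_last4:
            return Verdict.ACCOUNT_MISMATCH
        if now - case.opened_at > CASE_TTL_SECONDS:
            return Verdict.EXPIRED
        return Verdict.OK


def outbound_script(case_no: str) -> str:
    """What the bank's caller says; note that it asks the customer for nothing."""
    return (
        "This is the fraud desk. Please call the number on the back of your "
        f"card and quote case {case_no}. Do not give me any details now."
    )


def demo() -> dict:
    """Walk through the honest callback and two impostor attempts."""
    desk = CallbackDesk()
    t0 = 0
    case_no = desk.open_outbound_case("1234", "unusual card-present spend", t0)

    return {
        "script": outbound_script(case_no),
        "genuine": desk.verify_inbound(case_no, "1234", t0 + 600),
        # A phisher who invents a reference number
        "fabricated": desk.verify_inbound("DEADBEEF", "1234", t0 + 600),
        # A phisher replaying a real case number against someone else's card
        "wrong_account": desk.verify_inbound(case_no, "9999", t0 + 600),
        # The same customer calling back after the window has closed
        "stale": desk.verify_inbound(case_no, "1234", t0 + CASE_TTL_SECONDS + 1),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result.value if isinstance(result, Verdict) else result}")
```

The case number here is only a routing token, not a secret that proves anything on its own: whoever quotes it still has to be calling in on the published number, and the desk still checks it against the account being discussed. That is the part the agent in the thread said was "not possible".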
On Sun, Dec 21, 2014 at 1:19 PM, Jonathan Mainguy <jon at jmainguy.com> wrote:
>
> By using a credit card
> On Dec 21, 2014 1:17 PM, "Scott Lambdin" <lopaki at gmail.com> wrote:
>
> > At Wells Fargo, you can have a temp card on the spot at a branch. I mean,
> > how can you live without one?
> >
> > --Scott
> >
> > On Sun, Dec 21, 2014 at 12:56 PM, Steve Litt <slitt at troubleshooters.com>
> > wrote:
> >
> > > You're right, Michael. But as a nation it's our fault. We didn't give
> > > BofA enough bailout money to do security right!
> > >
> > > SteveT
> > >
> > >
> > > On Sun, 21 Dec 2014 12:52:54 -0500
> > > Michael Kimsal <mgkimsal at gmail.com> wrote:
> > >
> > > > You are a difficult customer. Come on - they have real Security
> > > > Experts(tm) on staff. You're just some Joe off the street(tm) - how
> > > > can you possibly know anything how complex bank security *really*
> > > > is? These are Big Problems(tm). They are going to require Big
> > > > Solutions(tm), and will involve another decade of work, will require
> > > > billions to execute, and still won't be secure, but they can prove
> > > > they're Doing Something(tm).
> > > >
> > > > Yes, I'm a bit trademark crazy this morning.
> > > >
> > > > On Sun, Dec 21, 2014 at 12:39 PM, Joseph Mack NA3T
> > > > <jmack at austintek.com> wrote:
> > > >
> > > > > With concerns about social engineering as a method of breaking
> > > > > security, I was not impressed with my interaction with BofA this
> > > > > morning.
> > > > >
> > > > > o I got a phone call from someone from BofA about a problem with my
> > > > > credit card (last 4 digits given). I asked how I know he was from
> > > > > BofA. He said "we can discuss that if you like" and then changed
> > > > > the subject. I assumed I had a phisher. I hung up.
> > > > >
> > > > > o I concluded someone not from BofA had my credit card number and
> > > > > phone number. I couldn't imagine why such a person would call.
> > > > >
> > > > > o I called BofA to tell them that I'd got a phone call from someone
> > > > > pretending to be from BofA, who had my credit card number and phone
> > > > > number, but who wouldn't prove they were from BofA.
> > > > >
> > > > > o I found that indeed there had been fraud. Someone has been going
> > > > > around various grocery stores and pharmacies in Oxford and
> > > > > Creedmore (places I don't go) and rung up $1k on my account (which
> > > > > BofA is going to credit me) being $200 at each of 5 places. How
> > > > > they managed to do that I don't know. I thought you had to show
> > > > > them your card.
> > > > >
> > > > > o They cancelled my card and said I'd get a new one in 5-7 business
> > > > > days. I asked them to overnight me a card. After some
> > > > > to-and-fro'ing they said they'd send one by Tues.
> > > > >
> > > > > HERE'S THE CRITICAL PART
> > > > >
> > > > > o I asked why someone would call me purporting to be from BofA, but
> > > > > would offer no proof and then changed the subject as if identifying
> > > > > themselves was irrelevant to investigating fraud.
> > > > >
> > > > > Answer: this WAS a call from BofA. They weren't pretending to be
> > > > > from BofA. She said there is no possible way of proving they are
> > > > > from BofA. She then asked me how they could possibly prove they are
> > > > > from BofA as if to show me that it was not possible.
> > > > >
> > > > > I pointed out that parties identifying each other is a big part of
> > > > > security and that there are many ways of doing so. I gave an
> > > > > example. The caller could say "Call the BofA number on the back of
> > > > > the card. Tell them you are calling to check on fraud on your card.
> > > > > If you like, you can give them this case number xxxx. Thank you.
> > > > > Have a good day."
> > > > >
> > > > > She wouldn't accept that this was possible. They don't have case
> > > > > numbers. She then explained what was supposed to happen and what
> > > > > did happen.
> > > > >
> > > > > I stopped her. I said that I wasn't interested in what she thought
> > > > > happened this morning or what was supposed to happen. The only thing
> > > > > that was relevant was that I got a phone call from someone
> > > > > purporting to be from BofA who couldn't prove he was from BofA and
> > > > > then was evasive.
> > > > >
> > > > > She said that she would register my concern. From the tone of her
> > > > > voice, I detected that she thought I was a difficult customer.
> > > > >
> > > > > Joe
> > > > >
> > > > > --
> > > > > Joseph Mack NA3T EME(B,D), FM05lw North Carolina
> > > > > jmack (at) austintek (dot) com - azimuthal equidistant
> > > > > map generator at http://www.wm7d.net/azproj.shtml
> > > > > Homepage http://www.austintek.com/ It's GNU/Linux!
> > > > > --
> > > > > This message was sent to: mgkimsal at gmail.com <mgkimsal at gmail.com>
> > > > > To unsubscribe, send a blank message to trilug-leave at trilug.org
> > > > > from that address.
> > > > > TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
> > > > > Unsubscribe or edit options on the web :
> > > > > http://www.trilug.org/mailman/options/trilug/mgkimsal%40gmail.com
> > > > > Welcome to TriLUG: http://trilug.org/welcome