[TriLUG] OT: lack of security at BofA

Justis Peters justis.peters at gmail.com
Sun Dec 21 13:50:26 EST 2014


It's a calculated risk. They have budget assigned to cover the losses on
fraud. Their bureaucracy adapts only when a pattern emerges which creates a
risk of loss they can't afford to cover.

Kind regards,
Justis

On Sun, Dec 21, 2014 at 1:41 PM, Hrivnak, Michael <mhrivnak at hrivnak.org>
wrote:
>
> Shortly after I became treasurer for an arts-related nonprofit, I had to
> call the bank with a question about the checking account. It was the first
> time I'd done so, and I wasn't sure how they'd want to authenticate me.
> They asked me three questions, all of which I answered based purely on
> public knowledge. One was, "In what city was this account opened", and I
> guessed it's the city where the nonprofit was founded (Durham). I don't
> recall the second question, but the last question was for the tax ID, which
> by law is a matter of public record. I literally looked it up on
> guidestar.com while they waited on the phone, and I told them as much. I
> told them that many nonprofits even put that right on the website to make
> donations easier!
>
> Similarly, the person on the phone didn't care. What a shame.
>
> Michael
>
> On Sun, Dec 21, 2014 at 1:19 PM, Jonathan Mainguy <jon at jmainguy.com>
> wrote:
> >
> > By using a credit card
> > On Dec 21, 2014 1:17 PM, "Scott Lambdin" <lopaki at gmail.com> wrote:
> >
> > > At Wells Fargo, you can have a temp card on the spot at a branch.  I
> > > mean, how can you live without one?
> > >
> > > --Scott
> > >
> > > On Sun, Dec 21, 2014 at 12:56 PM, Steve Litt <slitt at troubleshooters.com>
> > > wrote:
> > >
> > > > You're right, Michael. But as a nation it's our fault. We didn't give
> > > > BofA enough bailout money to do security right!
> > > >
> > > > SteveT
> > > >
> > > >
> > > > On Sun, 21 Dec 2014 12:52:54 -0500
> > > > Michael Kimsal <mgkimsal at gmail.com> wrote:
> > > >
> > > > > You are a difficult customer.  Come on - they have real Security
> > > > > Experts(tm) on staff.  You're just some Joe off the street(tm) - how
> > > > > can you possibly know anything about how complex bank security *really*
> > > > > is?  These are Big Problems(tm).  They are going to require Big
> > > > > Solutions(tm), and will involve another decade of work, will require
> > > > > billions to execute, and still won't be secure, but they can prove
> > > > > they're Doing Something(tm).
> > > > >
> > > > > Yes, I'm a bit trademark crazy this morning.
> > > > >
> > > > > On Sun, Dec 21, 2014 at 12:39 PM, Joseph Mack NA3T
> > > > > <jmack at austintek.com> wrote:
> > > > >
> > > > > > With concerns about social engineering as a method of breaking
> > > > > > security, I was not impressed with my interaction with BofA this
> > > > > > morning.
> > > > > >
> > > > > > o I got a phone call from someone from BofA about a problem with my
> > > > > > credit card (last 4 digits given). I asked how I know he was from
> > > > > > BofA. He said "we can discuss that if you like" and then changed
> > > > > > the subject. I assumed I had a phisher. I hung up.
> > > > > >
> > > > > > o I concluded someone not from BofA had my credit card number and
> > > > > > phone number. I couldn't imagine why such a person would call.
> > > > > >
> > > > > > o I called BofA to tell them that I'd got a phone call from someone
> > > > > > pretending to be from BofA, who had my credit card number and phone
> > > > > > number, but who wouldn't prove they were from BofA.
> > > > > >
> > > > > > o I found that indeed there had been fraud. Someone has been going
> > > > > > around various grocery stores and pharmacies in Oxford and
> > > > > > Creedmoor (places I don't go) and rung up $1k on my account (which
> > > > > > BofA is going to credit me) being $200 at each of 5 places. How
> > > > > > they managed to do that I don't know. I thought you had to show
> > > > > > them your card.
> > > > > >
> > > > > > o they cancelled my card and said I'd get a new one in 5-7 business
> > > > > > days. I asked them to overnight me a card. After some
> > > > > > to-and-fro'ing they said they'd send one by Tues.
> > > > > >
> > > > > > HERE'S THE CRITICAL PART
> > > > > >
> > > > > > o I asked why someone would call me purporting to be from BofA, but
> > > > > > would offer no proof and then changed the subject as if identifying
> > > > > > themselves was irrelevant to investigating fraud.
> > > > > >
> > > > > > Answer: this WAS a call from BofA. They weren't pretending to be
> > > > > > from BofA. She said there is no possible way of proving they are
> > > > > > from BofA. She then asked me how they could possibly prove they are
> > > > > > from BofA as if to show me that it was not possible.
> > > > > >
> > > > > > I pointed out that parties identifying each other is a big part of
> > > > > > security and that there are many ways of doing so. I gave an
> > > > > > example. The caller could say "Call the BofA number on the back of
> > > > > > the card. Tell them you are calling to check on fraud on your card.
> > > > > > If you like, you can give them this case number xxxx. Thank you.
> > > > > > Have a good day."
> > > > > >
> > > > > > She wouldn't accept that this was possible. They don't have case
> > > > > > numbers. She then explained what was supposed to happen and what
> > > > > > did happen.
> > > > > >
> > > > > > I stopped her. I said that I wasn't interested in what she thought
> > > > > > happened this morning or what was supposed to happen. The only thing
> > > > > > that was relevant was that I got a phone call from someone
> > > > > > purporting to be from BofA who couldn't prove he was from BofA and
> > > > > > then was evasive.
> > > > > >
> > > > > > She said that she would register my concern. From the tone of her
> > > > > > voice, I detected that she thought I was a difficult customer.
> > > > > >
> > > > > > Joe
> > > > > >
> > > > > > --
> > > > > > Joseph Mack NA3T EME(B,D), FM05lw North Carolina
> > > > > > jmack (at) austintek (dot) com - azimuthal equidistant
> > > > > > map generator at http://www.wm7d.net/azproj.shtml
> > > > > > Homepage http://www.austintek.com/ It's GNU/Linux!
> > > > > > --
> > > > > > This message was sent to: mgkimsal at gmail.com <mgkimsal at gmail.com>
> > > > > > To unsubscribe, send a blank message to trilug-leave at trilug.org
> > > > > > from that address.
> > > > > > TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
> > > > > > Unsubscribe or edit options on the web  :
> > > > > > http://www.trilug.org/mailman/options/trilug/mgkimsal%40gmail.com
> > > > > > Welcome to TriLUG: http://trilug.org/welcome
>

