[TriLUG] OT: lack of security at BofA
Pete Soper
pete at soper.us
Sun Dec 21 19:17:37 EST 2014
They make it a bit hard to use, but overall my wife and I have found
the virtual credit card mechanism Citibank VISA offers to be a huge
asset. These are single-transaction credit card number/expiration/CVV2s
that are dispensed on demand and that you can use for any on-line or
phone transaction. (In theory you could use it at a store front, but
they'd have to manually key it in). If somebody tries to use the number
for a second transaction they get rejected in the simple case or bust
themselves otherwise. (Unfortunately, this means that you must be
mindful of this situation when ordering multiple things from vendors
like Amazon that will break multi-source orders up into multiple
transactions. So far it seems totally OK to blunder with this and feed
the additional virtual numbers into follow-up transactions).
So we use our bank debit card for the grocery store type stuff and
virtual credit cards for online and occasionally the actual credit card
for in-store transactions. But the hard rule it to avoid using the real
credit card if at all possible.
As for security, Citibank has been very proactive with us over the
years. For example they've called to confirm things are OK when one of
us is charging stuff here and the other is charging stuff in the UK
using the card. The two pre-virtual episodes we had long ago with actual
fraud were handled very efficiently. I don't recall talking to a
Citibank person and thinking "this person is an idiot or has a terrible
script" such as I experience 99.7% of the time I talk to AT&T.
We haven't had to get new cards at more than the usual rate, except
for a couple occasions during the pre-virtual days and one time when I
lost a card. So far it's been 23 years of satisfaction.
If you get excited about this, keep in mind the "bit hard to use"
detail. Essentially, if you try to dispense a virtual credit card number
with a web transaction in a "surprising" place (essentially a different
IP address) they decide to put their extra special authentication in
place on top of all the usual secure web layer. If they can't text or
robot-phone you a magic number to use to complete the transaction,
you're hosed. So forget using this mechanism in foreign countries where
they can't text or phone you. Otherwise, it's absolutely fabulous. :-)
(My strategy for this is to dispense a set of numbers that I write down
on paper [GASP!] and carry with me.)
-Pete
On 12/21/2014 06:10 PM, Joseph Mack NA3T wrote:
> On Sun, 21 Dec 2014, Justis Peters wrote:
>
>> It's a calculated risk. They have budget assigned to cover the losses
>> on fraud. Their bureaucracy adapts only when a pattern emerges which
>> creates a risk of loss they can't afford to cover.
>
> This is what I've heard too. The numbers show that fraud must cost
> them a lot.
>
> BofA lost $1000 in an hour yesterday on my account. If BofA charges
> the vendor 2% (I don't know how much it is, but this will do for the
> moment. Assume a spherical credit card). I will need to run 50k$
> through this card for them to make the money back. This will take me
> about 5yrs. BofA sends me a new card with a new number about every
> year, because of fraudulent activity on my card. I expect they're
> making a loss on me.
>
> As Steve says, they should have got a bigger bailout.
>
> Tim at Intrex says that people make cards up once they have your info.
> My card has a chip in it, which is supposed to prevent duplication.
> However I find from wikipedia that this chip is an alternative to the
> magnetic stripe rather than in addition to the stripe and is not in
> common use in the US.
>
> Joe
>