[TriLUG] OT: lack of security at BofA

Pete Soper pete at soper.us
Sun Dec 21 19:17:37 EST 2014


   They make it a bit hard to use, but overall my wife and I have found 
the virtual credit card mechanism Citibank VISA offers to be a huge 
asset. These are single-transaction credit card number/expiration/CVV2s 
that are dispensed on demand and that you can use for any on-line or 
phone transaction. (In theory you could use it at a store front, but 
they'd have to manually key it in). If somebody tries to use the number 
for a second transaction they get rejected in the simple case or bust 
themselves otherwise. (Unfortunately, this means that you must be 
mindful of this situation when ordering multiple things from vendors 
like Amazon that will break multi-source orders up into multiple 
transactions. So far it seems totally OK to blunder with this and feed 
the additional virtual numbers into follow-up transactions).
    So we use our bank debit card for the grocery store type stuff and 
virtual credit cards for online and occasionally the actual credit card 
for in-store transactions. But the hard rule is to avoid using the real 
credit card if at all possible.
   As for security, Citibank has been very proactive with us over the 
years. For example they've called to confirm things are OK when one of 
us is charging stuff here and the other is charging stuff in the UK 
using the card. The two pre-virtual episodes we had long ago with actual 
fraud were handled very efficiently. I don't recall talking to a 
Citibank person and thinking "this person is an idiot or has a terrible 
script" such as I experience 99.7% of the time I talk to AT&T.
    We haven't had to get new cards at more than the usual rate, except 
for a couple occasions during the pre-virtual days and one time when I 
lost a card. So far it's been 23 years of satisfaction.
   If you get excited about this, keep in mind the "bit hard to use" 
detail. Essentially, if you try to dispense a virtual credit card number 
with a web transaction in a "surprising" place (essentially a different 
IP address) they decide to put their extra special authentication in 
place on top of all the usual secure web layer. If they can't text or 
robot-phone you a magic number to use to complete the transaction, 
you're hosed. So forget using this mechanism in foreign countries where 
they can't text or phone you. Otherwise, it's absolutely fabulous. :-) 
(My strategy for this is to dispense a set of numbers that I write down 
on paper [GASP!] and carry with me.)
-Pete

On 12/21/2014 06:10 PM, Joseph Mack NA3T wrote:
> On Sun, 21 Dec 2014, Justis Peters wrote:
>
>> It's a calculated risk. They have budget assigned to cover the losses 
>> on fraud. Their bureaucracy adapts only when a pattern emerges which 
>> creates a risk of loss they can't afford to cover.
>
> This is what I've heard too. The numbers show that fraud must cost 
> them a lot.
>
> BofA lost $1000 in an hour yesterday on my account. If BofA charges 
> the vendor 2% (I don't know how much it is, but this will do for the 
> moment. Assume a spherical credit card). I will need to run 50k$ 
> through this card for them to make the money back. This will take me 
> about 5yrs. BofA sends me a new card with a new number about every 
> year, because of fraudulent activity on my card. I expect they're 
> making a loss on me.
>
> As Steve says, they should have got a bigger bailout.
>
> Tim at Intrex says that people make cards up once they have your info. 
> My card has a chip in it, which is supposed to prevent duplication. 
> However I find from wikipedia that this chip is an alternative to the 
> magnetic stripe rather than in addition to the stripe and is not in 
> common use in the US.
>
> Joe
>


