The information provided on this website does not, and is not intended to, act as legal, financial or credit advice; instead, it is for general informational purposes only. Information on this website may not be current. This website may contain links to other third-party websites. Such links are only for the convenience of the reader, user or browser; we do not recommend or endorse the contents of any third-party sites. Readers of this website should contact their attorney, accountant or credit counselor to obtain advice with respect to their particular situation. No reader, user, or browser of this site should act or not act on the basis of information on this site. Always seek personal legal, financial or credit advice for your relevant jurisdiction. Only your individual attorney or advisor can provide assurances that the information contained herein – and your interpretation of it – is applicable or appropriate to your particular situation. Use of, and access to, this website or any of the links or resources contained within the site do not create an attorney-client or fiduciary relationship between the reader, user, or browser and website owner, authors, contributors, contributing firms, or their respective employers.
Credit.com receives compensation for the financial products and services advertised on this site if our users apply for and sign up for any of them. Compensation is not a factor in the substantive evaluation of any product.
“The trouble with this system is that hackers, crooks, suspicious spouses, or nosy neighbors can access your credit card information using the same method the reporters from the British tabloid used to break into subjects’ voicemail accounts,” Edgar Dworsky, founder of ConsumerWorld.org, says in a press release. “This is far more serious, however, since consumers’ financial information and privacy are at risk.”
The investigation determined that two banks, Chase and Bank of America, have security vulnerabilities. Bank representatives disagree with Dworsky’s assessment, saying that even if hackers do compromise their systems, the thieves won’t get very far.
[Related article: On Cell Phone Hacking and Privacy: A Modest Proposal for Mr. Murdoch]
“In addition to at least two levels of authentication required to access what is very limited information over the automated voice system, we have additional security controls in place to detect potential abuse of the automated system,” says Betty Riess, a BofA spokeswoman.
Likewise, Chase says the risk of such an attack is “minimal,” according to a prepared statement by Chase spokeswoman Christine Holevas.
Dworsky teamed up with New York Times reporter Ron Lieber to test the security of the banks’ automated systems. Using just Lieber’s zip code and the last four digits of his credit card account numbers, Dworsky managed to enter the phone systems of both Chase and Bank of America. Chase granted Dworsky access every time he tried, whereas BofA occasionally denied him. See the Times story here.
At both banks, Dworsky was able to find the cardholder’s credit limit, account balance, recent payment history. Bank of America sometimes revealed specific merchants’ names where purchases were made.
[Featured Tool: Get your free Credit Report Card from Credit.com]
In both cases, the flaw is that the phone systems grant access with just the customers’ zip code and the last four digits of their account, both of which are easily obtained by thieves, either by rummaging through wastebaskets in retail stores or trash cans behind victims’ houses.
“It would be so simple for Chase and Bank of America to immediately require full account numbers when Visa and Mastercard cardholders access their system, and that would help thwart all but the most conniving of hackers,” Dworsky says. “Requiring a password would further enhance security too.”
But officials at Bank of America worry that adding too many hoops for customer authentication could provoke customer backlash.
“One of the top reasons customers use the automated system is because they want to quickly check account status and transaction information,” Riess said in a statement emailed to Credit.com. “Our objective is to balance customers’ need for convenience and quick access to general information with industry best protection of their accounts.”
[Featured Product: Looking for credit cards for good credit]
Image: Trace Meek, via Flickr.com
April 9, 2024
Credit Cards
October 21, 2020
Credit Cards
August 3, 2020
Credit Cards