Using relatively simple techniques, hackers can tap into some banks’ automated telephone customer service lines and determine balances and account histories, according to an investigation by a prominent consumer advocate.
“The trouble with this system is that hackers, crooks, suspicious spouses, or nosy neighbors can access your credit card information using the same method the reporters from the British tabloid used to break into subjects’ voicemail accounts,” Edgar Dworsky, founder of ConsumerWorld.org, says in a press release. “This is far more serious, however, since consumers’ financial information and privacy are at risk.”
The investigation found that the automated phone systems of two banks, Chase and Bank of America, can be entered with account details that are not secret. Representatives of both banks disagree with Dworsky’s assessment, saying that even if intruders do get into the automated systems, they won’t get very far.
“In addition to at least two levels of authentication required to access what is very limited information over the automated voice system, we have additional security controls in place to detect potential abuse of the automated system,” says Betty Riess, a BofA spokeswoman.
Likewise, Chase says the risk of such an attack is “minimal,” according to a prepared statement by Chase spokeswoman Christine Holevas.
Dworsky teamed up with New York Times reporter Ron Lieber to test the security of the banks’ automated systems. Using only Lieber’s zip code and the last four digits of his credit card numbers, Dworsky got into the automated phone systems of both Chase and Bank of America. Chase let him in every time he tried, whereas BofA occasionally denied him.
At both banks, Dworsky was able to learn the cardholder’s credit limit, account balance and recent payment history. Bank of America sometimes also revealed the names of specific merchants where purchases were made.
In both cases, the flaw is that the phone systems grant access on nothing more than the customer’s zip code and the last four digits of the account number. Neither value is secret: a thief can pick both up by rummaging through wastebaskets in retail stores or trash cans behind victims’ houses, so they identify the account but do nothing to prove that the caller owns it.
“It would be so simple for Chase and Bank of America to immediately require full account numbers when Visa and Mastercard cardholders access their system, and that would help thwart all but the most conniving of hackers,” Dworsky says. “Requiring a password would further enhance security too.”
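To make the difference concrete, the following is an added example (not code from the article, Credit.com or either bank) that models the two schemes in Python: the weak check the article describes, which accepts a billing zip code and the last four card digits, beside a hardened check that requires the full card number and a PIN, stores the PIN as a salted PBKDF2 hash and locks the account after a few failures. The cardholder record, the PIN, the zip code and the store receipt are all constructed for the example; the card number is the standard Visa test number, not a real account.

```python
"""Model of a bank IVR (phone) authenticator. The weak scheme is the one the
article describes (billing ZIP plus last four card digits); the hardened
scheme requires the full card number and a PIN, stores the PIN as a salted
PBKDF2 hash, and locks the account after repeated failures. Added example;
the cardholder record and the receipt are constructed, not real data."""
import hashlib
import hmac
import re
import secrets

PBKDF2_ROUNDS = 100_000

# Constructed cardholder record. 4111111111111111 is the standard Visa test
# number; the ZIP and PIN are made up for this example.
PAN = "4111111111111111"
ZIP_CODE = "02134"
PIN = "4829"
PIN_SALT = secrets.token_bytes(16)
PIN_HASH = hashlib.pbkdf2_hmac("sha256", PIN.encode(), PIN_SALT, PBKDF2_ROUNDS)

# Constructed receipt of the kind a thief pulls from a store wastebasket:
# the card number is truncated to its last four digits, but the ZIP is
# printed in full.
RECEIPT = """ACME HARDWARE  123 MAIN ST  BOSTON MA 02134
VISA ************1111   AUTH 034271
TOTAL                        $42.17"""


def harvest_from_receipt(text: str) -> dict:
    """Extract the two values the weak IVR asks for from a discarded receipt."""
    last4 = re.search(r"\*{8,}(\d{4})", text).group(1)
    zip_code = re.search(r"\b[A-Z]{2}\s+(\d{5})\b", text).group(1)
    return {"last4": last4, "zip": zip_code}


def weak_ivr_auth(zip_code: str, last4: str) -> bool:
    """The scheme in the article: two public facts, no secret, no throttling."""
    return zip_code == ZIP_CODE and last4 == PAN[-4:]


class HardenedIVR:
    """Full PAN + PIN, PIN hashed at rest, lockout after MAX_ATTEMPTS failures."""

    MAX_ATTEMPTS = 3

    def __init__(self) -> None:
        self.failures = 0
        self.locked = False

    def auth(self, pan: str, pin: str) -> bool:
        if self.locked:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), PIN_SALT, PBKDF2_ROUNDS)
        # Check both factors unconditionally and in constant time, so neither
        # the response nor its timing reveals which factor was wrong.
        pan_ok = hmac.compare_digest(pan.encode(), PAN.encode())
        pin_ok = hmac.compare_digest(candidate, PIN_HASH)
        if pan_ok and pin_ok:
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.MAX_ATTEMPTS:
            self.locked = True
        return False


def simulate_attack() -> dict:
    """Replay a dumpster-diving attacker against both schemes."""
    stolen = harvest_from_receipt(RECEIPT)
    # Weak scheme: the receipt alone is enough to get in.
    weak_result = weak_ivr_auth(stolen["zip"], stolen["last4"])

    # Hardened scheme: the attacker knows the last four digits and can guess
    # the issuer prefix, but not the middle digits or the PIN. The lockout
    # ends the guessing after MAX_ATTEMPTS calls.
    ivr = HardenedIVR()
    attempts = []
    for middle in ("000000", "123456", "999999", "424242"):
        guess_pan = "411111" + middle + stolen["last4"]
        attempts.append(ivr.auth(guess_pan, "0000"))

    # The legitimate cardholder, on a fresh session, still gets in.
    legit_result = HardenedIVR().auth(PAN, PIN)
    return {
        "harvested": stolen,
        "weak_auth_with_receipt_data": weak_result,
        "hardened_attacker_attempts": attempts,
        "hardened_locked_out": ivr.locked,
        "hardened_legit_auth": legit_result,
    }


if __name__ == "__main__":
    for key, value in simulate_attack().items():
        print(f"{key}: {value}")
```

The point of the model is that zip code and last four digits are identifiers, not authenticators: the receipt gives the attacker everything the weak check asks for, while the hardened check leaves twelve unknown card digits plus a PIN behind a three-strike lockout. Real deployments would also throttle by calling number and log the lockout for fraud review, which the banks’ statements describe but the example does not model.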
But officials at Bank of America worry that adding too many hoops for customer authentication could provoke customer backlash.
“One of the top reasons customers use the automated system is because they want to quickly check account status and transaction information,” Riess said in a statement emailed to Credit.com. “Our objective is to balance customers’ need for convenience and quick access to general information with industry best protection of their accounts.”
Image: Trace Meek, via Flickr.com