mouse print* Deal Alerter
Consumer World
menu

GO

Major Security Flaw Discovered
in Leading Banks' Credit Card Information Systems

CONTENTS

Site Search



SHOPPING
Product Reviews
Compare Prices
Car Buying
Catalogs
Stores

BARGAINS
Discount Shops
Computers
Discount Travel
$$$ Deals

CONSUMER RESOURCES
Directories
Booklets
Buying Info
Health
Home
Reference
Automobile
Legal
Fun

MONEY
Investments
Money Matters
Insurance
Credit/Bank

CONSUMER AGENCIES
Federal Agencies
State Agencies
Intern'l Orgs. Consumer Orgs.

COMPANIES
Online Cust Serv
Auto Mfrs.
Product Info

TRAVEL
Air, Hotel
Bed & Breakfast Destinations

NEWS
Scam Alerts
Recalls
Newspapers Mags

INTERNET
What's New Lists
Search Engines
Wonders
References
Computer Resources

REGISTER
for
Newsletter


Back to Homepage

Technique Used by UK Tabloid to Hack Voicemail
Can Expose Credit Card Info Too!

credit cards(BOSTON, August 19, 2011) -- If you have a credit card issued by Chase or Bank of America, two of the leading card issuers1 in the United States, your personal financial information may be vulnerable to hackers because of a major security flaw discovered by Boston consumer advocate Edgar Dworsky, founder of Consumer World. Your credit limit, outstanding balance, recent payment history, and an itemized list of recent charges can in many cases be accessed with relative ease by anyone simply by making a phone call.

According to Dworsky, the security loophole is in the 24-hour a day automated telephone account information systems used by some card issuers that allow cardholders to check the activity on their accounts. When a cardholder calls the customer service number on the back of the card from their home telephone, the bank verifies the caller ID of the call against their account records. If the phone number matches one on record, some banks shortcut further security checks and only ask for the last four digits of the account number rather than the whole number, and possibly also request the cardholder's zip code.

And therein lies the flaw. The system can be easily tricked by a hacker who "spoofs" the caller ID of the telephone used to call the bank, making it appear to be from the consumer's home phone. Now, only the last four digits of the account number are needed to gain access, which can be easily found on a discarded sales receipt from virtually any retail store.

"The trouble with this system is that hackers, crooks, suspicious spouses, or nosy neighbors can access your credit card information using the same method the reporters from that British tabloid used to break into subjects' voicemail accounts," explained Dworsky. "This is far more serious, however, since consumers' financial information and privacy are at risk."

To test the vulnerability of the banks' telephone systems, Dworsky first tested his own credit cards to determine which banks shortcut security by only requiring the last four digits of the card number to be entered.

Capital One, Citi, and American Express all appeared to require entire card numbers to be entered even when calling from home, and thus were more secure. Chase and some cards issued by Bank of America, however, only required the last four digits of the card number. Chase also required the cardholder's zip code, but Bank of America only asked for it sometimes.

Dworsky then asked friends and a New York Times reporter for permission to test the vulnerability of their accounts and to provide him with a recent sales receipt or the last four digits of their credit card numbers. In minutes, he was able to trick the bank's system into believing he was calling from their home phone numbers, and merely had to enter the last four digits of their card numbers and their zip codes to gain access.

Once into Chase's system, for example, Dworsky was given options to hear how much of his volunteers' credit lines were used and still available, how much their last bill was, when it was paid and in what amount, and recent purchases made with the card including the date, amount, and purpose, such as for doctors, hospital charges, drugstore and clothing purchases, and hotel stays. Dworsky discovered that Bank of America's system sometimes also reveals the specific names of merchants where the card was used.

Armed with specific purchase and payment information gleaned from a consumer's account, a thief could call the cardholder posing as a bank employee, and attempt to get them to reveal their entire account number and security code. With that, ID theft or credit card fraud could be facilitated.

Dworsky says his goal in exposing the banks' security flaw is to get them to implement better safeguards for cardholders. "It would be so simple for Chase and Bank of America to immediately require full account numbers when Visa and Mastercard cardholders access their system, and that would help thwart all but the most conniving of hackers. Requiring a password would further enhance security too."

Dworsky became interested in checking the security of banks' credit card information systems after reading a recent Boston Globe story revealing that most U.S. cellphone customers' voicemail accounts were vulnerable to intruders in the same way that News of the World reporters hacked into such cell accounts in London. "I saw that and wondered if credit card accounts were similarly vulnerable, and unfortunately the answer was 'yes' in some cases," said Dworsky.

FCC rules go into effect today making it illegal to transmit misleading or inaccurate caller ID information with intent to defraud or harm another.

1 The Nilson Report, February 2011



Return to Consumer World.

HOT SITES


*New Sites*
Just Added Here

hot deals

Car Prices
Find Dealers' Cost for Cars

Low Rate Credit Cards

2.5˘ Long Dist.
No Monthly Min.++

Check Prices
Find Low Prices

Mortgage Rates

Air Deals
This weekend

Better Business Bureau

BizRate
Online stores' ratings

Product Reviews

Find Products
by features

Compare Prices

What's On Sale?

Lemon Check®
Used car histories++

Consumer Booklets

Consumer Rights

Home Prices
Check City Sales Records

MAIN | News | Agencies | Resources | Companies | Travel | Money | Bargains | Shopping | Internet | Search

Copyright © 1995-2013 Consumer World®. All rights reserved. Duplication of the collection of links herein, or any portion thereof, is strictly prohibited. 26576