SEATTLE -- There's a warning for anyone with a credit card from two of the nation's largest banks.
A security loophole could make your information vulnerable to criminals.
This has to do with those automated telephone account information systems all the banks have. They sure are convenient. At Chase and Bank of America, they could be a little too easy to use.
"I was shocked at how easy it was to get into the accounts of other people. I had their permission, so I didn't do anything illegal," said Edgar Dworsky, consumer advocate and founder of website ConsumerWorld.org.
But he proved his point.
Here's the flaw he uncovered. When you call a bank's automated credit card account information system, the computer uses caller ID to compare the number you're calling from with the one on the account,usually your home phone.
At Bank of America and Chase, if the phone number is a match, the verification process is streamlined. You don't have to enter the entire 16 digits of the credit card; in most cases, all you need is the last four numbers -- something that can be found on any credit card receipt.
"This is people's personal information," Dworsky said. "No one has a right but me or someone I authorize to go into my account and hear what my credit line is, where I've been shopping, what I bought. to allow hackers in because of this security loophole is really pretty bad."
In order for someone to take advantage of this security loophole, the hacker would have to trick the bank's computer to make it appear the call is coming from your home phone.
Internet spoofing sites make this incredibly easy to do, as I discovered when I did a test and broke into Dworsky's account with his permission. Hackers know all about these sites.
I asked Chase and Bank of America to comment on this. Both said they take customer security very seriously, have procedures in place to detect fraud. And they do not think Dworsky's scenario is a significant security threat.
So how can this hurt you? Security experts tell me identity thieves can use these details they get from that automated credit card phone system to trick you into giving up valuable information, such as your security number or full account number. believe me, they have ways to do it.
The security protocol is stricter at Capital One, Citi and American Express. They all require the entire card number to be entered every time, no matter where the call is placed from, Dworsky would like to see Chase and Bank of America do the same thing.
A security loophole could make your information vulnerable to criminals.
This has to do with those automated telephone account information systems all the banks have. They sure are convenient. At Chase and Bank of America, they could be a little too easy to use.
"I was shocked at how easy it was to get into the accounts of other people. I had their permission, so I didn't do anything illegal," said Edgar Dworsky, consumer advocate and founder of website ConsumerWorld.org.
But he proved his point.
Here's the flaw he uncovered. When you call a bank's automated credit card account information system, the computer uses caller ID to compare the number you're calling from with the one on the account,usually your home phone.
At Bank of America and Chase, if the phone number is a match, the verification process is streamlined. You don't have to enter the entire 16 digits of the credit card; in most cases, all you need is the last four numbers -- something that can be found on any credit card receipt.
"This is people's personal information," Dworsky said. "No one has a right but me or someone I authorize to go into my account and hear what my credit line is, where I've been shopping, what I bought. to allow hackers in because of this security loophole is really pretty bad."
In order for someone to take advantage of this security loophole, the hacker would have to trick the bank's computer to make it appear the call is coming from your home phone.
Internet spoofing sites make this incredibly easy to do, as I discovered when I did a test and broke into Dworsky's account with his permission. Hackers know all about these sites.
I asked Chase and Bank of America to comment on this. Both said they take customer security very seriously, have procedures in place to detect fraud. And they do not think Dworsky's scenario is a significant security threat.
So how can this hurt you? Security experts tell me identity thieves can use these details they get from that automated credit card phone system to trick you into giving up valuable information, such as your security number or full account number. believe me, they have ways to do it.
The security protocol is stricter at Capital One, Citi and American Express. They all require the entire card number to be entered every time, no matter where the call is placed from, Dworsky would like to see Chase and Bank of America do the same thing.
0 komentar:
Post a Comment