Armed with little more than your phone number, your ZIP code and the last four digits of your card, an attacker can pull up your BofA or Chase credit card purchase history, and maybe more.
According to an investigation by consumer advocate Edgar Dworsky, founder of ConsumerWorld.org, a security flaw in both Chase's (NYSE:JPM) and Bank of America's (NYSE:BAC) telephone access systems makes it relatively easy to surreptitiously access private account information.
While many banks and card issuers offer telephone access to account information, most have more security features than Chase and Bank of America. Both banks grant access to account information if the incoming call appears to come from the cardholder's phone number. That appearance is easy to fake: widely available online caller-ID spoofing services disguise the actual origin of a call as whatever number the caller chooses, so the displayed number proves nothing about who is on the line.
In fact, according to Dworsky, caller-ID spoofing is exactly how reporters from News of the World managed to hack celebrities' and kidnapping victims' voicemail accounts: simply by appearing to call from the phone number associated with the voicemail account.
Only BofA and Chase Exhibit These Flaws
According to Dworsky, Bank of America and Chase are alone in having this flaw because they require only the last four digits of the card number and the cardholder's ZIP code to access account information, so long as the call appears to come from the number associated with the account. None of those three pieces of information is secret: the last four digits are printed on every receipt, the ZIP code is part of a mailing address, and the phone number can be spoofed.
Dworsky tested his suspicions about the security of Bank of America and Chase’s phone systems by asking friends for the last four digits of their card number, and quickly managed to access private account information, like recent purchases, credit limits, and outstanding balances.
He was not, however, able to issue new cards or debit the accounts he accessed. In that sense the flaw is limited to information disclosure rather than direct theft.
Dworsky was most troubled, it seems, by Bank of America's system, which lets a caller learn the "specific names of merchants where the card was used." Chase's system, on the other hand, divulges only the category of the purchase (liquor store, motel, and so on), which gives a caller far less to work with.
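To make the two points above concrete (that caller ID is an attacker-controlled input rather than an authentication factor, and that merchant-level disclosure leaks more than category-level disclosure), here is an added example that models the phone-access policy described in this article. It is illustrative code written for this page, not code from either bank or from ConsumerWorld; the account data, phone numbers, card digits, PIN and transactions are all constructed, and the hardened policy (a caller-chosen PIN plus an attempt lockout) is an assumed remedy, not one the article reports either bank adopting.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Account:
    phone: str              # number on file; a spoofing service can present it as caller ID
    card_last4: str         # printed on every receipt
    zip_code: str           # part of the mailing address, easy to look up
    pin_hash: bytes         # hash of a PIN the cardholder chose; not derivable from the card
    transactions: List[Tuple[str, str, float]]   # (merchant, category, amount), constructed
    failed_pin_attempts: int = 0


@dataclass
class Call:
    ani: str                # caller ID as presented to the IVR; attacker-chosen when spoofed
    last4: str
    zip_code: str
    pin: Optional[str] = None


def hash_pin(pin: str) -> bytes:
    # Toy hashing for the example; a real system would use a slow KDF such as argon2/bcrypt.
    return hashlib.sha256(pin.encode()).digest()


def weak_policy(acct: Account, call: Call) -> bool:
    """The policy the article describes: caller ID match + last four digits + ZIP code.
    Every input is either public or attacker-controlled."""
    return (call.ani == acct.phone
            and call.last4 == acct.card_last4
            and call.zip_code == acct.zip_code)


MAX_PIN_ATTEMPTS = 3


def hardened_policy(acct: Account, call: Call) -> bool:
    """Assumed remedy: caller ID is at most a routing hint and is never checked as a
    factor. Access requires a secret the caller must know, and repeated wrong
    guesses lock the phone channel for that account."""
    if acct.failed_pin_attempts >= MAX_PIN_ATTEMPTS:
        return False
    if call.pin is None or call.last4 != acct.card_last4:
        return False
    if not hmac.compare_digest(hash_pin(call.pin), acct.pin_hash):
        acct.failed_pin_attempts += 1
        return False
    acct.failed_pin_attempts = 0
    return True


def recent_activity(acct: Account, reveal_merchants: bool) -> List[Tuple[str, float]]:
    """Merchant-name disclosure (as the article describes for BofA) versus
    category-only disclosure (as it describes for Chase)."""
    if reveal_merchants:
        return [(merchant, amount) for merchant, _, amount in acct.transactions]
    return [(category, amount) for _, category, amount in acct.transactions]


def demo() -> dict:
    victim = Account(
        phone="+15555550100", card_last4="4242", zip_code="02134",
        pin_hash=hash_pin("7391"),
        transactions=[("Example Liquor Mart", "liquor store", 23.10),
                      ("Roadside Motel #12", "motel", 89.00)],
    )
    # The attacker spoofs the victim's number and keys in digits read off a receipt.
    spoofed = Call(ani=victim.phone, last4="4242", zip_code="02134")
    return {
        "weak_grants_spoofed_call": weak_policy(victim, spoofed),
        "hardened_grants_spoofed_call": hardened_policy(victim, spoofed),
        "merchant_names_leaked": recent_activity(victim, reveal_merchants=True),
        "categories_only": recent_activity(victim, reveal_merchants=False),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the weak policy admitting the spoofed call while the hardened policy rejects it, and the category-only view dropping the merchant names that an attacker would later quote back to the cardholder in a pretext call. Note that the hardened policy also admits a caller whose displayed number does not match the account at all, provided they know the PIN: that is deliberate, because once caller ID is known to be forgeable it should neither grant nor be relied on to deny access.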
Dworsky fears that thieves, “[a]rmed with specific purchase and payment information gleaned from a consumer’s account…could call the cardholder posing as a bank employee, and attempt to get them to reveal their entire account number and security code.”
“With that,” writes ConsumerWorld, “ID theft or credit card fraud could be facilitated.” He also points out that, in addition to hackers, “suspicious spouses” could also abuse the loophole.
Phone Spoofing is Technically Legal
As of now, caller-ID spoofing itself is not illegal, though the Truth in Caller ID Act, which President Obama signed into law in 2010, makes it illegal to use such services "with the intent to defraud, cause harm, or wrongfully obtain anything of value."
But ultimately the responsibility for protecting consumers falls on the banks, not on laws that can only help after the fact, should a scammer be caught doing something that is already illegal: stealing money. In exposing the flaw, Dworsky hopes to push Bank of America and Chase to implement better security features.