Major Security Flaw Discovered in Leading Banks' Credit Card Information Systems
Boston consumer advocate Edgar Dworsky just discovered a security flaw in the automated phone systems reached by calling the number on the back of Chase and Bank of America credit cards. With a spoofed caller ID and a little finagling, an attacker can access other people's recent credit card activity, including their outstanding balance, available credit, the date and amount of their last payment, and individual purchase transactions.
According to Dworsky, the loophole is in the 24-hour automated telephone account information systems that some card issuers use to let cardholders check the activity on their accounts. When a cardholder calls the customer service number on the back of the card from their home telephone, the bank compares the incoming caller ID with the phone number on file. If the number matches, some banks treat the match as proof of identity and shortcut further checks, asking only for the last four digits of the account number rather than the whole number, and sometimes also for the cardholder's zip code.
And therein lies the flaw. Caller ID is supplied by the originating side of the call and is not authenticated anywhere along the way, so an attacker can "spoof" it and make the call appear to come from the consumer's home phone. Once the shortcut is triggered, only the last four digits of the account number are needed, and those are printed on virtually every retail sales receipt: receipts truncate the card number to protect the full number, which leaves the last four digits as the one part that is never secret.
"The trouble with this system is that hackers, crooks, suspicious spouses, or nosy neighbors can access your credit card information using the same method the reporters from that British tabloid used to break into subjects' voicemail accounts," explained Dworsky. "This is far more serious, however, since consumers' financial information and privacy are at risk."
To test the vulnerability of the banks' telephone systems, Dworsky first tested his own credit cards to determine which banks shortcut security by requiring only the last four digits of the card number to be entered.
Capital One, Citi, and American Express all appeared to require the entire card number to be entered even when calling from home, and thus did not offer this shortcut (though the full card number is itself known to every merchant and skimmer the card has passed through, so it is a weak secret on its own). Chase and some cards issued by Bank of America, however, required only the last four digits of the card number. Chase also required the cardholder's zip code, but Bank of America asked for it only sometimes.
Dworsky then asked friends and a New York Times reporter for permission to test the vulnerability of their accounts and to provide him with a recent sales receipt or the last four digits of their credit card numbers. In minutes, he was able to trick the bank's system into believing he was calling from their home phone numbers, and merely had to enter the last four digits of their card numbers and their zip codes to gain access.
Once into Chase's system, for example, Dworsky was given options to hear how much of his volunteers' credit lines were used and still available, how much their last bill was, when it was paid and in what amount, and recent purchases made with the card including the date, amount, and purpose, such as for doctors, hospital charges, drugstore and clothing purchases, and hotel stays. Dworsky discovered that Bank of America's system sometimes also reveals the specific names of merchants where the card was used.
Armed with specific purchase and payment information gleaned from a consumer's account, a thief could call the cardholder posing as a bank employee, cite those transactions to appear legitimate, and attempt to get them to reveal their entire account number and the three- or four-digit security code. With that, ID theft or credit card fraud could be facilitated.
Dworsky says his goal in exposing the banks' security flaw is to get them to implement better safeguards for cardholders. "It would be so simple for Chase and Bank of America to immediately require full account numbers when Visa and Mastercard cardholders access their system, and that would help thwart all but the most conniving of hackers. Requiring a password would further enhance security too."
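The authentication shortcut described above (a caller-ID match, then last four digits plus zip code) and the fix Dworsky proposes (full card number plus a password) can be modeled side by side. The Python below is an added illustration, not code from Chase, Bank of America, or Dworsky; the account record, phone numbers, test card number, policy names, and the salted PBKDF2 password scheme are all assumptions made for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    """Cardholder record as the IVR would see it (constructed, not real data)."""
    pan: str            # full card number; printed on the card and seen by every merchant
    home_phone: str     # phone number on file, matched against caller ID
    zip_code: str
    pw_salt: bytes      # salt for the IVR password (hardened policy only; an assumption)
    pw_hash: bytes      # PBKDF2 hash of that password


@dataclass
class Call:
    """What the IVR learns during one call."""
    caller_id: str                 # asserted by the originating side; spoofable
    digits: str                    # keyed in by the caller: last four or full PAN
    zip_code: Optional[str] = None
    password: Optional[str] = None


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_account(pan: str, home_phone: str, zip_code: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(pan, home_phone, zip_code, salt, hash_password(password, salt))


# Constructed sample cardholder; the card number is a well-known test PAN.
ACCOUNT = make_account("4111111111111111", "6175550123", "02134", "correct horse")
ACCOUNTS_BY_PHONE = {ACCOUNT.home_phone: ACCOUNT}
ACCOUNTS_BY_PAN = {ACCOUNT.pan: ACCOUNT}


def weak_policy(call: Call) -> Optional[Account]:
    """The shortcut the article describes: a caller-ID match selects the
    account and reduces the check to last four digits plus zip code."""
    acct = ACCOUNTS_BY_PHONE.get(call.caller_id)
    if acct is not None:
        if call.digits == acct.pan[-4:] and call.zip_code == acct.zip_code:
            return acct
        return None
    # Caller ID not on file: the full card number is required.
    return ACCOUNTS_BY_PAN.get(call.digits)


def hardened_policy(call: Call) -> Optional[Account]:
    """Caller ID never reduces what the caller must prove. The full card
    number only selects the account (it is an identifier, not a secret);
    a separate IVR password is the secret, compared in constant time."""
    acct = ACCOUNTS_BY_PAN.get(call.digits)
    if acct is None or call.password is None:
        return None
    candidate = hash_password(call.password, acct.pw_salt)
    return acct if hmac.compare_digest(candidate, acct.pw_hash) else None


def last_four_from_receipt(receipt_line: str) -> str:
    """Receipts truncate the card number, e.g. 'VISA ************1111',
    so the last four digits are exactly what a discarded receipt leaks."""
    return receipt_line.strip()[-4:]


def spoofed_call(victim_phone: str, receipt_line: str, victim_zip: str) -> Call:
    """The attacker's call: the victim's home number placed in the caller-ID
    field, plus the two facts a receipt and a mailing address give away."""
    return Call(caller_id=victim_phone,
                digits=last_four_from_receipt(receipt_line),
                zip_code=victim_zip)
```

Run against the sample record, `spoofed_call("6175550123", "VISA ************1111", "02134")` is accepted by `weak_policy` and rejected by `hardened_policy`, and the hardened policy also rejects a caller who knows the full card number but not the password. Two design points follow from that: the card number is an identifier rather than a secret, so moving from last four to full number only raises the bar from "anyone with a receipt" to "anyone who has processed the card", and the password is what actually carries the security; and because the channel is a telephone keypad, the hardened policy needs attempt limiting and lockout around it, which the model omits. Caller ID can still be used as a risk signal (a mismatch with the number on file is a reason to step up verification), but never as a reason to step it down.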
Dworsky became interested in checking the security of banks' credit card information systems after reading a recent Boston Globe story revealing that most U.S. cellphone customers' voicemail accounts were vulnerable to intruders in the same way that News of the World reporters hacked into such cell accounts in London. "I saw that and wondered if credit card accounts were similarly vulnerable, and unfortunately the answer was 'yes' in some cases," said Dworsky.
FCC rules implementing the Truth in Caller ID Act went into effect on August 19, 2011, making it illegal to transmit misleading or inaccurate caller ID information with the intent to defraud, cause harm, or wrongfully obtain anything of value. The rule penalizes intent after the fact; it does not make spoofing any harder to do, so it does not relieve a bank of the need to stop treating caller ID as proof of who is calling.