Banks told of security flaw with use of caller ID
Former Massachusetts assistant attorney general Edgar Dworsky, who now runs the consumer education website Consumerworld.org, discovered the flaw after reading a Globe story about “caller ID spoofing” services - Internet sites used to trick caller ID systems into believing a call comes from a different phone number.
Identity thieves who know a customer’s ZIP code and the last four digits of his credit card number can use such services to pose as a customer when calling an automated bank customer service line, Dworsky said. Retail stores often print the last four numbers of a credit card account on sales receipts, which a thief could recover from the trash if discarded by the customer.
In an e-mailed statement, Bank of America spokeswoman Betty Riess defended her company’s security policies. “Our objective is to balance customers’ need for convenience and quick access to general information with industry-best protection of their accounts,” Riess said.
Chase spokesman Paul Hartwick said in an e-mailed statement that his company “takes data protection extremely seriously,” but as to the threat of telephone spoofing, “we have found the risks to be minimal.”
Last month’s Globe story showed how caller ID spoofing sometimes makes it easy to gain access to a victim’s cellphone voice mail systems. After the story ran, cellular carrier AT&T Inc. announced a change in its cellphone password policy to make it more difficult to gain unauthorized entry.
Working with a reporter for The New York Times, Dworsky found that by using a similar method, he was able to gain illicit access to a variety of personal information, including a person’s credit card balances and such details about recent purchases as amounts and the names of retailers. Some credit card companies used security techniques that fended off this kind of attack, but Dworsky found that Chase and Bank of America customers were vulnerable to the method.
Taken alone, the security flaw discovered by Dworsky wouldn’t allow a criminal to steal money or open new lines of credit. It does make it easier to snoop on a victim’s financial habits. Armed with stolen details about a customer’s finances, a criminal posing as a bank employee could trick the victim into sharing even more sensitive information.
Dworsky said the method would likely be used by someone who knows the target, and wants information about, for example, shopping habits or spending. “I could imagine some spouses being interested in doing this, particularly if the marriage has problems,” he said.
There are no reports of this method being used to breach someone’s privacy, but Dworsky said that because the attack would leave no traces, “the victim will never know.”
The trick works because customers dialing the banks’ customer service lines from their home phones need not enter their full 16-digit credit or debit card number to access the system. Using Caller ID technology, the bank recognizes calls from a home phone, and requires entering only the last four digits of the card number. Caller ID spoofing can fool the system into thinking the call originates from a customer’s home phone.
To safeguard against such attacks, Chase and Bank of America could require users to enter their full 16-digit credit or debit card number even when calling from home, Dworsky said. “For the casual person who’s snooping around, . . . this would pretty well stop them,” he said.
Jacob Jegher, a senior banking analyst for the Boston-based financial research firm Celent, favors a tougher approach to security. “I personally would not recommend that caller ID be used as an identification method at any level,” Jegher said.
Hiawatha Bray can be reached at firstname.lastname@example.org.