“I can assure you that they would not be able to do that with the Bank of America security”. The words of the Bank of America supervisor echoed in our heads as the Bank of America automated phone system revealed our account details over a call we were making via a Caller-ID spoofing website.
Bank of America is at it again. We really aren’t going out of our way to find issues with Bank of America’s security. They just happen to find a way to drop these issues in front of us as we go about our usual business of running Private Internet Access, our VPN Service.
It’s a hard call, but we think the issue we discovered today is significantly worse than the previous one, in which a random customer’s name and account balance were displayed to us while we were performing a funds transfer.
Social and Phone Number
Today’s issue simply requires a Bank of America customer’s SSN and telephone number. How to get someone’s phone number doesn’t even warrant discussion. Whilst people’s SSNs aren’t usually freely floating around on the internet, there are certain situations where it’s commonplace to hand over this information. For example, employment W-4s and background checks both require an SSN. Imagine an employer that logged into their potential employees’ bank accounts to check their balances before deciding whether to hire them. The IRS W-9 form, which includes your SSN, must be filled out and given to any business that pays you more than $600 per year. This covers relationships such as contracting, consulting, affiliate deals, and advertising, like Amazon Affiliates and Google AdSense. A business which pays many people and/or companies would likely hold both the SSN and the phone number of every recipient, which is everything required to get phone access to their bank accounts. Even if you’re not in a situation like this, once someone has your SSN, getting your phone number is probably trivial.
Bank of America did little to quell our concerns. “So, you mean that’s how it’s supposed to work?”… “Yes sir”. While they told us you are able to change your phone access code to something other than your SSN, we know the problem with opt-out security and insecure defaults: most customers never change them. They also claimed that this would only work when calling from your home phone. We raised the objection that Caller-ID spoofing services have been widely available for years. “I can assure you that they would not be able to do that with the Bank of America security,” the supervisor responded.
Hearing this, we decided to actually test it. Using a well-known spoofing website, we faked our phone number and called into Bank of America’s automated system. After keying in our SSN, bingo, we were in, with full access to the account information and transaction history; in other words, we now had a bank statement over the phone.
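To make the design flaw concrete, here is a small Python model of the two phone-login policies contrasted above. It is an illustration added to this post, not Bank of America’s code, and all names, sample SSNs, phone numbers and thresholds in it are assumptions. The legacy policy treats Caller-ID as an authentication factor and falls back to the SSN when the customer never set a code, which is exactly what a spoofed call defeats; the hardened policy ignores Caller-ID for authentication, has no default code, refuses codes derived from identity data, and locks the account after repeated failures.

```python
"""Toy model of the phone-banking login policies discussed in the post.

Added illustration, not Bank of America's system; every identifier,
number and threshold below is an assumption chosen for the example.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAX_FAILURES = 3  # assumed lockout threshold for the hardened policy


@dataclass
class Account:
    number: str
    ssn: str                 # digits only
    home_phone: str          # digits only
    code_salt: bytes = b""
    code_hash: bytes = b""   # empty until the customer enrolls a code
    failures: int = 0
    locked: bool = False


def _hash(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)


def legacy_ivr_login(acct: Account, caller_id: str, keyed: str) -> bool:
    """Policy the post describes: Caller-ID must match the home phone and
    the keyed digits must match the access code, which defaults to the SSN.
    Caller-ID is attacker-controlled, so the 'home phone' check adds nothing."""
    if caller_id != acct.home_phone:
        return False
    if acct.code_hash:  # customer opted out of the default
        return hmac.compare_digest(_hash(keyed, acct.code_salt), acct.code_hash)
    return keyed == acct.ssn  # insecure default: access code == SSN


def enroll_code(acct: Account, code: str) -> bool:
    """Customer-chosen code; reject anything derivable from identity data."""
    if not (code.isdigit() and 6 <= len(code) <= 12):
        return False
    if code in acct.ssn or code in acct.home_phone:  # SSN, last-N, phone digits
        return False
    acct.code_salt = secrets.token_bytes(16)
    acct.code_hash = _hash(code, acct.code_salt)
    return True


def hardened_ivr_login(acct: Account, caller_id: str, keyed: str) -> bool:
    """Caller-ID may be logged for fraud analytics but is not an
    authentication factor. There is no default code: an account with no
    enrolled code cannot log in over the phone. Repeated failures lock it."""
    if acct.locked or not acct.code_hash:
        return False
    if hmac.compare_digest(_hash(keyed, acct.code_salt), acct.code_hash):
        acct.failures = 0
        return True
    acct.failures += 1
    if acct.failures >= MAX_FAILURES:
        acct.locked = True
    return False


def demo() -> dict:
    # Constructed sample data, not a real customer.
    victim = Account(number="0001", ssn="123456789", home_phone="4155550100")
    spoofed_caller_id = victim.home_phone  # what a spoofing service supplies
    results = {}
    # Attacker holds SSN + phone number and calls from a spoofed Caller-ID.
    results["legacy_spoof"] = legacy_ivr_login(victim, spoofed_caller_id, victim.ssn)
    # Hardened policy: nothing enrolled, so nothing the SSN can unlock.
    results["hardened_no_code"] = hardened_ivr_login(victim, spoofed_caller_id, victim.ssn)
    # Enrollment refuses the SSN and any run of digits taken from it or the phone...
    results["enroll_ssn_rejected"] = not enroll_code(victim, victim.ssn)
    results["enroll_substring_rejected"] = not enroll_code(victim, "456789")
    # ...but accepts an unrelated code.
    results["enroll_ok"] = enroll_code(victim, "830417")
    results["hardened_spoof"] = hardened_ivr_login(victim, spoofed_caller_id, victim.ssn)
    results["hardened_legit"] = hardened_ivr_login(victim, victim.home_phone, "830417")
    for guess in ("000000", "111111", "222222"):
        hardened_ivr_login(victim, spoofed_caller_id, guess)
    results["locked_after_guesses"] = victim.locked
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the model is not the hashing but the factor accounting: a value the caller chooses (Caller-ID) and a value many third parties already hold (the SSN) are zero factors between them, so the legacy check passes for anyone with a W-9 on file and a spoofing account.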
We’ve provided a recording detailing how easy it was to get into our account and access our account details (we recorded over sensitive information in the call, as well as edited out some superfluous phone menu navigation).
Andrew is a long-time advocate of privacy and the conservation of the personal realm. He served as the brand manager for an internationally recognized best-selling product prior to co-founding Private Internet Access. Additionally, he was the co-founder of Mt. Gox Live which was acquired by Mt. Gox and created their official mobile application.