Even a VPN Service Can’t Protect Your Privacy if You’re using Bank of America

Posted on Nov 26, 2012 by rasengan

“I can assure you that they would not be able to do that with the Bank of America security.” The words of the Bank of America supervisor echoed in our heads as the Bank of America automated phone system revealed our account details over a call we were making via a Caller-ID spoofing website.

• • •

Bank of America is at it again. We really aren’t going out of our way to find issues with Bank of America’s online security. They just happen to find a way to drop these issues in front of us as we go about our usual business of running Private Internet Access, our VPN Service.

It’s a hard call, but we think the issue we discovered today is significantly worse than the previous one, in which a random customer’s name and account balance were displayed to us while we were performing a funds transfer.

Social and Phone Number

Today’s issue requires only two pieces of information about a Bank of America customer: their SSN and their telephone number. How to get someone’s phone number doesn’t even warrant discussion. SSNs aren’t usually floating freely around the internet, but there are plenty of situations where handing one over is commonplace. Employment W-4s and background checks both require an SSN; imagine an employer that logs into prospective employees’ bank accounts to check their balances before deciding whether to hire them. The IRS W-9 form, which includes your SSN, has to be filled out and given to any business that pays you more than $600 per year, which covers relationships such as contracting, consulting, affiliate deals and advertising, like Amazon Affiliates and Google AdSense. A business that pays many people or companies will hold both the SSN and the phone number of every recipient, which is everything required to get phone access to their bank accounts. Even if you’re not in a situation like this, once someone gets hold of your SSN, getting your phone number is probably trivial.

Bank of America doesn’t care about privacy, it seems

Bank of America provided little to quell our concerns. “So, you mean that’s how it’s supposed to work?” “Yes sir.” They told us you can change your phone access code to something other than your SSN, but we know the issues with opt-out security and defaults: a protection that only exists for customers who actively change a setting protects very few of them, and the SSN stays the code on every account that was never touched. They also claimed that the SSN code would only work when calling from your home phone. We raised the objection that Caller-ID spoofing services have been cheap and widely available for years. “I can assure you that they would not be able to do that with the Bank of America security,” the supervisor responded.

Hearing this, we decided to actually test it. We used a well-known spoofing website to present our own number as the Caller-ID and called into Bank of America’s automated system. After keying in our SSN, bingo, we were in, with full access to the account information and transaction history; in other words, we now had a bank statement read to us over the phone. The Caller-ID check adds nothing: the number presented on an inbound call is chosen by whoever places the call, so the SSN was the only thing the system ever actually verified.
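To make the design flaw concrete, here is an added toy model of two phone-banking (IVR) authentication policies. It is example code written for this post, not code from the original article and not Bank of America’s system. The first policy is the one described above: Caller-ID is treated as a factor and the access code defaults to the SSN. The second ignores Caller-ID as a factor, refuses accounts still on the default, and requires a one-time code delivered out-of-band to the enrolled number. All account data, phone numbers, limits and function names are constructed for illustration.

```python
"""Toy model of two IVR authentication policies (added example, not the
post's or Bank of America's code). Account data, numbers and names are
constructed for illustration."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def _digest(value: str) -> bytes:
    return hashlib.sha256(value.encode()).digest()


@dataclass
class Account:
    enrolled_phone: str                  # number on file; OTPs are delivered here
    ssn: str
    access_code_hash: bytes | None = None  # None: customer never changed the default
    failed_attempts: int = 0
    # Out-of-band deliveries keyed by the real number they went to. Only the
    # holder of enrolled_phone sees them; a Caller-ID spoofer does not.
    deliveries: dict = field(default_factory=dict)


# ---- Weak policy: what the post describes ---------------------------------
def weak_authenticate(acct: Account, caller_id: str, keyed_code: str) -> bool:
    """Caller-ID must match the number on file, then the access code is
    checked; the default access code is the SSN. Caller-ID is set by the
    originating side and is trivially spoofed, so the only secret an
    attacker actually needs is the SSN."""
    if caller_id != acct.enrolled_phone:
        return False
    expected = acct.access_code_hash if acct.access_code_hash else _digest(acct.ssn)
    return hmac.compare_digest(expected, _digest(keyed_code))


# ---- Hardened policy -------------------------------------------------------
MAX_FAILED_ATTEMPTS = 3  # constructed limit


def set_access_code(acct: Account, code: str) -> None:
    """Customer-chosen code; reject anything derived from the SSN."""
    if not code.isdigit() or len(code) < 6:
        raise ValueError("access code must be at least 6 digits")
    if code == acct.ssn or code == acct.ssn[-4:] or code in acct.ssn:
        raise ValueError("access code must not be derived from the SSN")
    acct.access_code_hash = _digest(code)


def issue_otp(acct: Account) -> None:
    """Deliver a one-time code to the *enrolled* number (SMS or callback),
    regardless of what Caller-ID the inbound call presented."""
    acct.deliveries[acct.enrolled_phone] = f"{secrets.randbelow(10**6):06d}"


def hardened_authenticate(acct: Account, caller_id: str, keyed_code: str, otp: str) -> bool:
    """Caller-ID is logged but never trusted as a factor. Requires a
    customer-set access code (default refused) plus the out-of-band OTP,
    with lockout after repeated failures."""
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        return False
    if acct.access_code_hash is None:
        return False  # still on the SSN default: force enrollment first
    expected_otp = acct.deliveries.get(acct.enrolled_phone, "")
    ok = (expected_otp != ""
          and hmac.compare_digest(acct.access_code_hash, _digest(keyed_code))
          and hmac.compare_digest(expected_otp, otp))
    acct.failed_attempts = 0 if ok else acct.failed_attempts + 1
    return ok


# ---- Scenario: attacker knows the SSN and spoofs Caller-ID ---------------
VICTIM_PHONE, VICTIM_SSN = "+15555550100", "123456789"  # constructed


def spoofed_call_weak() -> bool:
    acct = Account(VICTIM_PHONE, VICTIM_SSN)  # access code left at default (SSN)
    return weak_authenticate(acct, caller_id=VICTIM_PHONE, keyed_code=VICTIM_SSN)


def spoofed_call_hardened() -> tuple[bool, bool, bool]:
    acct = Account(VICTIM_PHONE, VICTIM_SSN)
    still_default = hardened_authenticate(acct, VICTIM_PHONE, VICTIM_SSN, "000000")
    set_access_code(acct, "482913")
    issue_otp(acct)
    # Attacker: spoofed Caller-ID, knows the SSN, guesses code and OTP. The
    # OTP went to the real handset, which the attacker does not hold.
    attacker = hardened_authenticate(acct, VICTIM_PHONE, VICTIM_SSN, "000000")
    # Legitimate owner, calling from a different number, reads the OTP off
    # the enrolled handset. Caller-ID mismatch does not matter.
    owner = hardened_authenticate(acct, "+15555550199", "482913",
                                  acct.deliveries[VICTIM_PHONE])
    return still_default, attacker, owner


if __name__ == "__main__":
    print("weak policy, spoofed call:", spoofed_call_weak())               # True
    print("hardened (default, attacker, owner):", spoofed_call_hardened())  # (False, False, True)
```

The point the model makes is that Caller-ID contributes no security in either direction: in the weak policy the spoofed call passes because the SSN is the only secret checked, and in the hardened policy the owner’s call from a different number succeeds because the OTP, not the presented number, proves possession of the enrolled phone.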

We’ve provided a recording showing how easy it was to get into our account and access its details (we recorded over sensitive information in the call and edited out some superfluous phone menu navigation). Maybe it’s time for Bitcoin over Bank of America.

About Andrew

Andrew is a long-time advocate of privacy and the conservation of the personal realm. He served as the brand manager for an internationally recognized best-selling product prior to co-founding Private Internet Access.



  1. Kendra

    All I have to say is WTF.

    6 years ago
  2. Crazy

    Just imagine how bad it really is out there in the world of security… and how bad it’s going to get.

    6 years ago
  3. Crank of America

    Has this issue been resolved over the past few months, or has Bank of America simply ignored this?

    6 years ago
    1. Penelope

      No, this issue has not been resolved, because I am dealing with it at the moment. My family and boyfriend are keeping tabs on me by my bank statement. I was told the same thing he mentioned and went into a location and showed them on three different phones that you can bypass all of the defaults and securities.

      6 years ago
  4. Steve

    Our government agencies are revealing our identities through carelessness and incompetence. True story: while conducting business with a local Social Security Office, a clerk mailed me some paperwork. In that envelope was the name, address, bank account number and social security number of a perfect stranger. She probably put it in my envelope by accident. I, of course, shredded the information.

    5 years ago
  5. Ameer Abbas

    Can’t believe they can be this rubbish at their financial security after $450 billion was stolen through cyber crime last year… such a shame. I will rape these guys in my new blog post. Thanks for the update, mate.

    4 years ago
  6. jay67

    I use a Hotmail account for junk email and two other “real” accounts for my mail. None of my accounts at B of A are related to the junk account. I called B of A last Friday to set/change some account stuff and made a few withdrawals at an ATM out of town. The next day my junk mail account had spoof B of A emails in it requesting that I “verify” account info via the provided link, which were clearly an attempt to secure my info. How my junk mail account ended up with such garbage when I did NOT use the internet to do any of the ATM transactions is a mystery to me. Now to learn even a VPN won’t work with BofA is very disappointing.

    4 years ago