Even a VPN Service Can’t Protect Your Privacy if You’re using Bank of America

“I can assure you that they would not be able to do that with the Bank of America security”. The words of the Bank of America supervisor echoed in our heads as the Bank of America automated phone system revealed our account details over a call we were making via a Caller-ID spoofing website.

• • •

Bank of America is at it again. We really aren’t going out of our way to find issues with Bank of America’s security. They just happen to find a way to drop these issues in front of us as we go about our usual business of running Private Internet Access, our VPN Service.

It’s a hard call, but we think the issue we discovered today is significantly worse than the previous one, in which a random customer’s name and account balance were displayed to us while we were performing a funds transfer.

Social and Phone Number

Today’s issue requires nothing more than a Bank of America customer’s SSN and telephone number. How to get someone’s phone number doesn’t even warrant discussion. SSNs aren’t usually floating around freely on the internet, but there are plenty of situations where handing one over is commonplace: employment W-4s and background checks both require an SSN. Imagine an employer that logged into its prospective employees’ bank accounts to check their balances before deciding whether to hire them. The IRS W-9 form, which carries your SSN, has to be filled out for any business that pays you more than $600 per year, which covers contracting, consulting, affiliate deals and advertising programs such as Amazon Affiliates and Google AdSense. A business that pays many people or companies will therefore hold both the SSN and the phone number of every recipient, which is everything needed for phone access to their bank accounts. The underlying problem is that an SSN is an identifier, not a secret: it is disclosed to every employer and payer you have ever dealt with, so it cannot serve as a password. And even if you’re not in one of these situations, once someone has your SSN, getting your phone number is trivial.

Bank of America did little to quell our concerns. “So, you mean that’s how it’s supposed to work?”… “Yes sir”. They told us that you can change your phone access code to something other than your SSN, but we know how opt-out protections and insecure defaults play out: the default is the SSN, and few customers will ever change it. They also claimed that this would only work when calling from your home phone. We pointed out that Caller-ID spoofing services have been cheap and widely available for years, so the number the phone system sees proves nothing about who is calling. “I can assure you that they would not be able to do that with the Bank of America security,” the supervisor responded.

Hearing this, we decided to actually test it, using a well-known spoofing website to make our call to Bank of America’s automated system appear to come from our own phone number. After keying in our SSN, bingo: we were in, with full access to the account information and transaction history. In other words, we had our bank statement read to us over the phone, with nothing more than a spoofed Caller-ID and an SSN.

We’ve provided a recording detailing how easy it was to get into our account and access our account details (we recorded over sensitive information in the call, as well as edited out some superfluous phone menu navigation).

About Andrew

Andrew is a long-time advocate of privacy and the conservation of the personal realm. He served as the brand manager for an internationally recognized best-selling product prior to co-founding Private Internet Access. Additionally, he was the co-founder of Mt. Gox Live which was acquired by Mt. Gox and created their official mobile application.

  • Kendra

    All I have to say is WTF.

  • Crazy

    Just imagine how bad it really is out there in the world of security… and how bad it’s going to get.

  • Crank of America

    Has this issue been resolved over the past few months, or has Bank of America simply ignored this?

    • Penelope

No, this issue has not been resolved, because I am dealing with it at the moment. My family and boyfriend are keeping tabs on me via my bank statement. I was told the same thing he mentioned and went into a location and showed them on three different phones that you can bypass all of the defaults and securities.

  • Steve

    Our government agencies are revealing our identities through carelessness and incompetence. True story: while conducting business with a local Social Security Office, a clerk mailed me some paperwork. In that envelope was the name, address, bank account number and social security number of a perfect stranger. She probably put it in my envelope by accident. I, of course, shredded the information.