An employee in one of Bank of America's customer call centers has admitted he stole sensitive account information and tried to sell it for cash. Brian Matty Hagen said he met with two individuals whom he later learned were undercover FBI agents and offered to sell them names, dates of birth, telephonic passwords, and other …
If someone did an expose on how many people in the world can easily call up your details I think there'd be outrage. Masses of gov. employees you wouldn't trust with a spare watch, tonnes of bank/etc workers, any hackers with half a brain, the intelligence services, & frankly anyone who actually wants to find out probably could.
Until they ask themselves...
...who's going to call up the information when they themselves can't. Without that knowledge, people can't process the transactions you want or call up the information you're asking about (in the case of the call center tech here--his access is justifiable because he performs transactions and account inquiries over the phone; a window teller probably has similar access). A certain level of trust is required for everything to work, so it has to become a case of figuring out whom to trust.
Sarbanes-Oxley has required US listed companies to restrict how financially sensitive systems are accessed, and banking laws restrict how authentication is handled. There should be ZERO access to the entire telephonic password; instead there should only be a limited selection of letters that the telephone operative can enter to see if the customer is authenticated. Seems the BOA has some archaic systems going on here.
It won't stop someone in a bank gleaning details from your account if you call them, but it should stop them accessing it when they feel like it. Seems the US could do with catching up with Europe for some of this security.
More likely, the customer didn't twig when a known bank employee asked him for his whole password instead of the partial information that the computer was inviting him to ask for.
"Can I have letters 1,2 and 5 of your password?"
tap tap tap wait
"oops, my computer's just gone down. Sorry about this"
(make smalltalk for a minute or so)
"OK, we're back, I'll need to take you through security again"
"Can I have letters 4,6 and 8 of your password?"
"Yes, sir, that's fine, how can I help you?"
At this point the criminal employee has six letters of the password and can probably guess the rest nine times out of ten.
Sigh. Does crime really not pay?
That's the problem.
He was a "target of opportunity" skimmer. He didn't just pull up accounts willy-nilly. He skimmed the details he happened to call up (legally and at the request of proper account holders) during his regular duties at work. And someone with a strong enough memory could probably walk away with plenty of damaging data without leaving any evidence of a skimming.
I have access to all manner of private stuff...
...but then, I'm NOT an idiot.
Will this ever get fixed?
"sell them names, dates of birth, telephonic passwords, and other details for Bank of America customers,"
This case (and others just like it) shows how stupid the whole banking system is.
Static numbers cannot provide security or authentication, period. This is especially true given how many people have access to our #'s in everyday transactions.
One shouldn't have to trust the waitress at a restaurant in order to use their credit card there. A library staff member shouldn't have the opportunity to commit id fraud simply because they have access to SSNs.
Anyone versed in cryptography knows the difference between identification and authentication. Banking technology is decades behind the cryptography and this is the reason id theft is possible in the first place.
I needed to vent; it disturbs me every time I see the consequences of banks mistaking identification for authentication.
So tell me...
...how do you pass along credit card information to the waitress without allowing her to have access to one iota of useful information and still be able to handle the transaction seamlessly and without any further input from you? Oh, did I mention that it needs to be as simple as possible since there are going to be millions of the things out and about? And since they have to be usable for years at a time (or the churn rate would be horrific--not green at all) and for hundreds of uses, forget batteries.
Bluntly, saying it's broken is one thing. But if you want to prove it's really broken, at least provide a sensible and practical solution as well.
Why would the FBI be in the market for personal information? They have taps on all of the lines anyway.
They needed a shill.