Security Flaw Affects Two Of The Largest U.S. Banks

By Jim Armstrong, WBZ-TV

BOSTON (CBS) – The back-to-school shopping season might mean that your credit cards are seeing some extra action. That could put you, the consumer, at extra risk.

No matter why you’re using your credit cards, Somerville-based consumer advocate Edgar Dworsky says your private information could become public, especially if your credit card comes from Bank of America or Chase Bank.

“All of a sudden your personal financial information is an open book,” Dworsky explains.

WBZ-TV’s Jim Armstrong reports

While watching this summer’s U.K. hacking scandal unfolded, Dworsky got to thinking.

“I said, ‘Gee, I wonder if credit card accounts are vulnerable also.’ That’s what gave me the idea to check it.”

What he found wasn’t good.

When you pay by credit card, your store receipt almost always prints with the last four digits of your card prominently displayed.

Most of us can be fairly careless with those receipts.

Dworsky realized that a thief can use any one of a number of internet-based phone-number spoofing services to call your bank from what appears to be your home phone number.

The bank’s automated system recognizes what it thinks is your number, and lets the thief access your account information, using just those last four digits as “proof” the person on the other end of the line is really you.

“I found that Chase and Bank of America only require the last four digits when you’re calling from your home telephone, and that’s the problem,” reports Dworsky.

“It’s going to be very difficult to protect yourself until the banks change the system.”

Some banks require you to punch in your complete, 16-digit account number when you call their automated service; Dworsky says those banks’ systems offer more protection for the consumer.

But, he adds, Bank of America and Chase are reluctant to switch to that format because they say their customers like the convenience of only having to put in the last four digits.

More from Jim Armstrong
  • Concerned

    The thief still needs to get a hold of your phone number, and not only that but the one that’s on file with that bank. Seems to me like there’s a bit of alarm-ism going on here…

    • Dan

      It’s actually not that hard to find out information such as addresses and telephone numbers — a little searching online goes a long way these days. As for using the right number, chances are that you don’t have an extra phone line beyond a landline and a cell phone. Because of that, I would say that most cases are 50/50 if the potential victim doesn’t have just one phone number. It makes me wonder how the system reacts to multiple attempts to access an account from different phone numbers, though.

  • Jim Haines

    Instead of the last 4 digits, they should ask us for security number on the back of the card. That is only three digits and never prints out on a receipt.

blog comments powered by Disqus
Taz Show
Download Weather App

Listen Live