Wednesday, January 07, 2009

Rats, foiled

I was in Japan over the holidays. I attempted to use my BofA card. Their fraud controls assumed something was wrong, and locked the card. In order to unlock it, I needed to visit a branch and show 2 pieces of ID.

I went to the local branch. They verified my ID, then called the same phone number I called to unlock the card. When she called in, the employee helping me identified herself saying "this is employee Alice Smith 2955".

Ah hah! She identified herself with an assigned 4-digit number. Now I have the number and can impersonate her!

However, this turned out to be the wrong department. She had to call another one to unlock the card. This time she said "this is employee Alice smith 6878".

Rats, it's not a fixed number. I tried to ask her what the number signified, and she quickly answered "I can't go into that". So, there is a complex system behind this, complex enough that she won't discuss it.

She had her computer in front of her. I'm assuming sort of intranet application whereby she applies for a temporary ID by clicking on a button, that the person on the other end quickly types in, popping up the name on their terminal that they can verify.

The interesting thing is that she could not be authenticated via the phone system. It's amazing that we've progressed this far in technology yet the phone system is still so far behind. On the other hand, anti-government paranoids (such as myself) want an anonymous phone system, so while I'm surprised phones have poor security, I'm also glad.

1 comment:

christian said...

BoFA is one bank im proud to say I use AND trust. I think they have great security practices in use. Just ordered myself a safepass card to see how it works out, been using safepass with my mobile for a while now.