Cardholders of two major card issuers, Bank of America and Chase, may be vulnerable to attack because of a major security flaw discovered by Boston consumer advocate Edgar Dworsky, founder of Consumer World, a public service, non-commercial guide to more than 2000 of the most useful consumer resources.
According to Dworsky, access to 24-hour, automated account information by telephone is the loophole: it allows hackers to steal by spoofing the victim's caller ID phone number when they contact the bank. When a customer calls the credit card service number, the bank verifies the caller ID against its records. Once the credit card company agent sees a legitimate number that is attached to the account, they may ask for further verification such as the last four digits of the account number or the cardholder’s ZIP code, both of which are easily obtained from discarded sales slips.
The crooks now have access to all automated account information available via telephone, including available credit, last payment made and details about recent purchases. Armed with these details, they have enough data to convince the cardholder that they are bank employees and to attempt to get the cardholder to divulge the entire account number and security code. With those, ID theft or credit card fraud could follow.
Dworsky says his goal in exposing the banks' security flaw is to get them to implement better safeguards for cardholders. "It would be so simple for Chase and Bank of America to immediately require full account numbers when Visa and MasterCard cardholders access their system, and that would help thwart all but the most conniving of hackers. Requiring a password would further enhance security too."