If you have a credit card account with Bank of America or Chase, two of the nation’s largest banks, a major security flaw has been exposed that could make your information vulnerable to an Internet crook – or even a nosy neighbor.
Consumer advocate Edgar Dworsky of ConsumerWorld.org, who discovered the flaw, says anyone who knows your phone number and has the last four digits of your Chase or BofA credit card number might be able access your account.
Here’s the flaw Dworsky uncovered: When you call a bank’s automated credit card account information system, the computer uses caller ID to compare the number you’re calling from with the one on the account (usually your home phone).
At BofA and Chase, if the phone number is a match, the verification process is streamlined. Rather than requiring the entire credit card number to be entered, the caller can usually access the account with only the last four digits. In some cases, a zip code is also required.
“The last four digits of your credit card number are just out there so predominantly,” Dworsky says. “If you look at any sales receipt, it always has those last four digits.”
In order for someone to take advantage of this security loophole, they’d have to trick the bank’s computer to make it appear the call is coming from your home phone. Internet “spoofing” sites make this incredibly easy to do. Con artists have been using this technology for years, and it is how those British tabloid reporters were able to hack into so many voicemail systems.