Interesting People mailing list archives
IP: Anybody can fetch your bank balance from any bank
From: Dave Farber <farber () cis upenn edu>
Date: Wed, 22 Jul 1998 15:38:40 -0500
Date: Wed, 22 Jul 1998 11:48:08 -0700
From: Brad Templeton <brad () templetons com>

This week I was astounded to learn of an amazing privacy hole in the systems of almost all the major banks. It's so large that I was amazed I never heard of it, and I can't find in a web search much discussion of it, so I don't know if people have talked about it. Maybe I've just been out of the loop.

All the banks have a phone number for "merchant check verification." It's often a toll-free number, and it's automated for touch-tone access. I have not yet found one on a web site, but I am sure some banks will be doing that before long.

Using this service, and my bank account number (from any check) and no other identification (i.e. you don't need any merchant number or password), you can get my bank balance. Because I have overdraft protection, you get my combined checking/money market balance. You just key in my account number, a check number and an amount, and it tells you if the amount is in the account or not. As I tested, with a fairly trivial binary search, you can get my balance in just a few iterations. (It cheerfully asks you at Wells Fargo if you want to do another check.) You can use the same check number again and again. (Even if you could not, it would not be hard to find a series of unused numbers.)

Wells Fargo and Bank of America both do this, and so do the rest. When I called Wells Fargo executive offices, they said I was the first to complain. They were a bit surprised themselves, at least in that office.

I suggested that the verification service, since it is technically a service for the customer (to allow you to more easily write checks and convince recipients you are good for them), should be at the option of the customer. They said they had no way to turn it off. I suggested that perhaps the customer should be able to set a limit, i.e. "verify checks up to $5,000, but for amounts over that, state the customer does not wish that information disclosed" or similar.

All good ideas, but not possible in their system. B of A thought that perhaps they could turn off all telephone access, but somehow I think that would just inconvenience the customer and probably not turn this off.

This is surely coming to the web. And somehow I always thought your bank balance was perhaps the classic example of the type of data one wants to be private.

Am I a dolt for not knowing about this? Do we want an effector message about it at some time? Or should I just write it up for RISKS?
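The message above describes a yes/no "funds available?" answer that acts as an oracle, and the customer-set limit the author proposed as a fix. The following Python model is an added example, not part of the original post or of any bank's system: it simulates that oracle, measures from the defender's side how tightly an unrestricted caller can narrow the balance, and shows what the proposed disclosure cap changes. The `Account` values, the $1,000,000 search ceiling and the $5,000 cap are constructed sample data; all amounts are in cents.

```python
"""Model of the merchant check-verification oracle described in the post.

Added example (not from the original message). It simulates the yes/no
"are funds available for this amount?" answer, measures how tightly an
unlimited caller can pin down the balance, and shows the effect of the
customer-set disclosure cap the author proposed. Amounts are in cents;
the account values below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Account:
    balance_cents: int
    # Customer-chosen ceiling above which the service declines to answer
    # (the "verify checks up to $5,000" option suggested in the post).
    disclosure_cap_cents: Optional[int] = None


Oracle = Callable[[Account, int], Optional[bool]]


def verify_check(account: Account, amount_cents: int) -> Optional[bool]:
    """The service as described: anyone holding the account number gets a
    plain yes/no on whether the amount is covered."""
    return amount_cents <= account.balance_cents


def verify_check_capped(account: Account, amount_cents: int) -> Optional[bool]:
    """Hardened variant: amounts above the customer's cap are neither
    confirmed nor denied (None), so the reply carries no information."""
    cap = account.disclosure_cap_cents
    if cap is not None and amount_cents > cap:
        return None
    return amount_cents <= account.balance_cents


def narrow_balance(oracle: Oracle, account: Account, max_cents: int):
    """Defender-side leak measurement: the interval [lo, hi] to which an
    unrestricted caller can narrow the balance by bisection, plus the
    number of answers it took. A refusal is treated as carrying no
    information, and no amount at or above a refused one is asked again."""
    lo, hi = 0, max_cents           # balance is known to lie in [lo, hi]
    refused_from = max_cents + 1    # smallest amount the oracle declined
    queries = 0
    while lo < hi:
        top = min(hi, refused_from - 1)   # highest amount still worth asking
        if top <= lo:
            break                         # no query can shrink the interval
        mid = (lo + top + 1) // 2
        answer = oracle(account, mid)
        queries += 1
        if answer is None:
            refused_from = mid
        elif answer:
            lo = mid
        else:
            hi = mid - 1
    return lo, hi, queries


if __name__ == "__main__":
    MAX = 100_000_000  # assume balances under $1,000,000 (constructed bound)
    acct = Account(balance_cents=1_234_567, disclosure_cap_cents=500_000)
    print("unrestricted service:", narrow_balance(verify_check, acct, MAX))
    print("capped at $5,000:    ", narrow_balance(verify_check_capped, acct, MAX))
```

With the unrestricted oracle the interval collapses to the exact balance in at most 27 answers for a $1,000,000 range (one bit per call, as the post's "few iterations" suggests). With the cap, a balance above $5,000 is only ever learned to be "at least $5,000", while a balance below the cap is still recoverable exactly, so the cap bounds disclosure rather than eliminating it.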