If you think the British tabloid phone-hacking scandal has nothing to do with your personal financial information, think again. A consumer advocate savvy in high-tech financial security discovered that tricks similar to those hackers used to break into people’s voicemail accounts could also be exploited to gain access to confidential credit card information.
As described by The New York Times, the hacking works like this: A person can use a legal service that makes a call placed from one number appear to come from a different number. “When the receiver of the phone call looks at the caller ID, it has our phone number, and as far as the receiver is concerned, it’s really us calling,” says Mike Paquette, chief strategy officer at Corero Network Security.
While this is alarming enough, Edgar Dworsky, founder of ConsumerWorld.org, discovered something even worse. From the Times: “[S]omeone armed with just a bit of personal information about a target can also gain access to the automated phone systems for Bank of America and Chase credit card holders.” There isn’t any evidence that a hacker could fraudulently use your credit card or steal your identity, but they’d have access to an alarming amount of highly personal data: How much you owe, what your credit limit is and where you’ve used the card. According to the consumer advocate’s investigation, Chase gives the caller access to previous transaction information by category while Bank of America lists merchant names; both would reveal to a hacker how much you spent.
This might not sound like a big deal, but consider the ramifications if someone were to get access to recent transaction details. “It contains contextual information someone could use to fool you, trick you or entice you into providing that information,” Paquette says. For instance, if someone found out you’d made a purchase at a large retail chain, they could later call you back pretending to be from that source and ask for information they could use to make fraudulent charges. “It could be used as a stepping stone to identity theft or fraud,” he says.
In addition, potentially damaging confidential information could be exposed. What if an estranged ex-spouse or potential employer found out you were up to your eyeballs in debt or were undergoing treatment for a medical or mental health condition? Although use of ID spoofing programs for these kinds of purposes isn’t legal, that won’t help you if the damage is already done.
The article says that this sort of shady information gathering could be stopped if credit card issuers required additional authentication such as keying in a PIN or part of your Social Security number before you could gain access to your information. Banks say they don’t want to do that, though, because it’s less convenient for their customers. (We’ve also heard from security experts on why banks’ over-reliance on Social Security numbers as a form of authentication is problematic.) Until banks close this loophole, be vigilant if someone contacts you asking for your credit card number, even if they claim to be representing a merchant with whom you’ve done business.
Updated: Aug. 23, 11:49 a.m.