IP: Anybody can fetch your bank balance from any bank

Dave Farber (farber@cis.upenn.edu)
Wed, 22 Jul 1998 15:38:40 -0500


Date: Wed, 22 Jul 1998 11:48:08 -0700
From: Brad Templeton <brad@templetons.com>

This week I was astounded to learn of an amazing privacy hole in the
systems of almost all the major banks. It's so large that I was amazed
I never heard of it, and I can't find in a web search much discussion of
it so I don't know if people have talked about it. Maybe I've just been
out of the loop.

All the banks have a phone number for "merchant check verification." It's
often a toll free number, and it's automated for touch tone access. I
have not yet found one on a web site but I am sure some banks will be
doing that before long.

Using this service, and my bank account number (from any check) and no
other identification (i.e. you don't need any merchant number or
password) you can get my bank balance. Because I have overdraft
protection you get my combined checking/money market balance.

You just key in my account number, a check number and an amount, and it
tells you if the amount is in the account or not. As I tested, with
a fairly trivial binary search, you can get my balance in just a
few iterations. (It cheerfully asks you at Wells Fargo if you want to
do another check.) You can use the same check number again and again.
(Even if you couldn't, it would not be hard to find a series of unused numbers.)

Wells Fargo and Bank of America both do this and so do the rest.

When I called Wells Fargo executive offices, they said I was the first
to complain. They were a bit surprised themselves, at least in that
office. I suggested that the verification service, since it is technically
a service for the customer (to allow you to more easily write checks and
convince recipients you are good for them), should be at the
option of the customer. They said they had no way to turn it off.

I suggested that perhaps the customer should be able to set a limit,
i.e. "verify checks up to $5,000, but for amounts over that, state the
customer does not wish that information disclosed" or similar. All good
ideas but not possible in their system. B of A thought that perhaps they
could turn off all telephone access, but somehow I think that would just
inconvenience the customer and probably not turn this off.

This is surely coming to the web. And somehow I always thought your
bank balance was perhaps the classic example of the type of data one
wants to be private.

Am I a dolt for not knowing about this? Do we want an effector message
about it at some time? Or should I just write it up for RISKS?
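As an added illustration, not part of Templeton's post and not modelled on any bank's actual system: a toy version of the yes/no check-verification oracle he describes, the binary-search balance extraction it permits, and the two controls he suggests (a customer-set disclosure ceiling, plus throttling and alerting on repeated probes against one account). The account number, check number, balances, limits and query budget are constructed sample values.

```python
# Toy model of a "does this account cover this amount?" oracle and its hardening.
# Added example; all account ids, balances and limits are constructed samples.
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed ledger: account number -> available balance in cents ($8,231.55).
LEDGER = {"1234567": 823_155}


def naive_verify(account: str, check_no: int, amount_cents: int) -> bool:
    """The 1998-style service: no caller authentication, no per-customer limit,
    and it answers for any amount and any check number."""
    return LEDGER[account] >= amount_cents


def extract_balance(verify, account: str, max_cents: int = 10_000_000):
    """Binary search over the oracle's yes/no answers.
    Returns (largest amount the oracle confirmed, number of queries made).
    Assumes the balance lies in [0, max_cents]; check number is reused each time."""
    lo, hi = 0, max_cents
    queries = 0
    while lo < hi:
        mid = (lo + hi + 1) // 2
        queries += 1
        if verify(account, 1001, mid):
            lo = mid          # funds cover mid, so the balance is at least mid
        else:
            hi = mid - 1      # funds do not cover mid
    return lo, queries


@dataclass
class HardenedVerifier:
    """Models the controls suggested in the post: a customer-chosen ceiling above
    which nothing is disclosed, and a per-account query budget whose exhaustion
    raises an alert for the fraud desk instead of answering."""
    disclosure_limit: dict            # account -> max cents the service will confirm
    max_queries: int = 5              # constructed budget per account per period
    counts: dict = field(default_factory=lambda: defaultdict(int))
    alerts: list = field(default_factory=list)

    def verify(self, account: str, check_no: int, amount_cents: int) -> str:
        """Returns 'yes', 'no' or 'undisclosed'."""
        self.counts[account] += 1
        if self.counts[account] > self.max_queries:
            self.alerts.append(f"probe threshold exceeded for account {account}")
            return "undisclosed"
        if amount_cents > self.disclosure_limit.get(account, 0):
            return "undisclosed"        # customer opted not to confirm large amounts
        return "yes" if LEDGER[account] >= amount_cents else "no"


def attempt_against_hardened(limit_cents: int = 500_000):
    """Runs the same search against the hardened oracle ($5,000 ceiling).
    Returns the amount the search settles on, the true balance, and alert count."""
    h = HardenedVerifier(disclosure_limit={"1234567": limit_cents})
    reported, _ = extract_balance(
        lambda a, c, amt: h.verify(a, c, amt) == "yes", "1234567")
    return reported, LEDGER["1234567"], len(h.alerts)


if __name__ == "__main__":
    bal, n = extract_balance(naive_verify, "1234567")
    print(f"naive oracle: balance {bal} cents recovered in {n} queries")
    reported, true, alerts = attempt_against_hardened()
    print(f"hardened oracle: search settled on {reported} (true {true}), "
          f"{alerts} alerts raised")
```

The naive oracle gives up a balance under $100,000 in at most 24 questions, which is the "few iterations" of the post. With the hardened oracle the search stalls at the ceiling (or at the last confirmed amount once the budget runs out) and the fraud desk gets an alert, which is the detection signal a bank could act on even before the customer-facing limit exists.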