
Bank of America Telephone Access Security Hole - rasengan
https://www.privateinternetaccess.com/blog/2012/11/even-a-vpn-service-cant-protect-your-privacy-if-youre-using-bank-of-america/
======
badsecurityhole
This is more dangerous than it sounds. As the blog post points out you can
only get account balance and last transactions. Here's what's really
dangerous: the last transactions.

Say you have one more piece of information: account # and routing #. This can
be obtained from any check the person has written. Now you can link their
account to your account from your bank's website. Your bank will make some
small deposits into their account that you will have to verify. Now you use
the security hole discussed in this post and you can find out what the amount
of those small deposits was. You have now successfully linked their account to
your account and you can withdraw their entire account balance into your
account from your bank's website.

Now go to your local bank branch and withdraw your entire account in cash and
walk away. So yes, this security hole is bad.

~~~
ams6110
...and then prepare for the FBI to show up at your door. You can't open a bank
account without producing several pieces of ID bearing your current address.
Not discounting the apparent stupidity of BofA relying on caller ID for
authentication, but it's not quite that easy. Moving money from one account
to another leaves a trail.

Still a really bad situation though.

~~~
smsm42
Current address can change. The only reason my bank knows my current address
is because I've repeatedly informed them, and it took about half a year and
some effort from my side to have them update _all_ accounts and records with
the correct address. So the FBI has a good chance of scaring some innocent men
living in a rental apartment that was used by some bad guy two years ago. In
one place I lived, I regularly got payment demands from various credit
companies to the name of somebody that (I suspect) lived there 2 years ago at
least (I knew who lived there before me, and that wasn't the bad credit
person). So address doesn't give much.

------
georgeorwell
The responsible thing to do in this situation is to keep escalating at the
bank until somebody listens. "Bank of America supervisor" implies a manager at
a call centre. A few more escalations and you reach some pretty senior people
with actual authority to change things.

A zero-day involving actual dollars (BoA) is a lot different than a zero-day
involving email addresses (AT&T, recently). If this exploit makes withdrawals
possible, and it sounds like it does, then you're making it easy to seriously
mess up someone's life before it's fixed.

~~~
josh2600
This is a feature...

This is basically a lookup which authenticates users based on caller ID (the
password is the ssn). This is the same as when your carrier changed your
voicemail password to be your phone number (and self-authenticate on inbound
calls).

The problem everyone is looking at affects 100% of customers but the bank
(mistakenly) believes the barriers to entry are high.

The important takeaway is this: You cannot have a secure service that is
authenticated with a phone number.

Phone numbers have been, and will continue to be, an invalid source of
identity. In fact, considering a phone number as a signaling agent in a Web of
Trust is a terrible decision to make. Time and again we hear of these exploits
which wouldn't happen without terrible assumptions.

PSA: YOUR PHONE NUMBER IS SPOOFABLE; IT TAKES 10 SECONDS. DO NOT BUILD SYSTEMS
THAT TRUST YOUR PHONE NUMBER AS IDENTITY.

~~~
brown9-2
I am no expert but I think the problem is assuming that the caller ID of the
incoming call to the bank is authentic.

I'm curious if you could break a similar system that assumed that receipt of
an _outgoing_ call made to the customer's phone number was validation of
identity.

~~~
MichaelGG
Outbound call to a number is harder to break. One way is to port the number to
another provider, illegally. If you have the person's information and bill,
you probably have enough info to get the line transferred. And sometimes,
providers will accidentally/idiotically allow a number to be ported even if
the information isn't correct; there's plenty of room for mistakes.

Another attack is to target the way they place the outbound call. Suppose they
place the outbound call with provider X. An attacker might sign up and start a
port via provider X. If provider X has poor code, they might activate the
number internally, and route all their customers' calls to your account, before
they find out the port's been rejected. Or you might be able to compromise the
provider another way - many providers and VoIP software systems are
hilariously weak on security.

The first attack will work across the entire phone network; the second
requires the authentication call to be made via an insecure provider.

~~~
josh2600
Right but you're talking about owning the DID, which one may or may not need
to do in order to compromise your connection. For example, if I pwn the
Asterisk box your call routing runs through, I can mirror the audio or
redirect the audio pretty trivially.

Going a step further, given how few people aren't buying through a reseller,
it's possible to pwn an upstream provider and impact boxes through a man in
the middle attack. Even over TDM you're not safe because of physical taps
which are difficult to detect (albeit easier than IP).

No, Phone numbers are not secure and should never be used as a form of
authentication. You don't even need to port a number, you just need to be
somewhere in the stream.

~~~
MichaelGG
I think there's a significant scope difference in performing a MiTM attack
(via hacking a provider or installing a tap) and forcing a port through.

After all, it's implicit in telephone banking when you authenticate via voice
that you trust the connection. The argument you're making is that telephony is
insecure, which is arguably true, but sorta irrelevant within the scope of
telephone banking.

~~~
josh2600
How is it irrelevant? Is it not the crux of the issue here?

Many upstream providers are just Asterisk boxes forwarding traffic. Those
boxes can be overloaded with a malformed SIP header; hell, most application
switches get wrecked by malformed headers.

What I'm trying to say is that money is one of those things where security is
actually important. Trusting telephony, even as a signal and not source, is
foolish. There are many better methods of deriving identity.

My point, and arguably the point of the article, is that telephony is
insecure, and I think it's pretty far from irrelevant... Please correct me if
I misunderstood, I'm not trying to offend I just don't understand.

------
bo1024
So if this was on a website instead of via phone the authors would presumably
be facing criminal charges or years in prison, right?

~~~
JacobAldridge
Well, they used a proxy to log into their own account, so probably not. Had
they tried to demonstrate this using someone else's SSN, then yup - lock 'em
up!

------
chayesfss
Hate to pile on but security & boa don't go together too well
http://www.gosecureauth.com/blog/easily-bypass-bank-of-america-2-factor-safepass-authentication/

------
smsm42
From what I understand, knowing somebody's name, SSN, address and DOB would
allow you to impersonate him/her at 90% of places. In 90% of the rest, they'd
require some password but if you sound convincing enough and desperate enough
and claim you forgot the password, they'd give you some information they're
not supposed to in exchange for the pieces from above. SSN especially is
treated like it's super-secret even though practically everybody asks you for
it - banks, employers, car dealers, credit cards, lenders, etc. Government
loves to ask DOB for some reason like it's a big secret - even though looking
for congrats on anybody's Facebook page lets you know the DOB for like 90% of
people.

In general, this whole system does not collapse only because overwhelming
majority of people are honest and don't even think about cheating it. Which I
think is good, but still I am a bit scared when I think about how fragile it
is.

~~~
sageikosa
I am both amused and annoyed at now having to enter my US postal ZIP code when
using my credit card at some gas stations. If someone stole my wallet, they'd
have that information already as it is on my driver's license.

~~~
sneak
Don't use your license address as your billing address.

------
csmatt
It's not just BofA. I know of at least one other popular bank that uses the
last four of one's SSN as the default password. They may also require a DOB,
but that's simple enough.

------
Aloha
First, it's not off CID, it's off ANI (ANI is what is passed to the remote
endpoint when you call a toll free number), not that you can't spoof ANI - but
often it can be a little harder, as it's used in billing on the telco side.

Second, every bank does something like this, I can access my credit card by
phone with just the last four digits of my account number, and by calling in
from my phone. I can do the same thing with my BofA account number in lieu of
my SSN.

Third, again, every bank is like this to some extent - every CC I have, if I
call in from my number, and key in the last four digits of my credit card, I
can get info. I should also point out that knowing someone's Tel Number, Account
Number and/or CC number is a considerable amount of info to have.

~~~
philsnow
"Second, every bank does something like this"

I can't tell if you're implying that this makes the practice somehow less bad,
but I hope not.

"I should also point that knowing someones Tel Number, Account Number and/or
CC number is a considerable amount of info to have."

It's a considerable amount of information for a random stranger to have, but
_not_ for an attacker.

------
lcusack
On a related note - can anyone give me perspective on the quality of their VPN
service?

~~~
gfosco
I use PIA for my VPN and like it very much. Lots of different places to
connect to, runs fast enough to do torrents, no complaints here.

------
thechut
This is the same sort of exploit used in the "Phone hacking" scandal that News
of the World and other newspapers got in trouble for. Except in that case they
were hacking voicemail boxes not bank accounts. This is pretty serious and not
exactly a novel idea, very surprised that BoA hasn't encountered this problem
yet.

------
shaaaaawn
So the worst case scenario that this maybe non-repeatable process might result
in someone: 1) accessing more of your data and 2) maybe perform fraudulent
transactions that will be detected and/or reported; investigated; and
refunded. Uptown problems.

