On Sun, 27 Jul 2003, Stephen Sprunk wrote:
> That's not even the dumbest part. You can reset your password at most banks, insurance companies, stores, airlines, etc. by claiming you forgot it; they'll happily reset it to your mother's maiden name, SSN, or some other publicly-available datum.
NOTE: I've had over $42,000 stolen from bank accounts via the internet. Take that into account when you read this...
First of all, security of the physical and network bank web sites may very well be up to snuff. However, when you combine with the customer service side of things for the whole package, BANK SECURITY IS AN ABSOLUTE JOKE!
At one bank I was at, someone called up claiming to be me and set up my web account and wired themselves $9,500 three times over a two day period. They even called the bank back asking what was taking so long and why the money wasn't in their account yet. When I found out about this a month later (I had no reason to check the website since I didn't use it) the bank was able to reverse two of the transfers and ate the other one (no one ever said thieves were smart, they never moved most of the money out of the destination account). During the conversations with the bank I asked that the account be disabled and never enabled again and to have this request noted.
Well, about 8 months later someone called in claiming to be me and got the account reenabled. They had a bank check made out to themselves for about $13,500 and sent via postal mail. Fortunately they got caught cashing the check in AZ and are now in jail awaiting trial.
That however is not the end of things. I haven't had any more money stolen, but at another bank, which I have been at for well over 10 years thus predating any web site, they automatically set up web accounts with a default password (last four digits of your SSN). When I heard this I said to myself "oh %^&*!" I asked to have the web account disabled and was told this could not be done. So I immediately went back to my computer and changed the password. Fortunately no one has done anything with that account.
Basically, while the network security may be there, that is only part of the package and the rest of the package is not up to snuff.
The big "problem" in my eyes is that physical presence is no longer necessary so it is next to impossible to catch these thieves (unless they do stupid things like the ones who stole from me). A sophisticated criminal will probably be able to get away with millions of dollars in a very short period of time and be able to vanish without a trace. I'm not sure what needs to be done, but the security as now implemented is not even close to enough IMHO. Networkwise (to bring this back on topic) I'm not sure there is really much that can be done.
bye,
ken emery