Another week, another settlement between Chase and some arm of the government for laws that Chase has violated. The latest $83.3 million settlement is for “violating regulations that prohibit lending money for entities linked to countries engaged in illicit nuclear trade and that cover dealings with Cuba and Sudan.”
Oops, it is this easy:
According to Dworsky, the security loophole is in the 24-hour-a-day automated telephone account information systems used by some card issuers that allow cardholders to check the activity on their accounts. When a cardholder calls the customer service number on the back of the card from their home telephone, the bank verifies the caller ID of the call against their account records. If the phone number matches one on record, some banks shortcut further security checks and only ask for the last four digits of the account number rather than the whole number, and possibly also request the cardholder’s zip code.
And therein lies the flaw. The system can be easily tricked by a hacker who “spoofs” the caller ID of the telephone used to call the bank, making it appear to be from the consumer’s home phone. Now, only the last four digits of the account number are needed to gain access, which can be easily found on a discarded sales receipt from virtually any retail store.
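The weakness described above, as an added example (not code from Dworsky or from any bank): a constructed Python model of the caller-ID shortcut beside a flow in which caller ID never reduces what the caller must prove. The account data, the PIN factor and all function names are assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:                 # constructed sample record, not real data
    number: str
    zip_code: str
    phones: frozenset
    pin: str                   # assumed secret factor; not mentioned on the page

@dataclass(frozen=True)
class Call:
    caller_id: str             # presented by the network, chosen by the caller
    digits: str                # account digits keyed in by the caller
    zip_code: str = ""
    pin: str = ""

def legacy_verify(acct: Account, call: Call, ask_zip: bool = False) -> bool:
    """Flow from the text: a caller-ID match shortcuts to the last four digits."""
    if call.caller_id in acct.phones:
        ok = call.digits == acct.number[-4:]
        return ok and (not ask_zip or call.zip_code == acct.zip_code)
    return call.digits == acct.number

def hardened_verify(acct: Account, call: Call) -> bool:
    """Caller ID is ignored for authentication: full number plus PIN, always."""
    number_ok = hmac.compare_digest(call.digits, acct.number)
    pin_ok = hmac.compare_digest(call.pin, acct.pin)
    return number_ok and pin_ok

def caller_id_signal(acct: Account, call: Call) -> str:
    """Caller ID kept only as a logging/risk hint, never as a credential."""
    return "known-number" if call.caller_id in acct.phones else "unknown-number"

ACCT = Account("4000123412345678", "02134", frozenset({"+15555550100"}), "4821")
# Constructed calls: the cardholder, and a caller presenting the same caller ID
# who knows only the last four digits printed on a receipt.
CARDHOLDER = Call("+15555550100", ACCT.number, pin="4821")
RECEIPT_ONLY = Call("+15555550100", "5678")

def demo() -> dict:
    return {
        "legacy_receipt_only": legacy_verify(ACCT, RECEIPT_ONLY),
        "hardened_receipt_only": hardened_verify(ACCT, RECEIPT_ONLY),
        "hardened_cardholder": hardened_verify(ACCT, CARDHOLDER),
        "signal_receipt_only": caller_id_signal(ACCT, RECEIPT_ONLY),
    }

if __name__ == "__main__":
    print(demo())
```

Both calls produce the same `known-number` signal, which is why the hardened flow does not let that signal lower the verification bar.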
Not the largest of outages, but we had a Chase customer report that Chase.com (the entire site) was unavailable for 5-10 minutes around noon Eastern today (August 17th).
You would expect disenchanted hipsters to use YouTube to complain about the businesses they don’t like. But when 60+-year-old customers, not the typical users of social media, are posting Chase Sucks! videos to YouTube, Chase must really have taken a turn for the worse.