gast@cs.ucla.edu (David Gast) (02/09/91)
If you call 1-800-544-7544, you can get complete information about the fund holdings in Fidelity Funds of anyone whose social security number you know. The WSJ points out that the Chairman of Fidelity has a publicly available SSN (from the SEC) and that it begins with 029-24. Peter Lynch's SSN begins with 018-34 and his SSN is also part of the public record. The story did not mention the complete SSNs.

Another 800 number allows one to get complete information on options and stocks held via Fidelity Brokerage.

Now it seems to me that with the TELECOM Digest Moderator's expertise at gaining publicly available information or the TELECOM Digest's readers' amazing expertise at anything telephonic, we should be able to get and publish that information immediately.

I personally feel that this information should not be available in this manner, but perhaps the only way to get others to help safeguard my privacy is to show how easily their privacy can be invaded.

In the case of Mr. Johnson it might be interesting to know how much he has invested at Fidelity and how much in other investments.

David Gast
gast@cs.ucla.edu
{uunet,ucbvax,rutgers}!{ucla-cs,cs.ucla.edu}!gast

[Moderator's Note: Even if someone sent me his SSN I would not publish it here. This forum is not intended as a place to discuss the personal financial data of individuals. PAT]
Barton.Bruce@camb.com (Barton F. Bruce) (02/11/91)
In article <74338@bu.edu.bu.edu>, gast@cs.ucla.edu (David Gast) writes:
> If you call 1-800-544-7544, you can get complete information about the
> fund holdings in Fidelity Funds of anyone whose social security number
> you know.

Another silly case of someone's stupidity in implementing something that gives telephone based applications a black eye.

Here in Boston, the now in trouble Bank of New England has a horribly stupid scheme. Your checking and savings account funds can be remotely transferred back and forth, and the current balances read by almost anyone.

99%+ of Mass drivers have their SSN as their driver's license #, and virtually every merchant accepting a check over the counter writes your driver's license on the back.

The last four digits of your SSN are your PIN, and so a typical merchant can easily dial that bank's computer, enter your account number and PIN (both on your check at this point), and, noting that you are a tad short on checking account funds, simply move some from your savings to your checking.

The bank has NO way to let you specify an alternate PIN. All accounts get phone access by default. The only suggestion they had when I pointed out the stupidity of this was to suggest that they could disable the service for customers so requesting!

[Moderator's Note: First National Bank of Chicago has such a 'bank by phone' system here, but you pick your own PIN and are encouraged to change it frequently. FNB / Chicago may be going down the tubes soon along with Continental Bank (for the second time!) but at least they are security conscious. PAT]
john@zygot.ati.com (John Higdon) (02/13/91)
"Barton F. Bruce" <Barton.Bruce@camb.com> writes:
> The bank has NO way to let you specify an alternate PIN. All accounts
> get phone access by default. The only suggestion they had when I
> pointed out the stupidity of this was to suggest that they could
> disable the service for customers so requesting!

Bank of America has a wonderful system that is similar but more blatant. When you call the machine to deal with your account you are asked to give "the last four digits of your Social Security Number". If you happen to be a business, the last four digits of your "SSN" (your Federal employer number) appear on all of your employees' check stubs and W2 forms. Your account number appears at the bottom of the check.

How many people do you suppose check out of idle curiosity, if nothing else, the balance in their employer's account? Oh, yes, this is how it is set up; there is no special arrangement for business. It works like a charm.

John Higdon         |   P. O. Box 7648   |   +1 408 723 1395
john@zygot.ati.com  | San Jose, CA 95150 |       M o o !
Ed_Greenberg@3mail.3com.com (02/13/91)
A similar story ... if you know the checking account number and last four digits of the social security number, you can access checking account balances for any personal Bank of America account. One calls the local number for customer service. I checked with the bank, and they have no method for substituting a random or chosen pin for the SS#, nor for blocking the use of the service.
rv01%harvey@gte.com (Robert Virzi) (02/13/91)
David Gast writes:
> If you call 1-800-544-7544, you can get complete information about the
> fund holdings in Fidelity Funds of anyone whose social security number
> you know. The WSJ points out that the Chairman of Fidelity has a
> publicly available SSN (from the SEC) and that it begins with
> 029-24. Peter Lynch's SSN begins with 018-34 and his SSN is also part
> of the public record. The story did not mention the complete SSNs.

I tried this and it is not exactly true. In addition to someone's social security number, you also need to know their account number. I don't know how Fidelity assigns account numbers, but I would imagine that this scheme offers significantly more protection than the four-digit PINs used by banks.

Is this a change in the security of the system, or just poor reporting on the part of the WSJ?

Bob Virzi
rv01@gte.com
...!harvard!bunny!rv01
carols@drilex.dri.mgh.com (Carol Springs) (02/15/91)
In Volume 11, Issue 102, David Gast writes:
>If you call 1-800-544-7544, you can get complete information about the
>fund holdings in Fidelity Funds of anyone whose social security number
>you know.

As of February 5, this was not true. According to newspaper reports, people who called the number on that date got a human person who asked for their Fidelity account number in addition to their SSN.

What's going on? Well, in response to reports such as the one in the {Wall Street Journal} (and subsequent irate calls from customers), Fidelity is in the process of changing its system. First it blocked access to Fidelity executives' accounts. Soon after, it disabled the touchtone system and put a human in the loop, as described above. Tracey Gordon at Fidelity says that a new automated system is being implemented wherein both Fidelity account number and SSN have to be entered. And within a few weeks, a PIN access system is supposed to be in place.

Before the initial reports appeared, Fidelity was claiming that the SSN system was introduced because its market research showed that customers overwhelmingly preferred this method to entering their Fidelity account numbers. Complete account info blocking was available to individual customers, but was not the default.

Carol Springs
carols@drilex.dri.mgh.com
gast@cs.ucla.edu (David Gast) (02/16/91)
> A similar story ... if you know the checking account number and last
> four digits of the social security number, you can access checking
> account balances for any personal Bank of America account. One calls
> the local number for customer service. I checked with the bank, and
> they have no method for substituting a random or chosen pin for the
> SS#, nor for blocking the use of the service.

Actually, you do not need the SSN. All you need is the account number. With only the account number, it will not tell you the balance, but it will tell you if there is at least $N in the account (that is, will this check bounce?). A simple application of binary search will yield the account balance although you might stop after being within plus or minus some epsilon. I presume that you don't really care if the person has $503.12 or $508.31.

Further, the telephone number is the main customer service number and the VM prompts lead to the correct choices. If you are in a branch, you can pick up the phone and go from there. I think the first VM choice is #2.

David
carroll@ssc-vax.uucp (Jeff Carroll) (02/16/91)
In article <74661@bu.edu.bu.edu> rv01%harvey@gte.com (Robert Virzi) writes:
>David Gast writes:
>> If you call 1-800-544-7544, you can get complete information about the
>> fund holdings in Fidelity Funds of anyone whose social security number
...
> I tried this and it is not exactly true. In addition to someone's
> social security number, you also need to know their account number. I
> don't know how Fidelity assigns account numbers, but I would imagine
> that this scheme offers significantly more protection than the
> four-digit PINs used by banks.

I doubt it. In order to get a person's four digit PIN, one must do one of three things: a) crack the bank's computer, b) steal the person's bank card, read the strip, and crack whatever (if any) encryption is used, or c) steal the piece of mail which notifies the subscriber of his PIN, which is only possible in systems which preassign PINs.

Otherwise the cracker is facing the expectation of making 5000 inquiries to the bank with the wrong PIN (assuming an unenlightened search strategy).

There are many more possible ways to get the whole nine-digit SSN of any person one is likely to be interested in; though in principle the SSN is supposed to be confidential, most people succumb at one time or another to pressure to disclose it, to their employers (who can be pretty free with tossing it around, within their rights) if to no one else.

> Is this a change in the security of the system, or just poor reporting
> on the part of the WSJ?

Might just be an operator who only knows how to search the database by the account number key.

Jeff Carroll
carroll@ssc-vax.boeing.com
linc@tongue1.berkeley.edu (Linc Madison) (02/19/91)
[Several people have written about having access to financial information with only an account number and a part of a Social Security Number, or other similarly flimsy identity-checking.]

My bank requires only the account number and part of the SSN. My brokerage account (not at Fidelity) requires only the account number. No PIN whatsoever. The only consolation in these two cases is that I can only retrieve information, not make any transactions.

Linc Madison = linc@tongue1.berkeley.edu

[Moderator's Note: One of the factors people should review when selecting a financial institution is how well does the bank keep private information secure from prying eyes/ears. That should be as important a part of the final decision as the amount of interest paid, the fees charged, etc. PAT]
yazz@prodnet.la.locus.com (Bob Yazz) (02/22/91)
To get personal financial information about me, without my knowledge:

My bank requires only your account number OR your ATM number. They said when I asked that fewer people would use the service if a PIN was required and there was no way to be removed from the system!

My cable company requires only my phone number (I've changed that code to something that starts with 0 so they won't bother any innocents with telemarketing drivel).

I think the whole state of privacy is appalling. They don't even tell you when they put these things in.

Bob Yazz -- yazz@lccsd.sd.locus.com
Carl Wright <wright@ais.org> (05/20/91)
David Gast referred to how you can use the account number of a person to determine the approximate balance by making repeated requests on whether the balance exceeds a certain dollar amount.

The only innovation involved here is that you don't deal with a human operator. The ability to call a bank and ask if a specific account has enough money to cover an imaginary check is a standard bank service in all the U.S. I've done it myself on my less trustworthy customers.

Carl Wright               | Lynn-Arthur Associates, Inc.
Internet: wright@ais.org  | 2350 Green Rd., #160
Voice: 1 313 995 5590 EST | Ann Arbor, MI 48105
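
An added illustration, not part of any post in this thread: a simulation of the "is there at least $N in the account?" inquiry that David Gast and Carl Wright describe, showing how few yes/no answers narrow a balance to within $5 and how a per-account inquiry limit bounds what is disclosed. The class, function, account label, ceiling and limit are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class CoverageLine:
    """Simulated 'will this check clear?' line, keyed only by account number."""
    balances: dict                      # account -> balance in cents (constructed)
    daily_limit: Optional[int] = None   # None models the unlimited automated line
    asked: dict = field(default_factory=dict)

    def covers(self, account, cents):
        # The caller is never identified, so the only thing a limit can be
        # keyed on is the account being asked about.
        n = self.asked.get(account, 0) + 1
        self.asked[account] = n
        if self.daily_limit is not None and n > self.daily_limit:
            raise PermissionError("inquiry limit reached; refer to a human")
        return self.balances[account] >= cents

def leaked_interval(line, account, ceiling, epsilon):
    """Return (lo, hi, queries): the range the yes/no answers pin the balance to.

    Invariant: lo <= balance < hi, assuming the balance is below `ceiling`.
    Stops when the range is no wider than `epsilon` or the line refuses.
    """
    lo, hi, queries = 0, ceiling, 0
    while hi - lo > epsilon:
        mid = (lo + hi) // 2
        try:
            enough = line.covers(account, mid)
        except PermissionError:
            break                       # the limit caps the disclosure here
        queries += 1
        if enough:
            lo = mid
        else:
            hi = mid
    return lo, hi, queries

if __name__ == "__main__":
    book = {"ACCT-EXAMPLE": 50312}      # $503.12, the figure used in the post
    for limit in (None, 3):
        line = CoverageLine(dict(book), daily_limit=limit)
        lo, hi, q = leaked_interval(line, "ACCT-EXAMPLE", 1_000_000, 500)
        print(f"limit={limit}: {q} inquiries -> ${lo/100:.2f} .. ${hi/100:.2f}")
```

Each answered inquiry halves the uncertainty, so the amount disclosed is set by how many inquiries per account the service will answer, not by whether a human or a machine answers them.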