[comp.org.eff.talk] ANYONE CAN FIND MY CREDIT CARD BALANCE & LAST PMT

bill@camco.Celestial.COM (Bill Campbell) (04/04/91)

I was appalled today when I called about my Visa account and when
asked, entered my account number a voice nicely told me my current
balance and last payment information.  This was with the First
Omni Bank Credit Card Center.

There's nothing to keep anyone with the phone number and an
account number from getting this information.  How common is
this?  Is there no protection from this?

Bill Campbell
-- 
INTERNET:  bill@Celestial.COM   Bill Campbell; Celestial Software
UUCP:   ...!thebes!camco!bill   6641 East Mercer Way
             uunet!camco!bill   Mercer Island, WA 98040; (206) 947-5591

cs4304ak@evax.arl.utexas.edu (David Richardson) (04/05/91)

(followups to alt.privacy.  Change this if you need to).
(X-posted to soc.college due to content).

In article <959@camco.Celestial.COM> bill@camco.Celestial.COM (Bill Campbell) writes:
[Bill called First Omni Bank & gave them his credit card number, & they
gave him his balance.  [The implication was that they didn't ask for
other info to verify his identity - DWR]. ]
>There's nothing to keep anyone with the phone number and an
>account number from getting this information.  How common is
>this?  Is there no protection from this?

This brings up a very good point, for which I have a possible solution:
Businesses which give out private information over the phone should have
some way of identifying customers.  It should be something not likely
to be found with the primary identification (such as a credit card #).
This means that anything commonly carried in a wallet is out (such as
address, drivers license, etc.).  I propose using whatever the customer
wants to use, be it a PIN, a mother's maiden name, etc.

On a related topic, our school is in the discussion stage of phone-in
registration.  When asked if he would pay a small extra fee to register
over the phone, a student said "...but someone may abuse it by using
another person's ID number."  In this case, a PIN would probably be
best.

By the way, my credit card has a telephone-balance inquiry, & it
required your 5-digit zip code (not too hard to get if someone steals
your wallet).  A BBS I use requires your mother's maiden name if you
forget your password (I gave it my cat's name on the registration
sheet).

-- 
David Richardson   U. Texas at Arlington  +1 817 856 6637  PO Box 192053
Usually hailing from: b645zax@utarlg.uta.edu         Arlington, TX 76019
b645zax@utarlg.bitnet, SPAN: UTSPAN::UTADNX::UTARLG::B645ZAX   -2053 USA
The Lord is my shepherd, I shall not want.

mpd@anomaly.SBS.COM (Michael P. Deignan) (04/08/91)

bill@camco.Celestial.COM (Bill Campbell) writes:

>There's nothing to keep anyone with the phone number and an
>account number from getting this information.  How common is
>this?  Is there no protection from this?

Citibank, my Visa bank, has a similar phone number. All one must do is
enter an account number and their 5-digit zip code, and you get your
balance, available credit/cash-advance limit, minimum payment/due date.

The really annoying thing is that the number you call is right on the back
of the credit card. All someone has to do is lift your wallet and voila,
they have your card number, your zip code (from license), and instantly
they have your credit limit, along with how much they can milk your card
for.

MD
-- 
--  Michael P. Deignan                      / Since I *OWN* SBS.COM,
--  Domain: mpd@anomaly.sbs.com            /  These Opinions Generally
--    UUCP: ...!uunet!rayssd!anomaly!mpd  /   Represent The Opinions Of
-- Telebit: +1 401 455 0347              /    My Company...

bparr@well.sf.ca.us (Barry L. Parr) (04/08/91)

The AT&T Universal card offers an 800 number that will give you the 
balance on your Visa, using your Zip code as a PIN.  This is the
next best thing to no security at all.

Barry Parr/M&T Publishing/Redwood City, CA

barmar@think.com (Barry Margolin) (04/09/91)

In article <24095@well.sf.ca.us> bparr@well.sf.ca.us (Barry L. Parr) writes:
>The AT&T Universal card offers an 800 number that will give you the 
>balance on your Visa, using your Zip code as a PIN.  This is the
>next best thing to no security at all.

That seems crazy to me.  The Universal card already has a secret PIN
associated with it, to be used when using it as a calling card.  So why
do they use a different, and easily-determined, PIN for balance
information?
--
Barry Margolin, Thinking Machines Corp.

barmar@think.com
{uunet,harvard}!think!barmar

mjb@sequent.com (04/09/91)

In article <1991Apr9.020427.26222@Think.COM> barmar@think.com (Barry Margolin) writes:
"In article <24095@well.sf.ca.us> bparr@well.sf.ca.us (Barry L. Parr) writes:
">The AT&T Universal card offers an 800 number that will give you the 
">balance on your Visa, using your Zip code as a PIN.  This is the
">next best thing to no security at all.
"
"That seems crazy to me.  The Universal card already has a secret PIN
"associated with it, to be used when using it as a calling card.  So why
"do they use a different, and easily-determined, PIN for balance
"information?

Yeah, that's what I thought, too.  I sent them a paper letter suggesting
that they use the PIN instead of the zip code to authenticate the user.
No response.  Maybe I don't charge enough stuff to get customer service.
Maybe I should charge even *less* stuff in the future.  I like the concept,
though.

Matthew.
[mjb@sequent.com]

johne@hp-vcd.HP.COM (John Eaton) (04/10/91)

>
>"In article <24095@well.sf.ca.us> bparr@well.sf.ca.us (Barry L. Parr) writes:
>">The AT&T Universal card offers an 800 number that will give you the 
>">balance on your Visa, using your Zip code as a PIN.  This is the
>">next best thing to no security at all.
>"
>"That seems crazy to me.  The Universal card already has a secret PIN
>"associated with it, to be used when using it as a calling card.  So why
>"do they use a different, and easily-determined, PIN for balance
>"information?
>
>Yeah, that's what I thought, too.  I send them a paper letter suggesting
>that they use the PIN instead of the zip code to authenticate the user.
----------
You absolutely do not want them to use your card's PIN for phone ID. A thief
who steals your card only gets three guesses of your PIN once it is in the
machine. He gets as many as his autodialer can punch out via the phone. If
he can get your PIN from the 800 number then he can get all sorts of cash
from your card.

John Eaton
!hp-vcd!johne

barmar@think.com (Barry Margolin) (04/10/91)

In article <6750018@hp-vcd.HP.COM> johne@hp-vcd.HP.COM (John Eaton) writes:
>You absolutely do not want them to use your card's PIN for phone ID. A thief
>who steals your card only gets three guesses of your PIN once it is in the
>machine. He gets as many as his autodialer can punch out via the phone. If
>he can get your PIN from the 800 number then he can get all sorts of cash
>from your card.

I don't understand this response, as there's no "machine" involved.  I was
replying to a message about the AT&T Universal card, which can be used as
an AT&T Calling Card.  The PIN I referred to is the one that you enter over
the phone when charging long-distance phone calls.  I think you're
referring to the PIN used in an ATM.  Maybe the AT&T card uses the same PIN
for both, but that's a separate problem, and doesn't diminish the value of
using the PIN when requesting information in preference to using the ZIP
code.


--
Barry Margolin, Thinking Machines Corp.

barmar@think.com
{uunet,harvard}!think!barmar

mjb@sequent.com (04/10/91)

In article <6750018@hp-vcd.HP.COM> johne@hp-vcd.HP.COM (John Eaton) writes:
>You absolutely do not want them to use your card's PIN for phone ID. A thief
>who steals your card only gets three guesses of your PIN once it is in the
>machine. He gets as many as his autodialer can punch out via the phone. If
>he can get your PIN from the 800 number then he can get all sorts of cash
>from your card.

Indeed, it turns out that the Universal Card has the same PIN for the
calling card number and the MasterCard number (arguably a Bad Idea).
Well, I learn something new and terrifying every day.  However, the
by-phone-account-balance system lets you change your PIN over the
phone, so a thief who steals my card gets all the free guesses at my
PIN that he wants, anyway.  Fun *and* profit!  Feh.

Matthew.

johne@hp-vcd.HP.COM (John Eaton) (04/11/91)

<<<
< Maybe the AT&T card uses the same PIN
< for both, but that's a separate problem, and doesn't diminish the value of
< using the PIN when requesting information in preference to using the ZIP
< code.
----------
I am assuming that the same PIN is used for calling card as well as cash
advances from ATMs. If someone finds your card and tries to get a cash
advance then he only has three guesses before the ATM eats it. If he can
have his computer call in and brute force the PIN via phone then he will
probably be able to get cash off of your card.

John Eaton
!hp-vcd!johne

janson@athena.mit.edu (James A Anderson) (04/11/91)

In <1991Apr10.161630.3499@sequent.com> mjb@sequent.com writes
" In article <6750018@hp-vcd.HP.COM> johne@hp-vcd.HP.COM (John Eaton) writes:
  >You absolutely do not want them to use your card's PIN for phone ID. A thief
  >who steals your card only gets three guesses of your PIN once it is in the
  >machine. He gets as many as his autodialer can punch out via the phone. If
  >he can get your PIN from the 800 number then he can get all sorts of cash
  >from your card.

  Indeed, it turns out that the Universal Card has the same PIN for the
  calling card number and the MasterCard number (arguably a Bad Idea).
  Well, I learn something new and terrifying every day.  However, the
  by-phone-account-balance system lets you change your PIN over the
  phone, so a thief who steals my card gets all the free guesses at my
  PIN that he wants, anyway.  Fun *and* profit!  Feh."

one should distinguish between the risk of using the PIN and the risk offered
by a system's failure to respond to suspicious behavior.

my bank, for example, offers access to account information over the phone.
the PIN is used to restrict access.
in order to reduce the exposure to unauthorized access, erroneous PINs are
handled as if they had been entered at an ATM: once three errors
have been made, no access is permitted.
that restriction remains in effect for 24 hours (both by phone and at an ATM)
if this occurs repeatedly, the account is brought to the attention
of bank personnel. (i've observed the first response only.)
while this is not perfect, i believe it reduces the risk to the same level
as allowing ATM access.

a small distinction, but important none the less.
yours,
james.

barmar@think.com (Barry Margolin) (04/12/91)

In article <6750020@hp-vcd.HP.COM> johne@hp-vcd.HP.COM (John Eaton) writes:
>I am assuming that the same PIN is used for calling card as well as cash
>advances from ATMs. If someone finds your card and tries to get a cash
>advance then he only has three guesses before the ATM eats it. If he can
>have his computer call in and brute force the PIN via phone then he will
>probably be able to get cash off of your card.

Well, he can, even though the balance inquiry service doesn't use the same
PIN.  All he has to do is program his computer to try to make long distance
phone calls with my card number.  When he gets "Thank you for using AT&T"
he knows he has cracked it.

Hopefully AT&T keeps track of the number of wrong calling-card PINs given,
and disables the card after too many.
--
Barry Margolin, Thinking Machines Corp.

barmar@think.com
{uunet,harvard}!think!barmar

jfw@neuro (John F. Whitehead) (04/13/91)

In article <1991Apr11.184329.11411@Think.COM> barmar@think.com (Barry Margolin) writes:

>All he has to do is program his computer to try to make long distance
>phone calls with my card number.  When he gets "Thank you for using AT&T"
>he knows he has cracked it.
>
>Hopefully AT&T keeps track of the number of wrong calling-card PINs given,
>and disables the card after too many.

You are only given 3 tries to get your calling card number right on an AT&T
phone call and then you are disconnected.  Assuming that you know that a
certain phone number has a calling card number associated with it, you could
get a computer to crack it with an average of 1,667 calls,
or a maximum of 3,334 phone calls.  This could be done but would obviously
be time consuming.

But you wouldn't get away with it -- AT&T checks for such strange calling
behavior.  About two years ago, I wanted to order concert tickets long 
distance from work, so I charged it to my calling card.  I dialed, entered
my card number, and the line was busy.  I repeated this many times over the
next two hours trying to get through the busy line.

Less than two hours after I gave up my quest for tickets, I got a phone
call from AT&T.  They said, "Are you aware that your calling card was
being used excessively this morning?  We have noticed that 150 calls were 
placed over a two hour period using your credit card number and are 
contacting you at the daytime phone number we have in your records.  Do
you know about this?"

I explained what I did and thanked them very much for being so observant.
And this was with me using my *correct* calling card number!  So if you
get a computer to redial to figure out your calling card PIN, it will
certainly be noticed if it takes more than a few attempts.

    John Whitehead                     Internet:  jfw@neuro.duke.edu
    Department of Neurobiology                    jfw@well.sf.ca.us
    Duke University Medical Center     Bitnet:    white002@dukemc           
    Durham, North Carolina             

res@colnet.uucp (Rob Stampfli) (04/15/91)

In article <1991Apr10.210855.6250@athena.mit.edu> janson@athena.mit.edu (James A Anderson) writes:
>in order to reduce the exposure to unauthorized access, erroneous PINs [given
>over the phone] are handled as if they had been entered at an ATM: once three
>errors have been made, no access is permitted.
>that restriction remains in effect for 24 hours (both by phone and at an ATM)

This causes a new potential for abuse, though.  Suppose I dislike you for some
reason.  With the mere knowledge of your credit card number (which I could get
if you ever use your card in my store) I can effectively prevent you from
using it at any ATM for an extended period by simply making a few phone calls
per day.  And, there is very little chance I would ever be caught, if I took
some relatively simple precautions.
-- 
Rob Stampfli, 614-864-9377, res@kd8wk.uucp (osu-cis!kd8wk!res), kd8wk@n8jyv.oh
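James Anderson's lockout scheme above, and the lockout abuse Rob Stampfli draws from it, as an added Python example (not code from either poster or from any bank): a per-account PIN check in which the failure counter and the 24-hour lock are shared by the phone and ATM channels, and a repeat lockout flags the account for staff review. The PIN, the timestamps and the two-lockout review threshold are constructed assumptions; the real threshold is not stated in the thread.

```python
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

MAX_FAILURES = 3             # three bad PINs, as at an ATM
LOCKOUT = timedelta(hours=24)
REVIEW_AFTER = 2             # assumed threshold: second lockout goes to bank staff

@dataclass
class Account:
    pin: str                                  # constructed; a real system stores a hash
    failures: int = 0                         # consecutive bad PINs, phone and ATM combined
    locked_until: Optional[datetime] = None
    lockouts: int = 0
    flagged: bool = False                     # brought to the attention of bank personnel
    history: List[Tuple[str, str]] = field(default_factory=list)

def verify_pin(acct: Account, attempt: str, channel: str, now: datetime) -> str:
    """One PIN entry from 'phone' or 'atm'; returns 'ok', 'wrong' or 'locked'.
    Counter and lock belong to the account, not the channel (the thread's point)."""
    result = "wrong"
    if acct.locked_until is not None and now < acct.locked_until:
        result = "locked"                     # even the right PIN is refused
    else:
        if acct.locked_until is not None:     # lock has expired: fresh count
            acct.locked_until, acct.failures = None, 0
        if hmac.compare_digest(attempt.encode(), acct.pin.encode()):
            acct.failures, result = 0, "ok"
        else:
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:
                acct.failures, result = 0, "locked"
                acct.lockouts += 1
                acct.locked_until = now + LOCKOUT
                acct.flagged = acct.lockouts >= REVIEW_AFTER
    acct.history.append((channel, result))    # channel is kept for audit only
    return result

def demo() -> dict:
    """Constructed scenario: three bad phone guesses lock the owner out of the ATM."""
    acct = Account(pin="4321")
    t0 = datetime(1991, 4, 15, 9, 0)
    steps = [("phone", "0000", 0), ("phone", "0001", 1), ("phone", "0002", 2),
             ("atm", "4321", 60),              # the owner, one hour later: still locked
             ("atm", "4321", 25 * 60),         # after 24 h the lock has expired
             ("phone", "0003", 26 * 60), ("phone", "0004", 26 * 60 + 1),
             ("phone", "0005", 26 * 60 + 2)]   # second lockout: flag for review
    results = [verify_pin(acct, pin, ch, t0 + timedelta(minutes=m)) for ch, pin, m in steps]
    return {"results": results, "lockouts": acct.lockouts, "flagged": acct.flagged}
```

Running demo() shows the owner's correct ATM PIN refused an hour after three bad phone guesses, which is the abuse the last post describes; the flagged account is the hook for the staff review James mentions.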