I social engineer my own banks

Posted April 9, 2018

For miscellaneous reasons, I have several different checking accounts at different banks. The most wild reason for opening a new account was that one day, while on a trip, I acquired $200+ in coins. I had no nearby bank account with a physical presence – just a very small credit union. I was too cheap to use a Coinstar machine*, so instead, I went to various credit unions that were supposed to be partners with mine. I hauled in an extremely heavy duffle bag packed with rolled coins and hefted it on the counter. “Can I deposit these?” At four different credit union branches, the answer was often “we refuse, because you don’t have an account with us.” One said “we would, except we don’t have a coin-counting machine.”

So I called the next one in advance. I asked “can I deposit coins into my partner credit union through your branch?” They said “Certainly! Bring them on in.” Finally. This one was in the middle of a mall – it was a long walk. So I arrived, panting, heaved and hefted in my giant duffle bag and dropped it on the counter. Employee’s jaw drops. “I… was imagining like $20. I’ll be right back.” Had the whole family with me. 10 minutes later, she comes back out, and says in a low voice, “We can only accept the deposit if you open an account with us.”

Fine, whatever, I just want to be done with this. I open an account, deposit the money. They gave us free hats and tote bags for being new customers. I entered the new account into YNAB. Logged in and checked it every once in a while.

Yesterday, I realized that they had started to charge us account inactivity fees. I ask nicely if they can reverse the fees, and they do. I then decide to close the account, just to streamline things.

This is the troubling part.

I call in. Phone call goes like this.

Me: “I would like to close my account.”

Agent: “What’s your account number?” I read it to her. “What’s your name?” I tell her. “Nope, that’s not your account.” We double-check the account number, she tries it again.

Agent: “Are you David Eargle?” … yes, but it would have been better if I had told you my name, if that’s being used as part of identity verification.

Agent: “What’s your birthday?” I rattle it off quickly. She says, “Did you say [my actual birthday]?” “Yes.” “Okay, good.” Well, if I actually wasn’t me, and didn’t know my birthday, it wouldn’t have mattered! Could have just mumbled something close-ish and said “yes” to whatever she corrected me on.

Agent: “What’s your secret passphrase?” I say, “Just a moment, I need to look at my notes.” I don’t have a verbal passphrase recorded – just three secret questions and a password reset question, all of which are 20+ random characters. I ask, “I have secret phrases answering the following questions. Which one of those do you want?” She’s not certain. She suggests, “Well, what’s the last four of your social?” I tell her.

Again, she says, “Did you say [my actual last four of the SSN]?” Palm to forehead, yes, that’s what I said. Another thing I didn’t need to be accurate on.

Agent: “Okay, I’ll close the account, but there’s still funds in it. We’ll mail out a check.”

Me: “What address will the funds be sent to?”

Agent: “You can just fax us the address you want, with a picture of your ID.”

Done.

I couldn’t be happier to be rid of that bank. Opsec level is -9000. If I had the name of another member and their account number, I could buy a few extra pieces of identifying information, forge an ID for him, call in today, close the account, and have all funds mailed to a destination of my choosing. Would the funds eventually be refunded? Eventually, but not without a long headache for the customer.

Not the first bank of mine to fail on the verbal-password auth challenge, either. Many improperly trained agents can be easily persuaded to accept answers to knowledge-based questions instead, despite a verbal password requirement being on file. In that post, Krebs says that he tests the opsec of customer service agents at institutions that hold his assets. He eventually found one that consistently followed the protocol, although he left it unnamed. Maybe one day I’ll find them, too.
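The failures in the call above (the agent supplying the name, correcting the birthday and SSN digits, and falling back to knowledge questions when the verbal password wasn’t produced) are all things the agent’s verification script should refuse to do. Below is an added example, not code from this post or from any bank, of a caller-verification policy that enforces those rules: the caller supplies every value, stored values are only ever compared (hashed, constant-time) and never echoed back, a verbal password on file cannot be downgraded to knowledge-based answers, near-miss answers fail, and repeated failures lock the record. The account layout, field names, lockout threshold and sample data are hypothetical.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

MAX_FAILURES = 3  # hypothetical lockout threshold


def _fingerprint(value: str) -> bytes:
    """Normalise and hash a secret so the agent's tooling never holds the plaintext."""
    return hashlib.sha256(value.strip().casefold().encode("utf-8")).digest()


def _matches(stored: bytes, offered: str) -> bool:
    """Exact, constant-time comparison: a 'close-ish' answer is a mismatch, not a prompt to correct."""
    return hmac.compare_digest(stored, _fingerprint(offered))


@dataclass
class Account:
    number: str
    name_fp: bytes
    verbal_password_fp: Optional[bytes]            # None means no verbal password on file
    kba_fp: Dict[str, bytes] = field(default_factory=dict)  # hashed knowledge-based answers
    failures: int = 0
    locked: bool = False


def new_account(number: str, name: str, verbal_password: Optional[str] = None,
                kba: Optional[Dict[str, str]] = None) -> Account:
    """Build a record holding only fingerprints of the identifying values (hypothetical schema)."""
    return Account(
        number=number,
        name_fp=_fingerprint(name),
        verbal_password_fp=_fingerprint(verbal_password) if verbal_password else None,
        kba_fp={q: _fingerprint(a) for q, a in (kba or {}).items()},
    )


def verify_caller(acct: Account, name: str, verbal_password: Optional[str] = None,
                  kba: Optional[Dict[str, str]] = None) -> Tuple[bool, str]:
    """Return (verified, reason). The reason never reveals a stored value, so the agent
    has nothing to read back to the caller ("did you say X?")."""
    if acct.locked:
        return False, "locked"

    def fail(reason: str) -> Tuple[bool, str]:
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked = True
        return False, reason

    # 1. The caller states the name on the account; the agent never offers it first.
    if not _matches(acct.name_fp, name):
        return fail("name mismatch")

    # 2. A verbal password on file is mandatory. Knowledge questions are not an
    #    acceptable substitute, however persuasive the caller is.
    if acct.verbal_password_fp is not None:
        if verbal_password is None:
            return fail("verbal password required")
        if not _matches(acct.verbal_password_fp, verbal_password):
            return fail("verbal password mismatch")
        acct.failures = 0
        return True, "verified by verbal password"

    # 3. Only accounts with no verbal password fall back to knowledge questions,
    #    and then every question on file must be answered, exactly.
    kba = kba or {}
    if set(kba) != set(acct.kba_fp):
        return fail("all knowledge questions must be answered")
    if not all(_matches(acct.kba_fp[q], kba[q]) for q in acct.kba_fp):
        return fail("knowledge answer mismatch")
    acct.failures = 0
    return True, "verified by knowledge questions"


if __name__ == "__main__":
    # Constructed sample data; "Jane Example" is not a real customer.
    acct = new_account("000123", "Jane Example", verbal_password="correct horse battery staple",
                       kba={"dob": "1985-01-01", "ssn4": "1234"})
    # An attacker holding name, account number and bought KBA data, trying the downgrade:
    print(verify_caller(acct, "Jane Example", kba={"dob": "1985-01-01", "ssn4": "1234"}))
    # The legitimate caller with the verbal password:
    print(verify_caller(acct, "Jane Example", verbal_password="correct horse battery staple"))
```

The point of the hashed comparison is not cryptographic strength (a four-digit SSN suffix is trivially brute-forced offline) but that the agent’s screen holds nothing to leak or to "confirm" for the caller; the only signal that crosses the phone line is pass or fail.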

*Although I’m reading online that I could have exchanged the coins at a Coinstar for a gift-card, sans fees. Sigh.

Tags: security

Dave Eargle is a Senior Consultant in Cybersecurity Assessment at Carve Systems. More about the author →
