The Easiest Way to Break Into a Bank

by Anne

Two years ago I opened a bank account with TD Bank in New York.

As a person moving here from Germany, I was surprised at how easy it was to do so and how little information I had to give the bank in order to use their services.

A few months ago, I traveled back to Europe and wanted to sign up for online banking.

I went into the bank and asked how I could sign up for an online banking account and was instantly prompted with the question of whether I had an account with the bank.  I affirmed that I did.  The friendly person said that everybody with a bank account at TD Bank automatically has access to an online banking account.  So I asked if they could show me how to access my account.  We went to the website of the bank together and she asked me for my login information.  I said that I didn't know my login information, neither which of my email addresses I had given them nor the password.

She called a help line and they looked up my account information that I gave to them.  It was an old email address that by that time was deleted.

And now, here is the crazy part: they said that my password was: 123abc

I changed it immediately and could not believe that this was intentional on my part.

I checked my email account and saw that I had received an email from TD Bank two years ago saying "Thank you for your application to use TD Bank Online Banking.  We are pleased to inform you that your application has been completed.  Your username will be the email address you supplied during the enrollment process.  Your initial Password will be the last 6 digits of your check card number."

This email alone makes it possible for anybody who can match your email address and bank card to access your online bank account.  I told the story to a friend of mine who had just moved here from Berlin and she confirmed that when she opened a bank account with TD Bank, they gave her the password 123abc as her "initial" password that she needed to change.

Taking me as an example, a digitally literate person who grew up with the Internet, etc., I thought to myself that there must be thousands of people in this country who do not know that they signed up for online banking and therefore thousands of online banking accounts have an open password.

And even if they knew and never used the online banking account, their password would still be 123abc.  I was amused that for a possible hack, you don't need to find the password.  You just need to find the matching email address!

TD Bank gave two ways to hack into online bank accounts.

One way is the life hack, matching the email address and the card number by a person (in some cases, for example in a domestic situation, it doesn't take much to do so).

They also made it possible to run a script with, let's say the most popular first and last names with the most popular email account server, let's say gmail.com, and run it with 123abc as a password.

I have not tried this and so I cannot speak from experience here and no data is available to me, but the possibility of entering an account with this combination even manually seems pretty high.  This situation really seems like an open window type of scenario and it lets the mind wander.
