+++ Bank of Montreal - MasterCard Security Issues +++

written by: warVamp
03/16/2000

Identity: Bank of Montreal
Product:  MasterCard
Service:  Automated Telephone Account Holder Services
Issue:    Security (or lack of), Compromised Data Privacy

+++ Introduction +++

With security issues an ever-present concern on the Internet, companies are taking precautions to ensure their data, as well as yours, is protected. So in this high-tech, convenience-oriented world you would expect your most treasured item could be kept safe. And it intrigues me to see that such a low-tech flaw in an automated system can so easily be exploited.

Money. It makes the world go round. The banks are aware of this and you know this, so they keep it safe with nearly impenetrable security. And I do emphasize "Nearly".

To take a trip down credit card lane you need only look to one of the most common pieces of 19th century technology. The telephone. Thank you, Mr. Alexander Graham Bell.

+++ Details +++

MasterCard Automated Customer Service
Dial: 1-800-263-2263

... ring, ring ...

"Thank you for calling MasterCard, our office is currently closed for general inquiries, however, at this time we are pleased to offer several self-serve options, if you require agent assistance, please call back during regular business hours."

... repeats in French

"For service in English, press [1]"

... repeats in French

"Please enter your 16 Digit MasterCard number or your 11 Digit Line of Credit Number, followed by the [#]."

... Entered Credit Card Number ...

"We have recently mailed MasterCards to you, if you have received these cards, press [1] now to activate them, otherwise press [2] to go to the Main Menu."

... Pressed [2] ...

For Current balance and Payment Information, press [1]
For a list of your recent transactions, press [2]
To request a copy of a recent statement, press [3]
If you are reporting a Lost or Stolen Card, press [4]

"For all other requests, please call back during regular business hours."

"To return the Main Menu at any time, press the [*]."

+++ Notes +++

This call was placed during the evening. No annoying Customer Service Representatives to bother you.

Whoa ... What's this you say, where's the security? Good question.

No P.I.N. Number Required.
No Verification or Identification Required.

WOW! Now that's convenient! But for whom? hmmmm ...

+++ Conclusion +++

People who want your personal information, with enough persistence, will probably get it. Banks and Credit Card companies have an obligation to keep your finances and personal information safe. This should be considered an obvious disgrace on their part for considering this service secure.

+++ Credits +++

I wish to personally thank 'The Clone' for his support and guidance in writing this document.

+++ written by +++

warVamp

+++ contact +++

warvamp @ hotmail.com

//bp2k//