TD Bank VISA account privacy issue
By: The Clone
Date: Thursday February 10, 2000

---------
Contents:
---------

1. Introduction
2. Severity
3. Details
4. Solutions
5. Conclusion
6. Contact
7. Credits

Introduction:

Over the year of auditing various automated systems for security, I've determined that more than 90% of these systems aren't secure and that more than half of them could be exploited in some way in less than an hour. This just doesn't sit well with the companies affected... not to mention the customers, shareholders, and employees involved. This time I'm taking a look at Toronto Dominion Bank's VISA automated voice-account database. The methods used to secure YOUR personal information are so weak that one could easily compromise account data in a number of minutes.

Severity:

# Personal account information such as last VISA payment, last VISA transaction, and other particularly important personal data is at risk of being accessed by unauthorized third parties.
# Toronto Dominion Bank customer information is also at risk of being exposed, exploited, and stolen.

Details:

We'll assume at this time that the "evil doer", who we'll call 'Sonny Bono', has your TD-VISA account number. Perhaps you threw away your statement and Sonny found it in the trash. Or perhaps Sonny stole your TD-VISA card, but he knows that if he uses it at an ATM the little camera will take his picture. So Sonny calls up 1-800-9TD-VISA, because he knows he can do other things with your card that would destroy any trust you have in TD Bank if only you knew better.

Immediately he hears an automated voice saying "Welcome to TD-VISA", followed by "If you are calling from a touch-tone phone please press [1]". By pressing [1], he gets the following options:

+ Account Balance, Statement Information, or most Recent Posted Transactions - press [1].
+ Credit Application Status, Credit Line Increases - press [2].
+ Reporting a Lost or Stolen Card - press [3].
+ Past Due Accounts - press [4].
+ Customer Service Representative - press [0].

After hearing the options, Sonny laughs at option three because he's a bad boy with no conscience at all (tsk tsk). What does he want now? He wants your account balance, your statement information, your most recent posted transactions, and possibly your credit application status. Why? Think about all the naughty things criminals do and then be creative with those thoughts. There you go.

Sonny presses one and is brought to another menu. The automated voice tells him: "Please enter your card number and press the number sign (#) when finished." Having done that, he is then asked for his PIN. This is where I shake my head in anger and disbelief at the idiocy of TD Bank and their customer PIN assignments. By default, TD Bank assigns its customers PINs based on their postal codes. For example: the victim lives at 223 Jameson Road in Stinkytown, Alberta, Canada, and their postal code is R3R-1B5. We'll assume that Sonny also has an account with TD Bank, so he knows that entering the three digits of his own postal code gets him into his own account statements. So Sonny enters the victim's PIN, which just happens to be the three digits of R3R-1B5: "315"... tada! Piece of cake.

He now has access to your account information. He can see every transaction you make, your account balance, etc. If he decides he wants to talk to a customer service representative he could do a lot more. By using his social engineering skills, he might quite possibly trick the TD Bank employees into giving out the credit card number that belongs to the account. Banks have an enormous amount of information on you, and you have the right to know what they hold in their databases. If the bank employee trusts Sonny, he or she WILL tell him anything he wants to know.
Creative and skilled social engineers can get virtually anything they want by being polite, relaxed, and not acting suspicious.

Solutions:

The following solutions are quite obvious, but they will help to stop this huge invasion of privacy...

Here is what you can do:

+ Call up TD Bank and change your PIN to a less obvious series of numbers.
+ Change your PIN on a regular basis.

Here is what TD Bank can do:

+ When setting up a customer's account, have them choose a PIN.
+ Do not have default PINs on your systems... EVER.
+ Get rid of automated systems altogether [this will likely not happen].

Conclusion:

Please be aware that the people who want to access your account information will do so at all costs. This advisory was written to show that there isn't anything that is secure. A bank and a credit card company would be the first you'd expect to tighten up on security. So they do - only to a certain degree. Please keep in mind that banks compromise a little security to make it easier for customers to access their account information quickly over the telephone. That weakness is what many criminals use to their advantage. Are your secrets safe? No. Should we give up a little convenience for security? You decide.

Contact:

URL: http://nettwerk.hypermart.net
Email: webmaster@nettwerk.hypermart.net

Credits:

I want to give credit to Susan Larcombe for giving me the idea to write this document.

A NETTWERKED PRODUCT
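The "have them choose a PIN" and "no default PINs" advice from the Solutions section, as an added example that is not from the advisory or from TD Bank: an enrolment-time PIN policy check that derives the digits the postal-code scheme would have handed out (R3R-1B5 gives 315) and refuses a customer-chosen PIN that matches them or is otherwise obvious. The card-number rule, the pattern rules, and the sample card number are assumptions.

```python
import re
from typing import Optional

# Canadian postal code: letter-digit-letter, optional space or hyphen, digit-letter-digit.
POSTAL_RE = re.compile(r"^([A-Z]\d[A-Z])[ -]?(\d[A-Z]\d)$")

def postal_code_digits(postal_code: str) -> str:
    """The three digits of a Canadian postal code, in order: 'R3R-1B5' -> '315'.
    This is the value the advisory says the default PIN was built from, so the
    policy below needs it in order to refuse it."""
    m = POSTAL_RE.match(postal_code.strip().upper())
    if not m:
        raise ValueError(f"not a Canadian postal code: {postal_code!r}")
    return "".join(ch for ch in m.group(1) + m.group(2) if ch.isdigit())

def pin_rejection_reason(pin: str, postal_code: str, card_number: str) -> Optional[str]:
    """Why a customer-chosen PIN must be refused, or None if it is acceptable.
    The rules are assumptions modelled on the advisory's advice ("a less obvious
    series of numbers", no default PINs): not the postal-code digits, not a
    substring of the card number (which Sonny already holds in the advisory),
    not a single repeated digit, not a sequential run."""
    if not pin.isdigit() or len(pin) < 3:
        return "PIN must be at least 3 digits"
    if pin == postal_code_digits(postal_code):
        return "PIN equals the postal-code digits (the old default)"
    if pin in card_number:
        return "PIN appears inside the card number"
    if len(set(pin)) == 1:
        return "PIN is a single repeated digit"
    runs = "0123456789"
    if pin in runs or pin in runs[::-1]:
        return "PIN is a sequential run"
    return None

def enrol(postal_code: str, card_number: str, chosen_pin: str) -> bool:
    """Enrolment step: the customer picks the PIN; nothing is assigned by default."""
    reason = pin_rejection_reason(chosen_pin, postal_code, card_number)
    print("rejected: " + reason if reason else "PIN accepted")
    return reason is None

if __name__ == "__main__":
    # Constructed sample data: the advisory's postal code and a made-up card number.
    CARD = "4000001234567890"
    enrol("R3R-1B5", CARD, "315")   # the postal-code default -> rejected
    enrol("R3R-1B5", CARD, "8296")  # customer-chosen, not derivable -> accepted
```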