Why I "hacked" my way into my own bank account
Firstly, I've used the term "hack" in a purely non-technical sense: if you take a system and use it in a way it wasn't designed to be used, you're hacking with it.
I've seen more than a few high-profile "hacks" lately, and there is nearly always a common attack vector. Often it's not the hardware, the software, the platform or even the user alone getting compromised; it's a combination of these elements plus some social engineering. Basically, people are the weakest and most vulnerable point, often because they are trying to be more helpful than they should be. Human nature definitely does not work in favour of our security.
Take (let's say) Sally, who this morning kindly gave me pretty much complete control over my account, and definitely gave me a launchpad for further "hacks".
How could this happen? I mean, I bank with a HUGE bank, and they must take customer security pretty seriously, right? NO, sadly it would seem not.
I'm not going to steal their money, so why should they care, really?
Here's what I did. I imagined I'd misplaced my wallet: I had a look in all the places I could think I'd have put it, rang a couple of taxi firms I've used recently to see if it had been handed in, and rang my girlfriend to see if I'd left it at hers; she didn't answer, so I dropped her a text. After a quick search of all the places I'd likely leave it, having gone through the washing pile and checked down the sofa, I really didn't want to cancel my cards, because that would take imagining too far, but I guessed it would be at least 45 minutes from when I knew it wasn't in my pocket before I'd cancel my cards.
So now I had a time frame for the attack: 45 minutes. Not very long, you'd think, for someone to have found my wallet and compromised my account? So I did what I hope none of my friends on G+ would do: I decided to see how quickly I could use solely the contents of my wallet to compromise my account.
I pulled out my driving license and bank card, noted it was for a specific bank, and googled their telephone banking number. I also figured I'd try to find out a bit about myself, again just using Google.
Here's where the problems began. Google knows a lot. For example, I'm a Junior PHP Support Engineer in the Location where I work, at a company called The company I work for (thanks +LinkedIn, you're getting deleted). Secondly, the average salary for a Junior PHP Support Engineer in the Location where I work is £X. Thirdly, that £X after tax is ≈ £Y / month.
All this took me 3 internet searches: one for the bank on the card, one for the name on my driving license, and one to find out how much money I could statistically expect to be in my account soon after payday.
So I rang the bank. I got an automated prompt that asked for my account number? No problem, it's printed on my card. Then my sort code? Printed on my card. Then the security number? Again, printed on the same card. Then my date of birth? This time, admittedly, I had to consult my driving license.
I then got put through to Sally, who immediately addressed me as Mr Storer. How's that for customer service, and at the exact same time verification that the details I'd entered from the card and ID checked out.
She said that to confirm it was indeed my account, could I state the value of a recent transaction into my account. Here comes the +LinkedIn info. I said I wasn't sure of the exact amount, but there should have been one from The company I work for, for something like "Y and something". She explained that I couldn't use "something", as I had to give all the digits; however, she then explained I didn't have to get it exactly right. So I hesitated and went with £Y, and I was in. She confirmed my recent transactions for me, told me how much had gone out for direct debits and to whom they had been paid (phone bill, rent) and my standing orders, and asked me if there was anything else she could help me with. Now that is remarkable customer service!
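To make the point concrete from the defender's side, here is an added model (not code from the original post or the bank) of the five checks described above, scored against a "lost wallet plus a web search" threat model. The source labels, the 5% tolerance on the transaction amount, and the salary figures are assumptions; only the list of checks comes from the post.

```python
"""Evaluate a knowledge-based authentication policy against a threat model.
Constructed illustration of the phone-banking checks described above."""
from dataclasses import dataclass

# Where an answer can be obtained from (constructed labels).
WALLET = "wallet"      # printed on the card or driving license
PUBLIC = "public"      # search engine / social-network profile
CUSTOMER = "customer"  # known only to the genuine account holder


@dataclass(frozen=True)
class Check:
    name: str
    sources: frozenset      # every place an answer is available
    tolerance: float = 0.0  # fractional slack accepted on a numeric answer


# The five checks the post walks through; the tolerance is assumed.
PHONE_BANKING = (
    Check("account number", frozenset({WALLET})),
    Check("sort code", frozenset({WALLET})),
    Check("card security number", frozenset({WALLET})),
    Check("date of birth", frozenset({WALLET})),
    Check("recent credit amount", frozenset({PUBLIC, CUSTOMER}), 0.05),
)


def answerable_by(checks, attacker_has):
    """Checks an attacker holding the given sources can satisfy outright."""
    return [c for c in checks if c.sources & attacker_has]


def residual_assurance(checks, attacker_has):
    """Names of checks that still require the genuine customer once the
    attacker's sources are discounted: the only ones giving real assurance."""
    return [c.name for c in checks if not (c.sources & attacker_has)]


def amount_matches(claimed, actual, tolerance):
    """Fuzzy match as the call handler applied it: close enough passes."""
    return abs(claimed - actual) <= tolerance * actual


def lost_wallet_passes(checks, public_estimate, actual_credit):
    """Does someone with the wallet plus a web search clear every check?"""
    attacker = frozenset({WALLET, PUBLIC})
    if residual_assurance(checks, attacker):
        return False  # at least one check still needs the real customer
    amount = next(c for c in checks if c.tolerance)
    return amount_matches(public_estimate, actual_credit, amount.tolerance)


if __name__ == "__main__":
    # Constructed figures: net salary estimate from a job site vs real pay.
    print(lost_wallet_passes(PHONE_BANKING, 1950.0, 2000.0))  # True
    print(residual_assurance(PHONE_BANKING, frozenset({WALLET})))
```

The residual list is what a policy review should look at: with only the wallet, one check survives, and a public salary estimate is enough to clear it under a tolerant match.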
The problem is I don't want remarkable customer service, I want remarkable security.
As I said at the beginning, the weakness here isn't the technology, it's the people. Predominantly myself, for not wanting the inconvenience of cancelling all my cards only for them to turn up 30-45 minutes later when I remembered what coat I had on yesterday, and Sally, dear helpful Sally, who was genuinely trying her best to help whoever had found my wallet gain access to all my money (disclaimer: this isn't very much).