Shostack + Friends Blog Archive


Bank of America Customers Under Attack

The Seattle Post Intelligencer has a story, “B of A Customers Hit By Thefts,” about cash withdrawals being made overseas:

According to customer service representatives at Bank of America, there have been numerous reports of checking account fraud in Seattle, but many more incidents being reported from other states. The increases in fraud reports are generally about overseas cash withdrawals, they said.

Seattle police have been taking “a lot” of calls and reports involving Bank of America customers, said police spokeswoman Debra Brown. She could not provide a specific number of complaints, but said that while officers routinely get calls about financial fraud involving a variety of banks, people have been reporting an unusual number of Bank of America-specific thefts.

Bank of America has lost:

Correlation, of course, is not causation. There’s lots of data leakage, and these Bank of America customers could have come under attack in lots of ways. If only we had mandatory disclosure of these sorts of things, consumers wouldn’t be tempted by rotten inference, reporters could report quantified facts, and bloggers wouldn’t be drawing attention to such articles. Bank of America customers should be demanding more answers.

5 comments on "Bank of America Customers Under Attack"

  • Adam,
    You wrote:
    “. . . Correlation, of course, is not causation . . .”
    and
    “. . . Bank of American customers should be demanding more answers . . .”
    I agree and I think that these are responsible statements. I’m wondering if the following are possibly true and/or relevant:
    1. Relative to the amount of information under control at Bank of America, the 4 incidents as specified represent a small fraction. From a senior manager’s perspective, the goal is 0% leakage, but the cost to achieve that 0% is prohibitive.
    2. I’m uncertain of the “mandatory disclosure” that you discuss here. If by this you mean of data lost in transactions similar to what you mention above, I agree. But if you mean data from the call center to determine the level of theft/fraud or other crime, I’m not sure that I agree with mandatory disclosure. That data, while useful to the awareness of security provides information that cannot be made transparent to an entity’s competitors, i.e. the availability of this data may provide for means of advantage in key markets based on the data “surrounding” the security data. I’m a proponent of mandatory disclosure of “lost data”, but I just think that this topic needs a great deal more discussion.
    3. While the data regarding calls (to customer service, not the police) is not public, I wonder if the increase as reported is of significance to the management team. I say this not to put attention elsewhere, but given the focus of the personnel involved in running call centers and the data surrounding calls (with data mining software used in these settings), I suspect that the focus is on the usual characteristics of the calls, i.e. minimizing contact time, delivering “good” call services, etc. Additionally, do the people that have the data in hand to determine the change in call patterns that would show this as an issue, truly have the means to make change?
    4. In the absence of any penalty to shareholder value, the management team and their reputations and ability to run a profitable bank will view other issues above these.
    5. I have worked in capital markets, but my specialty is not reading earnings and other financial statements. If BofA has public data in those reports that provides for disclosure on losses, theft, etc. I’d be curious. Perhaps one of your other readers has information on this type of line item and its existence/non-existence on any of these quarterly reports. Analysts from the major trading firms have a way of sniffing out this information and if this were relevant data to the overall revenue, earnings or other important financial data, it would make it into analyst reports and be reflected in BofA’s share price.
    6. Given that criminals act to exploit for maximum value with minimum exposure, I think that the exposure remains minimal, i.e. other than the opportunity for detection, there is little to deter criminals (especially overseas) in these instances. BofA customers, as an entity, have no representation other than BofA (that I’m aware of) and therefore by default expect that BofA will provide the means for this deterrent.
    I think that the above issues have damaging consequences for any firm as they make it difficult to identify security problems that have long-term and durable impact on profitability. While the beginning effects appear negligible on the bottom line (or top line revenue, for that matter), the ability to identify and address these issues will require that more firms fail through their share prices as opposed to pressures from the security community and regulatory agencies. And NO, I’m not stating that there isn’t net impact by the security community, but rather stating that the security community represents a leading indicator of the “opportunity for lost revenue and earnings”. Like many leading and lagging indicators, the value of the indicator is only useful if it provides a pertinent horizon for profit.
    —O

  • Adam says:

    I’m working on a longer response, but quickly, I don’t see (1) as correct: I think that 1.2 million people is a substantial fraction of BofA’s customer base. I think that #4 is absolutely correct.

  • Adam,
    To clarify my view in point #1, if I as a senior manager, at BofA or elsewhere, have as my benchmark, incidents involving leakage, then four incidents over a possible universe of thousands or tens of thousands (not sure exactly how to estimate this, but number of physical shipments outside of banking facilities of customer data on tapes and some other measure of intrusion possibilities on the BofA network) seems relatively low. Additionally, as that same manager, I’m of course not measuring the population of BofA customers that have been put at risk. If my direct manager accepts my benchmarks of incidents and not the population measure, then the risk to the manager is minimized without benefit to the general population of BofA customers and BofA itself as a corporate entity. It is that opportunity (not malicious, but rather either short-sighted or self-serving), the lack of application of the appropriate benchmark in measurement that I was attempting to identify as a weakness.
    Although I’ll sound sensationalist, the manager gets the benefit of “How to Lie with Statistics” (by Darrell Huff), chapter 2, “The Well Chosen Average” or chapter 9, “How to Statisticulate”.
    Sorry, I should have been a bit more clear. Looking forward to more of your perspective . . .
    —O

  • formerbofainsider says:

    The lack of security both before and after the nation's takeover doesn't surprise me. Mack Hicks and other senior security management has LONG been totally incompetent, and these are the people who claimed to be the original designers of the IP for fedwire II (and who only delivered a poorly stolen 56 (40 bit) bit (DES) copy of some unnamed developer's original (112 bit (triple DES design)) (whom we know)).
    (Please feel free to delete post after personal reading due to Patriot Act threat!) In fact please do!

  • formerbofainsider says:

    Hey Adam… just for an example of scale, DB (my manager at BOA) gave me a customer list of 32 million DBA (direct deposit customers) with email addresses on 18 million of them to spam before I went on vacation in Feb 1997 (btw we got 3.4% POSITIVE RESPONSES). 1.2 M addresses? Nothing! (btw the 32m customers requested further email contact but were sent the wrong (green/read: ecological) spam (they ate it up statistically)) 🙂
    fedwire II architect