Banking Security, Round 2

You know, I really do like my bank. They have issues, but for the most part, they’ve been fair, they treat me with respect, and when I have an issue, they’ve actually worked with me to resolve them. I think the fees are horribly high when I mess up, but they aren’t out of line with the industry, so they aren’t really an incentive to change.

And yes, it’s still Bank of America that holds my moolah.

Wow, they do some stupid things. I’m pretty sure that this one falls under “we really don’t believe it’s a problem” but then, so did the one in my last article. I can’t believe that it’s nearly 2009, we’ve figured out that it doesn’t take a white man to run this country, but a bank still believes that social engineering won’t be a fraud issue.

Before I get too far into this, let’s be quite clear on one pertinent bit of information. It’s not “Identity Theft”, it’s “Bank Fraud”. The term “Identity Theft” was made up to shift blame from the institutions that created an identity system that is so fundamentally flawed that people can effectively lose themselves. The biggest, unresolved problem with Identity Theft isn’t that it happens, it’s that calling it anything other than “Bank Fraud” means that it falls under different, more lenient, laws. Which is why it’s still happening, but I digress.

So a few weeks ago I updated my phone number at the bank. Not a big deal, I had done it at the blog weeks prior. I got an email today from BofA that starts off like this:

Dear Bank of America Customer:

You recently had an email conversation with a Bank of America customer service representative or submitted a change of address or telephone number update through Bank of America’s Online Banking.

“Um, I might have. I don’t really remember…” is what I thought as I read this. Why? Because I had gotten a confirmation email from the bank right away, and I knew it was right, and I moved on with my life.

I figured I’d better check the address that the email was from to see if it was obviously a spammer. The email address is “surveys@bankofamericasurveys.com” which looks like it might be official, but probably isn’t – at least to me. Worse, the name of the address is “CMA Insight Team” which apparently has nothing to do with the real CMAs. I, therefore, think it’s a phishing expedition.

It might not be, but I’m going to treat it as one, and I’ve logged into my online banking and sent a delicious email to them about how it’s really stupid to tell your banking customers that it’s ok to go to just any old domain that has ‘bankofamerica’ in it, because you’re secure, you’re good, and we’re all happy and making chocolate statues of liberty and feeding unicorns while riding ponies.
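The check I did by hand above is exactly the kind of thing a mail filter can do automatically, so here is a small added example (my own illustration, not anything the bank ships) of classifying a From: header. It assumes “bankofamerica.com” is the bank’s real sending domain (that allowlist is an assumption for the example), and the point it makes is the one in the rant: an address whose domain merely contains “bankofamerica” is a look-alike, not the bank; only the registered domain or a subdomain of it counts.

```python
from email.utils import parseaddr

# Assumed allowlist for this example: the domain(s) the bank really sends from.
# A real filter would load this from the institution's published sender list.
OFFICIAL_DOMAINS = {"bankofamerica.com"}

# Brand strings whose presence in any *other* domain marks a look-alike.
BRAND_TOKENS = ("bankofamerica", "bofa")


def sender_domain(from_header):
    """Pull the domain out of a From: header, lowercased; None if there is no address."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower().strip(".")


def classify_sender(from_header):
    """Return 'official', 'lookalike' or 'unrelated' for a From: header."""
    domain = sender_domain(from_header)
    if domain is None:
        return "unrelated"
    # Official means the registered domain itself or a subdomain of it.
    # This is a suffix check on the whole label, so "bankofamerica.com.evil.test"
    # does NOT pass, even though it starts with the real domain.
    for official in OFFICIAL_DOMAINS:
        if domain == official or domain.endswith("." + official):
            return "official"
    # Anything else that embeds the brand name is the pattern phishers rely on.
    if any(token in domain for token in BRAND_TOKENS):
        return "lookalike"
    return "unrelated"


def scan_headers(headers):
    """Classify a batch of From: headers; returns a list of (domain, verdict) pairs."""
    return [(sender_domain(h), classify_sender(h)) for h in headers]


if __name__ == "__main__":
    # Constructed sample headers; the first is the one quoted in the post.
    samples = [
        '"CMA Insight Team" <surveys@bankofamericasurveys.com>',
        "Bank of America <alerts@bankofamerica.com>",
        "Online Banking <noreply@mail.bankofamerica.com>",
        "Support <help@bankofamerica.com.evil.test>",
        "Newsletter <news@example.org>",
    ]
    for domain, verdict in scan_headers(samples):
        print(f"{verdict:10} {domain}")
```

The subdomain test is the part worth copying: a naive “does it contain the bank’s name” check flags the real bank as suspicious and waves through “bankofamerica.com.evil.test”, whereas matching on the registered domain as a suffix gets both right.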

Most bank fraud happens through social engineering. So why does my bank keep screwing up the basics of how to keep their own customers safe? I cannot fathom it.