OpsanBlog

Michael Coates - Microsoft Pragmatic Evangelist


    When Will Credit Card Issuers Learn About Online Fraud?

    I have my doubts about ever.

    Back in 2007, I posted “Subjunctive Identity Theft .. From American Express?”, citing a real-world case where American Express had identified suspicious activity on my account and left me a voice mail message with an 800 number to call.

Upon calling, the first thing the operator requests is my account number. Are you kidding me? That is exactly the script a phisher would use.

Seems Bank of America hasn’t learned either. I traveled abroad recently and used my Visa for a purchase. This triggered a ‘suspicious activity’ alert (reasonable, as I was obviously out of the country). I get a nice email, the gist of which is:

    We detected irregular activity on your Bank of America Credit Card on 05/14/2009. For your protection, you must verify this activity before you can continue using your card.

What can I do? Well, I can call a US 800 number (collect .. but it would still cost airtime or hotel surcharges), or I can visit a web site:

    http://www.bankofamerica.com/myfraudprotection

Where the first thing they ask of you is to provide your credit card number.

    Wake up, gang .. you didn’t fool me, but you’ll get some folks.

    Elsewhere in the email, they say:

    Want to confirm this email is from Bank of America? Sign in to Online Banking and select Alerts History to verify this alert.

Then I notice that the last-login timestamp it shows for me is wrong (it’s over six months old .. kids, I pay bills through Bank of America, and I’m not six months late on any bills). So, is it the real site, or not? One last check. I open my account, and voila: no alerts when I log in, and no Alerts History link to click.

So, what’s going on? Both Firefox and IE fill the address bar green (the Extended Validation certificate indicator) when the real Bank of America site is opened.

Not so on the http://www.bankofamerica.com/myfraudprotection site. First, it redirects to https://myfraudprotection.bankofamerica.com/Welcome.aspx (redirects are always suspicious, and this one starts from a plain http link), and notice how the green fill is gone?

    Further, when you mouse over the security icon in Firefox, you get:

The site is verified by VeriSign and your connection is encrypted. But is it really Bank of America? See the “(unknown)”? That is what Firefox shows as the site operator whenever the certificate is not an Extended Validation certificate: the CA vouched that someone controlled the hostname, not who that someone is. So is this an unknown (to VeriSign) web hosting company, or has Bank of America simply not had the site validated by VeriSign through the proper channels? Sure, the connection is encrypted, but a certificate that only encrypts the connection isn’t that hard to get.
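The checks above can be made mechanical. The following is an added example, not code from the original post or from Bank of America: it tests whether a link and every hop of its redirect chain stay on a label boundary inside the bank's registrable domain (so `myfraudprotection.com` and `bankofamerica.com.example.net` both fail), and it pulls the subject and issuer organization out of a certificate in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns. The trusted domain list, the sample certificate dicts and the CA names in them are constructed for the example; the `fetch_peercert` helper is for readers who want to run it against a live host and is not used by the offline samples.

```python
"""Checks for a 'verify your card' link: does the host really sit inside the
bank's domain, does the redirect chain stay there, and does the certificate
name an organization rather than just a hostname?"""
import socket
import ssl
from urllib.parse import urlparse

# Assumption for this example: the only registrable domain the bank is trusted to use.
TRUSTED_DOMAINS = frozenset({"bankofamerica.com"})


def registrable_match(host, trusted=TRUSTED_DOMAINS):
    """True only if host equals a trusted domain or is a subdomain of one.
    Suffix match on a label boundary, never a substring match, so
    'bankofamerica.com.example.net', 'evilbankofamerica.com' and
    'myfraudprotection.com' all fail."""
    host = host.rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in trusted)


def check_url(url, trusted=TRUSTED_DOMAINS):
    """Problems with a single URL; an empty list means it passed."""
    parts = urlparse(url)
    problems = []
    if parts.scheme != "https":
        problems.append("not https: %s" % url)
    if not registrable_match(parts.hostname or "", trusted):
        problems.append("host outside trusted domain: %s" % (parts.hostname or ""))
    return problems


def check_redirect_chain(chain, trusted=TRUSTED_DOMAINS):
    """chain[0] is the link in the e-mail, chain[-1] the page that finally
    rendered. Every hop must stay inside the trusted domain, and every hop
    after the first must already be https, so no plaintext hop can be
    tampered with to send the user somewhere else."""
    problems = []
    for i, url in enumerate(chain):
        parts = urlparse(url)
        if not registrable_match(parts.hostname or "", trusted):
            problems.append("hop %d leaves trusted domain: %s" % (i, url))
        if i > 0 and parts.scheme != "https":
            problems.append("hop %d is not https: %s" % (i, url))
    return problems


def _organization(name):
    # name is a tuple of RDNs, each a tuple of (attribute, value) pairs,
    # exactly as getpeercert() presents 'subject' and 'issuer'.
    for rdn in name:
        for attr, value in rdn:
            if attr == "organizationName":
                return value
    return None


def subject_organization(cert):
    """Organization the certificate was issued to. None means the subject
    carries only a hostname, which is what a domain-validated cert looks
    like: nobody checked which company is behind the name."""
    return _organization(cert.get("subject", ()))


def issuer_organization(cert):
    """The CA that signed the certificate (the 'verified by' line)."""
    return _organization(cert.get("issuer", ()))


def fetch_peercert(host, port=443, timeout=5):
    """Live helper: fetch the validated leaf certificate of a host in the
    same dict shape as the constructed samples below."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in getpeercert() shape; not real certificates.
DV_CERT = {
    "subject": ((("commonName", "myfraudprotection.bankofamerica.com"),),),
    "issuer": ((("organizationName", "VeriSign, Inc."),),
               (("commonName", "Example Secure Server CA"),)),
}
OV_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Bank of America Corporation"),),
                (("commonName", "www.bankofamerica.com"),)),
    "issuer": ((("organizationName", "VeriSign, Inc."),),
               (("commonName", "Example EV CA"),)),
}

if __name__ == "__main__":
    chain = ["http://www.bankofamerica.com/myfraudprotection",
             "https://myfraudprotection.bankofamerica.com/Welcome.aspx"]
    print("chain problems:", check_redirect_chain(chain))
    print("DV cert issued to:", subject_organization(DV_CERT),
          "by", issuer_organization(DV_CERT))
    print("OV cert issued to:", subject_organization(OV_CERT),
          "by", issuer_organization(OV_CERT))
```

Note that a `None` subject organization does not prove the site is fake, only that the certificate says nothing about who runs it; the page's redirect chain passes the domain check, which is exactly why the missing organization is the remaining question.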

If you started reading this post thinking it was a statement of insecurity on the Internet, please understand: that’s how I intended it. However, either Bank of America has done something really, really stupid in the eyes of a non-trusting public, or the site is bogus and the redirect points to a compromised server inside their firewall.

I think I’ll watch the papers for a few days .. in the interim, I’m going to sit on hold for a while tomorrow when I get to the office .. I’ll let you know what I learn.

    posted on Thursday, May 14, 2009 4:54 PM

    Feedback

    # re: When Will Credit Card Issuers Learn About Online Fraud? 6/18/2009 6:32 PM Jacob

    I noticed the same thing today when trying to resolve a locked card, and found your blog post. When you called BofA what did they tell you? Ridiculous that they make such a rookie mistake on their *fraud* site of all places.

    # re: When Will Credit Card Issuers Learn About Online Fraud? 7/20/2009 7:55 PM ????

    I noticed the same thing 7/20/2009. Got call from 302 731 1166 regarding card ending in ****.
    Directed me to 1-866-559-0025 (NOT the phone number on the back of the card). Asked for my soc sec # or my zip. Identified themselves as and directed me to myfraudprotection.com (not a bofa site).

    Called the number on the back of card. Answered "card services". They asked my home phone number, which I did not provide. I dialed 0 without being given that option. They stated that they were BofA and concurred that auto fraud protect had indeed frozen my account preventing my husband from replacing two tires with nails in them. Thanks BofA...if indeed you are BofA.

ps What's worse, they canceled my card # of 20 years just the week before while we were in NY "because of third party data fraud." And now this!!!


    The opinions expressed herein are my own and are not intended to represent those of my employer.