Newsgroups: comp.society.privacy
From: David Wagner
Posted on: 1998/11/25
Message-ID:
Approved: comp-privacy@uwm.edu
Organization: ISAAC Group, UC Berkeley

Usenet Reader wrote:
> The Wall Street Journal for Nov 5 (or maybe the 4th) had a big front page
> article on how info brokers illegally obtain private info on people. E.g., if
> a lawyer is considering suing someone, first he may pay $100 to get that
> person's bank balance, to see whether he is suitable.

Most people don't realize it, but it's far worse than this.

With most banks, once you have a target's account number, you can readily learn their account balance. Most banks have an automated dial-up service to help merchants check whether a check will clear. You punch in a number; the voice response system tells you whether they have at least that much money currently in their account.

Now the algorithm for recovering someone's account balance should be clear: a simple binary search suffices. In other words, punch in $1000; if the computer says "more", try $2000; if the computer then says "less", try $1500; etc. This can be readily automated with a computer + modem, or (more cheaply for most lawyers) just hire an intern at minimum wage.

And it gets better. You can use this technique to ascertain someone's exact salary, down to the penny. Find out their account balance on Oct 31. Then find it out on Nov 1, just after their direct deposit check clears. For best results, just query their account balance every day for a few months to build up a picture of their spending habits and income.

At this point you probably don't believe me. Try it. I've tried it, on myself, and on others.

Or maybe you think such behavior would be easily detected. Maybe not. I went and complained to my bank, and they told me that not only was this vulnerability present, but worse -- they had absolutely no audit logs. They had no thresholds in place. They had no way to check whether anyone had ever queried my account in the past. And they had no intent to change things.

In fact, it turns out that even the manager at my local bank didn't know the feature existed. He didn't believe me -- until I showed him with his desk phone. (Even then, he had to call headquarters to confirm...) Just goes to show you how little-known this problem is.

If you're wondering whether there's any way to defend yourself, go talk to your bank. See if your bank has an automated bank account balance service. If so, complain. In my case, the bank was able to mark my account as "high risk for fraud". They also placed a password on my account, which had the side effect of disabling the automated voice response system. (Or I suppose you can get an account offshore in some jurisdiction where they actually care about banking privacy.)

Another observation. If I wanted to write the software to do the autodialing, I could have used the automated response system to identify all the account numbers of everyone who had an account at some specified branch, as well as their balances (but not their names, as far as I can tell). I imagine the designers probably didn't intend to build that feature into the automated voice response system...

This raises a question: how do I cash a check w/o revealing my account?

Yeah, good question. As far as I can tell, the answer is: You don't. Sorry.
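An added simulation, not code from the post or from any bank's system, of the yes/no balance oracle and binary search described above. It is instrumented with the audit log and per-account query threshold the post says the bank lacked, and with the opt-out password the bank later applied; the account number, balance, and threshold are constructed values, and the simulated service assumes a single "at least this much?" question per call.

```python
# Added simulation (not the post's code): a stand-in for the bank's
# check-verification line with the audit log, per-account threshold and
# opt-out password discussed in the post. All account data is constructed.
from collections import defaultdict

ACCOUNTS = {"000123456": 1_234_567}   # constructed: account -> balance in cents
QUERY_THRESHOLD = 5                   # queries per account before flagging


class CheckVerifier:
    """Simulated voice-response service: 'does the account hold at least X?'"""

    def __init__(self, balances, protected=()):
        self.balances = balances
        self.protected = set(protected)    # accounts with the opt-out password
        self.audit_log = []                # (account, amount_cents, answer)
        self.queries = defaultdict(int)    # per-account query counter
        self.flagged = set()               # accounts probed past the threshold

    def has_at_least(self, account, amount_cents):
        if account in self.protected:
            raise PermissionError("automated balance checks disabled")
        answer = self.balances[account] >= amount_cents
        # Log every query; a merchant verifying one check needs a single call.
        self.audit_log.append((account, amount_cents, answer))
        self.queries[account] += 1
        if self.queries[account] > QUERY_THRESHOLD:
            self.flagged.add(account)
        return answer


def recover_balance(verifier, account, max_cents=100_000_000):
    """Binary search on the yes/no oracle; returns (balance_cents, queries)."""
    lo, hi = 0, max_cents   # invariant: lo <= balance < hi
    queries = 0
    while hi - lo > 1:
        mid = (lo + hi) // 2
        queries += 1
        if verifier.has_at_least(account, mid):
            lo = mid
        else:
            hi = mid
    return lo, queries


def demo(protected=False):
    """Returns (balance_cents, queries, flagged), or 'refused' if opted out."""
    acct = "000123456"
    v = CheckVerifier(ACCOUNTS, protected=[acct] if protected else [])
    try:
        balance, n = recover_balance(v, acct)
    except PermissionError:
        return "refused"
    return balance, n, acct in v.flagged
```

Against a $1,000,000 ceiling the search needs at most 27 answers to reach the exact cent, so even a low per-account threshold with an audit trail exposes the pattern, while the opt-out password stops it outright.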