Bank of America Website Flaw Allows Reading of Other Customers' Statements

by malpelo93@gmail.com

There is a security flaw in Bank of America's website which allows any Bank of America customer to view another customer's credit card statements under certain circumstances.

Bank of America was notified of this security issue in a letter, but they replied that they are unwilling to change their website, and the security hole still exists as of the writing of this article.

Only Bank of America credit card holders, not deposit account holders, are affected by this security hole.

The flaw relies on two things: first, the section of the bank's website that displays customer statements retrieves them with a URL that carries the full credit card account number in the clear.  The page is served over HTTPS, so the number is encrypted in transit, but it sits in plain view in the address bar and in the browser history.

Second, the server does not check that the customer fetching a statement is the customer it belongs to: the same URL used to retrieve one customer's statement can be used by any other logged-in Bank of America customer to view that statement and others from the first customer's account.

The URL for viewing a statement in the "statements" section of the Bank of America website is constructed as follows:

https://ccss.bankofamerica.com/NASApp/BofAcc/GetEstatement?docId=9054XXXXXXXXXXXXXXSTATEMENTSDocumentArchive$9054XXXXXXXXXXXXXX011020080346&docDate=2008-00-10&docType=PDF&issuer=90&download=false

The whole URL, including the 54XXXXXXXXXXXXXX account number, is kept in the web browser's history, where it can be seen by anyone who later uses the same computer.  This is where the ability to read other customers' statements comes into play.

By copying the above URL to the clipboard, then logging in to a Bank of America account for which one has a legitimate login and password, one is able to paste the URL into the browser address bar.

The statement is then served without any check of which customer is logged in at the time; the server only requires that someone be logged in.
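To make the two halves of the flaw concrete, here is an added example in Python.  It is not Bank of America's code: it models the GetEstatement handler with the docId layout inferred from the single URL quoted above, constructed customer, session and statement data, and the per-account authorization check the real handler evidently lacks.  The split of the trailing four digits of the docId into a pad digit plus the 3-digit per-statement code, and the docDate field order, are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# docId layout inferred from the quoted URL (assumption: the last four digits
# are one pad digit followed by the 3-digit per-statement code):
#   <issuer:2><account:16>STATEMENTSDocumentArchive$<issuer:2><account:16><date:8><pad:1><code:3>
DOCID_RE = re.compile(
    r"^(?P<issuer>\d{2})(?P<account>\d{16})STATEMENTSDocumentArchive\$"
    r"(?P=issuer)(?P=account)(?P<date>\d{8})\d(?P<code>\d{3})$"
)


def parse_docid(doc_id):
    """Split a docId into its fields; raises ValueError if the shape differs."""
    m = DOCID_RE.match(doc_id)
    if not m:
        raise ValueError("unrecognised docId format")
    return m.groupdict()


def docid_from_url(url):
    return parse_qs(urlsplit(url).query)["docId"][0]


def account_from_url(url):
    """What a later user of the same browser learns from one history entry."""
    return parse_docid(docid_from_url(url))["account"]


def statement_url(account, date, code, issuer="90"):
    """Build a URL in the article's shape from constructed values."""
    doc_id = f"{issuer}{account}STATEMENTSDocumentArchive${issuer}{account}{date}0{code}"
    doc_date = f"{date[4:]}-{date[:2]}-{date[2:4]}"  # assumed MMDDYYYY -> YYYY-MM-DD
    return ("https://ccss.bankofamerica.com/NASApp/BofAcc/GetEstatement"
            f"?docId={doc_id}&docDate={doc_date}&docType=PDF&issuer={issuer}&download=false")


# Constructed data: two customers, one card account each, one archived statement each.
CUSTOMER_ACCOUNTS = {
    "alice": {"5400000000000001"},
    "mallory": {"5400000000000002"},
}
ARCHIVE = {  # (account, date, code) -> statement bytes; stand-in for the archive
    ("5400000000000001", "01102008", "346"): b"%PDF alice statement",
    ("5400000000000002", "02102008", "812"): b"%PDF mallory statement",
}
SESSIONS = {"sess-alice": "alice", "sess-mallory": "mallory"}


def get_estatement_vulnerable(session_id, url):
    """Behaviour the article describes: any valid session may fetch any docId."""
    if session_id not in SESSIONS:  # checks only THAT someone is logged in
        raise PermissionError("not logged in")
    f = parse_docid(docid_from_url(url))
    return ARCHIVE.get((f["account"], f["date"], f["code"]))


def get_estatement_fixed(session_id, url):
    """Object-level check: the account named in the docId must belong to the caller."""
    customer = SESSIONS.get(session_id)
    if customer is None:
        raise PermissionError("not logged in")
    f = parse_docid(docid_from_url(url))
    if f["account"] not in CUSTOMER_ACCOUNTS[customer]:
        # Indistinguishable from "no such statement", so probing the
        # 3-digit code against someone else's account learns nothing.
        return None
    return ARCHIVE.get((f["account"], f["date"], f["code"]))


if __name__ == "__main__":
    victim_url = statement_url("5400000000000001", "01102008", "346")
    print("account leaked by history entry:", account_from_url(victim_url))
    print("mallory, vulnerable:", get_estatement_vulnerable("sess-mallory", victim_url))
    print("mallory, fixed:     ", get_estatement_fixed("sess-mallory", victim_url))
    print("alice, fixed:       ", get_estatement_fixed("sess-alice", victim_url))
```

The fix does not need the account number removed from the URL, which the bank said it could not do; it only needs the lookup scoped to accounts the authenticated customer actually owns.  Note also that the 3-digit code has only 1,000 possible values, so it cannot serve as a secret in place of that check.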

Conceivably, an attacker could put any valid Bank of America credit card number into the URL and pull that customer's statement.

However, the attacker would also need the correct statement date (shown as 01102008 and 2008-00-10 in the above URL) as well as the 3-digit random number that follows the account number and date code, which is 346 in the above example.

The issuer code, 90, which is placed in front of the account number, does not seem to change, although this has only been verified with the handful of personal and family accounts that this writer has tested.

It would be possible to guess the 3-digit random code after enough tries: there are only 1,000 possible values, so an attacker who knows a valid account number and statement date could simply try them all if the server does not throttle such attempts.  If an attacker already has the actual URL from a customer, however, then he can simply use that URL, since the 3-digit code appears to be assigned to the statement and not to the login session.

The fact that the full account number is stored and transmitted in the clear in the URL was reported to Bank of America about six months ago.

Their reply stated, "The account number on your computer's URL is ineffective without the security code and expiration date that is printed only on your credit card.  Bank of America monitors the accounts on a daily basis to protect you from fraud...  You are not held liable for fraudulent use of the account.  Due to system constraints, we are unable to remove the account number from your URL field."

It would seem that Bank of America does not care about the privacy or security of their customers' credit card statements enough to fix this critical flaw in their website.
