OT - designed for Internet Explorer

Bill Sconce sconce at in-spec-inc.com
Tue Mar 28 14:20:01 EST 2006


Move over, Boston Globe --

In the last week or so an unnamed credit union of which I'm a member
has been rumoured to have lost control of their PIN list -- someone
"took it home" on a PC, somehow someone else got hold of the PINs,
and eventually a depositor noticed that their account had been cleaned 
out.  (All of this is just rumour, part of the chuckle.)

A few minutes ago, when I went to check a balance (this credit union
has an online, "designed for Internet Explorer" Web facility) where
the login page should have been was a page saying "we periodically 
require that all PINs be changed, enter your old PIN and a new one 
in the form below and click SAVE", etc.

Just like the notices I've been getting from Wells Fargo, and Chase,
and everywhere else I don't have an account.   

Wait,

I do have an account here.  And the software IS maintained by folks who
think "works with IE" is acceptance testing...  

So I called the credit union.  Answer: the PIN change is indeed being
requested by the credit union; it's not a man-in-the-middle attack.  (This
time.)  So much for "legitimate institutions will never ask you for
your personal information on line", yadda yadda.  (Yes, I know, there's a
difference, but this is just too funny.)

And I guess it IS  "periodic".  There has to be a first time.  Right after
a breach would be a good time to start...   :)

As I say, for amusement purposes only.  No names named.  Still, it's
supposed to be wise to check one's accounts from time to time at ANY
institution, since there's a time window for reporting errors...

-Bill


Update:  phone conversation with a rep a few minutes ago.  They did
experience a loss.  That part's not rumour.

Update II:  the telephone-response system, which used the same
PINs, isn't being updated.  (Can't -- different operating system, doesn't
talk to the IIS system.)  So the PINs stolen in the PC episode are now
"only" useful to the criminals via the TouchTone system. 

Wouldn't Joseph Heller be proud?


