New security flaw for Chase credit cards
Oops, it is this easy:
According to Dworsky, the security loophole is in the 24-hour a day automated telephone account information systems used by some card issuers that allow cardholders to check the activity on their accounts. When a cardholder calls the customer service number on the back of the card from their home telephone, the bank verifies the caller ID of the call against their account records. If the phone number matches one on record, some banks shortcut further security checks and only ask for the last four digits of the account number rather than the whole number, and possibly also request the cardholder’s zip code.
And therein lies the flaw. The system can be easily tricked by a hacker who “spoofs” the caller ID of the telephone used to call the bank, making it appear to be from the consumer’s home phone. Now, only the last four digits of the account number are needed to gain access, which can be easily found on a discarded sales receipt from virtually any retail store.