Re: Bank of America Contact

[Lance James <lancej () securescience net>]

Hello bugtraq,

Hi bugtraq,

I'd like to thank everyone for their replies, suggestions, and contact
information.  No two people provided the same information.  This suggests
to us that Bank of America does not have a central contact for security
risks.

We received about a half-dozen Bank of America contacts and we will be
following up with 2-3 of them shortly.

I'd also like to thank the 0-day social engineers for their variety of
approaches used to attempt to gain access to this exploit.  We received
responses ranging from fraudulent "Bank of America" employees to phone
calls from people claiming to be from Bank of America's IT Security.  (One
caller claimed to be from Bank of America's IT Security but didn't know
what PGP is and then said he couldn't give his PGP key due to security
restrictions.  And when we asked him to provide information so we could
verify the contact, he said he would call back but never did.  To this
caller: Yes, your social engineering failed and your caller-id spoofing was
almost perfect.  Emphasis on "almost".)


To summarize, we seem to have identified 3 risks.
The first is a minor issue that we are attempting to report to Bank of
America.
The second is a lack of official central contact for reporting security
risks to Bank of America.
The third is the plethora of 0-day social engineers that appear to jump on
security risks and represent themselves as the affected company in order to
gain access to the privileged information.  A warning to people reporting
security risks: beware of who you talk to.  

-- 
Best regards,
 Lance James
www.securescience.net                          mailto:lancej () securescience net
Secure Science Corporation