Wire Transfer Security at Lafayette Federal Credit Union

This post will highlight the lax security of Lafayette Federal Credit Union's wire transfers. The author of this post is not responsible for head injuries due to repeatedly slapping one's forehead. The author also recommends to not hold any sharp objects in your hand while reading this and cannot be held responsible for the reader stabbing themselves if they fail to heed this advice.

Want to make a wire transfer?

Do you know someone with an account at Lafayette Federal Credit Union? Do you know their account number, their mother's maiden name and their debit card number?

  • Don't have their account number? Get them to write you a check.
  • Don't have their debit card number? Get them to purchase something from you, it is a Visa after all.
  • Don't have their mother's maiden name? Equifax does. Try purchasing it from them or one of the criminals who likely stole it from them.

Once you've got your information ready you're ready to initiate a domestic or foreign wire transfer. Just follow the steps below.

  1. Choose a domestic or international transfer and don't forget to enter your email address so they can contact you.

  2. You'll then get a mail like this.

To: Andrew McConachie 
From: employee@lfcu.org 
Subject: Wire 
Mr. Mc Conachie, 
For security purposes can you please email me back the following: 
Mothers maiden name? 
And the last six digits of your debit card with us?  

Thanks, 
LFCU Employee 
  1. Respond with the information they ask for.

  2. Congratulations you've just completed a wire transfer!

What's wrong with this picture?

There are three main problems with this protocol.

The first problem is that the wire transfer HTML pages are accessible to anyone with a web browser. They should be behind their secure login like the rest of their Internet banking. There is no reason for this to be otherwise. It should require a login to initiate a wire transfer. Also, it should only allow a logged in user to initiate a wire transfer from their own account. Currently, anyone on the planet can initiate a wire transfer for any customer of Lafayette Federal Credit Union. Yes, you heard that correctly. Anyone with a web browser can initiate an international wire transfer to anywhere from any Lafayette Federal Credit Union customer. I have only done domestic transfers and the examples in this post are about domestic transfers, but both forms are available online.

The second problem has to do with the email they send asking for information. Not only can emails be intercepted, read, replayed, faked and lost, but the person who fills in the form chooses the email address. A criminal initiating a wire transfer from a victim's account can simply fill in their own email address. Thereby circumventing any notification the victim may have received that someone is initiating a wire transfer from their account.

The third problem has to do with they information they ask for. Anyone could have these two bits of information on anyone else. Producing this information and handing it over to the bank proves little if anything. Worse yet, I guarantee there are multiple email inboxes filled with exactly these two pieces of information at Lafayette Federal Credit Union, in plaintext. We can't consider this kind of information secret anymore, if we ever could have. And even if we could and should treat it as secret information worthy of proving a person's identity and will to initiate a wire transfer, Lafayette Federal Credit Union doesn't treat it that way. They require their customers to expose it to the world everytime they initiate a wire transfer.

What's to be done?

Who knows? Likely nothing will happen until thieves rob some of their customers. And then likely Lafayette Federal Credit Union will place the burden on their customers by claiming identity theft, which is really just a way for them to skirt responsibility. For my part I'm writing this post and complaining loudly.

My suggestion for folks who are stuck dealing with this kind of lax security would be to refuse to answer their emailed information request and instead require a phone call. This does two things. First, it doesn't transfer your not-really-secret information over the wire in plaintext. Second, it annoys the requestor for this information and makes them take note that one of their customers is dissatisified with their security protocol. I always requested a call when receiving these mails and I always got a bank person to call me so I could read the information over the phone.

In addition, I have sent the following as feedback to them on their recent customer satisfaction survey.

 The only problem I have with LFCU is their security protocol when
 requesting wire transfers. Each time I order a wire transfer someone
 from LFCU emails me asks me a question like the following.

 ===
 Mr. McConachie,
 For security purposes can you please email me back the following:
 Mothers maiden name?
 And the last six digits of your debit card with us?
 ===

 Another time they also asked for a copy of my driver's license. This
 kind of lax security is terrifying for this day and age. And frankly
 it calls into question the ability of LFCU to competently operate a
 financial institution, and has caused me to lose considerable trust in
 LFCU.

 Is there an email inbox at LFCU with a bunch of maiden names and debit
 card numbers in it? What a nice and generous service you guys provide
 for hackers. Email is completely insecure. Not only are you
 advertising to the world that I'm initiating a transfer, but you're
 also advertising to every hacker on the planet that you store this
 information insecurely. If we lived in a more sane country I would
 report you to some regulator who would force you to change this
 practice or revoke your license to continue banking, but I doubt the
 CFPB can do anything about this level of security incompetence.

 I'm not even sure what bothers me more. The fact that you're asking
 for this information or that you think it proves anything. Does LFCU
 really think that by forcing me to expose myself like this they're
 actually confirming the real Andrew McConachie wishes a wire transfer
 to occur? Anyone can send this information to you because anyone can
 spoof email. And this information isn't *that* secret because anyone
 can capture the email I send, or you know, steal it from financial
 institutions like LFCU that store it in some random person's email
 inbox. So not only are you forcing me to expose myself by asking this,
 you're not even proving anything by collecting it. It's a lose/lose
 for both of us.

 Please clean up your security act.

 Sincerely,
 Andrew McConachie