This post will highlight the lax security of Lafayette Federal Credit Union's wire transfers. The author of this post is not responsible for head injuries due to repeatedly slapping one's forehead. The author also recommends to not hold any sharp objects in your hand while reading this and cannot be held responsible for the reader stabbing themselves if they fail to heed this advice.
Want to make a wire transfer?
Do you know someone with an account at Lafayette Federal Credit Union? Do you know their account number, their mother's maiden name and their debit card number?
- Don't have their account number? Get them to write you a check.
- Don't have their debit card number? Get them to purchase something from you; it is a Visa, after all.
- Don't have their mother's maiden name? Equifax does. Try purchasing it from them or one of the criminals who likely stole it from them.
Once you have your information together, you're ready to initiate a domestic or foreign wire transfer. Just follow the steps below.
You'll then get an email like this.
To: Andrew McConachie
From: email@example.com
Subject: Wire

Mr. Mc Conachie,

For security purposes can you please email me back the following:

Mother’s maiden name?
And the last six digits of your debit card with us?

Thanks,
LFCU Employee
Respond with the information they ask for.
Congratulations you've just completed a wire transfer!
What's wrong with this picture?
There are three main problems with this protocol.
The first problem is that the wire transfer HTML pages are accessible to anyone with a web browser. They should be behind their secure login like the rest of their Internet banking. There is no reason for this to be otherwise. It should require a login to initiate a wire transfer. Also, it should only allow a logged in user to initiate a wire transfer from their own account. Currently, anyone on the planet can initiate a wire transfer for any customer of Lafayette Federal Credit Union. Yes, you heard that correctly. Anyone with a web browser can initiate an international wire transfer to anywhere from any Lafayette Federal Credit Union customer. I have only done domestic transfers and the examples in this post are about domestic transfers, but both forms are available online.
The second problem has to do with the email they send asking for information. Not only can emails be intercepted, read, replayed, faked and lost, but the person who fills in the form chooses the email address. A criminal initiating a wire transfer from a victim's account can simply fill in their own email address, thereby circumventing any notification the victim might otherwise have received that someone is initiating a wire transfer from their account.
The third problem has to do with the information they ask for. Anyone could have these two bits of information on anyone else. Producing this information and handing it over to the bank proves little, if anything. Worse yet, I guarantee there are multiple email inboxes at Lafayette Federal Credit Union filled with exactly these two pieces of information, in plaintext. We can't consider this kind of information secret anymore, if we ever could have. And even if we could and should treat it as secret information worthy of proving a person's identity and their intent to initiate a wire transfer, Lafayette Federal Credit Union doesn't treat it that way. They require their customers to expose it to the world every time they initiate a wire transfer.
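The three problems above map to three missing authorization checks. The following is an added example written for this post, not code from the credit union or from the author; the ACCOUNTS record, the Session and WireRequest types and the email addresses are constructed for illustration. It places a model of the flow as described beside a version that requires a login, restricts transfers to the caller's own accounts, and sends the confirmation to the contact on file instead of the address typed into the form.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample record: what the institution knows about one customer.
ACCOUNTS = {"1234567": {"owner": "alice", "email_on_file": "alice@example.com"}}


@dataclass
class WireRequest:
    source_account: str
    amount: int
    destination: str
    contact_email: str          # chosen by whoever fills in the public form


@dataclass
class Session:
    user: Optional[str] = None  # None models an anonymous web visitor


@dataclass
class Decision:
    accepted: bool
    notify: Optional[str]       # address the confirmation email goes to
    reason: str


def initiate_wire_insecure(session: Session, req: WireRequest) -> Decision:
    """Models the flow the post describes: the session is never consulted,
    and the 'verification' email goes to the address typed into the form."""
    if req.source_account not in ACCOUNTS:
        return Decision(False, None, "unknown account")
    return Decision(True, req.contact_email, "pending emailed KBA answers")


def initiate_wire_hardened(session: Session, req: WireRequest) -> Decision:
    """One check per problem: require a login, restrict to the caller's own
    accounts, and confirm via the contact on file rather than form input."""
    if session.user is None:
        return Decision(False, None, "login required")
    acct = ACCOUNTS.get(req.source_account)
    # Same response for unknown and foreign accounts: no account enumeration.
    if acct is None or acct["owner"] != session.user:
        return Decision(False, None, "account not available to this user")
    return Decision(True, acct["email_on_file"], "pending out-of-band confirmation")
```

In the hardened version the emailed maiden-name and card-digit questions disappear entirely; the confirmation step relies on a channel the institution already holds for the account owner.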
What's to be done?
Who knows? Likely nothing will happen until thieves rob some of their customers. And then likely Lafayette Federal Credit Union will place the burden on their customers by claiming identity theft, which is really just a way for them to skirt responsibility. For my part I'm writing this post and complaining loudly.
My suggestion for folks who are stuck dealing with this kind of lax security would be to refuse to answer their emailed information request and instead require a phone call. This does two things. First, it doesn't transfer your not-really-secret information over the wire in plaintext. Second, it annoys the requestor of this information and makes them take note that one of their customers is dissatisfied with their security protocol. I always requested a call when receiving these mails, and I always got a bank person to call me so I could read the information over the phone.
In addition, I have sent the following as feedback to them on their recent customer satisfaction survey.
The only problem I have with LFCU is their security protocol when requesting wire transfers. Each time I order a wire transfer someone from LFCU emails me and asks me a question like the following.

===
Mr. McConachie,
For security purposes can you please email me back the following:
Mother’s maiden name?
And the last six digits of your debit card with us?
===

Another time they also asked for a copy of my driver's license. This kind of lax security is terrifying for this day and age. And frankly it calls into question the ability of LFCU to competently operate a financial institution, and has caused me to lose considerable trust in LFCU. Is there an email inbox at LFCU with a bunch of maiden names and debit card numbers in it? What a nice and generous service you guys provide for hackers. Email is completely insecure. Not only are you advertising to the world that I'm initiating a transfer, but you're also advertising to every hacker on the planet that you store this information insecurely. If we lived in a more sane country I would report you to some regulator who would force you to change this practice or revoke your license to continue banking, but I doubt the CFPB can do anything about this level of security incompetence. I'm not even sure what bothers me more. The fact that you're asking for this information or that you think it proves anything. Does LFCU really think that by forcing me to expose myself like this they're actually confirming the real Andrew McConachie wishes a wire transfer to occur? Anyone can send this information to you because anyone can spoof email. And this information isn't *that* secret because anyone can capture the email I send, or you know, steal it from financial institutions like LFCU that store it in some random person's email inbox. So not only are you forcing me to expose myself by asking this, you're not even proving anything by collecting it. It's a lose/lose for both of us. Please clean up your security act.
Sincerely, Andrew McConachie