Hi bugtraq,

I'd like to thank everyone for their replies, suggestions, and contact information. No two people provided the same information. This suggests to us that Bank of America does not have a central contact for security risks. We received about a half-dozen Bank of America contacts and we will be following up with 2-3 of them shortly.

I'd also like to thank the 0-day social engineers for their variety of approaches used to attempt to gain access to this exploit. We received responses ranging from fraudulent "Bank of America" employees to phone calls from people claiming to be from Bank of America's IT Security. (One caller claimed to be from Bank of America's IT Security but didn't know what PGP is and then said he couldn't give his PGP key due to security restrictions. And when we asked him to provide information so we could verify the contact, he said he would call back but never did. To this caller: Yes, your social engineering failed and your caller-id spoofing was almost perfect. Emphasis on "almost".)

To summarize, we seem to have identified 3 risks. The first is a minor issue that we are attempting to report to Bank of America. The second is a lack of an official central contact for reporting security risks to Bank of America. The third is the plethora of 0-day social engineers that appear to jump on security risks and represent themselves as the affected company in order to gain access to the privileged information.

A warning to people reporting security risks: beware of who you talk to.

--
Best regards,
Lance James
www.securescience.net
mailto:lancej@securescience.net
Secure Science Corporation