Swedbank in Sweden has a feature where you can access an account's entire balance by generating random CC#s for online shopping, and this service is protected by your social security number and a 6-character password: a-z, 0-9, and no special characters allowed.
They've had this for at least 6 years now, maybe longer. Early on, when I e-mailed them about it, they simply stated that it's not their service; in other words: outsourced.
Swedbank also requires two-factor authentication. You can bypass this by calling them - they only ask for 1 thing to authenticate you. Two-factor authentication is rather useless if you can just bypass it like that.
>You can bypass this by calling them - they only ask for 1 thing to authenticate you.
The domain for my personal site is shared with my family. My father registered the domain and all of the details in the account use his information. I had just created an AWS account and wanted to move the site's DNS to Route53.
I was able to call into the domain registrar and get exactly zero of the details correct, but they pointed the domain to Route53. It was hilarious how bad it was. I used my social, my name, my address, etc., none of which matched the info on file.
Even if I had used my father's info, it (except the social) would have been wrong because we lived overseas on a military base. When your system says Japan and someone from the US is calling, that should set off all sorts of alarm bells.
Yes, and I had no idea they were that easy to bypass on a social level.
Also, this CC# generator falls outside the 2FA scope, something I also asked them about several years ago, and I received the same reply: "it's not our service".
Swedish social security numbers are public information, btw, just to clarify the insanity - I can call the government register and ask for anyone's number; there isn't even any obfuscation or semi-privacy about it like US SSNs.
>there isn't even any obfuscation or semi-privacy about it like US SSNs.
GOOD. The US "private" SSN system is completely messed up. You can't commit identity theft by just knowing a personnummer. Very, very much unlike the US...
But you can. People treat the full "personal numbers" as a secret and if you can recite one, nobody will think you're anyone different. It's not meant to be this way, but in my experience it is.