RI - Sovereign Telephone Customers Hung Up, New Bank Says Password Security Glitch Will Be Fixed Today


[Fair use for education and research purpose only]

April 4, 2000

Title: Sovereign telephone customers hung up

The new bank says a password security glitch will be fixed today.

By LYNN ARDITI Journal Staff Writer

Nearly a week after Sovereign Bank New England scrambled to close a privacy lapse in its online banking services, a similar problem with its telephone banking is still not fixed.

The privacy problem with the telephone banking system is related to one discovered by The Providence Journal last Tuesday in Sovereign's online banking system. Sovereign has since tightened security with its online banking.

But the same customers whose online bank accounts were potentially vulnerable to snooping still face privacy risks with their telephone banking, if they haven't changed their passwords from the ones Sovereign assigned them.

Sovereign said yesterday that a new system will be in place by 5 p.m. today to force customers banking by telephone to change their passwords.

"We realized there was a hole there and we're plugging it," said Cliff Lavin, president of Sovereign's electronic banking operations, First Web Bank Direct.

The password problem stems from the way Sovereign assigned customers user names and passwords for its 40,000 new online bank accounts.

A customer's password, or PIN (personal identification number), is supposed to be secret.

But Sovereign gave customers user names and passwords derived from a number which is widely used for personal identification.

To compound the problem, Sovereign's system forces customers to use the same passwords for their online and telephone banking systems.

Edward Kane, a Boston College finance professor who teaches a course on banking, had likened Sovereign's online security system to locking the doors and "leaving one window unlocked."

Now, with the discovery of a similar problem with its telephone banking, Kane said, "it sounds like the basement door was open, too."

Sovereign opened for business last Monday by acquiring an estimated 800,000 accounts from BankBoston, primarily in Rhode Island and Connecticut.

The sale -- which included some 120,000 customers in Rhode Island -- was part of a massive divestiture required by federal regulators to enable the merger that created FleetBoston Financial Corp.

When Sovereign bought the accounts, it set up 40,000 of its own Internet banking accounts for customers who used to bank online with BankBoston.

BankBoston used to require customers to punch in the 16 digits on the front of their ATM cards and then a password they had chosen to log into their online account.

But Sovereign said it wanted to make its online banking more "convenient" for its customers. So it assigned user names and four-digit passwords based on the widely used number.

As of last Wednesday, Sovereign had installed a security measure to force its online customers to change their assigned passwords.

Sovereign customers who use their assigned passwords and attempt to access their accounts on the Internet now must answer questions to verify they are the account holders. The program then forces the customers to change their passwords before logging into their accounts.

But the same security measures have not been put in place yet for the telephone banking system.

Sovereign said it knew about the telephone banking issue last week but hadn't gotten to fixing it because it was deemed "a lower risk" than the trouble with the online system.

The telephone banking system doesn't allow customers, or anyone else who might access their accounts, to make payments over the phone.

But they could snoop.

Someone armed with a customer's user name and password could call Sovereign's toll-free banking line, dial into the customer's account, and hear an automated voice recording of account balances and the most recent payments made.
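The gap the article describes is an authentication control enforced in only one of two channels that share the same credential. The following is an added illustration, not code from the article or from the bank: a toy credential store with a constructed sample account, showing the per-channel enforcement pattern beside a shared-step version that blocks an unrotated assigned password on every channel, plus the audit a defender would run to count accounts still on assigned passwords.

```python
# Added example (not from the article). Sample user name and password are
# constructed; the real assignment scheme is deliberately not modelled.
from dataclasses import dataclass


@dataclass
class Account:
    user: str
    password: str
    must_change: bool = True  # True while the bank-assigned password is in use


class CredentialStore:
    def __init__(self):
        self.accounts = {}

    def add_assigned(self, user, assigned_password):
        self.accounts[user] = Account(user, assigned_password, must_change=True)

    def check(self, user, password):
        acct = self.accounts.get(user)
        return acct if acct and acct.password == password else None

    def change_password(self, user, old, new):
        acct = self.check(user, old)
        if acct is None or new == old:
            return False
        acct.password, acct.must_change = new, False
        return True

    def audit_unrotated(self):
        # Defender check: which accounts still carry an assigned password?
        return sorted(a.user for a in self.accounts.values() if a.must_change)


def login_per_channel(store, user, password, channel):
    """Flawed pattern from the story: only the web channel forces a change."""
    acct = store.check(user, password)
    if acct is None:
        return "denied"
    if channel == "web" and acct.must_change:
        return "must_change"
    return "granted"  # phone channel still answers with an assigned password


def login_shared(store, user, password, channel):
    """Hardened pattern: the rotation check lives in the shared auth step."""
    acct = store.check(user, password)
    if acct is None:
        return "denied"
    return "must_change" if acct.must_change else "granted"


def build_demo_store():
    store = CredentialStore()
    store.add_assigned("customer1", "1234")  # constructed sample values
    return store
```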

What's more, some Sovereign customers may not even realize they have the problem passwords.

Those customers included Mary Champlin, of Narragansett.

Until yesterday, Champlin, 43, didn't know that her account was among the 40,000 to which Sovereign had assigned the problem passwords.

It wasn't until she tried to access her bank account over the telephone that she became concerned.

Champlin discovered that her telephone bank account only worked if she punched in the password the bank had assigned for her online account.

But Champlin, who had read the Journal stories about the password privacy problem, had decided to try to avoid the problem by not using her online account with Sovereign.

"That is one of the reasons why I didn't access it," she said.

What Champlin didn't realize was that even if she never banked online with Sovereign, her accounts could still be accessed with her assigned password. (The password remains active until a customer changes it.)

"I had no intention of going into [the online account] because of the security problem," Champlin said. "I wouldn't have ever known."

Ironically, the only way Champlin and customers like her can change their problem passwords is to do it online.

As of Friday, Sovereign said, customers had changed the passwords for about 20,000 of the bank's 40,000 online accounts.

Sovereign said it began mailing letters, dated March 30, over the weekend to all 40,000 online account holders to ask them to change their passwords "and ensure even greater security with your new system."

But Sovereign's letter says customers' privacy was never at risk.

"We apologize for any inconvenience or concern these [press] reports may have caused you and your family in this matter," the letter says, "and once again assure you that your private customer data was not at risk at any time."

Sovereign officials say it's really a matter of how you define private.

"Maybe it's definitional," said Sovereign's Lavin. "Theoretically if you went in to snoop someone could look at your balance . . . your checks . . . your account number."

But Lavin says he doesn't consider that information private.

"The data we consider private is your data about you . . . your name, your address, your family income," he said. "None of that was ever remotely even threatened."

Evan Hendricks, of Privacy Times, a bi-weekly newsletter based in Washington, D.C., sees it differently.

"I think that's as twisted and self-serving a definition of private information that I've ever heard in my 23 years of following this issue," Hendricks said of Lavin's remarks. "You should go ahead and get his [user number and password] from the DMV [Department of Motor Vehicles]" and look at his bank account.

That, however, would be impossible.

Lavin, who has a different type of online account through First Web Bank Direct, says he changes his password "every 30 days like clockwork."

Lynn Arditi is the banking writer for The Providence Journal. She can be reached by e-mail at larditi@projo.com.

No numbers given: The Providence Journal is not disclosing the specific identification numbers assigned to Sovereign Bank New England's online banking customers to log into their accounts on the Internet or over the telephone.

http://www.projo.com/cgi-bin/frame_it.cgi?URL=/report/pjb/stories/03453291.htm

=======================



-- (Dee360Degree@aol.com), April 04, 2000