Recently I was elected the new Treasurer of the Capitol of Texas Chapter of the Information Systems Security Association.  No, that’s not my way to seek your approval, but thanks for the kudos.  The reason why I bring this up is that one of the first things I needed to do as the new Treasurer was change the bank account information over from the old 2008 board members to the new 2009 ones.  I called in advance and scheduled a meeting with a banking representative and asked what I needed to bring with me.  The answer was documentation showing the board change, a current account signer, and a new account signer (me).  So far so good.

So two of the old board members and I show up at the bank to do the deed.  We sit down in the guy's office with the door wide open while he proceeds to ask me personal questions such as my social security number and mother's maiden name in front of those guys and anyone within earshot.  I probably should have said something right there, but I lowered my voice and gave the guy the requested information.  That was strike #1 for a bank whose name I will not mention.

I tell him that I've brought two of the current signers with me and motion toward the guys sitting next to me.  They tell the bank representative their names and the representative acknowledges.  He starts handing me paperwork to sign, effectively removing the old names from the account and putting the account solely in my name.  At this point he has asked for my driver's license, my SSN, and my mother's maiden name, but has yet to verify that the guys sitting next to me were who they said they were.  No request for any form of identification from either of them.  Strike #2.

I ask him to assist me with setting up the online account access and he makes a quick call to find out what needs to be done and hands me another form, which I sign.  At this point he tells us we're all set.  One of the old board members asks "So at this point all of my information has been completely removed from the bank account?" and the bank representative says "yes".  We thank him and leave, only to discuss what just transpired amongst ourselves outside.  What would have prevented us from walking into that bank with a fake document showing a board member change, having two of my buddies pretend that they were the old board members, getting the account changed into my name, and walking off with the money?  They required no signature or identification from the old board members.  In fact, I did pretty much all of the talking, and I'm pretty sure they didn't even say their names (or that they were the old board members); I did.  You guessed it, strike #3!

So what have we learned from this little exercise?  First, no matter how secure your systems are, you need to make sure your processes take security into account equally.  Second, Capitol of Texas ISSA really needs to find a new bank.  Do you have any idea how secure your bank account is?