Because I’m moving, I’ve needed to start a bunch of new accounts and apply for various financial instruments. It’s become clear that where corporations used to speak about protecting your privacy, nowadays, they don’t even try.
The most outrageous violation was committed by the bank providing my mortgage, which uses an automated data collection system called AccountChek. Here’s the email I got as I was applying to them (and that’s after presenting all sorts of information including recent account statements and tax returns). I’ve redacted the name of the bank — it’s a small bank, but almost certainly doing the same thing as many other banks originating mortgages:
Hi Joshua Bernoff,
Thank you for choosing Xxxxx Savings Bank for your mortgage loan. Your loan application is almost done. The next step is to verify your assets.
At Xxxxx Savings Bank, we’re dedicated to making your loan process efficient and user-friendly, which is why we use AccountChek by FormFree as our third-party asset verification service.
AccountChek is the new standard in loan verification security. It streamlines asset verification with a paperless process that is easy and safe.
To get started, have your login credentials handy for any checking, savings, retirement or investment accounts relevant to securing your loan. Then click the button below, and AccountChek will guide you through the process, which will only take a few minutes.
If you have any questions or concerns, please do not hesitate to reach out to your Xxxxx Savings Bank Loan Officer or Client Service Coordinator.
Thank you, and have a Great Day!
Xxxxx Savings Bank
AccountChek is the latest in automated security violations
What’s amazing is what happens after you click on the button. An application called “AccountChek” verifies who you are, then asks for the user names and passwords of all your financial accounts.
If you happened to have two-factor authentication on these accounts (and I do), it then prompts you to share the codes that your financial providers send you in text messages, so it can get past the two-factor authentication. For example, my current bank account’s two-factor authentication text reads:
Your code is [six-digit code]. Don’t share it; we won’t call to ask for it. Call [phone number] if you didn’t request it.
This makes sense, because who would be asking for your two-factor authentication code but a scammer? Or, apparently, an automated system used to verify mortgages.
The difference between AccountChek and an automated identity theft tool is hard for the layperson to discern.
For the record, when I brought this to the attention of the loan officer, he responded this way:
Good morning Josh,
While that email is legit, it’s not required if you prefer to just provide statements instead.
I had already provided those statements, but I’m sure the AccountChek system is far more efficient for the bank.
Ask yourself, what would happen if AccountChek were the victim of a data breach? What an alluring target. Just write some code that sits inside the AccountChek system and harvests all the passwords and personal data of every person applying for a mortgage. Then, just before the mortgage goes through, when they’ve loaded up their bank account with all the cash for their down payment, just log in and drain the account.
Your Social Security number is now no more secret than your birthdate
In lining up my new home, I needed to apply for accounts with the electric company, water and sewer district, oil delivery company, and broadband cable company.
Every supplier asked for my Social Security number. Why not? It makes it easier for them to verify my credit status.
Of course, that means my number is now on file with them and stored in their systems. A data breach — inevitable — will expose my Social Security number, name, and other information to bad actors.
The fascinating book Data Leverage made me think about all the companies storing personal information without another thought. Those companies should be purging that information every few months to lessen the impact of a potential breach. Do you think my oil company is doing that? Can I trust my cable company to keep my data safe?
Privacy is no longer even a consideration
If you want to do business these days, you have to give up lots of personal information. It’s impossible not to.
My colleagues and I used to theorize that companies would differentiate based on how well they respect your privacy. Apple tried to do that (but now it’s checking all of your photos to see if they might include child porn). Every other company is just racing to the bottom. Whatever makes things more convenient for them is what they do, regardless of which of your data they might be putting at risk.
What would it take to push back on this? Don’t suggest picking your suppliers based on privacy concerns — many of them, like the water district and the broadband company, are monopolies, and it’s pretty hard to figure out which ones are better than their competitors.
I’m seriously open to suggestions.