Mortgaging your privacy with AccountChek
Because I’m moving, I’ve needed to start a bunch of new accounts and apply for various financial instruments. It’s become clear that where corporations used to speak about protecting your privacy, nowadays, they don’t even try.
The most outrageous violation was committed by the bank providing my mortgage, which uses and automated data collection system called AccountChek. Here’s the email I got as I was applying to them (and that’s after presenting all sorts of information including recent account statements and tax returns). I’ve redacted the name of the bank — it’s a small bank, but almost certainly doing the same thing as many other banks originating mortgages:
Hi Joshua Bernoff,
Thank you for choosing Xxxxx Savings Bank for your mortgage loan. Your loan application is almost done. The next step is to verify your assets.
At Xxxxx Savings Bank, we’re dedicated to making your loan process efficient and user-friendly, which is why we use AccountChek by FormFree as our third-party asset verification service.
AccountChek is the new standard in loan verification security. It streamlines asset verification with a paperless process that is easy and safe.
To get started, have your login credentials handy for any checking, savings, retirement or investment accounts relevant to securing your loan. Then click the button below, and AccountChek will guide you through the process, which will only take a few minutes.
If you have any questions or concerns, please do not hesitate to reach out to your Xxxxx Savings Bank Loan Officer or Client Service Coordinator.
Thank you, and have a Great Day!
Xxxxx Savings Bank
AccountChek is the latest in automated security violations
What’s amazing is what happens after you click on the button. An application called “AccountChek” verifies who you are, then asks for the user names and password of all your financial accounts.
If you happened to have two-factor authentication on these accounts (and I do), it then prompts you to share the codes that your financial providers send you in text messages, so it can get past the two-factor authentication. For example, my current bank’s account’s two-factor authentication text reads:
Your code is [six-digit code]. Don’t share it; we won’t call to ask for it. Call [phone number] if you didn’t request it.
This makes sense, because who would be asking for your two-factor authentication code but a scammer? Or, apparently, an automated system used to verify mortgages.
The difference between AccountChek and automated identity theft tool is hard for the layperson to discern.
For the record, when I brought this to the attention of the loan officer, he responded this way:
Good morning Josh,
While that email is legit, it’s not required if you prefer to just provide statements instead.
Thanks!
David
I had already provided those statements, but I’m sure the AccountChek system is far more efficient for the bank.
Ask yourself, what would happen if AccountChek were the victim of a data breach? What an alluring target. Just write some code that sits inside the AccountCheck system and harvests all the passwords and personal data of every person applying for a mortgage. Then, just before the mortgage goes through, when they’ve loaded up their bank account with all the cash for their down payment, just log in and drain the account.
Your Social Security number is now no more secret than your birthdate
In lining up my new home, I needed to apply for accounts with the electric company, water and sewer district, oil delivery company, and broadband cable company.
Every supplier asked for my Social Security number. Why not? It make it easier for them to verify my credit status
Of course, that means my number is now on file with them and stored in their systems. A data breach — inevitable — will expose my Social Security number, name, and other information to bad actors.
The fascinating book Data Leverage made me think about all the companies storing personal information without another thought. Those companies should be purging that information every few months to lessen the impact of a potential breach. Do you think my oil company is doing that? Can I trust my cable company to keep my data safe?
Privacy is no longer even a consideration
If you want to do business these days, you have to give up lots of personal information. It’s impossible not to.
My colleagues and I used to theorize that companies would differentiate based on how well they respect your privacy. Apple tried to do that (but now it’s checking all of your photos to see they might include child porn). Every other company is just racing to the bottom. Whatever makes things more convenient for them is what they do, regardless of which of your data they might be putting at risk.
What would it take to push back on this? Don’t suggest picking your suppliers based on privacy concerns — many of them, like the water district and the broadband company, are monopolies, and it’s pretty hard to figure out which ones are better than their competitors.
I’m seriously open to suggestions.
I have assumed that my two-factor authentication code (typically six to eight digits) changes every time I try to access any of my accounts that requires two-factor identification. My understanding is that the bad guys who stole my personal information from one of my account providers, including my password, therefore would still have a problem accessing my accounts requiring two-factor identification. Am I misunderstanding something? Have I been living in a fool’s paradise?
If they trick you into sharing your 2FA code at a given moment they have a window of about 15 minutes to log into your account and do as they wish.
I affirm your outrage! Extremely grateful that my mortgage team is doing things the old fashioned way. (My wife and I are also buying a home in Portland … Oregon.) Hope the rest of the process goes more smoothly.
This is egregious. I plan on never moving again, but if I do, I will not do business with anyone who uses this, or any like-kind of identity stealing software.
There are numerous public sector privacy initiatives at the Federal and EU level. Your only real option is to work through your legislators.
How about the old-school way? A F2F meeting or phone call where you present your credentials? As for your banking codes, just like David the loan officer said, they don’t need that stuff. But, if they insist, how would they know if you just made stuff up? After all, you can change your passwords anytime, and the 2FA code changes all the time.
They use those passwords to access your account and download your documents. They’d know right away if you gave them fake ones, since they wouldn’t be able to log into your accounts.
There are financial net worth sites that aggregate one’s assets across accounts. I assume that they do the same evil thing. We plan to buy another house and purchase/place it in an LLC to try shielding the information a bit more. I have no real idea if that helps or if that can be done with a mortgage or other promised future funds.
A few years back there was a celebrity who got into some legal trouble and from the news and police records I was able to learn WAY too much about him, his family, and his assets. He should have used some shell company to buy his real estate. I was shocked with the ease and depth of information. Had I been a bad boy things would have been uglier for him.
I am not sure how a solution allows the two competing interests to coexist. But I hope someone can figure it out.
I know one of my accounts sends me a request to confirm it’s me logging in. I do not believe that there is any sense in that as their request comes through the same avenue as my request. Of course it’s me or someone pretending to be me. Duh.