Credit card security fail

I suppose it says something about my travel schedule when a local purchase at Best Buy triggers a card security alert, but charges across country or overseas do not.  When I arrived home after picking up one of the new 3TB disk drives there was a voice mail from my bank informing me that I needed to call right away regarding a suspicious card transaction.  The number they provided was not the same customer service number on the back of the credit card. This pegged my mental fraud detector so I called the number on the back of the card instead.  The Customer Service Rep politely informed me that “we don’t handle those here” and that I would need to call the number provided in the voice mail and no she could not verify that the number in the voice mail belonged to the bank. “But it must be the right number or they wouldn`t have called you, right?”  Sigh… Amateur.

I gave up and called the number from the voice mail.  It asked me to “speak or enter your credit card number.”  I asked it to “please let me talk to a human.”  After a minute or so of pounding on the 0 key, an actual human responded.

Bank: Hi, can I have your card number please?

Me: No.

Bank: I’m sorry?  I’ll need your card number in order to help you today.

Me: How do I know you are my bank?

Bank: Well, we are alerting you to some suspicious activity on your account.  If you give me your card number, I can look up your account and we can see if the transactions are fraudulent or not.

Me: Well, how about instead I alert YOU to some suspicious activity on my account?  It seems I received a phone call claiming that there is some odd transaction on my account.  But the customer service number that I know is my bank doesn’t know anything about it.  When I do call the unverifiable number, the first thing they want is my card number and presumably some additional identifying information SO THEY CAN STEAL MY IDENTITY AND TAKE OVER MY ACCOUNTS.  Now, I ask you again, do you have any way to identify to me that you are in fact my bank  BEFORE I give you any personal or account information?

Bank: No, not really.

Me: And if you are who you say you are, don’t you have a problem with this?

Bank: Your point is valid but I’ve never heard of anyone objecting to this.  We have a whole department full of operators and this is all we do.  All day long.  Honestly, it’s safe and not a problem.

Me: Then your management are idiots and your customers are all sheep.  This is unreasonable and I won’t comply.  What are my alternatives?

Bank: I guess you could go to your local branch.  They could then verify me by name in the company phone book.

Me: Anything else?

Bank: It’s possible the alert may be posted to your online banking by now.  Do you use online banking?

I do in fact use online banking and the alert was posted there.  So after all was said and done, I found out that the “suspicious transaction” was a disk drive I purchased at my local Best Buy.  I mean, c’mon it’s ME.  Whatever happened to “know your customer”? Buying a disk drive… near my home… on the weekend, should be the least suspicious of my charges.  You see a large celery purchase, then call the cops!

But regardless of the legitimacy of the charge, the customer-side process is an identity theft nightmare just waiting to happen.  They tell you to never give out your information to someone who calls you but to hang up and call back so you know it’s the right company.  But being the one to initiate the call is no protection if you call a number that a stranger provided and which you cannot verify!  The bank should know better.  WE as customers should know better.  If this happens to you, refuse to give your information without the bank verifying who they are.  (Which of course they cannot do without first getting YOUR info so they can tell you something about your account that only they would know and by then it’s too late.)  Insist that the number on the card MUST be the one you can call for things like this and then hold the bank accountable.

This entry was posted in Fail, News. Bookmark the permalink.

2 Responses to Credit card security fail

  1. Scott Meridew says:

    Great Post Rob. Here’s a simple solution I’d like to see them implement – because I’ve been in your shoes before. Know how we all receive a CVV number printed on the back of the card so we can verify that we are in possession of the card? Why don’t they issue a corresponding CVV number that THEY can use to identify themselves to you? Then when they call you, they can verify who they are first.

  2. Doug says:

    I was 45 minutes into talking to someone at my local bank branch when we shifted over to the topic of security. I asked if they were improving the online security, perhaps to some sort of two-factor authentication device like the RSA Key. (Answer: No.) I made an offhanded comment that their security was annoying lax. She asked “what do you mean?”

    I pointed out: We’ve been making all sorts of changes to my personal account, and yet you haven’t even asked me for ID.

    She turned red, and stammered briefly.

    “And THAT’s why I’m asking for better security for my online bank access.” I told her.
    (And I’m not getting it, because apparently nobody asks these obvious questions.)

Leave a Reply