Thursday, June 21, 2007

The Global Reach of Identity & Credit Card Theft

Via Arab News (Saudi Arabia) -

JEDDAH, 22 June 2007 — Susan Slowe, a resident of a tiny community near the city of Bangor in the US state of Maine, picked up the phone and was taken aback by who was on the other end of the line: a stranger’s voice claiming to be a newspaper reporter in Jeddah, Saudi Arabia.

...

She said that Bank of America had mailed a new card to her on June 1 but that the card never arrived. Instead, in just 11 days the card traveled to the west coast of Saudi Arabia and was used by crooks to try to buy furniture from a store off Jeddah’s main thoroughfare, Madinah Road.

Police arrested two Nigerian men in a gold souq in Jeddah on June 16 trying to use the card. During interrogation the men kept changing their story. They claimed that Susan Slowe was their sister.

...

“It was very simple how they stole my identity,” she said. “They snagged the card; they paid $9.95 on some background-check service on the Internet, PeopleFinder dot com or something like that. They paid the $9.95 and they got my date of birth. And all Bank of America asked for was a date of birth to verify the caller. Then (the bank) changed my home phone number and (the criminals) asked to allow international charges.”

The story of how a stolen credit card could be activated by crooks and sent 12,000 km away to be used to buy items in Jeddah begins with the activation process for newly issued cards.

The system, which was created and implemented by the US Postal Inspection Service, the government organization responsible for mail security, works this way: When a new or replacement credit card is issued in the United States it is mailed with a removable sticker on the back. The sticker has a toll-free phone number printed on it and instructions for how to activate the card. Customers must call from the home number listed on the account.

Slowe claims that the people who stole her card as it was being mailed to her were able to change the home number listed on the account by calling Bank of America.

The customer service representative at Bank of America asked a so-called “prompt question”, a security question that ostensibly is something only the customer would know, such as the mother’s maiden name, the last four digits of a social security number, or, in Slowe’s case, simply a date of birth.

“I got an e-mail from Bank of America on Monday (June 11) saying that there’s possibly fraud on my account,” she said. “I called them and the first thing they said to me was: ‘you’re not calling from your home phone number.’ I said I most certainly was. They said ‘that’s not the number we have on file.’”

Slowe said she is upset because the prompt question is too easy for other people to answer correctly. Dates of birth and maiden names can be acquired through online background-check services or public marriage records.

“They were able to get Bank of America to change that home phone number with very little information,” said Slowe.

Arab News contacted Diane Wagner, Bank of America’s senior vice president for media relations, to ask about the bank’s official policy on prompt questions. She declined to answer whether Bank of America’s customer-service policy allows people to change account information by providing simply the date of birth of the cardholder.

“For security reasons, we can’t get into specifics about our monitoring, but in general we weigh the balance between customer convenience and fraud risk when approving transactions,” Wagner said in an e-mailed statement to Arab News. “Our objective is to maximize customer convenience while minimizing fraud losses.”

Wagner points out that the $12,000 charge that posted to Slowe’s account never went through thanks to the bank’s policy of checking suspicious activity.

“It is my understanding that, yes, we were able to stop the fraudulent activity,” she said by e-mail. “As for the verification process, I know that there are a series of steps we take to verify account information. In this instance, I would need time to investigate further and again, I would not be able to disclose the specifics.”

Slowe confirms that the transaction was never finalized, and that Bank of America contacted her about the pending transaction. However, Slowe said the bank should do more due diligence because her home number should never have been changed by a third party.

-------------------------------

In a bit of irony, the Arab News article has a photo of the card, exposing the card number, name, and expiration date.

Umm... hello guys, hopefully that card number has been closed....

2 comments:

  1. Yes, of course, the card was cancelled on June 11. So, really, no irony there. In fact several other names of Americans whose cards ended up there have popped up and the paper is trying to get more. Do you really think posting a picture of an expired credit card is a security breach? I think you're barking at the wrong thing. It's called press freedom and it has exposed a security breach on the CC verification system. You just need to get a life. Get a life.

  2. Thanks Angelo,

    But luckily I have worked in the banking world and know that once a card number is found to be used in fraud, that card number is no longer used.

    If you have looked over my blog, you would know that I fully support freedom of the press and of information overall.

    You are right that this story from Arab News points to the serious issue of credit card fraud and weakness in the verification systems of the issuing banks.

    Do I believe that the exposure of this card is a serious security breach? No. But like it or not... exposure of card numbers in the media has led to cases of fraud. Now I am sure the fraud was stopped in its tracks, but it is something to think about.

    http://urbanlegends.about.com/library/bl_latesha_vinette.htm

    In addition, I agree that a "photo is worth a thousand words", but in this case, I don't see how removal of the card would reduce the "freedom of the press" in the least.

    But you are right, they are free to post it...as I said. I hope the account was disabled.
