I have my credit card with BigBankCo set up so that I get a text for every single transaction. (I simply set up an alert for any transaction $0.01 or over...)
Well, Monday morning I wake up and sit down to check my e-mail, and because I use Google Voice, all my texts appear in my GMail Window. I have two texts from 3AM waiting for me from my credit card: one for $40 from match.com (I'm 14 years happily married!), and one for around $3,000 (not a typo) from some random online store in Kuala Lumpur. (Neither I nor LadyWired have ever traveled to Southeast Asia.)
Well, I've been through this particular rodeo before, so I instantly call BigBankCo and work my way through to the fraud department. (Their VRU is terrible!) I report the fraudulent charges, and mention to the operator (emphasizing that I know she had nothing to do with it) that BigBank must have the absolute worst fraud detection software in the universe for letting through a charge on the other side of the globe for several $k without clearing it with me first. (I mean, they've called me in the past for $60 at the Best Buy ten minutes from my house...)
She thinks for a second, agrees, and typity-types for a while, and comes back with "Well, we denied it twice, but cleared it on the third try after the charge was verified." Me: "Verified? How? I certainly didn't verify it!"
While she's typing some more, I absentmindedly browse through my e-mail and see an e-mail from BigBank confirming that I've changed my e-mail address to Firstname.Lastname@WebMailProviderINeverUse.com.
I mention this to her and ask her if that has something to do with it, and, by the way, I most certainly did not change my e-mail address. She confirms that the charge was "verified" by somebody clicking on a link in a verification e-mail.
Much typing and back-and-forth later, and two transfers to other departments, and I learn something very interesting: While their website is buttoned down like Fort Knox, with security questions, two-factor authentication, etc., all you need to do to change my e-mail address is have their customer service phone number, the account number, CID (which any fraudster will of course have already), and the last four digits of my SSN (which I have to give out SO many places, it might as well be the last four digits of my phone number!) That's it.
That's right, the website is locked down HARD, but you can get customer service reps to change your e-mail (providing a gateway to fraud) with the end of my SSN. I comment that fraudsters do not, in fact, want to read my online statement or pay my bill; they want the money, and it doesn't make any sense at all to let somebody completely bypass their fraud detection with such easily-obtained information.
FWIW, they have now set up a "security word" and any future interactions over the phone with them cannot be done without it. Talk about shutting the barn door after the $3k horse just ambled out the door...
The poor lady on the phone did agree with me that the last four of your SSN was indeed pretty pathetic security if it allows somebody to loot your account blind, and promised to send a request up the chain to have it fixed...
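As an added illustration (not part of the post above, and not the bank's real logic), the Python below models the gap the poster ran into: a verification link sent to an e-mail address that was changed an hour earlier over a weak phone channel should not be allowed to re-authorize a declined charge. The channel strength values, the 72-hour cooling-off window, and the event log are all assumed or constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed authentication strength per channel (not the bank's real values).
# In the post, a phone call with the last four SSN digits changed the e-mail
# of record, while the website demanded security questions plus 2FA.
CHANNEL_STRENGTH = {"phone_last4_ssn": 1, "web_2fa": 3}

# Assumed cooling-off window: a contact address changed this recently over a
# weak channel is not trusted to "verify" a declined transaction.
COOLING_OFF = timedelta(hours=72)


@dataclass
class ContactChange:
    at: datetime
    channel: str
    new_email: str


@dataclass
class VerificationClick:
    at: datetime
    sent_to: str
    amount_usd: float


def verification_is_trusted(changes, click, min_strength=3):
    """Return (trusted, reason). A click on a verification link only
    re-authorizes a declined charge if the address it went to was not
    changed within COOLING_OFF over a channel weaker than min_strength."""
    for ch in sorted(changes, key=lambda c: c.at, reverse=True):
        if ch.at > click.at or ch.new_email != click.sent_to:
            continue  # later change, or a change to some other address
        age = click.at - ch.at
        if age < COOLING_OFF and CHANNEL_STRENGTH.get(ch.channel, 0) < min_strength:
            return False, (f"address set {age} ago via weak channel "
                           f"{ch.channel}; require step-up authentication")
        break  # most recent change to this address is old or strong enough
    return True, "verification address is established"


# Constructed event: a ~$3,000 charge "verified" by a link click at 3 AM.
SAMPLE_CLICK = VerificationClick(datetime(2020, 1, 6, 3, 0),
                                 "firstname.lastname@webmail.example", 3000.0)


def scenario(hours_before: float, channel: str):
    """Constructed one-entry change log: the click's address was set
    `hours_before` hours earlier over `channel`."""
    return [ContactChange(SAMPLE_CLICK.at - timedelta(hours=hours_before),
                          channel, SAMPLE_CLICK.sent_to)]


if __name__ == "__main__":
    print(verification_is_trusted(scenario(1, "phone_last4_ssn"), SAMPLE_CLICK))
```

The same check also flags an address change made over the phone days earlier as long as it is inside the window, which is the point of the cooling-off period rather than a simple "changed today" rule.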