November 2007
A Bad Week for Privacy (12 November 2007)
Attempted Credit Card Fraud? (16 November 2007)
The FBI Denies Tracking Ethnic Foods (27 November 2007)

Attempted Credit Card Fraud?

16 November 2007

When we got home last night, there was a message for my wife on the answering machine: "We’ve seen what may be fraudulent activity on your credit card. Please call 800-955-9060 number, and have your card number handy." For fun, we called it and got an automated prompt: "Please enter your card number." No indication of which credit card, let alone which bank, and the phone number didn’t match that printed on the back of any of her cards. Hmm…

I did a Google query for the number and got a number of hits. Some posters said it was Chase’s fraud department; others listed it as a telemarketer or scam source. You can find a reasonable sample of opinions here. Of course, I have no idea who the posters are. One claimed to work for the fraud department at Chase — but is the claim true?

All of the folks who claimed it was legitimate specified Chase, so my wife called the number on the back of her Chase card. There was indeed a notation in her record about possible fraud, and it followed a classic pattern: a $1 "probe" charge to see if the number was good, followed by an attempt to purchase some expensive electronics., That charge was declined, because whoever it was didn’t have the CVV. So — Chase’s fraud detectors are well-tuned, and spotted this one very quickly. That’s the good news.

The bad news, of course, is how they handled it. They absolutely should have said which bank they were calling from (and we know they didn’t, because we still have the answering machine message). It’s by no means authoritative — anyone can claim to be from Chase — but it would at least tell the recipients which credit card is involved, and hence whom to call back. My wife asked about that and got a very unsatisfactory answer: because of their branding agreements — they issue and service a lot of affinity cards — they have to be careful about what name they assert. So? Surely their databases know what group has its name on your card.

The big problem, of course, is that they seemed to expect (and want) consumers to call a strange number left on an answering machine and key in their credit card numbers. Excuse me? Are they trying to teach people to respond to phone phishes? They don’t have enough trouble with email solicitations, so they want to cause the same trouble with phones? Or are they so worried about people abandoning Internet banking out of fear that they want people to be just as afraid of the phone? (No, I don’t really believe that, and I’m not seriously suggesting that that was their motive.)

A proper phone message would have been "I’m from Chase [calling about your XXX-branded card] whose last 4 digits are numbered WXYZ. We suspect fraud. Please call the number of the back of the card and mention code ABC." What they actually did was totally preposterous.

I suppose I could take some comfort from the fact that in the US, the consumer is not liable for credit card fraud. (More precisely, there’s a $50 limit to liability, but as a matter of policy banks don’t even try to collect that much.) Still, having a card cancelled (as this one is now) is a hassle, and I don’t want more of it. They really should clean up their act.

Tags: security
https://www.cs.columbia.edu/~smb/blog/2007-11/2007-11-16.html