Banks Again Hoist on Their Cost-Cutting Petard: Burgeoning Credit Card Fraud

It’s hard to miss the regular stories about data, sometimes including financial account details, being hacked. But in addition to that, credit card companies also face ongoing attacks from fraudsters who obtain credit card information and put through bogus charges.

You’d think the banks that participate in the Visa and Mastercard networks would be vigilant about this issue. After all, the customer is liable only for $50 of loss even if his credit card goes missing. In my experience of actually having had my wallet stolen and having big charges run up with impressive speed, the banks don’t even hit customers with that allowed $50. On top of that, the merchant charges on credit cards are hefty, which you’d think would give them more than enough in the way of funding to create decent protections.

Think again.

Banks fetishize cost reduction as a way to increase profits, and they do it with particular zeal via headcount cuts of low-level employees, such as in customer-facing activities like call centers. There are regular examples of how they overdo it, such as cutting so many branches after a merger that they lose customers, forcing them to go back and reopen some.

Bank executives, if anything more so than their peers in the rest of Corporate America, also have enormous faith in technology as a magic bullet. Yet as our many readers who have done time in bank IT will tell you, operations are treated like an orphan child. One of the key bits of evidence is the industry-wide shoring up of legacy software, which at some point is going to start seizing up even more than it already has. The reason banks haven’t migrated off it isn’t just the enormity of the task and the virtual impossibility of identifying all the interdependencies of various systems; it’s also that, even if they could find a path through this problem, it would cost them on the order of all their net income for several years.

A wee example of these bad tendencies is how banks have been taking the cheap and easy road with credit card fraud to the degree that it is coming back to haunt them. I’ve run into this myself with the two cards I use for pretty much all my card charges, one a personal and one a business card at Citigroup.

Yes, Citigroup. I’ve stuck with them because miles, because I had Citi back in the day as a client, and because when I had a big problem with the credit rating bureaus, a guy at Citi went to enormous lengths to get it fixed. Other reasons include that historically, when I had a problem the Citi customer service people also on average were sharp and had more latitude than most call center staffers in straightening things out.

However, Citi has been racing to the bottom along with everyone else in the industry. It recently implemented a horrific new menu clearly designed to force customers to deal with automated prompts and Q&As and make it hard to get to live humans. Even though most companies have been going in that direction for a very long time, the abruptness of the change by Citi and the difficulty of circumventing their menus, particularly when my service request was way too non-routine to be on them, was aggravating.

The latest Citi service bungles involve card security. In the last month, I’ve had to get new personal and business credit cards due to fraud. The incidents were independent. On my personal account, I had made an online order for running shoes, and the merchant was a bad actor. Not only did it not send the shoes, but the charge came through from a Chinese account in renminbi, which meant the actual amount was different than what I’d agreed to. I got another charge I didn’t recognize shortly after that. I called in to say I didn’t recognize the charges and asked for a new card to be issued.

Even though Citi did send the replacement card pronto, they had a more elaborate authentication process than before. Despite my calling from a number that was on the account, Citi wanted to send a text to a mobile phone… and they wanted me to provide that number on the call! That does absolutely nothing in the way of verifying who I am. I refused to do so, which put them on tilt. Instead of going to a sensible next verification measure, like asking for the name of the bank I’d used to make my last payment, they instead insisted on calling me on the number on file, which they could readily see was the number I was already using.

Citi’s desire to get a mobile phone number out of me for the purpose of two-factor verification is even more peculiar in light of the fact that mobile phone communications are easily compromised. From a 2017 article in The Verge:

In most cases, the problem isn’t two-factor itself, but everything around it. If you can break through anything next to that two-factor login — whether it’s the account-recovery process, trusted devices, or the underlying carrier account — then you’re home free.

Two-factor’s trickiest weak point? Wireless carriers. If you can compromise the AT&T, Verizon, or T-Mobile account that supports a person’s phone number, you can usually hijack any call or text that’s sent to them. For mobile apps like Signal, which are tied entirely to a given phone number, it can be enough to hijack the entire account… With two networks controlling the bulk of the market, there’s been little incentive to compete on security.

At the same time, it’s proven difficult to kill off particular types of two-factor even after they’re shown to be insecure. The National Institute of Standards and Technology quietly withdrew support for SMS-based two-factor in August, pointing to the risk of interception or spoofing, but tech companies have been slow to respond. If anything, services are relying more on SMS as Twitter and PayPal look to tie accounts more closely to phone numbers. It’s less secure, but easier to use. As long as it’s two-factor, few account holders know the difference.

The process got even more ludicrous when my business card was compromised. Here Citi contacted me with a fraud alert. I confirmed that I hadn’t tried to book a $1700 order on Air Canada. They sent the replacement card on an expedited basis.

When I went to activate it, I was kicked over to the fraud alert department and got someone who was too obviously in a call center in India. We went through the asking for my cell phone number drill and after I refused, he said he would call the number I was on right away.

But unlike with the personal card, he didn’t call right away. So I called again, and apparently our calls crossed.

I had to start again from zero. Second person said they’d call my number on file, and I read it out to make sure we were discussing the same number. Again long delay, no call.

On the third call (and by now I am getting frosted), I repeated the same drill. This individual called back more punctually… on my mother’s land line! It was in the next room, and it announced the caller ID, so I could hear it was Citi.

I hobbled over and blew a gasket. I demanded why they had called my mother’s number, a number which legally has nothing to do with me and is most certainly not listed as a phone number on my account. The rep said they had looked up my SSN and found this number.[1]

But having taken that call did not advance the verification, and it also meant I missed the (very delayed) callback from my second call on my own line.

The fourth effort led to another failed “calling you right back” promise.

It was only on the fifth call that I was able to activate the card.

Not only did I waste a half hour on this that I really didn’t have, but these misguided procedures also chewed up tons of call center time, one of the things Citi is keen to avoid.

Clive’s take:

The industry is being confronted by a hidden (for now, but it’s only a matter of time…) squeeze.

Fraud is now endemic and exploding on credit cards. The industry has brought it on itself. Too little has been invested in FALCON (Fraud and Loss Control) systems. And/or they are deemed “too intrusive”: transactions (especially online) have little to no customer tolerance for interruptions at the time of the sale being completed; if confronted by an “additional security check” screen, most customers simply abandon the purchase. So the tripwires are set, at the behest of marketing, really *really* high. Like, they’ll only stop a blatant runaway spender or closeout fraud pattern of transactions. Even what should be no-brainers like different billing and shipping addresses on Card Not Present acquiring are let through from “reliable” merchants.

So card issuers are desperate, just desperate, to get customers to sign up to text message/mobile two-factor verification of card transactions and servicing requests. But there’s big customer resistance here as well – a lot, for example, have a “personal” phone # and a separate business one (myself included). I never evah evah evah look at the “business” phone after hours. And I similarly never, over my dead, cold body, give my “personal” number to anyone who I don’t trust not to abuse this confidence or pester me. So which should I give out? I end up not wanting to give either.

Which completely throws card servicing and the cack-handed fraud prevention processes. This then adds to the call handling time for call centre agents, whose numbers are cut back on the basis that there won’t be so many, or so longwinded, calls to field.

As usual, no-one wants to pony up the costs to do the high-touch servicing which the product and the retail fraud environment demands.

We’ve seen versions of this movie before. The financial services industry has many activities that are routine and repetitive and thus can be managed on a high-volume, standardized basis. But they regularly also have customer needs with the same product that require special handling.

Clive used the word “servicing.” Mortgage servicing was the poster child for this phenomenon. Mortgage servicing was treated like a factory: highly automated processing of payments. The fee schedules for servicing didn’t allow explicit payment, or even fat enough overall margins, to allow for much higher cost “default servicing,” particularly mortgage modifications, which are as much work as underwriting a new mortgage.

But the servicing agreements did provide for payment for foreclosures, and the servicers got very good at streamlining that… via cutting quite a few legal corners. As mortgage securitization expert Tom Adams pointed out long ago, every mortgage servicer that managed a portfolio with a high level of delinquencies resorted to fraud.

As we pointed out at the top, the credit card business has much fatter margins than mortgage servicing did, and the banks, not the customers, are the ones who get caught short in the event of successful frauds (although as my example shows, they can impose time costs on their hapless card holders). It’s going to be revealing to see how they try to dig themselves out of the mess they’ve created for themselves.

____

[1] At Christmas, when my siblings often come visit my mother, I would ship presents that weren’t gift wrapped to me at her address so I could label and wrap them. So they appear to have connected her phone to me from her address.


40 comments

  1. jackiebass

    I had the same thing happen to me in trying to purchase a JBL sound bar. After I complained and filed a fraud report and several communications B.A. credited my account for the charge. Since then they sometimes reject a charge if they feel it bogus and send me an email to verify the charge. They also lock the account until I respond. It is an inconvenience but probably necessary thing.

    1. flora

      B.A.? Very interesting that I got a call with a recorded, faintly Chinese-accented female voice saying something about my B.A. account needing verification of some sort, “Press 1”. The call was clearly a phishing attempt.

      About B.A. extra hoops you now have to jump through, they may be necessary but I imagine the extra hoop jumps will encourage people to pay with cash when possible. (And at the very time the big banks and cc companies are pushing the idea ‘digital cash’. They’re hoisting themselves in multiple ways. )

  2. vlade

    Banks and technology (or more widely, cost cutting) is a really fun area.

    Historically, banks put in technology to make their processes cheaper (=cut costs). That sounds good, but there’s a point that can be made (too long for a comment) that process optimisation leads to commoditisation.

    Commoditisation then means your revenues are constrained (via volume), and the only way to increase your margins is by cutting costs, but even that is (in theory) only temporary, as there cannot be a long-term competitive advantage in costs in commodity industry (in practice, it’s much more complex, as it’s nearly impossible to replace the IT systems once they are bedded in, so the quality – or lack of – internal IT systems becomes the competitive cost advantage).

    Nevertheless, the product itself became a commodity, yet most of the bank’s management is refusing to treat it like that.

  3. The Rev Kev

    Just in passing, I have seen on this insistence with providing a mobile number with companies. It is almost a fetish. There is one thing that I am not sure about with this article. I have seen how banks just seem to cavalierly dismiss the increasing amounts of fraud committed on cards. So my question is this. Ultimately just who eats these costs? Do the banks write it off as just a cost of doing business? Do the banks charge it to all their customers via the high interest rates charged on credit cards – which is about 20% at the moment. Or do banks carry insurance for such costs of fraud and get the insurance companies to pick up the tab?

    1. Alex

      Never heard about banks insuring such losses (but I never worked in the US). And the first and second options are basically the same: you look at your credit card portfolio and you have fees and interest income on one side and all kinds of expenditures on the other, including defaults, fraud, opex etc. At the end of the day you want the former minus the latter to be positive.

    2. flora

      Mobile phone 2-factor authentication is the fad now. Even my uni is going to that. What will the fad be two or three years from now? What about people who don’t have a mobile phone?

      As for Chase suddenly implementing a worse process (no doubt to save money), maybe a new manager is on board. (Sometimes I think the current MBA degree should be retitled the MSA degree – Master of Spreadsheet Administration. ha.)

      1. drumlin woodchuckles

        My university too.

        But at least they will SELL you a “Duo token number generator” thingie if you don’t have a cell phone.
        So you push the button on the duo token thingie and type into the “Second Factor Identification Line” the number that the duo token thingie generates.

        “You don’t have a cell phone?” No. I believe cell phones cause brain cancer. In 20 years we will know. Best of luck with your cell phone.

    3. Clive

      Losses on a credit card (this also applies to debit card) payment are a game of counterparty pass-the-parcel. Initially the card holder will report a potentially loss-generating transaction (fraud, incorrect billing, goods not of merchantable quality, suspicious transactions… there’s a long, long list of disputable transaction reasons).

      So… pretty pronto the card issuer will be potentially sitting on the loss, but almost immediately they’ll use what in the industry is referred to as “liability shift”, which means in the first instance they can shift the burden of proof onto the merchant, to prove they did ship the goods, they did despatch them to the right address, the services were as described etc. etc. etc.

      So, the merchant is left holding the baby? No. They can also foist responsibility onto the acquirer (the party who provides their merchant services hardware and card authorisation). They can also be like PayPal and say they were only an intermediary and seek redress from the third party they acted as middlemen for. In order to accept card payments and offer a card acceptance facility, the merchant has to be itself sponsored by a bank and they usually have some sort of indemnity (which will be covered by some security or other, invariably). So if the merchant gets into trouble or does a moonlight flit, there’s redress there too.

      While all this seems to afford various protections to various parties from wrongdoing, the complexity creates, as complexity has a nasty habit of doing, a tendency to be rather blasé about who, ultimately, might end up shouldering the burden from wrongdoing by someone else in the chain of liability. If there’s a long chain and multiple counter-parties in it, you can lull yourself into thinking there will always be someone else left carrying the can, that someone not being you.

      Sorry, long winded answer but there’s not a simple answer here to an apparently simple question. Which is why the industry itself is getting into a bit of a mess with it all.

      1. The Rev Kev

        Thanks for that Clive. I should have guessed that the whole process would have been a mess.

    4. monday1929

      Most simply, the banks make up for any losses they absorb through credit card fraud committed upon them by committing much larger frauds elsewhere.
      You should welcome them insisting on calling you back on a phone number of record since the number you call from can easily be spoofed.
      They do appear to have little interest in catching the CC fraudsters, such as involving the police to arrest or question the people who show up at the Air Canada gate with the stolen tickets etc. Probably easier to just absorb the costs and keep management’s focus on highly lucrative product lines like laundering trillions for drug cartels. Like heroin dealers, they prefer not to get the police involved.

      1. monday1929

        One additional reason they might be eager to obtain your cell phone number is that by providing that you have authorized (per fine print) collection agencies to contact you at that number.

      2. Yves Smith Post author

        This was on the verification of sending a new card to a physical address where I had to provide the CVC to prove I had possession of the card. I’ve never had a problem, evah, with a Fedex package being delivered to the wrong address/person. And in perpetrating card fraud, the phone number on the account isn’t one of the identifiers, it’s the CVC and zip code (in addition to the card # and expiration date).

        There are way less inconvenient-to-customer ways to verify identity, like to ask for the name of the bank used to make the last payment on the bill.

  4. You're soaking in it!

    My Chase card accounts are in the process of being switched to a default “Arbitration for any disputes” contract agreement (which can be opted out by writing a physical letter and sending it to the correct PO box.) As soon as I saw this my thought was that this was a way to push back fraudulent charges onto customers and when they complain throw them to the arbitration panel. If this is their intention I have a feeling it will painfully backfire.

    1. Kurtismayfield

      It won’t backfire, it will be a complete success for small transactions. Who is going to take the tax on time for arbitration for a $60 fraud case? Once the word gets out that you have to show up for arbitration multiple times to get less than $60 back, forget it.

      1. notabanktoadie

        Once all citizens may have accounts and thus debit cards at the Central Bank itself, then fraud wrt those accounts will constitute a Federal Crime in the US.

        And the US Federal Government, being monetarily sovereign, is neither revenue constrained nor profit motivated, at least in principle, wrt fighting fraud.

        So, at least wrt debit cards, fraud should be, in principle, a minuscule problem.

  5. Howard Beale IV

    Having worked on Falcon and worked in the card industry, I can say Falcon isn’t cheap to run (it eats CPU like there is no tomorrow), especially if it runs real-time during an authorization as opposed to being processed on a one-off basis – what determines whether it’s in-line or one-off is based on the score that comes out of Falcon.

    And there’s one detail that’s been left out – card issuers are supposed to send to FICO their aggregated processing results to them so they can build a consortium model that all Falcon users are supposed to load into their scoring engine.

    What’s missing is competition in the fraud detection marketplace – I have yet to run across a financial institution that doesn’t run Falcon.

  6. Jim A.

    they instead insisted on calling me on the number on file, which they could readily see was the number I was already using.

    Just to point out that this is NOT crazy. I’ve heard of plenty of cases where the number that comes up in the caller ID is hacked, so that the wrong number displays. But I haven’t heard of cases where the phone company’s switching center is hacked so that a call gets mis-directed. So when you call, all they really know is that your phone SAYS that it is calling from the number that they have on record. But when they call, they can be reasonably sure that they are connected to the number that they have on record.

    1. Yves Smith Post author

      See my comment above. First, one time, they called a number that legally has nothing to do with me and is in an area code literally over 1000 miles away from the area codes of the only #s that are #s officially associated with the account. Second, there are way less inconvenient to the customer ways to verify the account as I described. Third, this was their alternative to the not-even-remotely security-promoting idea of having me provide a cell phone # and then texting me. So their position de facto was that I was OK and everything was security theater.

  7. philnc

    2FA is coming late to the banks, but they’re not the only laggards. Health providers are in the same boat. What most have done is take the cheapest route they can, SMS text (which also happens to have been the easiest to implement 5 years ago). If that also offers the opportunity to monetize even more of customer PII, so much the better. There are other, more secure and flexible, methods: an authenticator app doesn’t require you to give up your mobile number; a hardware key is even better. The problem is, many “modern” systems don’t support multiple devices (what happens if you use an authenticator on your phone, and then lose your phone?), if at all. AWS only lets you register one authenticator or hardware key. Google, on the other hand, allows you to have multiple backup keys. Some password managers like open source (and audited) Bitwarden can also serve as web based authenticators, so you can avoid being tied down to your phone. Some authenticator and key systems also give you the option of setting up “backup codes” as a last resort (Google does that by default). For all the trillions of dollars under their control, it does seem like the banking sector’s approach overall has been at best cavalier. Oh, and that reverse lookup via SSN? That crap needs to be made illegal, if it isn’t already.

  8. William Hunter Duncan

    I worked in the chop shop of Wells Fargo in the midst of the Great Recession. Aside from packaging mortgages in foreclosure to sell to Fannie and Freddie and the Fed for 100 cents on the dollar – I assumed that big bank IT would work better than anywhere else I had been.

    Ha ha. We lost hours of productivity regularly because the intra-company internet wouldn’t work. At least once we lost the whole day. Another time a guy sent an email to all the department heads, except he accidentally sent it to everyone in the bank, and then people started replying-to-all to ask to be taken off the email, which unleashed a cascade of communication the system could not handle. What a joke.

    A good friend was head of IT for the bank. He quit a few years after, starting his own business white-hat hacking mainframes. He’s got a great gig, just hacking; he finds the flaws and then someone else has to fix them. His main argument has been that mainframes are profoundly vulnerable, but the big banks especially have acted like they are impenetrable and immortal.

  9. Jenny

    I think here in Singapore DBS Bank was able to quite successfully move to all digital without being a massive problem to its customers. Might be worth a look for you guys in the USA.

    1. Clive

      Singapore is a high-trust, rule-of-law centric society and business culture. The rest of the world, certainly places like the U.K. and the US, erm, aren’t. This makes a big difference to how much targeting of exploits to, for example, perpetrating a fraud goes on and thus the level of capacity, capability and stress which the system needs to be able to cope with.

  10. Richard Hershberger

    This post is mostly an exposition on why I don’t bank with a big bank. I have accounts with a regional credit union, and with a local bank that has a total of three offices. It wonderfully simplifies the process of talking to a real person. In many cases, it will be a real person I have been dealing with for over a decade. I have never had the least bit of hassle when stuff comes up.

    Back in the day, the argument for having an account with a big bank was that it had a large number of ATMs. That isn’t really an issue nowadays, what with us using plastic to pay for a cup of coffee. What is the argument nowadays? I honestly don’t know. So why deal with a megabank? Is there any reason apart from habit?

    1. marku52

      We tried a local smallish bank. They thought it was a great idea to grow by buying other small banks. Every single time (without fail) they brought another bank into their system, the online banking went down. For days.

      After the last time for a week, we bailed.

    2. flaesq

      I like small banks and want to use them. Every single time they last no more than 3 years before they’re acquired by some almost big regional bank from the Midwest and the branches close, service worsens, and the advantage is outweighed by the loss of the nearby branch and inconvenience of distance plus routing and account number changes.

      I haven’t given up on small but I don’t harbor any delusions that the entity will be around for more than a couple of years at most.

      Challenge: Floriduh

  11. Pinhead

    In ancient Greek drama, whomever the Gods wished to destroy they first made mad.

    Clearly our major banks are now incurably mad. How many will survive the fintech wave intact?

  12. Harrold

    Giving them your cell number is pretty pointless if their systems are old and decrepit.

    I attempted to purchase a TV in person at a retailer (chip-enabled card, chip reader) with a Citi bank card. The charge was declined. I called customer support; they said it was flagged as fraud and transferred me to the fraud department, and that person told me to reply to the text message that was sent. The only problem was, I never received a text message. I asked if the fraud person could authorize the charge. The answer was I needed to respond to the text message.

    I used my Amex card instead.

    On the way home, yet another fraud person called to ask if I had my card in my possession as there was an attempt at fraud on my card.

    Never got that text message.

  13. John

    In the online space merchants are responsible for most fraud. The card issuer processes a chargeback to the merchant which is almost impossible to reverse, so the card issuer or bank incurs no bad debt. In face-to-face retail, if the card has a chip and is processed properly, the card issuer is responsible for the fraud. The US is the only country that implemented chip or EMV cards without a PIN. In other countries this reduced face-to-face fraud significantly, moving most of it online. The technology exists to require the use of a PIN for online as well. Card issuers’ concerns over payment friction and slowing transaction time override fraud concerns, since merchants pay for most fraud.

    1. False Solace

      The US once again implemented the dumbest, most backward version of EMV. Out of a fear of slowing transactions they left the door wide open to fraud despite the huge expense of new POS hardware and certification. Plus if you go overseas and use your card it still defaults to signature, resulting in a lot of weird looks from retail clerks and shutting you out of many transactions like buying train tickets from a machine.

  14. Big Tap

    If banks are so concerned about credit card fraud they have themselves to blame. Several years ago in the U.S. credit cards were reissued to customers with this newfangled security system of a chip in them. Much of the rest of the world was using chips in cards already. The banks said these new cards improved fraud reduction. The real security feature was using a PIN too, but it would slow purchase times, so merchants balked and PINs were not given to credit card holders. This is what occurred with the VISA cards I have.

    1. John

      Merchants supported the use of PIN. The card issuers were against it, as were Visa and MasterCard.

  15. meeps

    My local credit union dealt reasonably well with a recent spate of creative, albeit despicable fraud that I experienced.

    I was contacted via text to alert me of a suspected incidence of fraud and I was given the option to text a reply confirming or disputing the charge. It was unclear whether the text originated from my credit union or VISA, so I opted to call the credit union directly instead of text reply. The person in customer service transferred my call to the fraud department (this was the VISA person) who stated the amount; $29.49. It originated from a Western Union in San Fran and I don’t reside in Cali. I disputed the charge and they cancelled my card and issued a new one. Whoever stole my card number charged similar amounts daily (sometimes twice) to the same Western Union for about a week before the problem abated. Each fraudulent debit was credited back to my account automatically during that time.

    This was a chipped card; so much for the promise of extra protection.

    I’ve never banked with or transferred money via Western Union and can’t be sure where my number was obtained but the last legit transaction was the day prior when I followed a link in a digital obituary to a florist to buy flowers for a funeral. The obit had been created for the family by the cemetery. Seems an easy place for the unscrupulous to take advantage and there’d be multiple layers of possible suspects within just that one transaction. Yeesh.

    Would I really be any safer if I used their newfangled mobile app?

    1. Clive

      Chip and PIN (or even just mag stripe and PIN) is only effective in Card Present transactions, where you’re in possession of the physical card at the point of sale. For Card Not Present — where the vast majority of fraud occurs — you’re relying on CVV or CVC validation, which is by no means undefeatable. If the CVV/CVC is compromised, you’ve got authorisation checks and card issuer surveillance. As card payment volumes skyrocket but underlying infrastructure capacity stays, more or less, the same, the temptation to be less invasive in referring transactions presented for authorisation increases.
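Clive’s two points above (in the post, that Card Not Present tripwires are set so high that billing/shipping mismatches from “reliable” merchants sail through, and here, that CNP fraud rests on CVV/CVC validation plus issuer surveillance) can be made concrete with a toy rule screen. This is an added illustration, not code from the post or from any issuer’s Falcon deployment; every merchant, amount, weight and threshold is constructed, and the two rule profiles are assumed stand-ins for a strict issuer and a marketing-tuned one.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CnpAuth:
    """One Card-Not-Present authorisation request (all fields constructed)."""
    merchant: str
    amount: float            # amount the acquirer presents for authorisation
    currency: str            # currency the acquirer presents
    agreed_amount: float     # what the cardholder agreed to at checkout
    agreed_currency: str
    billing_zip: str
    shipping_zip: str        # equal to billing_zip when nothing ships
    cvc_match: bool          # result of CVV/CVC validation
    merchant_trusted: bool   # issuer's "reliable merchant" flag


def risk_signals(tx: CnpAuth) -> list[str]:
    """The individual tripwires; each is a check the post calls a no-brainer."""
    signals = []
    if not tx.cvc_match:
        signals.append("cvc_mismatch")
    if tx.currency != tx.agreed_currency:
        signals.append("currency_mismatch")          # e.g. CNY presented vs USD agreed
    elif abs(tx.amount - tx.agreed_amount) > 0.005:
        signals.append("amount_mismatch")
    if tx.shipping_zip != tx.billing_zip:
        signals.append("ship_bill_mismatch")
    if tx.amount >= 1500:
        signals.append("high_value")
    return signals


# Constructed weights. STRICT refers the cardholder on any single tripwire.
# LAX is the "set at the behest of marketing" profile: only blatant
# combinations reach the referral score, and a trusted-merchant flag waives
# the shipping/billing check entirely.
STRICT = dict(cvc_mismatch=100, currency_mismatch=100, amount_mismatch=100,
              ship_bill_mismatch=100, high_value=100)
LAX = dict(cvc_mismatch=60, currency_mismatch=25, amount_mismatch=15,
           ship_bill_mismatch=20, high_value=50)
REFER_AT = 100   # score at which the customer sees an "additional security check"


def decide(tx: CnpAuth, weights: dict, waive_address_for_trusted: bool):
    """Return (decision, score, signals) for one authorisation under a profile."""
    signals = risk_signals(tx)
    if waive_address_for_trusted and tx.merchant_trusted:
        signals = [s for s in signals if s != "ship_bill_mismatch"]
    score = sum(weights[s] for s in signals)
    decision = "REFER" if score >= REFER_AT else "APPROVE"
    return decision, score, signals


def screen(txs, weights, waive_address_for_trusted):
    """Decision per merchant for a batch of authorisations."""
    return {tx.merchant: decide(tx, weights, waive_address_for_trusted)[0]
            for tx in txs}


# Constructed sample modelled on the incidents the post describes.
SAMPLE = [
    # Unknown shoe seller presents the charge in CNY, not the USD amount agreed.
    CnpAuth("shoe-seller", 582.00, "CNY", 79.99, "USD", "10001", "10001",
            cvc_match=True, merchant_trusted=False),
    # High-value airline booking with a failed CVC check: a blatant pattern.
    CnpAuth("airline", 1700.00, "USD", 1700.00, "USD", "10001", "10001",
            cvc_match=False, merchant_trusted=True),
    # "Reliable" big-box merchant shipping to an address that is not the billing one.
    CnpAuth("big-box", 1299.00, "USD", 1299.00, "USD", "10001", "90210",
            cvc_match=True, merchant_trusted=True),
    # Ordinary matching purchase.
    CnpAuth("grocer", 54.10, "USD", 54.10, "USD", "10001", "10001",
            cvc_match=True, merchant_trusted=False),
]

if __name__ == "__main__":
    for name, weights, waive in (("strict", STRICT, False), ("lax", LAX, True)):
        print(name, screen(SAMPLE, weights, waive))
```

Under the strict profile three of the four sample authorisations are referred; under the marketing-tuned profile only the airline booking is, and both the currency switch and the trusted merchant’s address mismatch are approved, which is the behaviour the post complains about.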

Comments are closed.