It’s hard to miss the regular stories about data breaches, sometimes including financial account details. But in addition to that, credit card companies also face ongoing attacks from fraudsters who obtain credit card information and put through bogus charges.
You’d think the banks that participate in the Visa and Mastercard networks would be vigilant about this issue. After all, the customer is liable only for $50 of loss even if his credit card goes missing. In my experience of actually having had my wallet stolen and having big charges run up with impressive speed, the banks don’t even hit customers with that allowed $50. On top of that, the merchant fees on credit card transactions are hefty, which you’d think would give the banks more than enough funding to create decent protections.
Banks fetishize cost reduction as a way to increase profits, and they do it with particular zeal via headcount cuts of low-level employees, such as in customer-facing activities like call centers. There are regular examples of how they overdo it, such as cutting so many branches after a merger that they lose customers, forcing them to go back and reopen some.
Bank executives, if anything more so than their peers in the rest of Corporate America, also have enormous faith in technology as a magic bullet. Yet as our many readers who have done time in bank IT will tell you, operations are treated like an orphan child. One of the key bits of evidence is the industry-wide shoring up of legacy software, which at some point is going to start seizing up even more than it already has. The reason banks haven’t migrated off isn’t just the enormity of the task and the virtual impossibility of identifying all the interdependencies of various systems; it’s also that, even if they could find a path through this problem, it would cost them on the order of all their net income for several years.
A wee example of these bad tendencies is how banks have been taking the cheap and easy road with credit card fraud to the degree that it is coming back to haunt them. I’ve run into this myself with the two cards I use for pretty much all my card charges, one a personal and one a business card at Citigroup.
Yes, Citigroup. I’ve stuck with them because miles, because I had Citi back in the day as a client, and because when I had a big problem with the credit rating bureaus, a guy at Citi went to enormous lengths to get it fixed. Other reasons include that historically, when I had a problem the Citi customer service people also on average were sharp and had more latitude than most call center staffers in straightening things out.
However, Citi has been racing to the bottom along with everyone else in the industry. It recently implemented a horrific new menu clearly designed to force customers to deal with automated prompts and Q&As and make it hard to get to live humans. Even though most companies have been going in that direction for a very long time, the abruptness of the change by Citi and the difficulty of circumventing their menus, particularly when my service request was way too non-routine to be on them, was aggravating.
The latest Citi service bungles involve card security. In the last month, I’ve had to get new personal and business credit cards due to fraud. The incidents were independent. On my personal account, I had made an online order for running shoes, and the merchant was a bad actor. Not only did it not send the shoes, but the charge came through from a Chinese account in renminbi, which meant the actual amount was different than what I’d agreed to. I got another charge I didn’t recognize shortly after that. I called in to say I didn’t recognize the charges and asked for a new card to be issued.
Even though Citi did send the replacement card pronto, they had a more elaborate authentication process than before. Despite my calling from a number that was on the account, Citi wanted to send a text to a mobile phone... and they wanted me to provide that number on the call! That does absolutely nothing in the way of verifying who I am: a code texted to a number the caller just supplied proves only that the caller controls the number they just supplied. I refused to do so, which put them on tilt. Instead of going to a sensible next verification measure, like asking for the name of the bank I’d used to make my last payment, they instead insisted on calling me on the number on file, which they could readily see was the number I was already using.
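The verification failure above can be modeled in a few lines. This is an added example, not Citi’s process or code: it assumes a hypothetical account record with phone numbers on file and a simulated text-message delivery, and compares a policy that texts a one-time code to whatever number the caller gives with one that only texts numbers already on file.

```python
"""Model of phone-based step-up verification on a card-servicing call.

Added illustration, not the bank's actual procedure. The account data and
the text-message delivery are constructed/simulated for the example.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    holder: str
    phones_on_file: set[str]                      # constructed sample data
    pending_codes: dict[str, str] = field(default_factory=dict)


# Simulated SMS delivery: the code "arrives" at whatever number it was sent to.
DELIVERED: dict[str, str] = {}


def send_code(account: Account, destination: str, on_file_only: bool) -> bool:
    """Issue a one-time code to `destination`.

    Weak policy (on_file_only=False): text any number the caller names.
    Strong policy (on_file_only=True): refuse numbers not already on file,
    so the caller cannot choose the channel that is supposed to verify them.
    """
    if on_file_only and destination not in account.phones_on_file:
        return False
    code = f"{secrets.randbelow(10**6):06d}"
    account.pending_codes[destination] = code
    DELIVERED[destination] = code          # simulated delivery
    return True


def verify_code(account: Account, destination: str, presented: str) -> bool:
    expected = account.pending_codes.pop(destination, None)
    return expected is not None and secrets.compare_digest(expected, presented)


def caller_with_own_phone(account: Account, phone: str, on_file_only: bool) -> bool:
    """A caller who knows only the account identity asks for the code to be
    texted to a phone they control. Returns True if they pass verification.
    Note: neither policy defends against takeover of the on-file number at
    the carrier (SIM swap); this models only who gets to pick the channel."""
    if not send_code(account, phone, on_file_only):
        return False
    return verify_code(account, phone, DELIVERED[phone])


def legitimate_holder(account: Account, on_file_only: bool) -> bool:
    """The real holder receives the code on a number already on file."""
    phone = next(iter(account.phones_on_file))
    return send_code(account, phone, on_file_only) and \
        verify_code(account, phone, DELIVERED[phone])
```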
Citi’s desire to get a mobile phone number out of me for the purpose of two-factor verification is even more peculiar in light of the fact that mobile phone communications are easily compromised. From a 2017 article in The Verge:
In most cases, the problem isn’t two-factor itself, but everything around it. If you can break through anything next to that two-factor login — whether it’s the account-recovery process, trusted devices, or the underlying carrier account — then you’re home free.
Two-factor’s trickiest weak point? Wireless carriers. If you can compromise the AT&T, Verizon, or T-Mobile account that supports a person’s phone number, you can usually hijack any call or text that’s sent to them. For mobile apps like Signal, which are tied entirely to a given phone number, it can be enough to hijack the entire account... With two networks controlling the bulk of the market, there’s been little incentive to compete on security.
At the same time, it’s proven difficult to kill off particular types of two-factor even after they’re shown to be insecure. The National Institute of Standards and Technology quietly withdrew support for SMS-based two-factor in August, pointing to the risk of interception or spoofing, but tech companies have been slow to respond. If anything, services are relying more on SMS as Twitter and PayPal look to tie accounts more closely to phone numbers. It’s less secure, but easier to use. As long as it’s two-factor, few account holders know the difference.
The process got even more ludicrous when my business card was compromised. Here Citi contacted me with a fraud alert. I confirmed that I hadn’t tried to book a $1700 order on Air Canada. They sent the replacement card on an expedited basis.
When I went to activate it, I was kicked over to the fraud alert department and got someone who was too obviously in a call center in India. We went through the asking for my cell phone number drill and after I refused, he said he would call the number I was on right away.
But unlike with the personal card, he didn’t call right away. So I called again, and apparently our calls crossed.
I had to start again from zero. Second person said they’d call my number on file, and I read it out to make sure we were discussing the same number. Again long delay, no call.
On the third call (and by now I am getting frosted), I repeated the same drill. This individual called back more punctually... on my mother’s land line! It was in the next room, and it announced the caller ID, so I could hear it was Citi.
I hobbled over and blew a gasket. I demanded why they had called my mother’s number, a number which legally has nothing to do with me and is most certainly not listed as a phone number on my account. The rep said they had looked up my SSN and found this number.1
But having taken that call did not advance the verification, and it also meant I missed the (very delayed) callback from the second call on my own line.
The fourth effort led to another failed “calling you right back” promise.
It was only on the fifth call that I was able to activate the card.
Not only did I waste a half hour on this that I really didn’t have, but these misguided procedures also chewed up tons of call center time, one of the things Citi is keen to avoid.
The industry is being confronted by a hidden (for now, but it’s only a matter of time…) squeeze.
Fraud is now endemic and exploding on credit cards. The industry has brought it on itself. Too little has been invested in FALCON (Fraud and Loss Control) systems. And/or they are deemed “too intrusive”: transactions (especially online) have little to no customer tolerance for interruptions at the time the sale is being completed; if confronted by an “additional security check” screen, most customers simply abandon the purchase. So the tripwires are set, at the behest of marketing, really *really* high. Like, they’ll only stop a blatant runaway spender or closeout fraud pattern of transactions. Even what should be no-brainers like different billing and shipping addresses on Card Not Present acquiring are let through from “reliable” merchants.
So card issuers are desperate, just desperate, to get customers to sign up to text message/mobile two-factor verification of card transactions and servicing requests. But there’s big customer resistance here as well – a lot, for example, have a “personal” phone # and a separate business one (myself included). I never evah evah evah look at the “business” phone after hours. And I similarly never, over my dead, cold body, give my “personal” number to anyone who I don’t trust not to abuse this confidence or pester me. So which should I give out? I end up not wanting to give either.
Which completely throws card servicing and the cack-handed fraud prevention processes. This then adds to the call handling time for call centre agents, whose numbers are cut back on the basis that there won’t be so many, or so longwinded, calls to field.
As usual, no-one wants to pony up the costs to do the high-touch servicing which the product and the retail fraud environment demands.
We’ve seen versions of this movie before. The financial services industry has many activities that are routine and repetitive and thus can be managed on a high-volume, standardized basis. But they regularly also have customer needs with the same product that require special handling.
Clive used the word “servicing.” Mortgage servicing was the poster child for this phenomenon. Mortgage servicing was treated like a factory: highly automated processing of payments. The fee schedules for servicing didn’t allow explicit payment, or even fat enough overall margins, to allow for much higher cost “default servicing,” particularly mortgage modifications, which are as much work as underwriting a new mortgage.
But the servicing agreements did provide for payment for foreclosures, and the servicers got very good at streamlining that... via cutting quite a few legal corners. As mortgage securitization expert Tom Adams pointed out long ago, every mortgage servicer that managed a portfolio with a high level of delinquencies resorted to fraud.
As we pointed out at the top, the credit card business has much fatter margins than mortgage servicing did, and the banks, not the customers, are the ones who get caught short in the event of successful frauds (although as my example shows, they can impose time costs on their hapless card holders). It’s going to be revealing to see how they try to dig themselves out of the mess they’ve created for themselves.
1 At Christmas, when my siblings often come visit my mother, I would ship presents that weren’t gift wrapped to me at her address so I could label and wrap them. So they appear to have connected her phone to me from her address.