Schneier on Security
A blog covering security and security technology.
« The Future of Privacy |
| Class Break of Citibank ATM Cards »
March 6, 2006
The Terrorist Threat of Paying Your Credit Card Balance
This article shows how badly terrorist profiling can go wrong:
They paid down some debt. The balance on their JCPenney Platinum MasterCard had gotten to an unhealthy level. So they sent in a large payment, a check for $6,522.
And an alarm went off. A red flag went up. The Soehnges' behavior was found questionable.
And all they did was pay down their debt. They didn't call a suspected terrorist on their cell phone. They didn't try to sneak a machine gun through customs.
They just paid a hefty chunk of their credit card balance. And they learned how frighteningly wide the net of suspicion has been cast.
After sending in the check, they checked online to see if their account had been duly credited. They learned that the check had arrived, but the amount available for credit on their account hadn't changed.
So Deana Soehnge called the credit-card company. Then Walter called.
"When you mess with my money, I want to know why," he said.
They both learned the same astounding piece of information about the little things that can set the threat sensors to beeping and blinking.
They were told, as they moved up the managerial ladder at the call center, that the amount they had sent in was much larger than their normal monthly payment. And if the increase hits a certain percentage higher than that normal payment, Homeland Security has to be notified. And the money doesn't move until the threat alert is lifted.
The article goes on to blame something called the Bank Privacy Act, but that's not correct. The culprit here is the amendments made to the Bank Secrecy Act by the USA Patriot Act, Sections 351 and 352. There's a general discussion here, and the Federal Register here.
There has been some rumbling on the net that this story is badly garbled -- or even a hoax -- but certainly this kind of thing is what financial institutions are required to report under the Patriot Act.
Remember, all the time spent chasing down silly false alarms is time wasted. Finding terrorist plots is a signal-to-noise problem, and stuff like this substantially decreases that ratio: it adds a lot of noise without adding enough signal. It makes us less safe, because it makes terrorist plots harder to find.
Posted on March 6, 2006 at 10:45 AM
• 57 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Does this couple need to pay interest while the CC company is sitting and holding the check?
Sounds like a way for banks to make more money.
1) I agree that it is frightening.
2) I agree that this doesn't seem to do much to solve the problem if finding the bad guys.
3) It might have something to do their history or the method of payment. I've done similar things in the past without a problem, using EFT to move money from my broker to my bank to the CC company. Maybe using a cashier's check (or something similar) for that much money would ring bells.
MBNA probably doesn't do this as I just refinanced my house and sent a $16,000 payment (via online bill pay) to them and they credited it with no problem and no delays. I'll let you know if MIBs come knocking on my door in the future.
Strange - in Germany we have exactly the same law, now. It got passed last year - not supposed to catch The Terrorists but to find rather "normal" citizens, who not paying their taxes or are trying to hide their savings from the social insurance authorities.
did jcpenney just hold the check, or did it negotiate the check and then refuse to credit the account? if it just held the check, the maker could stop payment on it. if it negotiated the check and refused to apply a credit, that's flat-out fraud.
we could live to see bank runs in america on account of behavior like this if it seeps into the consciousness of joe average that the money in his account isn't safe from the government.
not just bank accounts, but the dollar itself isn't the safest vehicle these days. if you have a garden, consider burying something other than fertilizer in it. you can order gold, silver, platinum and palladium right over the net from goldmastersusa.com in tacoma and they'll ship it to you registered, insured mail. then you'll be definitely eligible for some homeland security list.
All I know is that I paid off a credit card last year (a Visa), with a one time transfer of $13000, due to some stock I sold. Haven't heard anything yet, and the card balance was updated when I expected it too (although I think maybe a day or so longer than normal for it to show up online).
According to Bruce's articles, I've gotten the impression he's actually in favour of doing this (verifying transactions). The only way to do this in real life is to monitor for any unusual (or suspicious) activity, raise an alarm when detected and then have a human operator check it.
I think it's good to have such systems in place, but they're by no means an indicator for wether or not someone is a terrorist (remember that doing anything unexpected will trigger the alarm and that it's impossible to avoid it).
What likely happened here is someone misunderstood what the system was designed for in the first place (and the ongoing terrorists scare isn't helping the situation at all).
"Remember, all the time spent chasing down silly false alarms is time wasted. Finding terrorist plots is a signal-to-noise problem, and stuff like this substantially decreases that ratio: it adds a lot of noise without adding enough signal. It makes us less safe, because it makes terrorist plots harder to find."
True to a degree, since we're hoping to avoid false positives, but what about the false negatives? No signal at all can be just as big a problem as too much noise to find the signal...assuming there really is a signal, of course.
I think the most interesting point in this case is how hard it is to profile "normal" behavior based on one factor.
One anomaly, all by itself, is sufficient to raise a flag? Seems unlikely that an investigator would be so sloppy. Usually it takes some kind of cross-reference, triangulation, etc. just to avoid the risk of wasting time, as you suggest.
So were they penalized for missing the payment date since it went by while the money was in limbo?
While calling the DHS and putting the money on hold is definitely a major overreaction, I think the general idea of setting alerts for human authentication of things if they are far outside the norms is a very, very good one. One of my professors told me a story about how every month he would send a check for something like $122.50 to pay off his American Express card. Then one month he left off the decimal, and they withdrew over $12,000 from his bank account. In a case like that, a human would easily be able to see what had happened or, at the very least, could have called him to make sure he had intended to pay that huge amount.
None of the statutes or regulations cited in the post have anything to do with the claimed facts.
I suggest that the story is not a hoax, nor is it garbled, but is something else entirely: The bank lying to cover its own error.
Note to potential terrorist financiers: To test whether you're on a DHS watch list, make an unusual payment towards your credit card balance.
The nice people at your CC company will let you know about your status, courtesy of the DHS information-leaking delay in "clearing" the balance transfer.
Nicely done, Chertoff.
This is where personal responsiblity comes in. Should it really be a machines responsiblity to validate that? Should the bank be held responsible for it? After all the authorized user did submit the request...
The other question that I have: people who are complaining about this fucntionality, do you believe that the bank reviewing this amount is a breach of privacy? After all they are storing the amount of payments.....
Just a thought.. Privacy vs. Seucrity yet again.
I very recently paid off a very large balance from a credit card debt (larger than what was mentioned) and I never saw anything like this happen in my transactions. Sounds like a hoax.
Wouldn't leaving a balance on your Credit Card be the last thing to worry a suicide bomber?
What a stupid policy. Credit the account *and* call DHS. Don't hold the money, for Pete's sake, and *don't* tell the suspect calling on the phone they're considered a potential terrorist. Because if they are, they'll disappear, making the whole damn program worthless. If it turns out to be fraudulent, revert the payment and haul the party into court. My God, who's designing these protocols?
Lending and borrowing money is considered sinful in some flavors of Islam.
@ Bill McGonigle
The aim of the measures is
a) to make sure that people feel politicians have done something
b) to make sure that people campaign for fewer security measures so that the real criminals (mostly in govt. ;-) don't get caught
Please explain how sometihing that guarantees widespread publicity and complaints is "stupid" in that context.
Meanwhile a registered 'charity' could withdraw $500,000 in cash for 'distribution' and no alarms would be raised.
The system cannot detect a true positive if the transaction does not go directly through the system.
I once heard a story about someone carrying 10K in cash to buy post hurricane rebuilding supplies getting pulled over for a traffic stop, and having it confiscated. Seems there was no chance of return, even though it was a business owner in good standing with no drug/mob connections.
I always suspected it was Urban Legend, but could never confirm. Anyone know?
Quoth Ari: "According to Bruce's articles, I've gotten the impression he's actually in favour of doing this (verifying transactions). The only way to do this in real life is to monitor for any unusual (or suspicious) activity, raise an alarm when detected and then have a human operator check it."
At some point, of course, this has to be true -- if I'm taking a road trip and make a big purchase along the way, I can't blame the credit card company for not knowing I was driving to Missouri for a wedding and forgot my tuxedo, or whatever. However, it seems to me there's a pretty bright line you can draw between the suspiciousness of a sudden increase in debt and that of a sudden decrease. If you've suddenly started living beyond your means, that's cause for concern; if you've suddenly started living within your means, that's good for everybody. Security People can't have all the information, of course, but they're not constrained from exercising a little common sense -- what are the Soehnges going to do, strangle people with their credit rating?
"Curse these terrorists -- they're so fiendishly good at blending into society that they DON'T EVEN KILL ANYBODY!" "Yes -- if Americans can't feel secure in running up expenses they can't pay and blowing all their spare income on the interest, then the terrorists have already won!"
Just as in Germany, Australia also has a similar law. (Actually, I was under the impression that these laws are pretty common in most advanced countries.) Our version was passed years ago, certainly well before 2001, and is supposed to be to detect tax evasion and money laundering. It requires reporting of certain "suspicious" transactions over about AUD $10,000.
I've never heard of it resulting in payments being delayed, however. Even if you really suspect someone of involvement in terrorism, that's just so extremely incompetent that I really wonder if this case might not be a garble.
As someone on one of Bruce's other links pointed out, this case is perfectly consistent with the bank -- not the DHS -- suspecting the Soehnge's of cheque fraud and delaying the deposit of the cheque for the standard time (7 days). It happens all the time, and has nothing to do with the DHS, except that the US Secret Service Financial Crimes Division is usually alerted to fraud investigations, and the USSS has now been subsumed into the DHS.
No, it is not an urban legend, or at least there are very many similar cases which are true. It is called "Civil Asset Forfeiture." The day SCOTUS ruled this constitutional was the day when, in my mind, the USA ceased to be part of "the free world". My name below is linked a site with examples similar to the one you cite.
See also ACLU's take on it:
In few month when they will try to get a plane to go in vacation, they'll find out they are now on the no-fly list!
In few month when they will try to get a plane to go in vacation, they'll find out they are now on the no-fly list!
I work for a financial institution (in the wire transfer area) thus I am familiar with all of the regulations that banks in the US are obligated to follow. The regulations are not very well-defined, there is a lot of guesswork into what is considered "suspicious"; financial institutions only see a very narrow part of a transaction, it is very difficult to get a good feel for why money is moving around. People overreact because they do not want to be the one to let a real terrorist slip through the cracks. There are schemes where payments can be used to funnel money; for instance a person gets a cash advance on a card and then the criminal will give the person money to pay off the card.
Having said that, this is most certainly a stretch and a waste of resources. Paying a bill is hardly a high-risk activity. A JC Penney card is not the type of card where cash advances are taken or expensive stored value items can be used to launder money. They should stop muddying the waters and concentrate on the real issues at hand because all of this suspicion is not good for anybody.
Who said anything about terrorists? Surely it is more likely that the cheque is being held because it could be fraud or tax evasion?
Unless the folks used their JC Penney account to buy 1,000 throw-away cell phones, where is the connection to terrorism? Maybe the banks are afraid that they won't get their exorbitant fees next month?
I think bruce is creating his own movie plot threat now!
"I think bruce is creating his own movie plot threat now!"
I'm sure writing blockbuster screenplays pays better than computer security.
Several months ago, I paid my credit card company $5000, which is five times as much as my previous largest payment. I paid it through their web interface, pulling from my bank account. Normally, it gets credited immediately. This time, it took a couple days to post. I've never seen that happen before. I called them, and they told me don't worry, sometimes we have these delays but you won't pay the extra interest once it goes through.
So I don't think this story is a hoax, and in fact I'm rather irritated about it now.
Bruce: "The article goes on to blame something called the Bank Privacy Act, but that's not correct."
That depends on what blame you're talking about. The fact that financial institutions are required to report certain "suspicious" transactions to the Feds *is* the fault of the Bank Secrecy Act of 1970 (Wikipedia). The fact that so many people who thought it was fine for 35 years suddenly find it unreasonable looks like cheap politics.
The story has some merit. Last year I discovered any deposits to my bank over $5,000 cause the amount over $5,000 to be put on hold for 10 business days. In other words, deposit $10,000 and $5,000 of that is unavailable for 10 days. When I asked why, the answer never came back more succinct than "Its a matter of banking regulations and policy." You can, at least at my bank, send in two deposits for $5,000 each to prevent the quarantine. Leaves me to wonder if I wanted to deposit $100,000 and did so with 20 simultaneous deposits would the bank notice. After all, no official flags would have been tripped. If I had more time to pursue the issue perhaps I would have found a better answer.
I think this is a hoax based on a misinterpretation of standard policy.
When I worked at a credit card company, one of the issues we talked about was a criminal getting ahold of someone's account information, finding out the current balance, and sending in a check (drawn on a nonexistent account) to cover the balance. Then they can charge a lot more in the interval between when the check arrives and when it bounces.
The flag for this is: a larger than normal check arrives, from a checking account they're unfamiliar with. In instances of non-fraud, this is a pretty rare occurence. The solution is to credit the account immediately (they're required by U.S. law to do so in any case), but not to release the available credit until the check has cleared.
Sounds like that's what happened here, and somebody blew it out of purportion.
Now we know why the terrorists always appear to be such snappy dressers.
Do I need to be sure to leave my Arizona brand jeans at home when I go to the airport...we have a code red here, I repeat code red - passenger is suspected of wearing clothes from JC Penneys.
GPE that's called "structuring" and can land you in jail. Read in James Bovard's Lost Rights for all sorts of things that you would (at least, no one with any sense would) never expect could land you in jail. Actually, in this case, I thought the bank only had to report **cash** deposits not checks.
It's probably apocryphal , but I have heard a story about a gambler in Vegas who bet considerably more than $10000 in cash , lost , and supposedly would not tell the casino who he was. According to the story , the casino gave him the money back. Like I said apocryphal , but a funny story nonetheless.
This story sounds like someone didn't know what they were talking about. Here is the most likely scenario:
When credit card companies receive large payments they usually evaluate the likelyhood that the payment is fraudulent. They would credit the payment, but not release the credit limit until the check has cleared (usually a set number of days). This prevents the cardholder from, effectively, doubling their credit limit. For instance, you receive a card with $5k limit, and charge it up to that amount. You then send in a bogus check for $5k to payoff the balance. Between the time the credit card company credits your payment and the time the bogus check is returned, you charge up another $5k. You have effectively reached a $10k limit. this is one of the key indicators of an organize fraudulent attack on a credit card.
Second, financial institutions are required by law to monitor transactions and customer activity for "suspicious activity". When questionable or suspicious activity is discovered, they are required to report the facts to the government. http://www.fincen.gov for all you need to know about this requirement. Generally, this is designed to catch money laundering, but is also required for suspected fraudulent activity.
I do not see that this transaction would warrant reporting to fincen. However, if an institution took into consideration other factors that we are unaware, it could be reported, and the insitution would be given a "safe harbor" as long as it was reported in good faith.
Now, with that being said, institutions are required to NOT disclose the fact that a transaction, transactions, or any other activity has been reported. In fact, it is a violation of federal law and the insitution, and the employee(s) divulging the information, would be subject to both criminal and civil prosecution.
Terrorism is a lie like the drug war. If you all believe in Terrorism so much why haven't we bombed Saudi Arabia for 9/11? Or is it really Bush that slammed the planes into the World Trade Center?
If Big Brother Credit takes my money, all I'll do is not pay off my cards, Big Brother Credit will have to write me off!
>>Remember, all the time spent chasing down silly false alarms is time wasted. Finding terrorist plots is a signal-to-noise problem, and stuff like this substantially decreases that ratio: it adds a lot of noise without adding enough signal. It makes us less safe, because it makes terrorist plots harder to find.
that's just plain idiotic. how in the F do they know if it's a false alarm or not until the investigate it? use some common sense.
I think that america is becoming a police state. I think as always, our founding fathers knew that people in higher places are just regular people who have priveledged information. That is why NO ONE CAN BE TRUSTED with our personal information. Lets say the government wants to shut your business down for whatever reason, (not terrorist related) but perhaps makes you look like a terrorist) in order to effectively shut down your business or worse seize your assets so they or someone who is corrupt, could gain control of the monies.. (Aw, no one in government is corrupt, yight?, yeah EXACTLY..... But it could easily happen with the new Patriot Act. Because they do not need to inform anyone including family due to national security laws, they also are free from needing to explain themselves.. IT PAYS TO BE A GOVERNMENT OFFICIAL... So see if they say "Sorry National Security won't let me talk or share that information, then you and I America Citizens are really screwed. Not exactly my idea of the American Dream, how about you?
The story is probably true (I can verify) the same thing happened to me with Sears Mastercard just now. I paid off the balance and because my balance had never been that high before (only $2200.00 mind you) they cashed my check and did not apply the balance to my card. They claimed it's policy now to hold any payment over $500 if your payments are not normally that high. They will hold it for 14 days before applying it to my account according to the patriot act is what I was told.
"The story is probably true (I can verify) the same thing happened to me with Sears Mastercard just now. I paid off the balance and because my balance had never been that high before (only $2200.00 mind you) they cashed my check and did not apply the balance to my card. They claimed it's policy now to hold any payment over $500 if your payments are not normally that high. They will hold it for 14 days before applying it to my account according to the patriot act is what I was told."
Funny, the exact same thing just happened to me. I paid a balance of about $2200 down to zero on my Sears card (not the Sears Mastercard). I paid with a cashier's check at the local Sears store. When over a week later the account wasn't zeroed out, I called. The first rep I spoke with said almost verbatim what you said -- due to the Patriot Act, it would take 10 days to credit the payment.
The second rep that I spoke with, on the 11th day, said various things. She said that if I paid with a cashier's check it would take up to 14 days "because it has to go to the Federal Reserve."
It sounds like that Sears and others have given their phone reps a bunch of nonsense talking points. My guess is the most likely explanation is what's cited above -- they don't want someone to suddenly write a huge check paying the account down and then make a huge purchase on a bad check.
I think it's cowardly to hide behind the Patriot Act or any other excuse. Just tell the truth -- your algorithm detects sudden large paydowns and puts a hold on your credit. (I was not concerned with using credit but rather that my payment had been lost.)
I just had the same problem with Sears Mastercard. I have only a small amount of credit but to earn bonus points I tried to cycle through it several times last month and paid several payments, the largest one being $397. I was told that my 2nd and 3rd payments totalling ~$606 were being held 10 days on my credit due to the Patriot Act allowing (not requiring) holds of 7-10 days for any payments exceeding $300 in a given month. They were applied to my balance but not to my available credit.
I also have the same problem with Sears Mastercard. I work in Higher Education and I am only paid once a month. To keep a handle on my bills, I pay everything on my Sears MC and pay my entire bill off at month end when I am paid. Usually may balance is b/t $1,500 to $2,500. My payments are credited to my account immediately, but take 15 days to become back available to me. In some cases, this hinders me from paying my other monthly bills because even though I paid the bill, I dont have the available credit for another two weeks!!! Do all credit card companies do this? Because I am considerting using another credit card to pay my bills with.
Yup got the same thing on my Orchard Bank credit card after paying a large amount of $450.00 to my credit card using EFT from another bank. I bet they are thinking my big payment of $450.00 was going to buy some side winders or Orchard bank is just desperate to discourage my use of their services.
Add me to the list of Sears MC holders.
Last month I spent 100% off my credit limit, and paid it (in full) on time.
Therefore, 100% of my credit limit is on hold. I learned this today after a charge denial. I called and the answer was "Any payment of $1000 or more will cause the payment amount to be held agasint the credit limit." I'll have to wait 2 weeks before I can use my card again.
The Russian economy has gone down the toilet several times. Their citizens knew they couldn't trust the banks so they put their money under their mattresses.
The Patriot Act was created to trample on the rights of the innocent, while deflecting any blame from those who stand to lose the most under intense scrutiny.
Wow...it just happened to me. Normally I pay about 1500 and this month I paid 2500 because i was moving and obviously had higher expenses. I always pay my balance...now I have a notice for high-risk activity...
This just happened to me and I'm pretty amazed that I am being penalized for paying more than I normally do. This is really frustrating and unneccesary. It's another case of common sense going out the window.
This just happened to me and it is very frustrating...I did not know about this "law" and it seems that common sense has gone out the window, again. I can't believe I'm being penalized for paying more than is expected. I wonder how American Express gets around this issue??
I googled this because this just happened to me with TWO credit cards! My money was debited from my bank... and I really didn't pay large chunks. $350 to one, and $550 to another. I did this on Sunday, and on Tuesday realized that the money was taken from my bank, but the credit cards (Capital One and First Premier), neither one, credited my balance with the amount. First Premier said they could hold my money for 20 days. Capital One said they could hold my money for 6-10 days.
I wrote Capital One back and asked, which is it... 6,7,8,9 or 10 days, and how will I know?!
This has never happened to me and i have several credit cards ( approx 17, visa/mc amx). i usually always PIF or very large payments, between 4k-8k per month. this is my normal payment habits. payments are always credit and made available within 24/48hrs. but my wife is a Vice President of Credit Operations for a major american bank, and she says they usually place holds on checks up to 14 days for accounts with any type of history of returned checks or late payments. The clerk receiving the check payment, the processor is at descretion to place holds. But the good news is, you can always demand to speak to a supervisor or manager and demand that payment be released, especially if you have a perfect payment history with no return checks, late history. the descretion is 100% within the banks power, to release the hold... and YES , the banks are scared of bad checks... CITI lost 35% last quarter... if i was citi.,. id be scared too..
This is not a hoax. I found this post because it is going on with one of my credit cards for the second month in a row. The people at the bank told me about it, and I was wondering how common it was. Hence I found this discussion.
Very real, folks.
THIS MAY OR MAY NOT BE A HOAX.
IT IS ENTIRELLY POSSIBLE IN MY OPINION BASED ON MY PERSONAL EXPERIANCE!
I GOT A "CASH OUT REFI" ON MY HOUSE 2 YEARS AGO TO PAY OFF MY MASSIVE DEBT LOAD.
NEIGHBORS INFORMED ME THAT A VAN WITH BLACKED OUT WINDOWS PARKED DOWN TO STREET BUT WITHIN SIGHT OF MY HOUSE HAD BEEN THERE OFF AND ON FOR 3 DAYS AND AT A COUPLE OF TIMES THE NEIGHBORS HAD SEEN MEN IN THE VAN VIDEOTAPING MY HOUSE AND ME WHEN I WAS OUTSIDE!
I COULDN'T IMAGINE WHY ME? I MEAN I'M A RETIRED LAW ABIDING, TAX PAYING, PAINFULLY HONEST (BUT IN DEBT) CITIZEN!
IT TOOK ME A COUPLE OF DAYS TO FIGURE OUT THAT IT MIGHT HAVE BEEN THE LARGE MONEY AMMOUNT ELECTRONICALLY WIRED INTO MY ACCOUNT FROM THE MORTGAGE CO.
I THOUGHT THAT MAYBE THEY THOUGHT I WAS SOME KIND OF DRUG DEALER OR TAX CHEAT, MOVING THAT MUCH IN SUCH A SHORT PERIOD.
WELL TO END MY STORY, IT ALL CAME TOGETHER LAST MONTH.
BACK IN JANUARY I APPLIED FOR A LOW INTEREST BALANCE TRANSFER FROM ONE CREDIT CARD TO ANOTHER AND WAS APPROVED.(THE AMMOUNT WAS VERY SMALL).
I KEPT LOOKING FOR IT TO SHOW ON MY STATEMENTS BUT IT NEVER DID.
IT IS NOW APRIL AND IT HASN'T HAPPENED YET!
FINALLY FOUND OUT FROM ONE OF THE CARD COMPANYS THAT YES INDEED THE FEDS CAN AND DO HOLD UP SUSPICIOUS FINANCIAL TRANSACTIONS, AND WHEN THEY DON'T HAVE ENOUGH SUSPICIOUS TRANSACTIONS THEY JUST PICK ONES AT RANDOM TO JUSTIFY THEIR PAY!(THIS LAST PART I LEARNED FROM A RETIRED FORMER HIGH RANKING FEDERAL LAW ENFORCEMENT OFFICIAL).
ALL THIS IS DONE UNDER THE PROTECTION OF THE "PATRIOT ACT".
OUR TAX DOLLARS AT WORK!!!!!!!!!!!!!!
The gov't is NOT worried about catching terrorists.
Thus, the "noise to signal" ratio means nothing.
These laws are a dragnet for normal citizens.
You are the target.
Absolutely TRUE. One payment autopaid for today (online banking- therefore wired, I guess, $400) one check $400 they received OVER 15 DAYS AGO. Still not applied to available credit line with Sears Gold. Wait until I close this account and move the balance to the other one. This is INSANE! The woman told me they don't give you back the credit line for up to 15 days. You are better off making small payments than large ones as they don't chunk away the line (oh and they don't hold it from the credit line until 2 days AFTER it is possted. The moral is DON'T PAY YOUR CREDIT CARD I guess.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.