Schneier on Security
A blog covering security and security technology.
« Movie-Plot Threat: Terrorists Using Twitter |
| UPC Switching Scam »
October 30, 2008
Horrible Identity Theft Story
This is a story of how smart people can be neutralized through stupid procedures.
Here's the part of the story where some poor guy's account get's completely f-ed. This thief had been bounced to the out-sourced to security so often that he must have made a check list of any possible questions they would ask him. Through whatever means, he managed to get the answers to these questions. Now when he called, he could give us the information we were asking for, but by this point we knew his voice so well that we still tried to get him to security. It worked like this: We put him on hold and dial the extension for security. We get a security rep and start to explain the situation; we tell them he was able to give the right information, but that we know is the same guy that's been calling for weeks and we are certain he is not the account holder. They begrudgingly take the call. Minutes later another one of us gets a call from a security rep saying they are giving us a customer who has been cleared by them. And here the thief was back in our department. For those of us who had come to know him, the fight waged on night after night.
Posted on October 30, 2008 at 12:10 PM
• 40 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
And somewhere, some poor sap just wants to check his balance. :-(
This reads like an attack on management for outsourcing, perhaps even from a disgruntled "displaced" employee.
Does it really matter if the security is run from the US or some other country?
No, the point is that an escalation/exception procedure needed to be in place. Once someone flagged an account multiple times as suspicious or even malicious, higher-level review should have been initiated beyond the first-tier security department.
Um, shouldn't Chase have called the account holder, and changed the account and card numbers?
I suspect the story is all or part bogus.
Yes, Chase should have. It's Chase.
And since the thief can get the account and card numbers from Chase by knowing the other stuff, what good would changing them do?
Call center scripts and policies are software executed by rather unreliable "machines" that happen to be really good at natural language processing. The person on the other end of the phone is really just the human interface device. They mostly don't have the authority to exercise any sort of intelligence.
So really, this is not different from an exploit in the bank's web site. It's a software problem.
The other option would be to give the call center employees a bit more latitude and let them simply ditch a known criminal, or report him to the police. People are extremely good at voiceprinting.
Yes an out-of-bound call-back would be in order as long as they don't ask the caller for his phone number before using it.
"You won't reach me as I've gotten a new mobile phone."
"My home phone is cut off because you bastards screwed up my account and my bill didn't get paid!"
"I'm calling from a friends house. If you call my number on file, there will be nobody there."
My experience with Bank of America's security dept: following some suspicious activity, BoA calls and leaves a message asking me to contact thier security department, or visit their web site. The phone number given is not the number on the back of my card. The Website mentioned is not the BoA website.
The BoA security dept was indistinguishable from a phishing attack! There are deep misunderstandings at work here.
That's why my mother NEVER responds to any BofA telephone calls. There have been a number of attempts to phone phish her for information and she caught on immediately. If BofA called her legitimately they'd likely get hung up on just as a phisher would. BofA told her they'd never call and ask for any information from her, so as soon as she's asked a question, she hangs up. Similarly, she knows the number on the back of her card, so she would never call another one.
In these circumstances the *correct* answer for the callcenter is to advise the caller "We cannot handle your call without your presenting physical ID. Please visit your local branch tomorrow with two forms of photo-ID and they will be able to handle your transaction in person".
Sounds like Chase has a lot to incorporate into their Red Flag Rule Program that's due next spring.
Wonder if that will be effective?
Several times a clerk has received a message telling them them to call BofA for authorization when I've tried to use my card. One time was for a purchase that seemed odd for my account (it was me but how they knew it was odd still scares me), the other was when I put money down for Disney vacation in Florida and an hour later was in Target in Houston. Both time is was glad of the procedure even if it cost me more time. I can't remember what the clerk asked me but I know I had to answer it and show my DL.
This kind of stuff can only happen in large countries with large banks, where being anonymous is the norm. Won't happen any time soon in a bank in a small town where everybody (including the bank clerk) knows everybody else since primary school.
First of all: I don't believe this story as it is reported. This sounds, as someone else already mentioned, like a disgruntled former employee who distorts some facts to make his former employer look horrible.
But probably under this smoke there is some fire. According to established procedures, the bank should have contacted the card owner and changed all or at least some of the information necessary for access, if not the card number. Why they didn't do that is the real question.
You can't trust anyone these days. Especialyy someon in a call center amking $6.50 an hour to protect your personal information. I have identity theft protection with SOLUS ID. I no longer have to worry about identity theft.
And my wife wonders why I "sign" the backs of all my credit cards with my nickname, Ask For ID.
Of course, only about 25% of merchants check the back of my credit card.
"The US security department had access to LexisNexis. If you're not familiar with it, it's basically a encyclopedia of everybody's life. Previous addresses, family member's names, jobs, schools, anything and everything that could be linked to your name and/or social security number . . . Chase didn't trust the Philippine department to have it though."
Wait a minute, they didn't trust the /security/ department with necessary information? Outsourced or not, that's just messed up.
Davi: Does it really matter if the security is run from the US or some other country?
Are you for real? It's not like they're outsourcing to Switzerland -- they're outsourcing to the lowest bidder. The fact that they outsourced security already tells us how much the value security - they'd rather go with folks living at the much lower living standards of the Phillipines!
If I heard that a research lab was being outsourced to Indonesia, it had better depend on some unique feature of Indonesia or I know we're going to get crap; not because the Indonesians aren't just as good as Americans, but because it signals that they're putting cost cutting above almost everything - otherwise, they would bring the Indonesians to the States.
I hope you're not a security guy -- with your depth of thought, I shudder to think the holes you've left. The point is you've got to value security in the first place above bean-counting.
From my experience this sort of thing happens all the time in the financial world. I would not doubt this story for a second. IMO the biggest reason your bank account isn't flipped every day is because there are bigger, juicer targets...it's not that crooks don't have your information - it's just that they're lazy, there are easier and bigger targets, and you're not worth it.
Most of us reading this blog know how to handle these concerns. Sure, we know how to train the call center, improve security, we've got all the answers. The problem is, we're the exception - situations like above are the rule.
Find a good local credit union and use them. Their charters put their own community ahead of, say, maximizing profits at consumer expense.
If an issue does occur, you can walk in and escalate as far as necessary - sometimes as far as the CEO - and your situation will get handled.
Just my $.02
> "I "sign" the backs of all my credit cards with my nickname, Ask For ID.
Yes I've had the same experience. You can even sign your name with a little drawing (or something equally nutty) and they'll still pass it.
On the other hand, by not signing your card you're violating your cardholder agreement, and technically the card's not valid.
On the surface "see ID" sounds like a practical idea, but I wouldn't recommend it. Use your credit card with your real signature, and rely on the fraud and theft protection that comes with it. Use credit, never debit, as debit doesn't come with that protection.
Why doesn't Chase care? Because banks do not bear any of the brunt of credit card fraud. They may even make a profit on it.
Let's say your card number is stolen. You get your statement and their are charges which you did not make totalling thousands of dollars. You call Chase and report it. They put a hold on your account and issue you a new card. They probably won't immediately credit you the $5000 on your bill unless you push it (and you should). They'd like to float it out as long as possible.
Then, through Visa/Mastercard, they pull the amount of the fraudulent charges out of the various merchant's bank accounts who were the point of fraud. So, Amazon sees $1000 pulled from them plus a $20-75 'chargeback' fee. MyOnlineStore.com gets $2000 pulled from them, etc. Keep in mind, these companies have already delivered the product/service to the criminal.
Chase refunds your money and leaves you with the impression that 'they've covered you'. In fact, they've simply passed the buck. All efforts at credit card security are the minimum necessary to make consumers feel 'safe' and keep merchants passified so that the situation won't get so bad that they unite and act against the banks.
As Bruce has mentioned so many times, if the cost of a security failure is an externality, then there is no incentive to fix it. There is no incentive here.
"the bank should have contacted the card owner and changed all or at least some of the information necessary for access, if not the card number."
How can you change your mother's maiden name, or the name of the high school where you met your future husband? :-)
... That's why I always make up random answers to these secondary questions. Before calling the callcentre I retrieve my own record of these random answers so I am able to immediately provide the correct answers to the callcentre rep.
Low standard of living does not mean low intelligence, low education or low levels of professionalism. All of those defects can be found in staff in any country on earth.
To follow your particular example, Indonesia is an extremely large country with extremes of poverty and wealth. It is quite easy to conceive of many fields of research in which Indonesian scientists are respected. If you assume that "Indonesia" means only "cost-cutting" then you are tarring 220 million people with a single stereotype.
What's up with Chase? They let this through but they freeze my credit card every other month for "unusual activity", which there is none, of course.
@Aaron: this is a good thing. Merchants are the front line against credit card fraud and are the only ones who can properly authenticate transactions at the point of sale. Asking them to bear the risk means that they have the incentive to deal with the problem.
For someone (from the US) who lived in the Philippines for a few years, this is not surprising. They follow the instructions word by word. If they are told the specific questions and someone answers them correctly, then they will pass. Everyone been to a mall in the Philippines probably remembers the metal detectors on all the entries. Everyone walks through (most with their bags) and it beeps or doesn't beep. But that's ok. No questions asked - the security did it's job (by having people walk through the metal detector) and that's all they were told to do.
my instinct says that it is phony
Given my experiences with outsourcing security functions to the lowest bidder, I see no reason to doubt this story.
Of course, it's not the well-below-US-minimum-wagers to blame. It's the American company that thinks it's outsourced its responsibility along with the work. They should have learned by now that if the contract does not stipulate in agonizing detail exactly what the outsourcer is to do, it won't get done... period.
To me, this says something about the wisdom of outsourcing security in the first place... but I don't see things from the lofty vantage point of a CEO with a yearly bonus to worry about.
@ David Ottenheimer
> Does it really matter if the security is run from the US or some other country?
It does. The running from a developping country instead of the US means that the remote security staff has a lower corruption threshold.
Imagine the following scenario. Security staff has all the info to authenticate a customer. I contact one of the security staff, and offer him $400 for all the information needed.
You have a US employee (paid, let's assume, $1500/month). He has to balance about a week of salary against the risk of being caught and fired. Proposition is risky.
You have a philippino employee (equivalent pay, relative to the country is on the order of $150/month). He has to balance two and a half month of pay against the risk of being caught. Much much better proposition.
Why do you think the US-based security dept. didn't trust the local office branch?
I noticed the other week that I didn't sign the credit card I've been using for the last 6 months. I still haven't signed it which is pretty good evidence no one ever checks. Of course if it gets stolen, that's going to suck so I probably should...
I've used it in three different states, and I use i almost every day. I sign the silly print out at the supermarket, which clearly no one looks at :)
You are not required to sign the back of the card for "security" reasons. You are required to sign it because by doing so you agree to 800 pages of 4-pt type about what the issuer can do to you (anything, basically) and what recourse you have (none, basically).
BTW: "outsourcing" can even be within a (large enough) company. My "personal worst" was finding out that the call-center for problems with the corporate VPN was only available during "working hours", i.e. 8-5, M-F _there_, about 8 time zones from where I was trying, during _my_ working hours (8-5 PST) to access the company servers (also in PST).
"The US security department had access to LexisNexis. "
"Chase didn't trust the Philippine department to have it though"
When you don't even trust their security why outsource your security to them
I know a few Chase people (some of which have been there 10+ years) who have been recently laid off. Times are tough in the financial sector now, and this story is likely the result of a disgruntled employee or someone who's trying to avoid his job from going overseas. Note the finger-pointing at the overseas people.
I have Chase accounts, and twice had someone attempt to fraudulently use them. Both times Chase closed the account and opened a new one.
The reason to sign the back of your cards is simple--you then avoid liability for fraudulent purchases.
It goes like this: your card agreement with your bank requires you to sign the back of your card. The store is supposed to verify the signature (except, now, for low $ purchases at certain types of businesses) against that on the receipt.
If your card is stolen and used for fraudulent purchases, and they recover the card (rare, probably 1 in 1000), the bank can compare the signature (or lack thereof) on the card with the receipts. If they match (i.e., you left it blank, and the thief filled it in) or there is no signature, the bank has the right to hold you responsible for the fraudulent purchases.
The usual reason given for not signing the back is that someone doesn't want their signature there because the fraudsters can copy it. Fraudsters don't have time for signature replication, and know that in the vast majority of cases, it isn't checked. They want to use the cards quickly (when my sis-in-law's card was stolen, it was used within 15 minutes, in the same mall) before the bank is notified and the spigot is turned off.
Protect yourselves. Sign your cards.
And as to the disgruntled agent issue. No. Really. This happens all the time, because script kiddies (on both sides of the law) only know how to follow scripts, and while someone can get in trouble for not following the script to do the right thing, it is very hard to get in trouble for following instructions.
I had to write scripts for call centers, and whenever I put in anything requiring a decision on the part of the call center staff, instead of just a flow chart of responses to statements by "customers", most of the staff and their supervisors would freak out on having to make a choice. However, the few that didn't mind making decisions I nutured to become assets for fraud prevention. It is rare for someone in any corporate structure to want to take responsibility, especially in a customer service/call center environment. If you want fraud prevention, instead of risk management, you have to take responsibility for risks.
@Francois: "Use credit, never debit, as debit doesn't come with that protection."
Debit cards don't come with the same *legally mandated* protections that credit cards do.
However, at least *my* credit union (and I suspect many others) voluntarily give their debit cards all the same protections the credit cards get, just because they're a credit union and "It's The Right Thing To Do" still counts for something.
This is more than bogus; someone railing against outsourcing in a novel way .. we the American are fighting against the barbarian hordes (also residing in US I might add)
Why not just call the cardholder -- cancel the card .. send him another one?
Bruce probably used up all his neurons on the new hash .. that a bogus post gets thru with ease.
@Bruce .. this bogus shoudn't have gotten past your 101 filter. Nothing in this story makes even kindergarten sense.
It's some jerk railining against outsourcing .. and you fell for it.
How can you change your mother's maiden name, or the name of the high school where you met your future husband? :-)'
You can change them any time you want.
The answers I give for those questions are equal in quality to the passwords I use, because that's what they are: backdoor passwords. And everyone with whom I do business gets a different answer.
So ... I might have been born in
My bank recently implemented those lame security questions. You know those questions that worked so well for Palin. I believe these questions simply because banks do not appear to take security extremely seriously. I do not give banks the same leeway as say Google or Yahoo, even though many accounts in both cases are free. Banks simply have a greater responsibility.
In any case, the need for ads, and for cost cutting, has trumped the needs for security. Over the years my bank has allowed third parties to send me branded letter, then denied that they are responsible for the content and security of the sensitive information. They have allowed third parties to send email that went to third part bank branded websites that requested sensitive information. They have used interstitial at login to promote new products or request information, prior, apparently, to verifying credentials. I assume they have very smart people who understand security, so I assume that these are deemed reasonable risks.
Beware of Solus ID Theft Protection. They are a scam. I purchased their Platinum Protection 2 months ago and they have failed to provide me with service OR a refund despite numerous phone calls. All I ever got from them were excuses.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.