Credit Card Identity Theft In Action (Maybe)
March 5, 2009
Credit card fraud isn’t a new experience for me, I’ve had people steal my credit card number and spend hundreds of dollars on it before. Cleaning up the mess was a major pain, which is why I groaned when I recently received the letter below from Bank of America’s Global Consumer Fraud Prevention department:
“We have learned that some credit card information for your Bank of America account may have been compromised at a third party location. Your credit card number may have been part of this occurrence. At Bank of America, we take your privacy very seriously. To ensure your privacy is protected to the best of our ability, Bank of America has taken the following steps:
– We have reviewed your credit card account activity and see no evidence that your account has been misused in any way. We will continue to monitor activity on your Bank of America account, and if we detect suspicious transactions, we will notify you.
– As a measure of added security, we will close your current account and issue you a new account number and credit card(s). They will arrive in a separate mailing in approximately 5 – 7 business days. You many continue to use your existing card until your new card arrives.”
Then they go on to advise me to review my monthly statements and online banking account for unauthorized transactions, destroy my old card, and change my credit card information for any bills I autopay with it. Luckily, I only use this card as one of my backups when a merchant doesn’t accept my American Express Blue Cash card so I don’t have any recurring payments that I need to change.
Obviously Bank of America knows it could potentially be a major pain for some customers and they go on to acknowledge this and apologize:
“We understand that some of these steps may pose an inconvenience to you. We apologize and are doing everything we can to minimize it. Please know that Bank of America seeks to keep your financial information secure. As a valued credit card customer, you are protected by Total Security Protection* including Fraud Monitoring, Zero Liability, Online Protection, Guaranteed Credit*, and our Privacy Policy.
Again we apologize for any inconvenience this situation may have caused you. If you have any questions, please call 1-800-xxx-xxxx. We are at your service 24 hours a day, seven days a week.”
I like the fact that they’re alerting me to the potential issue and are apologizing for the trouble it may cause but I would like to know more detail, such as when it happened and what information may have been compromised. I’d also like to know what compromised means. Was it simply that someone left my account information sitting out on their desk for anyone to see for a week, or that someone hacked into a computer system and stole my name, address, and credit card account number?
They do end the letter with a nod to identify theft protection:
“P.S. For important information on how to protect your identity, please visit us at bankofamerica.com”
I checked out their main page and found a link entitled “monitor and manage your credit” under the Privacy and Security section that contained information on their Privacy Assist and Privacy Assist Premier products.
- Unlimited online access to the information the 3 leading credit reporting agencies—Equifax Inc.®, Experian® and TransunionSM—are reporting about you.
- Your credit files will be monitored each business day. You’ll be sent a notification within 2 business days when new accounts are opened, inquiries are made, or address changes occur so you can take action if needed.
- Experience Internet Surveillance – a powerful online feature that monitors your personal information on the Internet
Their Privacy Assist products sound pretty useful but they do have a monthly fee for the service. I don’t have anything against paying for credit card and identity monitoring in general but in this case, since it was Bank of America’s partner that potentially compromised my data (whatever that entails) it would be nice if Bank of America would give me one year of their service at no charge.
So what do you think? Should I take the time to follow up with Bank of America and see if they’ll grant me access to their credit and identity monitoring service? Do you think if I call in they’ll provide me with more information on what actually happened to “compromise” my information and the extent of the issue?
All posts by Ben Edwards
Clearly, we cannot live without debt or making a purchase using our credit cards and this is what prompts fraud. I do hope that more people will become of this modus operandi so that the number of fraud victims will lessen. ID theft is among the most committed form of fraud these days because ill-minded people have easy access on our accounts, especially when they go dumpster diving and see some useful information that they can use to their advantage. Anti-fraud services mean well I suppose and we also need to protect our finances by reporting any anomalies right away.
One way to prevent identity thieves from getting a hold of your personal information is to have copies of your credit records shredded properly. Do not expose your card too often, the same goes with all your personal numbers and passwords.
I received a letter exactly like this from Bank of America on March 27, 2009, and much like the author of this article, I appreciated the actions BofA took to close my account and issue me a new card. However, I am exceedingly curious about the nature of the compromise (who, what, where, why, when…How?). I called BofA 11 times to inquire about this information, only to be transferred or have my call dropped. First, they told me that they did not have the information I was requesting, then they told me that they could not release it due to an ongoing investigation. I asked who or what entity was investigating this incident, and they thought that saying “the police” would suffice. I then spoke with a manager named Michael that told me that he was not familiar with any case in which a consumer was able to obtain any of the above information. I do not want this information so I can cause undue harm to BofA or any third party, however I would like to maintain detailed knowledge of these incidents as an informed and educated consumer with the hope of altering my future spending patterns with the goal of avoiding companies that do not sufficiently protect my personal information. I have submitted complaints to the Better Business Bureau, the FTC, and Richard Blumenthal, the Attorney General in my state of CT. We will see what results from these submissions.
I got the same letter from BoA today. Funny, just a couple days ago I checked my account online and the closed credit card number was still there. I checked after reading the card carrier and sure enough, the potentially compromised account number is gone, replaced by the new one. I also received the letter and card on the same day, though the letter was dated March 5.
I have to say BofA did the smart thing in closing the old account and issuing a new card immediately. I wish they would’ve emailed a notice as well – I did receive my normal “payment has posted” alerts.
However, BofA is the first card company I’ve heard from regarding this and I have several other Visa and MC cards. I’m wondering now if the other banks will take the same actions as BofA.
I’m also curious who the “third party” was and how the “compromise” occurred.
Fortunately, I have never had a fradulent transaction on any of my credit cards. The closest I ever had was about 15 years ago when they used those dialup Verifone terminals most places, and a shop was having trouble with the machine where the card didn’t seem to go through until the 3rd try. In that case, it was a legitmate mistake though, and the shop gave me no trouble about reporting the error to the card issuer (I only noticed it because the card had a 0 balance to start with and when I checked balance, my available credit was reduced by 3 times the purchase amount).
From these comments, I’d say it’s not really BofA’s responsibility to give you free credit monitoring, but it IS the 3rd party’s responsibility to pay for it, and I think it should be your choice of credit monitoring services.
Companies that handle sensitive financial information (be it credit card, checking account or whatever) HAVE to be held responsible for these things, and they should NEVER get away with just a slap on the wrist (especially in situations like ChoicePoint, where they were using live data in an unauthorised environment).
The sad thing is that some of these are probably inside jobs, and in a large organization it’s very difficult to be sure what everyone’s up to – the micromanagement that would be required results in a hostile workplace, and all of the good employees will move on. You have to have employees you can trust, but then again, you’d be surprised at who might be the thief/spy/etc. (I know I’ve seen people fired for theft at various jobs that I never would’ve suspected.)
I say you call them and make a big deal out of it, go as far as telling them you will cancel the card and go someone else because as you said, essentially they are responsible for that compromised situation, and yet they want you to pay for their slack?
I say you tell them to shove it. ๐
I got one of those too. My new cards and the heads up letter arrived on the same day, and I opened the new cards first. The letter with those had the standard language, “Thank you for reporting your card lost or stolen” and really freaked me out since I obviously hadn’t done that. I was on hold for 10 minutes before it occurred to me to open the other letter! My husband and I just assumed it was a data breach รขโฌโ there was at least one report within the last few weeks of a major breach so I didn’t really think too much of it. I will, however, pull my credit report in a couple of weeks to be safe.
It was BoA… do something. A friend had her purse stolen, closed her account immediately. Some stupid teller and branch manager still let an obviously forged check get cashed, from the new account.
Sure, BoA admitted it was their mistake and said the manage will get in trouble, but they let it happen in the first place. They don’t care about you or your money.
Ben –
I work for a local community bank, and it’s very important for people to know that it is not Bank of America (or any bank’s) fault that your information was compromised. Millions of cardholders at banks around the country are affected by this. As their letter that you posted stated and the last comment mentioned, the compromise was with a third party processor — basically, when you use your credit card, the vendor doesn’t dial directly in to your bank for approval. A third party processor (NYCE and STAR are somewhat commonly known) handles the transaction in real time, which either approves or denies the request. The information is later passed on to your bank so that it may be posted to your account (this delay is sometimes evident… memo postings, anyone?).
Banks are not doing a good job of telling customers this because, frankly, it opens them up to lawsuits for blaming the third party processor who is actually responsible (plus it’s confusing to customers).
Ben, it doesn’t hurt to call. But don’t expect BA to voluntarily give you this service for free.
I recently received a similar letter from my financial institution, after Heartland Payment Systems (which processes my credit card payments) was hacked. I received a new credit card, but no credit monitoring. No worries, because I already had it. I understand that a class action suit has been pressed to get similar help for others whose card info was stolen.
It’s interesting that BA used the phrase “third party location”. How … vague. Was this a Visa? If so, you may find interesting the article at the following link:
http://lastwatchdog.com/secrecy-shrouds-breach-payment-cards-processor
Identity theft is becoming a major problem. The worst part of it is that the thief often gets away. Hope all goes well for you.
Thanks,
Nate