Checking out of a Hilton hotel in London, security expert Roger Thompson was told his Visa card had been declined due to suspicions it was stolen, a situation that only got more disconcerting when he learned the bank that issued the card had more personal information on him and his family members than he ever imagined.
In a tale he relates in his blog, Thompson, chief research officer at AVG, said he was compelled to answer questions on the phone from a Wachovia Bank representative in its fraud-prevention division to prove he was really Roger Thompson and not a credit-card thief checking out of the London hotel.
It turns out Thompson’s Visa card was flagged and suspended because he hadn’t told the bank he was travelling overseas, a requirement he didn’t know the bank had.
But the “scary bit” about it all, he says, is that the bank fraud-prevention representative didn’t just ask him to give the correct answers to questions such as his mother’s maiden name, which he had provided to the bank for fraud detection purposes, but also a host of other questions about his daughter-in-law that he had no idea it knew.
“I was in shock,” Thompson says about what he found out that Wachovia Bank had stored “at their fingertips” related to his daughter-in-law — information Thompson thinks the bank may have found out through Facebook.
VIDEO – Jas Anand on how to fight card fraud
“They used her maiden name, they knew she was my daughter in-law, they wanted me to best describe the age range for this person,” Thompson says, adding that he was in “shock and indignation” about how they would know all this, including how long she was married.
The bank fraud-prevention representative indicated it was all “publically available information,” he says.
At the hotel on the phone, Thompson answered the questions about his daughter-in-law, the bank lifted the suspension on his credit card, and he paid his bill and left for the airport.
Thompson says he wracked his brain to figure out where the bank may have gotten this information about his daughter-in-law but he could only reason it was from Facebook, where she’s a friend.
Thompson , a security expert with decades of experience in identifying malware, fraud and hacker exploits of social-networking sites, such as MySpace and Facebook, says he doesn’t see this as an issue around Facebook per se.
Rather, this is about what kind of data corporations may be collecting from Facebook or other social-networking sites — if they are.
He adds this strikes him as a serious data-privacy issue, and notes that if a bank has this kind of database information on him, “they probably have it on you, too.”
Wachovia, now owned by Wells Fargo, wasn’t immediately available for comment on whether they do harvest information from social-networking sites for purposes of fraud detection or where they are obtaining personal information of this type not voluntarily provided by a customer.
Fighting fraud – are banks too aggressive?
A recent study indicates that many banks and financial institutions in Canada and other parts of the world have put in place very stringent measures to fight card fraud.
“We’ve seen banks use broad-scale measures to reduce risk – your credit card limits and overdraft limits are going down,” noted Jas Anand, product and risk strategy manager at Actimize Inc. “I think these are very aggressive steps that are probably not in line with the size of the problem.”
New York-based Actimize is a provider of fraud combating products and services
There were a total of 113 respondents to its study from across the globe – 40 per cent from the U.K., 40 per cent from North America, and the rest spread across Africa and Asia.
The study revealed that banks are effectively reducing the overall credit clients have available to them. “This is a harsh measure that can be toned down a bit to allow good customers to take advantage of credit, while still minimizing liability on the select few higher risk accounts.”
He said reducing overall limits shrinks the consumer’s access to funds. “I think that’s a good strategy when limited to high-risk accounts.”
Anand said this fear is well founded. “We’ve seen the evidence across Europe. When the U.K. implemented chip and PIN and it slowly spread throughout Europe, fraud migrated to the closest country that hadn’t yet implemented chip and PIN.
Fraudsters were stealing data, shipping it to the closest location they could use it, and creating the cards there.”
He said fraudsters who up until now have been producing fake cards in Canada are likely to still steal the data here, but then move to the U.S. to produce the cards.
“It’s easier to ship data across the border than it is physical cards. So with the movement of the card production facilities over to the U.S., there will be increased crime associated with those facilities – and so they’ll skim more U.S.-based cards as well. Then U.S. losses will go up. If Canadian cards are used in the U.S., the Canadian banks are still responsible.”
The Actimize study revealed that 15 per cent of banks polled issued new cards to 20 per cent of their customers.
However, as Anand noted it also highlighted a key factor that differentiates banks: the ability to make real time decisions on possible fraudulent transactions.
“By that I mean while the customer is at the ATM, while they’re shopping you can make a decision before the approval comes back to the unit. So in a matter of 10s of milliseconds I can score that transaction, evaluate the risk of fraud on that, and run through a series of policy rules that dictate what action will result from that transaction.”
He said having this ability to stop a transaction in flight would decrease fraud losses – based on the benefit of real time.
If there’s one technology that can reduce such losses, it’s going to be use of real time detection technologies at the point of sale and at the ATM, he said.