If You Send Me the Wrong Data, I’m Hosed

by David Plotkin

A few weeks ago, I had the amazing bad luck to become the victim of identity theft. This was, fortunately, a fairly minor issue; two different credit cards were applied for (and approved) in my name. The first came to my attention when I got a voice mail from Walmart because there was suspicious activity on a card — merchandise had been bought and sent to a delivery address in Idaho (more on that later). When I called back, I spoke to the order desk and verified that I had not made the purchase, and they agreed to cancel it. They then suggested that I contact my credit card company and cancel the card. So I asked them which card it was. Now here is where it gets interesting — they wouldn’t tell me! As I wondered aloud how on earth I could cancel the card if I didn’t know which one it was, they insisted they couldn’t help me. So I tried something. I asked the lady if I guessed the type of card, would she tell me if I was right? She agreed to do that, and I guessed that it was a Walmart Discover card. And how did I know that? I had recently gotten a notice from Discover that a card application in my wife’s name (she died in 2011) had been rejected. When Walmart person confirmed that I had guessed right, I then managed to get to customer service at the credit card company and cancel the card. Of course, they wanted the account number, which I didn’t have, but I got past that by insisting that they could find it by my Social Security Number. Having worked for a bank, I knew they would have that, and they did. But really? I had to guess? Talk about a lack of data — as well as a failure of business rules!

The second card was much easier — I got a letter in the mail congratulating me on my new Citibank card. Since I hadn’t applied for one, I called the number to find out what was going on. They verified that a card had been opened in my name, with my address that matched the last four digits that were printed on the letter. Somewhat more distressing, though, was the fact that the card had already been used to purchase thousands of dollars in airline tickets from Expedia. I, of course, had to wonder how that was possible, since I did not yet have the cards in my possession, nor had I activated them (you know — the sticky on the card with a number you have to call from your home phone). They admitted that they provided the new account number for immediate use to the applicant! Talk about another failure of business rules.

I contacted one of the Credit Reporting agencies (TransUnion, in this case) and placed a fraud alert on my credit. This is simple to do via phone or online, and is then disseminated to the other 2 agencies. If anyone queries your credit (as they will if you apply for a credit card), the agency will check with you that it is a valid credit application before responding to the query. A fraud alert expires after 90 days, but you can renew it. I figured that I might as well purchase an inexpensive plan which provides me a notification of any change in my credit history, as well as any inquiries. However, when I got my first report, I was in for a nasty shock. The account numbers listed did not show the last 4 digits. The problem is that if you look up your accounts online, all you SEE is the last 4 digits. You can, of course, get at the whole number, but it is far more trouble. So I called TransUnion to complain about how close to worthless not having the last 4 digits was, and they told me that the information was passed from the bank without that information, and there was nothing they could do about it. Sheesh. Is this the best we can do? Seems like it ought to be EASY to protect your credit, not intentionally made difficult. I decided to cancel the account because all I ever got was snailmail that told me generally that something had happened with a particular account. Since that information was worthless, I wasn’t going to pay for it. However, I didn’t have to cancel the account, as yet another credit card was compromised — the one I used to pay for that account. Since they could no longer charge the card, they canceled it for me.

The last part of this story occurred just recently, when I got a call from a detective in Boise, Idaho. They had executed a search warrant on the residence of a fraud suspect, and found some of my mail. By the contents we were able to date the mail as having been stolen in January of 2012, shortly before we realized we had a problem and put in locking mailboxes. But the stolen mail compromised more accounts because it included those stupid checks you can write against your credit card! Fortunately, none had ever been used. They hadn’t caught the suspect yet, but they were close, having run her out of three places. And, they have a case of mail fraud now as well — a federal offense. Hope she spends a nice long stretch in the slammer!

Related Posts Plugin for WordPress, Blogger...

David-Plotkin

David Plotkin is an Advisory Consultant for EMC, helping clients implement or mature Data Governance programs in their organizations. He has previously served in the capacity of Manager of Data Governance for the AAA of Northern Ca, Nevada, and Utah; Manager of Data Quality for a large bank; and Data Administration Manager at a drug store chain. He has been working with data modeling, data governance, metadata and data quality for over 20 years. He serves as a subject matter expert on many topics around metadata, data governance, and data quality, and speaks often at industry conferences. 

  3 comments for “If You Send Me the Wrong Data, I’m Hosed

  1. March 18, 2013 at 10:43 am

    Ugh. Sorry you had to go through all this. Both my banks in Canada make me use my credit card or debit numbers as my login IDs. That’s crazy stupid.

    And when there is a breach, they won’t tell me which card in the notification call. They just leave a message “please call this number about your account” and then expect me to spout off all my CC numbers until they find one that matches. I refuse. I call the number on the back of each credit card, ask to be connect to loss prevention, then get them to confirm or deny that they are aware of a problem with my CC.

  2. March 18, 2013 at 10:46 am

    My banks and brokerage accounts password policies don’t allow for strong passwords. Arrgh.

    • March 18, 2013 at 11:43 am

      Oh, that one, too. My banks only allow really short passwords with no special characters.

Leave a Reply

Your email address will not be published. Required fields are marked *