Posted by BPuhl on April 10, 2009
I have had a few discussions recently at work about ways to make things more convenient. Either convenient for our users (cloud services), convenient for our customers (single sign on), etc…
But a one-two punch hit me when two close friends, both of whom have been impacted by the financial mess, had their identities attacked because something that had built-in security controls (checks) was made more convenient (by phone), and in the process all of the controls were removed, leaving my friends vulnerable.
Really, I call it fraud, or identity theft, or just plain robbery… But in both cases, the banks say that there are no laws against this:
My friend lost her job, and fell behind on payments. She owed $1100 for this month's rent, $4400 to a creditor that by this point had gone to a collection agency, and some other bills (credit cards, gas, electricity, etc…). Through creative budgeting and working with parents, friends, and anyone else, she scraped together $5000 that she could use.
With the new money available, she came up with the following plan:
$1100 for rent
$900 for the other bills
$500 to the collection agency
The rest to be used for the following month's rent, payments, etc…
She called the collection agency, and agreed to pay them $500 now, and then set up a payment plan for the rest of the money. That’s where the first mistake happened: They wanted the payment as a “check by phone”. So she voided a check, gave them the info, etc…
The collection agency first attempted to clear the check for the full $4400. Because the money was in the account, the check cleared – of course, this meant that she couldn’t pay any of the other bills, or her rent, etc… And she had already tapped out her friends, parents, etc…
You can imagine that the calls to the collection agency were like: “Sorry, sucks to be you – we’ve got our money now”
The bank was equally useless: “You gave them a check by phone, the money was in the account, they cleared it…Sucks to be you”
This was just completely ridiculous, but it shows that in the absence of standards or protocols, there is no shortage of people that will offer things for the sake of “convenience” which blow the hell out of “security”. If you have to write a check and sign it, then you fill in the amount, etc…, and modification of that is check fraud. But those security controls went out the window when banks allowed people to do “checks by phone”, and there is absolutely nothing to prevent unscrupulous people from raping your bank account if you give them the information.
The second case is similar, but with a slight twist:
My friend has slowly but surely been paying off debts that were racked up over a period of time, and has been working through one of those debt consolidation management companies. Since she wasn’t getting the resolution that she needed from the company, she took back the money that was in their escrow account and started working with the collection agency independently.
On the first phone call, she had a $7,000 debt and worked with the agency to negotiate down to where they would accept $4300. Seems like a good deal, so again, check by phone for $4300.
A couple of days later, she received a notice from the collection agency, indicating that they “Had an agreement for an initial payment of $4300”. In other words, the deal they made on the phone was a lie, instead of negotiating the total, they just wanted an initial payment and were going to keep going after her for the remaining balance.
Ahhh…but the check by phone hadn’t cleared yet.
So a quick call to the bank, a $28.00 stop payment charge, and there was a stop-payment for that check before it cleared.
Not so much. 2 days later, $4300 was withdrawn from the account anyway, by check #1001 (not the check number she gave them). A long, convoluted, multi-transfer call back with the bank this time, and they could see where the initial check number had attempted to clear, been rejected (the stop payment), and then the company had re-submitted another check by phone with the different check number and got the money.
After several days of arguing, it’s still unclear whether the bank is going to say “Sorry, sux to be you” or if they are actually going to help. I’m not holding my breath.
So again, the safety features around checks – being numbered, signed, amounts written (twice) – are all placed into the trusting hands of the least trustworthy person (the merchant that wants your money), and there is remarkably little recourse. I suppose you could go get a lawyer, etc… But during that time the money is gone, life still needs to be lived, and a lawyer is going to take 30% of whatever you get back anyway (or some amount of payment)…
All for the sake of convenience (to whom?)
There are better ways, one of which I really like. I’ve had a credit card with CitiBank since college. And many years ago, they came up with this idea of virtual account numbers for your credit card. You can go to their website (or they have a downloadable application), and if you want to make a purchase, you can get a one-time use credit card number (with expiration and CVC) for that one purchase. I haven’t used it in a while, but IIRC you can even specify the amount of the purchase you’re going to make (which is really the protection). This is great, because the security of a credit card is handing the piece of plastic with the signature on the back to the person behind the register. With online purchases, you can’t do that, so instead let’s take the things which you can control (amount of purchase, usefulness of the number after it’s been used properly) and control those instead. Reasonable mitigations.
This is the type of control that we’re going to need if we want to protect our resources in a more “convenient” (read: Online) world.
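A toy model of the two cases above next to the amount-capped, single-use number idea, added here as an example; it is not CitiBank's or any bank's actual system. The Account class, the second account's balance, and check number 1000 are constructed assumptions (only #1001 and the other dollar amounts come from the post).

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Account:
    balance: int                                         # whole dollars
    stopped_checks: set = field(default_factory=set)
    virtual: dict = field(default_factory=dict)          # number -> cap, None once spent

    # Check by phone: the payee holds the account details and chooses both
    # the amount and the check number. The bank only checks funds and stops.
    def debit_by_phone(self, check_no, amount):
        if check_no in self.stopped_checks or amount > self.balance:
            return False
        self.balance -= amount
        return True

    def stop_payment(self, check_no):
        self.stopped_checks.add(check_no)                # keyed on check number only

    # Virtual number: the payer fixes the cap before the payee sees anything.
    def issue_virtual(self, max_amount):
        number = secrets.token_hex(8)
        self.virtual[number] = max_amount
        return number

    def debit_virtual(self, number, amount):
        cap = self.virtual.get(number)                   # None if unknown or spent
        if cap is None or amount > cap or amount > self.balance:
            return False
        self.virtual[number] = None                      # single use: now dead
        self.balance -= amount
        return True

def first_case():                                        # agreed $500, payee takes $4400
    acct = Account(balance=5000)
    return acct.debit_by_phone(1000, 4400), acct.balance

def second_case():                                       # stop payment, then resubmission
    acct = Account(balance=4300)                         # constructed balance
    acct.stop_payment(1000)                              # constructed check number
    return acct.debit_by_phone(1000, 4300), acct.debit_by_phone(1001, 4300), acct.balance

def with_virtual_number():                               # same payee, payer-set limits
    acct = Account(balance=5000)
    number = acct.issue_virtual(max_amount=500)
    over = acct.debit_virtual(number, 4400)              # above the cap
    agreed = acct.debit_virtual(number, 500)             # the agreed payment
    replay = acct.debit_virtual(number, 500)             # second use of the number
    return over, agreed, replay, acct.balance
```

In both check-by-phone cases the only values the bank enforces are ones the payee controls; with the virtual number the cap and the single-use rule are set by the payer and enforced by the issuer.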