But keep your red hot fingers off my heart

[venta]

Urgh. Feeling this rubbish with a cold, for this long, ought not to be allowed.

However, while I've been lying in bed, whinging, my credit card's been off having fun.

MBNA rang me yesterday, and explained there were some suspicious transactions on my card. Before going into details, they'd need me to answer some security questions. Oh dear, here we go again...

No, I'm not prepared to answer security questions until they prove they're actually MBNA.
But they're only going to ask for partial information, like the first two digits of my mothers' maiden name instead of the whole name.
I don't care, I'm not answering their questions.

This conversation is at least shorter than usual, as the bloke on the other end offers me the options of ringing the number on my card and asking to speak to security, or ringing a direct dial number he gives me. I take the former.

When I ring them back, the person I talk to mentions before clearing down that I'll get a letter through the post, because they were unable to contact me.

Eh ?

Apparently, at the point at which I refused to go through the security clearance, I was logged as uncontactable and a letter automatically dispatched to warn me of possible fraud. In case I didn't call them back. By the time I returned the call fifteen seconds later the letter was irretrivably sent.

Surely credit card companies, banks, etc ought to be encouraging people to behave like I did, not treating it as a strange anomaly. "Keep your personal information safe", they tell us. "Don't give out to anyone... unless they claim to be your bank. Which criminals never do. Oh no."

I understand that it's way more convenient for my bank to be able to ring me, rather than having to ask me to ring them. It's cheaper and more efficient. However, I do wish that the person who rings me would at least be able to grasp the reasons for my objection to the process.

Instead, you're made to feel like a paranoid loon for not giving out... well, exactly the kind of information someone would want if they were going to use your card fraudulently.

And yes, it seems my card has been off having fun at iTunes and Napster. Not a huge amount of fun, though - three songs, which totals about £3.

What I want to know is how did the credit card company spot it as suspicious ? Admittedly, I don't buy music from iTunes but it's the sort of thing that I might very plausibly do. I do buy downloadable music online occasionally, and MBNA probably don't know that I'd rather eat my own foot than use iTunes.

I've no idea what information iTunes (or any other online retailer) might log which would make it possible to deduce the purchaser wasn't me. And if they thought the transaction suspicious, wouldn't they stop it at the point of sale ?

I guess the heuristics used are kept secret by the credit card companies, just to make it harder to work round them. But does anyone have a clue how it works ?

Comments

[bopeepsheep.livejournal.com]

NatWest, on the one or two occasions they've rung me which happen to include this morning (a pending transaction tipping them off that I went out of the UK), have asked me to 'confirm & enhance' [i.e. they tell me part of the transaction and I tell them the other part] recent activity on my account which seems to work pretty well. You'd have to be a really dedicated stalker scammer to know exactly where I went shopping on Saturday & how much I spent, I suspect, since it doesn't even show up on my online banking yet.

[venta.livejournal.com]

That sounds fairly reasonable, depending on your level of paranoia. Good for Natest. It's the ringing you up and asking you for your mother's maiden name and date of birth that annoys me.

At that point, they can have more confidence in me (I'm answering a phone they know to be mine) than I can in them (they're calling from a withheld number).

Someone once pointed out that my objection was foolish, because both DOB and mother's maiden name are fairly easy to find out about someone, and thus I didn't need to worry about giving them away. They didn't understand why that made me crosser - if they're that bloody easy, why are you using them as security questions ? Hmm ?

[bopeepsheep.livejournal.com]

Lor' yes, a subscription to findmypast.com and a vague knack for Googling and I could find the details for a lot of people I know pretty quickly.

Some places have ridiculous policies on security. The people that run the Debenhams card thingy (GE Money?) would never talk to me, as a subsidiary card holder, despite the fact I was the one making 99.9% of the transactions, but I could get all sorts of information from their automated phone line by the simple measure of knowing my husband's birthday [and our shared card no.], something I think most people could manage to recall if pushed.

[mrph.livejournal.com]

Gah! You don't use memorable/personal information on automated lines, precisely because there's no way to know whether the age/gender of the caller matches - passcodes are better, as they aren't used for other things so can't be found out so easily.

A little worried by the subsidiary cardholder thing, too. Surely they do have your details on record, so they should be able to check 'em...

Unfortunately, I have a Debenhams card. *Sigh* Not impressed.

[j4.livejournal.com]

Happy National Identity Fraud Prevention Week. (Or, as RBS's cash machine told me, "National Identity Fraud Week", which sounds much more lucrative.)

[valkyriekaren.livejournal.com]

Aye, ShatWest's cashpoint told me that today too - which freaked me out a bit!

Identity fraud is Not Fun - I went through it earlier this year when someone copied my card details and used them to spend £2000 of my money (i.e. all the money I had, plus a lot of money I didn't have!) in the space of three days before I managd to get it all stopped. It was horribly stressful and I'm only thankful I have supportive friends and housemates or I could have had real problems.

[venta.livejournal.com]

Aye, I remember reading your LJ entries about it. It didn't sound like a bag of laughs, and I feel I've got off really very lightly. I'm also quite impressed that my credit card company noticed so fast, even if I am a bit bewildered how they managed it.

[reddragdiva]

Anything outside the usual spending habits will trigger a check. Usually it's flagged during the transaction in a shop, or I get a letter asking me to call them.

[venta.livejournal.com]

But I don't think it *is* outside my usual spending habits - and if using a new online retailer counts as unusual, why don't I get a lot more of these queries ?

[reddragdiva]

Dunno!

I got flagged several times when I was using my card for all manner of things, like £600 of leather coats, cigarettes from the US ... obvious fraud suspects.

[bopeepsheep.livejournal.com]

That puzzles me though - I didn't get checked when buying a car with my Solo card (best transaction ever!) but I've been interrogated by phone in BHS, of all places, buying something really small like kids pyjamas for a fiver.

[venta.livejournal.com]

I have a savings accounts which, owing to the nature of the account, I can only withdraw money from using a hole in the wall or writing to them. A few years ago, I withdrew almost all the money from it, in £400 chunks, one per day (£400 being the maximum that that cashpoint will let you have at once).

I was sure they'd think that was suspicious, since I'd only ever put money in before, but apprently not.

[ar-gemlad.livejournal.com]

Chip and pin machines have a random (or every x transactions) check so that every so often you may have to ring through to the clearance centre. My husband will be able to tell you all about chip and pin machines if you want ;)

[bopeepsheep.livejournal.com]

Ah, this would have been mid-to-late 2003 so before C&P came in nationwide, but I may ask him about them anyway, I find all that sort of thing very interesting!

I'm amused at the 'chip and pin' photo on Wikipedia. :)

[kissifa.livejournal.com]

I'm experimenting with a new type of fraud prevention. I put as much as I can as often as I can into the savings account I have which has no card linked to it. When I want to buy anything I use my magic intarweb banking to put money into my account which has a debit card. It's a good way to control frivolous spending too.

Plus I watch my bank balance like a hawk. Internet banking is a good thing. :)

[broadmeadow.livejournal.com]

Yesterday I tried to make a purchase from Pixmania. The order process included going through the Verified By Visa thing which gives added online security, and I requested delivery to work which is an address I have registered with my credit card. Once Pixmania had the money they then emailed me asking for scans of passports etc to prove my identity. I told them to get lost and cancel the order.

[hjalfi.livejournal.com]

As far as I can tell from my brushes with Verified By Visa, it's a flash thingy in an iframe with no verifiable origin that asks me to enter security informat. So far I've just told it to get lost, as being in an iframe there's no (convenient) way of finding out where it came from or whether it's been sent over a secure link. While there does seem to be a 'personal message' field that appears like it's supposed to indicate that it really did come from the bank, it still looks to me like a phisher's paradise if the retailer gets compromised.

I remain unconvinced.

[bateleur.livejournal.com]

But does anyone have a clue how it works ?

Most likely the IP address was in an unlikely country for use of a UK credit card and this drew iTunes' attention.

PS. You seem to have caught my former punctuation spacing habit!

[venta.livejournal.com]

You seem to have caught my former punctuation spacing habit!

You've commented on that before :)

Actually, I think I evolved it independently. I can't justify it, and have to be careful to edit it out on any important documents I'm writing.

[undyingking.livejournal.com]

Echoing this. Lack of country agreement accounts for 90% of the cases in which the card verification service we use at work alerts us to potential fraud.

(The things we sell are things that people are unlikely to be buying from a net cafe while they're on holiday, otherwise I'd have thought this would cause a lot of annoyance. But maybe they use different guidance for those sorts of things.)

[onebyone.livejournal.com]

I'm not supposed to use my credit card abroad without first telling them where I'm going. It hadn't occurred to me that this applies to online transactions too on account of IP logging, but it makes sense. So I could buy your stuff while on holiday with no (additional) annoyance.

[undyingking.livejournal.com]

Please do so next time, to confirm this. The more you buy, the better test it'll be.

[onebyone.livejournal.com]

Good thinking. In fact, I should buy on several different cards, some of which I've told the issuer about the holiday and others I haven't.

[undyingking.livejournal.com]

Before Christmas would be good, if you have any holiday left -- our end-of-years could do with a bit of a boost.

[qatsi.livejournal.com]

Don't worry, it will probably be weeks before you get the letter ...

The only time something like this has happened to me, I got an answering machine message from Nationwide, so I had to call them. But I have seen other colleagues dealing despairingly with call centres in the way you describe.

[mrph.livejournal.com]

*Sigh* Security checks on unexpected outbound calls are a complete pain. It's much easier if you're calling back and the customer's expecting a call.

When it's unexpected - which covers 90% of the initial possible fraud calls - it's a no win situation.

The closest I've come to an ideal solution is putting a freephone 'fraud prevention' number somewhere prominent on the website/stationery, then giving customers who don't want to go through security a reference # and asking them to call that freephone number, explaining that they can check it beforehand using the website/stationery.

Any bank who wants you to happily provide security details when they unexpectedly call you has to balance this against the fact that online fraud's getting harder and telephony banking fraud's becoming an increasingly popular alternative (the two combine beautifully, I'm afraid...).

[onebyone.livejournal.com]

putting a freephone 'fraud prevention' number somewhere prominent on the website/stationery

Barclaycard have this spot on - their customer service number is printed on the back of the card. Unfortunately it's an 0870, but they also have an "international number" which I suspect might work just as well...

[(Anonymous)]

In spite of verification from our bank that we had the loot, and being offered a security number given us by the bank when they first turned down our card, Visa refused to let uy pay the balance on our new kitchen on our debit card. Luckily, the firm was old-fashioned enough to take a cheque.

[shrydar.livejournal.com]

My ATM card was stopped when I tried using it twice in 15 hours at two dodgy and geographically disparate points. The first withdrawal was at Newcastle central train station, and the second was declined outside a nightclub in Oxford at one o'clock in the morning.

[ao-lai.livejournal.com]

A few weeks ago some people tried to persuade me to take out some sort of Sky box maintainance cover-thing with them. I'm pretty sure they had nothing to do with the ordinary maintainance contract you get, and the format of their letter, with the big angry red lettering, looked kind of suspicious. So I ignored it. And there is a point to this.

The point is that they then started to phone me. When they did, they would launch into a little bluster about how my maintainance cover thing was due to expire (but not imminently, I suspect ;) and that they were just going to sort out a new one for me, if that's okay, so could I tell them some stuff? Starting with what sort of box I had, perhaps?

I fended off a couple of these, since they were very persistent, but the third and fourth ones (I think) I tried to reason with, the fourth one particularly. I told them that there was no way I was going to give anything like payment details to someone who had *phoned me* out of the blue.

This seemed to confuse them. I told them that I might consider it if they gave me some other way of contacting them, like a phone number that I could get from a known Sky website, or from an existing bill, or something. (It probably didn't help their case that I still suspect they weren't affiliated with Sky at all, but were just trying their luck as independents, but hey ho.) Still, this was too much for them, and they said, still slightly confused, that they could tell me a number, and I could call them back on that number. I tried to explain that any number they gave me after calling me out of the blue was no more inherently trustworthy than they were right now, but this seemed to be beyond them. Eventually they settled for sending me a third, or possibly fourth, copy of their urgent-looking letter with the big red font. Then, apparently, they gave up.

So yes, I too am disturbed by companies that seem to be actively out to encourage people to do *entirely the wrong things* as regards identity theft and general fraud. I am very disturbed indeed...

[mrlloyd.livejournal.com]

Combination of time of day, Geo-IP address and purchasing habits I suspect. Perhaps along with your using your card somewhere else at around the same time?

[glittertigger]

I made lots of expensive purchases scattered around Europe earlier this year and HSBC got all antsy (letter and phone calls) and tell me they still have a "keep a watch on this one" mark on my account. Even though I've assured them it really was just me being extravagant on an extended business trip.

[mrph.livejournal.com]

Sounds a bit dodgy. I wonder if they have a 'holiday marker' system - I know Barclays and a few other banks do, so that customers can let them know they'll be overseas.

Otherwise you can end up with a situation where money's spent in, say, Nigeria - and the bank can't phone you to confirm it's genuine (...as you're in Nigeria so not answering the phone...), so they stop your card(s), potentially leaving you overseas with no working plastic... :-/