My credit card data was stolen last month. I was lucky– the thief moved slowly and there were only two charges before the fraud computer kicked in. But it was still a hassle and an inconvenience, and at first, I had to push pretty hard to get the fraud staff on the job.
Of course, it’s the card that I use all the time: a Fidelity Rewards American Express. It’s only my fifth credit card in over three decades, and I’ve never used a debit card. I’ve had the American Express account for nearly four years. There are no fees and it offers a 2% rebate that’s painlessly credited back to my Fidelity investment account. Since our local Costco also sells gas and only takes Amex, I swipe that card for nearly every single purchase in our household. We live a low-key beach-bum lifestyle these days, and I use so little cash that I can go more than a month between ATM visits.
I’ve had one card stolen over the years, and one other data theft, but surprisingly this time I was the guy who caught the online fraud. (First time ever.) I was waiting for a refund from a company and I was checking my account website to see if the credit had cleared yet. To my surprise, I saw that my Amex card had a temporary authorization for $1.30 at a cosmetics store– in Florida.
No, it’s not what some of you are thinking. My spouse and I have been married for over 25 years, but we’ve kept our finances separate because we were overseas (and underway) for most of our Navy careers. You couldn’t be confident of balancing your accounts, let alone know what each other had spent. Back in the good ol’ 1980s, it took so long for your credit-card bill to be forwarded by APO snail mail (and for your paper check(!) to be mailed back to the U.S.) that you were lucky to make your payment before the due date. Back then I was also underwater for over 90 days at a time on submarine patrols, so my card was unreliable. The fraud computers would regularly suspend it whenever I returned from sea and tried to use it.
This means that my spouse and I have had separate personal finances ever since we married. Separate paychecks, separate checking accounts, separate ATM cards, and separate credit cards. We have separate credit histories. We don’t use each other’s cards, and we regularly track our spending in Quicken. We almost never have one of those “Oops– honey, I’ve been meaning to tell you…” conversations.
Two months ago at USAA’s blogger conference, we saw how frighteningly easy it is to duplicate a credit card. A very cheerful exec from their banking services division did it in about 90 seconds. (Of course he’s cheerful– he can give himself a credit card whenever he wants!)
He started with his USAA corporate credit card and a fistful of hotel “room key” cards. He showed us how to buy a card reader on eBay (a completely legal item for small businesses) which even comes in a smartphone model. He showed us where to buy the hardware to write the credit-card data onto a magnetic stripe. (Also completely legal– and cheap!) He swiped his corporate card on the reader, fiddled with his laptop for a second, and then started swiping hotel key cards through the writer.
After making a dozen copies of his corporate credit card, he was also ready to go online with the same card data to buy more stuff. Finally, he showed us how to wirelessly transfer the data (by smartphone) so that your credit card data can be swiped by a clerk as you’re making your purchase– and sent overseas before you even sign the charge receipt.
When I saw that $1.30 “temporary authorization” on the website summary of my card purchases, I knew immediately that it wasn’t mine. I knew that I still had my credit card, and I’d been using it with local businesses where I’d been shopping for years, but none of that mattered. I knew that a clone of my card was being tested (5000 miles away from me) so that someone could start their spending spree.
Either that or someone in a store five time zones away from me had made a data-entry mistake and accidentally typed the wrong card number (my number) into their cash register.
Guess which scenario the card services company thought it could be.
The credit card services company, FIA Card Services, is part of Bank of America. BofA has been a popular media punching bag for a few years, and maybe we’ve been too harsh on them. You can assess FIA Card Services however you want– as a galaxy-spanning enterprise with decades of eagle-eyed security experience at handling credit-card fraud, or as a disorganized Megacorp “Office Space” zombie lurching about cluelessly.
I discovered the fraud on the weekend between Christmas and New Year’s, so perhaps they were down to a skeleton staff. I phoned them on a Saturday evening in Hawaii, which made it very late at night for the Mainland call center. Whatever time zone they were in, I could tell that the A-Team was not on duty.
Even after I explained the problem, they started at the beginning of the script. First I got the “Credit Card 101” lecture:
“Sir, do you still have your card in your possession?” Hey, pal, that’s why I called.
“Have you tried to use it recently?” Yeah, see all those Costco charges? In my ZIP code?
“Have you bought anything online?” Yeah, but are any of those companies flagged for fraud?
“Well, sir, it could be someone else in your household using your card.” Um, no. It’s theft. Seriously.
Then I was upsold:
“Would you like to purchase our monitoring service that…” No, I’d like to report a crime.
Then they went for “computer glitch”:
“It’s only a temporary authorization, not an actual charge, and that might not be the final amount. It’ll clear up in a couple of days.”
I could see where this was going, so I asked him if he was recording the call. When he affirmed, I told him that I was formally notifying FIA Card Services of an unauthorized use of my credit card and that any fraud would be their problem. As you might expect, he was cool with that. Apparently, the call center script doesn’t have any tripwires for customers slinging words like “theft” or “crime” or “fraud”. I had no desire to get to know the supervisor on duty that night, either.
Our daughter was home from college, so we had plenty of activity in the house. I dropped this problem and we resumed our usual surfing routine. I even used that Amex card the following Wednesday with no problems.
But when we came home from surfing on Thursday morning, our answering machine was blinking like a holiday light show. I had calls from both a computer and a human who was “urgently” trying to reach me. Good thing I hadn’t needed to use that Amex card in the surf break, either, because it was “suspended pending resolution of the matter”.
You would think that FIA’s fraud department would want to speak to me as soon as my return call connected. You would think that they’d leave a callback number ringing directly in the cubicle of the person working on the problem. You would think that they’d have an expedited service for customers returning their call– especially for calls about fraud.
You would be wrong.
At this point, I was beginning to wonder if FIA Card Services even has an “A-Team”.
When I called back, a cheerful computer audio track insisted on telling me about my card balance and my last dozen transactions. I had to wade through the usual “interactive” voice “response” menus to get to a live human. Then I had to be transferred to the fraud department, where I was again put on hold. I’ve revised my opinion of FIA’s abilities from “eagle-eyed security” to “zombie”.
While I was waiting, I logged on to my account. Yup, the card had been used to buy a ticket on Norwegian Air– and $381.25 to Sweden seems like a good price.
The fraud squad hadn’t even read my call center file. When they launched into their own Credit Card 101 lecture, I mentioned that I’d already called FIA Card Services on this problem. I was put back on hold while they reviewed their records, and they returned to inform me that they’d reverse the charges. They also said that they’d canceled the card and would issue me a new one in “five business days”.
In Hawaii, when someone on the Mainland tells you it’ll be there in five business days, what it really means is that it takes five business days to get to the West Coast. They don’t understand that from there it can take another week to get to Hawaii. I pointed out that I’d already been inconvenienced by FIA Card Services on my first phone call and again on this call, and they needed to reciprocate with some of the famously advertised Amex rapid response. FIA grudgingly admitted that they could FedEx the card to me on Saturday morning– in just 48 hours.
Sure enough, it arrived only 96 hours later. Good thing I asked for expedited service.
My USAA credit card covered the four-day gap… admittedly at a smaller rebate rate, but with no drama.
I activated the new Amex card with no problems, the charges have been reversed, and the old account data was transferred over. I didn’t have any automatic payments linked to that card, so I didn’t have to scramble to update anything. Life goes on.
A week later FIA piled insult on top of injury by requiring me to fill out not one but two fraud statements– in two separate envelopes on two separate days. The website had already been updated and my new card had charged up a storm. However, they still snail-mailed me paper forms to fill out, add my signature, and snail-mail back.
So how do I keep my card data from being stolen again?
Beats me. I still don’t know how it happened the first time, and if FIA knows then they haven’t told me. Was my credit-card data skimmed at the Thai restaurant in our local shopping center? Was it the genetic testing that I ordered from 23andMe.com? The books I ordered from Amazon.com? Was the card data stolen two months ago during my Mainland travel and eventually sold to someone who finally got around to using it?
I’m going to do some basic follow-up to protect against more credit fraud problems. I’ll request a free annual credit report from one of the three agencies every four months (as usual) to make sure that this incident doesn’t slop over onto my records. I’ll add a fraud alert to my credit file for the agencies to keep an eye on.
My new credit card number is on file with Amazon.com but I’m not going to store it on any other websites unless it’s absolutely necessary. If I do, I’m going to use a one-purchase number provided by FIA’s website. I’d love to get an e-mail alert from FIA Card Services every time my credit card is charged, but they don’t seem to offer that convenience.
If my credit card data is stolen from the new card, though, then I’m done with FIA Card Services. Of course, I have a fairly hefty credit limit built up with them, and I’m reluctant to mess with that. I’d like to keep a high credit rating for our insurance rates. I’m retired and I don’t plan to borrow more money, but if I decide to refinance a mortgage then I’d also like to do it on that high credit rating.
I won’t have to give up Amex if I give up FIA– I can just sign up for a Costco rebate Amex card and enjoy their customer service.
Are there any other steps I should be taking to recover from this fraud?