Credit Card Fraud at Chase.com: How Bad Training and Bad Security Processes Are Bad for Business (and Customers)

This is a story of a credit card fraud that happened to my wife and I just before the holidays. It’s an amazing one that apparently involves insiders working at Chase.com and UPS, but the fraud is only half the story. The other half is about incompetence, poor call center training, broken security processes, and how once again the weakest link in any business process is the person trying – or not trying – to do their job.

So if you’re counting on Chase to protect your identity or work proactively to solve a serious identity theft against you, read on. You may want to reconsider placing your precious identity in the hands of this clown car masquerading as the largest U.S. bank.

This is also a story about how, once the rogue human element is inserted into the picture, automated call centers and logistics systems make it too easy to steal – in this case by intercepting newly ordered Chase credit cards from a UPS distribution center, using a pilfered security code to activate the cards, and then going on a heckuva holiday spending spree. And it’s the story of  how hard it is for one of the biggest banks in the world to fathom that it’s just been stung by a not –very-sophisticated inside job. Chase would rather blame the victim than heal itself.

The story begins one morning three weeks ago with the receipt of an email from Chase, the issuer of my Southwest airlines credit card, that alerted me to the pending arrival of a “the new card that I ordered.” It also cautioned me to contact Chase if I hadn’t ordered it, and as I hadn’t ordered it I immediately called the call center.

And thus began a comedy of errors that has run now for three solid weeks. First I was told not to worry, that this must be some kind of routine re-order. I persisted, and was then told that indeed my wife had ordered the new cards the night before. I told them she hadn’t, and I was asked, I swear, if I was sure that she hadn’t. Yes, I was sure.  I was even asked if I had actually asked her if she had ordered the card. This conversation was going south quickly.

Having filled my idiot quotient already, I forced the call center agent to put her supervisor on, and he and I determined that some sort of fraud was happening, though with a curious twist: the new card was being sent to our home address. Nonetheless, we cancelled the card, retired the account number, and ordered new cards to be sent to us. And we put a new security password on the account so that all future activity would be required to “go through” the new password. For the record, the new password was written down on a piece of paper and my wife and I then entered it into our respective computer systems using a relatively elaborate code.

That afternoon, armed with the tracking number for the fraudulent card (but not the new ones, Chase didn’t give that tracking number to me) I began to track the package on the UPS site. At 3 pm a notation showed that the packaged was being diverted from home delivery to a pickup at a UPS facility, on the request of the receiver – not me, but obviously the woman who had pretended to by my wife. This made some sense, as it wasn’t obvious how the thief planned to get a hold of the card once it had been delivered to my house. It would be soon, however: I  hadn’t counted on the UPS side of this scam.

At 6 pm a new notation showed up in the UPS record, indicating that the thief had changed her mind and was now requesting it to be delivered to the house. Which meant that we were going to get three cards the next morning (a Friday): the two new cards and the original fraudulently ordered card.

Friday morning comes and around 11 am I get a call from Chase, checking on some recent activity with my new card. New card? Yes, one of the cards I ordered the previous day – and secured with a new password known only to Chase and me  – was being used at the Apple store in San Mateo, CA (above 45 minutes south from here) to great effect,while the other one was shopping its little heart out at SunGlass Hut in Napa, this time 45 minutes to the north. Merry Xmas.

Having never seen these cards, or even having an inkling of the new account number, I was dumbfounded. I immediately asked to speak to a supervisor, and was told that the cards were signed for at my house that morning at 9:50 am. I told them that was impossible, as I was home all morning and saw no no sign of UPS.

Maybe, it was suggested, with the utmost seriousness, UPS had showed up and someone waiting outside my house signed for them. Also not possible – Amber the wonder dog goes into serious intruder alert mode at the site of a UPS truck, and would have been barking up a storm at the site of a truck and some stranger in front of my house receiving some packages. In other words, the package had not only not been delivered, it hadn’t even made it to a delivery truck but had been stolen from the UPS distribution center in San Pablo, CA sometime after its arrival scan. (I checked with a UPS driver on this: had the thief diverted it from a delivery truck, the package would have been located in the electronic manifest of the truck and the driver would have become suspect  #1 in about two seconds. UPS drivers, unlike the seasonal help UPS hires in the DC during the holidays, are pretty unlikely to risk their jobs and pensions for a relatively minor fraud like this one.)

Then, I asked the Chase supervisor the two questions that have bedeviled Chase since that day:  1) how can you activate a new card that is password protected without the password, and 2) how can someone intercept a package from UPS without a tracking number? Bear in mind, I had encrypted the new password on our computers and I had never received the tracking number.

Absent a reasonable explanation that has escaped me for these two weeks, I have to conclude that it was an inside job: Someone at Chase stole my wife’s identity, ordered the first card, and then, noticing that it had been cancelled, stole the new password and tracking info, passing the latter on to his or her partner at UPS and using the former to activate the card. The fact that this theory seems possible is reinforced by Chase’s inability to actively investigate this fraud: Their investigative incompetence has left a security hole a mile wide in their credit card operations, and anyone who knows what I know about how Chase deals with fraud would have easily been able to pull  this off with some reasonable assurance that Chase would be unable to figure it out.

Indeed, this is where  the farcical elements of the story begin to pile up. Chase has now spent the last three weeks attempting, and failing, to figure out how this fraud could have taken place without the involvement of someone inside Chase: it’s clear that their investigation is centered on a desperate attempt to show that no inside job took place.

Instead, some pretty silly alternative scenarios have been suggested. The best was the theory that someone in my house listened in on the phone call and obtained the new password. I have interrogated my wife, my two young children, and Amber, and none of them apparently stole the data. (Amber broke and confessed to sleeping in the bed while we were out of the house, but that was it on our end.) Chase has also continued to assert that no identity fraud has taken place from inside Chase, and that, rest assured, Chase is working to resolve the matter.  (I have learned that “rest assured” is Chase’s little call center mantra, it’s probably on a poster hanging up next to a picture of Chairman James Dimon. Trust me, it’s one of the great oxymorons of modern business.)

And, just to be clear, without revealing too much, if this fraud was accomplished by listening in on my phone calls, the scam could have been much more comprehensive. Nuff said on that.

There is one other scenario that has degree of possibility with respect to authorizing the pilfered credit cards: judging from weeks of dealing with Chase’s call centers, including people who claim to be two and three levels above the level one responders, it is possible that some gross incompetence in the Chase call center allowed the person who diverted the cards from UPS to activate them without the password (using my mother’s maiden name), though I was assured by Chase that a call center rep can’t even enter the activation screen without the password. This still doesn’t solve the question of how someone can pull a packaged out of a UPS distribution center without a tracking number, unless another poorly trained Chase call center rep gave out the UPS tracking number to a caller without correctly verifying their identification.

I leave open this possibility because it turns out that poor training and gross incompetence is Chase’s forte when it comes to call center operations. One of many examples: After the replacement cards were intercepted from UPS, we had them cancelled and two new cards ordered, with yet another new password set up for the account. The new password, I found out five days later, hadn’t actually been entered into the system, or it had been entered and erased by someone. It was a heady moment when I first called in and tried to access the account with the new password, only to find that I had to use a previous password to check on a fraud notification alert (see below on how they mucked this one up  too).

Chase, in a rare moment of humility, acknowledged this failure to record the new password was an error.  The fact that a call center managers (this was a manager) is unable to press ‘enter’ when placing a new password on an account, means almost anything is possible inside Chase, much more probable than my wife hiding the fact that she’s ordered new credit cards or that someone is lurking in the basement listening to my phone calls.

One more in the list of noteworthy failures inside Chase: when I got the new cards on Saturday, I notified the Chase fraud desk that I would be traveling to Boston that Mon. (which is why I was still even working with this company: I needed a credit card for my trip and my only other one was Amex.) The following Wed. I received a travel notification alert from Chase that indicated that someone had placed a notification of pending travel on the account. I called (and was rejected from the account because I was using a new password that had actually never been entered. Luckily I still remembered the old password), I found out that the travel alert was the one I had placed on the account five days earlier. Five days! The people who went on the shopping spree has spent thousands of dollars in the space of an hour, imagine what someone could do for the five days it takes for the fraud alert to show up. So much for a proactive fraud alerting system.

The story unfortunately has yet to be resolved. Chase has basically been trying to end its investigation of the fraud for the last three weeks, calling me periodically to say that their Center of Excellence has determined that no fraud occurred. I have asked three different supervisors to provide answers to my two questions  regarding the password and tracking number, and after a week there has been no answer. They did admit the other day that there had been a pattern of credit card diversions from UPS in Northern California, but that of course has nothing to do with Chase.

At this point the only reason I am hanging on to the cards is to see how this will all pan out and to see what Chase is going to do for me once they finally admit that the fraud occurred inside Chase.  I’m thinking a three-year subscription to a credit card alert service for starters. Just starters.

So, the moral of this long-winded story is simple: It’s possible to be the largest bank in the United States and be ill-equipped to deal with credit card fraud to a shocking degree. Despite however many millions Chase must spend on protecting its credit card holder, it’s clear that they don’t train their people well, they don’t have strong, bullet proof security processes, their investigation processes are pitiful, and they’re overall default mode is to blame the victim and ignore the obvious.

But most important is how vulnerable Chase is to relatively clever gang of credit card thieves working inside Chase and its logistics partner, UPS.  This is the Wikileaks effect in the consumer credit world: you can build the best security system in the world, and yet a single individual with inside access can circumvent it with little effort. The trick is to not only be able to prevent such an occurrence – some of which can be done by better hiring practices, particularly during seasonal hiring rushes – but also to be able to consider the impossible – an inside job – and investigate it thoroughly and passionately. Chase has been mailing this investigation in from the get-go. They need to clean it up before they kill off whatever reputation they think they still deserve.

 

 

4 thoughts on “Credit Card Fraud at Chase.com: How Bad Training and Bad Security Processes Are Bad for Business (and Customers)

  1. Thanks for posting this. Recently,in August of 2012, my Chase
    Card was hacked and I was told I would be receiving a new card
    with the same account # and same 3 digit # on the back and then
    got another letter telling me I had applied for a Chase card, which
    I already had…..someone was using my account on Walmart.com
    but Chase had supposedly caught it in time and declined the
    order. This whole mess is very sad, and once again, your posting
    has been the absolute best I have read on the “deer in the headlights’
    system that they seemed to be operating. This had nothing to do
    with UPS, but could be, indeed, an inside job….
    Jacqueline Arnold
    Boulder CO

  2. On Thursday November 1, 2012 I received a call from Chase asking if I had made a purchase from Dell in the amount of $800.00 among other charges. Of course I had not and was told that I would not be responsible for the charges and a new card would be issued that day to arrive on the 2nd.. Happy Day’s? Not so fast!! I received the card last Friday, but did not activate until the following Tuesday. Business as usual, I had made three purchases from the Tuesday the new card was activated until last Friday when I received another call from chase asking me if I was in Canada on vacation using my new card. ABSOLUTLEY NOT was my reply. I had just arrived back home with my family after a nice dinner at a local restaurant here in Long Beach, CA. The lady at chase had told me that the FRAUD had just hung up with her claiming to be me was wondering why her new card was not working anymore after making about 2K in fraudulent purchases. Meanwhile while on the phone with the first Chase employee, I receive a call from another chase employee asking me the same questions while the perp was holding to get the answer from him. I told the 2nd Chase employee that I was on another line with the 1st person trying to resolve the same issue he’s called me about. The 2nd Chase caller hung up and I continued with the 1st caller. I had told Chase that this was a brand new card and was dumbfounded how something like this could happen.. I continued to dig with the 1st caller and she finally asked me if I had requested a new card to be sent to a Canadian address. By this time I was appalled… To make a very long story short – Saturday, November 3, 2012 someone had called chase, said they were me, was able to give my mothers maiden name and the last 4 digits of my SS # and a duplicate card , in my name was sent out – no questions aked – so I’m told by Chase. The fact that they Chase had sent out a duplicate card, knowing just a few day’s prior that there was fraudulent activity taking place and a new card was issiued to ME to the address on file should have been enough to alert even the dumbest Chase employee. Not to mention the duplicate being shipped off to another country.. HELLO!!! Also, I never received an email alert for the duplicate card shipped to Canada as I did the first go around and for the cards (cards meaning that they not only accessed my business Visa but also my personal) due today. Why was I never sent an alert email for the 2nd card issued to Canada and how was the fraud able to access information that only I and Chase have access to? I’ve played around with every scenario that I could think of, and have concluded that this was an inside job… I don’t think this is just one person at Chase but a small group of scheisters selling information and new cards being issued to legitimate card-holders for profit. I say look at the lady who made the initial call (Dell purchase), the person who issued a card to Canada and who failed to push the key to alert me of the 2nd card shipped. Bottom line, noone at Chase seemed to have any answers.. What a joke! Can’t trust anyone anymore! Chase told me that they had the address where the card was sent to in Canada, but that they did not pursue criminal cases and at the end of the day It’s the merchants who accept the stolen cards for goods sold that end up paying the price. Pity that more store-front retailers do not ask for proper ID before exchanges are made. Nevertheless, I filed a police report, put out an alert with the 3 major credit buruea’s, requested my credit reoprts and filed with the FTC. Whoever these people are have access to too much information that can ruin us like they have countless others who have been victims of Identity theft. These scams are big business – people need to protect themselves and be diligent in doing so.

  3. Pingback: Chase, UPS, and Credit Card Application Fraud | Funny about Money

  4. Pingback: Too Big to Fail? How about Too Big to Succeed? | EAConsult

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>