This is a story of a credit card fraud that happened to my wife and me just before the holidays. It’s an amazing one that apparently involves insiders working at Chase.com and UPS, but the fraud is only half the story. The other half is about incompetence, poor call center training, broken security processes, and how once again the weakest link in any business process is the person trying – or not trying – to do their job.
So if you’re counting on Chase to protect your identity or work proactively to solve a serious identity theft against you, read on. You may want to reconsider placing your precious identity in the hands of this clown car masquerading as the largest U.S. bank.
This is also a story about how, once the rogue human element is inserted into the picture, automated call centers and logistics systems make it too easy to steal – in this case by intercepting newly ordered Chase credit cards from a UPS distribution center, using a pilfered security code to activate the cards, and then going on a heckuva holiday spending spree. And it’s the story of how hard it is for one of the biggest banks in the world to fathom that it’s just been stung by a not-very-sophisticated inside job. Chase would rather blame the victim than heal itself.
The story begins one morning three weeks ago with the receipt of an email from Chase, the issuer of my Southwest Airlines credit card, that alerted me to the pending arrival of “the new card that I ordered.” It also cautioned me to contact Chase if I hadn’t ordered it, and as I hadn’t ordered it I immediately called the call center.
And thus began a comedy of errors that has run now for three solid weeks. First I was told not to worry, that this must be some kind of routine re-order. I persisted, and was then told that indeed my wife had ordered the new cards the night before. I told them she hadn’t, and I was asked, I swear, if I was sure that she hadn’t. Yes, I was sure. I was even asked if I had actually asked her if she had ordered the card. This conversation was going south quickly.
Having filled my idiot quotient already, I forced the call center agent to put her supervisor on, and he and I determined that some sort of fraud was happening, though with a curious twist: the new card was being sent to our home address. Nonetheless, we cancelled the card, retired the account number, and ordered new cards to be sent to us. And we put a new security password on the account so that all future activity would be required to “go through” the new password. For the record, the new password was written down on a piece of paper and my wife and I then entered it into our respective computer systems using a relatively elaborate code.
That afternoon, armed with the tracking number for the fraudulent card (but not the new ones, Chase didn’t give that tracking number to me) I began to track the package on the UPS site. At 3 pm a notation showed that the package was being diverted from home delivery to a pickup at a UPS facility, on the request of the receiver – not me, but obviously the woman who had pretended to be my wife. This made some sense, as it wasn’t obvious how the thief planned to get a hold of the card once it had been delivered to my house. It would be soon, however: I hadn’t counted on the UPS side of this scam.
At 6 pm a new notation showed up in the UPS record, indicating that the thief had changed her mind and was now requesting it to be delivered to the house. Which meant that we were going to get three cards the next morning (a Friday): the two new cards and the original fraudulently ordered card.
Friday morning comes and around 11 am I get a call from Chase, checking on some recent activity with my new card. New card? Yes, one of the cards I ordered the previous day – and secured with a new password known only to Chase and me – was being used at the Apple store in San Mateo, CA (about 45 minutes south from here) to great effect, while the other one was shopping its little heart out at Sunglass Hut in Napa, this time 45 minutes to the north. Merry Xmas.
Having never seen these cards, or even having an inkling of the new account number, I was dumbfounded. I immediately asked to speak to a supervisor, and was told that the cards were signed for at my house that morning at 9:50 am. I told them that was impossible, as I was home all morning and saw no sign of UPS.
Maybe, it was suggested, with the utmost seriousness, UPS had shown up and someone waiting outside my house signed for them. Also not possible – Amber the wonder dog goes into serious intruder alert mode at the sight of a UPS truck, and would have been barking up a storm at the sight of a truck and some stranger in front of my house receiving some packages. In other words, the package had not only not been delivered, it hadn’t even made it to a delivery truck but had been stolen from the UPS distribution center in San Pablo, CA sometime after its arrival scan. (I checked with a UPS driver on this: had the thief diverted it from a delivery truck, the package would have been located in the electronic manifest of the truck and the driver would have become suspect #1 in about two seconds. UPS drivers, unlike the seasonal help UPS hires in the DC during the holidays, are pretty unlikely to risk their jobs and pensions for a relatively minor fraud like this one.)
Then, I asked the Chase supervisor the two questions that have bedeviled Chase since that day: 1) how can you activate a new card that is password protected without the password, and 2) how can someone intercept a package from UPS without a tracking number? Bear in mind, I had encrypted the new password on our computers and I had never received the tracking number.
Absent a reasonable explanation that has escaped me for these two weeks, I have to conclude that it was an inside job: Someone at Chase stole my wife’s identity, ordered the first card, and then, noticing that it had been cancelled, stole the new password and tracking info, passing the latter on to his or her partner at UPS and using the former to activate the card. The fact that this theory seems possible is reinforced by Chase’s inability to actively investigate this fraud: Their investigative incompetence has left a security hole a mile wide in their credit card operations, and anyone who knows what I know about how Chase deals with fraud would have easily been able to pull this off with some reasonable assurance that Chase would be unable to figure it out.
Indeed, this is where the farcical elements of the story begin to pile up. Chase has now spent the last three weeks attempting, and failing, to figure out how this fraud could have taken place without the involvement of someone inside Chase: it’s clear that their investigation is centered on a desperate attempt to show that no inside job took place.
Instead, some pretty silly alternative scenarios have been suggested. The best was the theory that someone in my house listened in on the phone call and obtained the new password. I have interrogated my wife, my two young children, and Amber, and none of them apparently stole the data. (Amber broke and confessed to sleeping in the bed while we were out of the house, but that was it on our end.) Chase has also continued to assert that no identity fraud has taken place from inside Chase, and that, rest assured, Chase is working to resolve the matter. (I have learned that “rest assured” is Chase’s little call center mantra, it’s probably on a poster hanging up next to a picture of Chairman James Dimon. Trust me, it’s one of the great oxymorons of modern business.)
And, just to be clear, without revealing too much, if this fraud was accomplished by listening in on my phone calls, the scam could have been much more comprehensive. Nuff said on that.
There is one other scenario that has a degree of possibility with respect to authorizing the pilfered credit cards: judging from weeks of dealing with Chase’s call centers, including people who claim to be two and three levels above the level one responders, it is possible that some gross incompetence in the Chase call center allowed the person who diverted the cards from UPS to activate them without the password (using my mother’s maiden name), though I was assured by Chase that a call center rep can’t even enter the activation screen without the password. This still doesn’t solve the question of how someone can pull a package out of a UPS distribution center without a tracking number, unless another poorly trained Chase call center rep gave out the UPS tracking number to a caller without correctly verifying their identification.
I leave open this possibility because it turns out that poor training and gross incompetence are Chase’s forte when it comes to call center operations. One of many examples: After the replacement cards were intercepted from UPS, we had them cancelled and two new cards ordered, with yet another new password set up for the account. The new password, I found out five days later, hadn’t actually been entered into the system, or it had been entered and erased by someone. It was a heady moment when I first called in and tried to access the account with the new password, only to find that I had to use a previous password to check on a fraud notification alert (see below on how they mucked this one up too).
Chase, in a rare moment of humility, acknowledged this failure to record the new password was an error. The fact that a call center manager (this was a manager) is unable to press ‘enter’ when placing a new password on an account means almost anything is possible inside Chase, much more probable than my wife hiding the fact that she’s ordered new credit cards or that someone is lurking in the basement listening to my phone calls.
One more in the list of noteworthy failures inside Chase: when I got the new cards on Saturday, I notified the Chase fraud desk that I would be traveling to Boston that Mon. (which is why I was still even working with this company: I needed a credit card for my trip and my only other one was Amex.) The following Wed. I received a travel notification alert from Chase that indicated that someone had placed a notification of pending travel on the account. I called (and was rejected from the account because I was using a new password that had actually never been entered. Luckily I still remembered the old password) and found out that the travel alert was the one I had placed on the account five days earlier. Five days! The people who went on the shopping spree had spent thousands of dollars in the space of an hour; imagine what someone could do for the five days it takes for the fraud alert to show up. So much for a proactive fraud alerting system.
The story unfortunately has yet to be resolved. Chase has basically been trying to end its investigation of the fraud for the last three weeks, calling me periodically to say that their Center of Excellence has determined that no fraud occurred. I have asked three different supervisors to provide answers to my two questions regarding the password and tracking number, and after a week there has been no answer. They did admit the other day that there had been a pattern of credit card diversions from UPS in Northern California, but that of course has nothing to do with Chase.
At this point the only reason I am hanging on to the cards is to see how this will all pan out and to see what Chase is going to do for me once they finally admit that the fraud occurred inside Chase. I’m thinking a three-year subscription to a credit card alert service for starters. Just starters.
So, the moral of this long-winded story is simple: It’s possible to be the largest bank in the United States and be ill-equipped to deal with credit card fraud to a shocking degree. Despite however many millions Chase must spend on protecting its credit card holders, it’s clear that they don’t train their people well, they don’t have strong, bulletproof security processes, their investigation processes are pitiful, and their overall default mode is to blame the victim and ignore the obvious.
But most important is how vulnerable Chase is to a relatively clever gang of credit card thieves working inside Chase and its logistics partner, UPS. This is the Wikileaks effect in the consumer credit world: you can build the best security system in the world, and yet a single individual with inside access can circumvent it with little effort. The trick is to not only be able to prevent such an occurrence – some of which can be done by better hiring practices, particularly during seasonal hiring rushes – but also to be able to consider the impossible – an inside job – and investigate it thoroughly and passionately. Chase has been mailing this investigation in from the get-go. They need to clean it up before they kill off whatever reputation they think they still deserve.