Banking Security

Ok, so this morning at SEVEN IN THE MORNING my cell phone goes off with a call from my bank about some suspicious activity on my account. Not a huge deal, I think, because I bought a lot of stuff recently and some of it was from overseas, and that usually causes them some deal of heartburn. But the weird thing is that the voice on the other end of the phone isn’t the voice that I normally hear when I call in to chat with my bank or check on my accounts. So I was a bit confused, seeing as how my bank, the Bank of America, has a voice that they use for automated customer service and that voice is a guy. This warning voice was a female automated voice. I think it odd that when warning me of a possible problem that they’d use a voice that, while obviously not human, also isn’t the voice that they use for normal business.

So I was a bit put off by that, but whatever. I also had an email from the bank. Now’s where it gets really weird. The voice mail left me one number to call (866.242.6289), while the email gave me another number (877.833.5617) to call. Neither number was the number that I was familiar with (800.432.1000) and so I’m not thinking things are going well. In fact, at this point I’m not sure if my bank is contacting me or if I’m the focus of a couple of phishing scams.

I figure I have to call, because if it’s not the actual bank, we have other problems to deal with, so I call first the 866 number, get a voice I don’t know claiming to be an automated system at Bank of America, which then asks for the 16 number that is my check card. Um, not just no. Fuck. No.

So I call the 877 number, and get yet another voice that again asks for my 16 checkcard number. Again, not gonna happen fuckers. Why? Because if this was a scam, what a brilliant scam it would be. Give people a call, leave them a message to call you back and ask them for their checkcard number using an automated voice claiming to be the real bank worried about security, and, BAMMO! instant money.

So, rather than make a big problem out of this I call the number I know and use and ask to speak to a real person, an associate. Now this is where it gets interesting. I ask the girl I get to put me through to a human being at the fraud protection unit so that I can fix all this. She says ok and transfers me off to…

… wait for it…

Automated Female Voice Number 1!

I so totally feel like the banking version of the dating game has swallowed my life. Not impressed, I disconnect and go back to the main number I know, get the system to pass me off to a real person again, and ask this kind lady, who at least tried, to get me to a person. She tried the other number they had, and it put me to AFV1 again, but again, at least this woman tried to do something else.

At this point, I was over it all and since I had called a number I knew I figured it would require me to wear a tinfoil hat to think that it was a conspiracy that large in the bank. So I put in my checkcard number and then tried to authenticate the transactions.

Well, this is where it gets, if you can believe it, even dumber. Because now it reads back transactions using the business name, not the DBA name, because it’s an automated system that can’t think. It also reads back the $1.00 testing charges that companies use to verify addresses and whatnot on larger purchases, and those transactions aren’t real and can’t be verified by the general public because they aren’t ever shown to the general public. So I hear one of these, from a company I don’t immediately recognize, and, given that it’s a system, I have three options – approve, deny or pause for more time to figure out the transaction.

If you hit pause, what do you think happens?

  1. The system gives you a minute or so to go find receipts or open checkbooks or whatever you need to do to find the transaction.
  2. You go to the next transaction and will come back to this unknown one for further review at the end.
  3. You get disconnected and told to call back another time.

Yep. Number 3 it is. So I call back to the normal number that I use, get a guy who has obviously dealt with this issue before who manages to not only transfer me to a REAL PERSON at fraud, but who does so immediately. Then the real person at fraud goes over my transactions, we see that all is well, and we both move on.

After I recount this entire farce for him so he understands that an hour of my day was taken dealing with a system that is flawed from the get go. So now I’m going to do a service for Bank of America, and I hope they listen. Here’s how your fraud system should work.

  1. BofA internal systems suspect fraud.
  2. BofA automated voice, the one we all hear when we call the normal BofA number, calls the customer’s number on file and tells customer to call the regular BofA and use the possible fraud menu options number to verify transactions.
  3. BofA automated system sends email to customer that also tells customer to call regular BofA number and use the possible fraud menu options.
  4. BofA main customer service number has options for possible fraud and transaction verification for customers to use. And yes, I realize that you want to have your customers put in the 16 digits of their check card to verify that they actually have them, that’s fine. As long as I’ve called you, and I know who I’ve called because it’s the number printed on the back of my check card, then I have no problem with giving you the other numbers on said check card.
  5. All is well and no one is wondering if they just got scammed by a phisher.

So, Bank of America, you’re on notice. Fix your processes. These both suck and are dangerous. You shouldn’t want to have your customers in the habit of calling different numbers for access and security. If you want secure access, they must be together logically.






4 responses to “Banking Security”

  1. […] this one falls under “we really don’t believe it’s a problem” but then, so my the last article. I can’t believe that it’s nearly 2009, we’ve figured out that it doesn’t […]

  2. D in Seattle

    I got the same email. Fortunately I was able to google the phone number and got your site. I totally agree the BofA process is messed up.

  3. Rick Koenig

    Just about the same situation happened to me Aug 1, 2010. Same suspicious-sounding email, same result asking for my 16-digit account number first.

    Like you, I decided No Freakin’ Way. So BOA still has a pretty bad fraud management system. But read on for the positive side of this.

    Called BOA’s main number, and they gave me the fraud department number – same one as on the email, so that email looks legit. Also the email said that my personal account (secure access) would have a copy of the email – which it did.

    And so we did some verification stuff – I gave him my information, he told me his mother’s maiden name which matched my records (Ok, only kidding about that last bit, but there’s no way to verify their end.) Anyway, he could tell me the transaction and amount that was dubious. (But then, so would a scammer, since they put the transaction through, right?)

    Anyway with some other verification stuff, they then offered to send me a new card (7 days) or I could stop by a local branch and they’d give me one temporarily. I can do that pretty easily, so that’s my plan.

    Amounts involved were small-ish – $15 for one, and under $10 for another. But that would be a typical tactic, they said. Try some small amounts, hope they weren’t noticed, and then slam you with a big charge.

    So except for some initial concern, turns out Bank of America was doing the right thing, even if I could question their methods for verifying information.

    I have my other issues with BOA, but I’ll give them a B+ for this one, and for quickly reacting, taking action that is in my best interests, and assuring me that invalid transactions would be fully refunded.

  4. Gary D.

    We are in 2011 now and not much has changed! I got an email of suspicious activity and found it odd because I don’t know of anything I did to trigger it. I am thinking this is either a phishing email or someone is actually using my credit card number. I check the links in the email account and then bring up legit BofA sites, but the email is not asking me to go to the bank website, it’s asking me to call a phone number. I search for the phone number using Google and it is associated with a bunch of security related websites, some are BofA. I finally found the phone number on the BofA website, so I feel comfortable to call it. I enter my credit card number and am transferred to a human. I tell the woman that I am suspicious that I followed a phishing email’s instructions (even though I’m feeling pretty comfortable at this point), she was very nice and validated their identity by providing a couple of transactions that I had done recently. Although the process has not changed (much), it did cost me some time to validate them before I called. I agree that I should have been able to call the regular BofA number and press option X or something.
