Subjunctive Identity Theft .. From American Express?

Say it ain’t so. Please. First of all, what is the subjunctive?

Subjunctive: a grammatical mood that expresses doubts, wishes and possibilities.

I also think of it as:

That which has not happened, but is in the realm of possibility.

Under either definition, I titled this post this way to describe a scenario I just experienced.

  • I pick up a voice mail from American Express, for a "non-sales purpose" (meaning, it’s not a marketing call). The recorded caller gives me a toll-free number.
  • I call the number, where I get a sparkly answering machine that sing-songs "American Express" to me and puts a representative on the line. The first thing the representative says: "May I have your account number?".
  • Umm .. I realize the process simply cannot start until I identify myself to the representative, but I am not about to give my account number in response to a voice mail with a toll-free number I don’t recognize.
  • I advise the representative I am responding to a voice mail from their office and that I’m not comfortable giving her my account number. I ask if I could give her my name and have her look me up that way.

She says she cannot.

  • I ask her why my phone number (which is not blocked) hasn’t identified me to their system.

She says this particular toll-free number doesn’t have that kind of detection.

  • I express my concern about this and suggest that this is a process that is rife with privacy and account risks.

She is apologetic.

  • Finally, I ask if I may call the phone number on the back of my American Express card to ensure I’m connected to their system.

She says that would be fine.

  • I dial in, get the same sing-song "American Express" and press keys to get another representative. I explain the situation to her and she asks me for my card number.
  • I reiterate my concern about the previous call.

She is apologetic.

  • As I know I’m speaking with the legitimate system, I will give her the card number for the affected account.
  • Note that I have three American Express cards, and there was no indication of which card was affected.
  • I give her a card number.
  • She confirms my zip code and another data point to confirm I’m who I say I am.
  • She busily cross-references my other accounts and finds the card with the activity that generated the call.
  • She describes erroneous data entry; specifically, the clerk fat-fingered my zip code on a recent purchase (coincidentally, woman’s shorts, from my recent coffee mishap, actually).

I confirmed I had made the purchase and thanked her for her diligence and we were finished. However, their process has severe security flaws:

  • Initial contact made by an automated voice mail. Note that anyone could have made the initiating call, and setting up a ‘drop’ (someone to pick up and role-play these questions) is trivial these days.
  • The voice mail doesn’t contain a unique case identifier. One would allow the representative to cross-reference the proper account once the customer calls in.
  • The first question asked is "what is your account number". Bollocks. See above.
  • No way for the representative to cross-reference accounts without an account number. If the representative had read certain data back to me to confirm my identity, I’d have been more comfortable with the call.
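The flaws above amount to a callback protocol with no case reference and the secret asked for first. The following is an added illustration (my own model, not American Express's system) of the flow the list implies: the alert mints an unguessable case token bound to one account, the representative locates the account from that token alone and reads a non-secret detail back before the caller discloses anything, and the knowledge check locks after a few wrong answers. Account values and the three-attempt limit are constructed assumptions.

```python
import hmac
import secrets
from typing import Optional

MAX_ATTEMPTS = 3   # assumed lockout threshold for the knowledge check

# Constructed sample data: three cards on one holder, as in the post; values are made up.
ACCOUNTS = {
    "card-A": {"zip": "94110", "last4": "1234"},
    "card-B": {"zip": "94110", "last4": "5678"},
    "card-C": {"zip": "94110", "last4": "9012"},
}
CASES: dict = {}   # case token -> {"account": id, "attempts": n, "locked": bool}

def open_case(account_id: str) -> str:
    """Fraud alert raised: mint an unguessable case token bound to one account.
    The voicemail carries this token, so a callback can be matched to a real case."""
    token = secrets.token_hex(4).upper()          # 8 hex chars, short enough to read aloud
    CASES[token] = {"account": account_id, "attempts": 0, "locked": False}
    return token

def start_callback(token: str) -> Optional[dict]:
    """Customer calls back and quotes the token. The rep finds the account with no
    card number, and reads back a non-secret detail (last four) so the customer can
    check they reached the institution before disclosing anything."""
    case = CASES.get(token)
    if case is None or case["locked"]:
        return None
    account = case["account"]
    return {"account": account, "read_back_last4": ACCOUNTS[account]["last4"]}

def verify_caller(token: str, zip_code: str) -> bool:
    """Only now does the customer supply a knowledge factor. Wrong answers are
    counted and the case locks after MAX_ATTEMPTS, so a guessed or leaked token
    alone cannot be used to brute-force the check."""
    case = CASES.get(token)
    if case is None or case["locked"]:
        return False
    expected = ACCOUNTS[case["account"]]["zip"]
    if hmac.compare_digest(expected, zip_code):   # constant-time comparison
        return True
    case["attempts"] += 1
    if case["attempts"] >= MAX_ATTEMPTS:
        case["locked"] = True
    return False
```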

You could liken this to getting phished by an email with the subject line "Your account is at risk" and a URL to click or a phone number to call.

American Express: This is broken. Please fix it.

Credit card holders: this is a risk. Be very, very careful giving credit card information over the phone. Be hard on the companies who ask you for this kind of information without proper safeguards.

About Michael Coates
I am a pragmatic evangelist. The products, services and solutions I write about fulfill real-world expectations and use cases. I stay up-to-date on real products I use and review, and share my thoughts here. I apply the same lens when designing an architecture, product or when writing papers. I am always looking for ways that technology can create or enhance a business opportunity .. not just technology for technology's sake. My CV says: Seasoned technology executive, leveraging years of experience with enterprise and integration architectural patterns, executed with healthy doses of business acumen and pragmatism. That's me. My web site says: Technology innovations provide a myriad of opportunities for businesses. That said, having the "latest and greatest" for its own sake isn't always a recipe for success. Business successes gained through exploiting innovation relies on analysis of how the new features will enhance your business followed by effective implementation. Goals vary far and wide: streamlining operations, improving customer experience, extending brand, and many more. In all cases, you must identify and collect the metrics you can apply to measure your success. Analysis must be holistic and balanced: business and operational needs must be considered when capitalizing on a new technology asset or opportunity.

2 Responses to Subjunctive Identity Theft .. From American Express?

  1. Pingback: Phone Phishing Scam in the Wild « OpsanBlog

  2. Pingback: When Will Credit Card Issuers Learn About Online Fraud? « OpsanBlog
