When Will Credit Card Issuers Learn About Online Fraud?

I have my doubts if ever.

Back in 2007, I posted “Subjunctive Identity Theft .. From American Express?”, citing a real-world case where American Express had identified suspicious activity on my account and left me a voice mail message with an 800 number to call.

Upon calling, the first thing the operator requests is my account number. Are you kidding me?

Seems Bank of America hasn’t learned either. I traveled abroad recently and used my Visa for a purchase. This triggered a ‘suspicious activity’ alert (reasonable, as I was obviously out of country). I get a nice email, the gist of which is:

We detected irregular activity on your Bank of America Credit Card on 05/14/2009. For your protection, you must verify this activity before you can continue using your card.

What can I do? Well, I can call a US 800 number (collect .. but would still cost airtime or hotel surcharges), or I can visit a web site:


Where the first thing they ask of you is to provide your credit card number:


Wake up, gang .. you didn’t fool me, but you’ll get some folks.

Elsewhere in the email, they say:

Want to confirm this email is from Bank of America? Sign in to Online Banking and select Alerts History to verify this alert.

Then, I notice their last time login beacon for me is incorrect (it’s over six months old .. kids, I pay bills with Bank of America .. and I’m not six months late on any bills). So, is it the real site, or not? One last check. I open my account, and voila: no alerts when I log in and no alert history link to click.

So, what’s going on? Both Firefox and IE display a tidy green fill when the real Bank of America site is opened:


But, not so much on the http://www.bankofamerica.com/myfraudprotection site .. first of all, it redirects to https://myfraudprotection.bankofamerica.com/Welcome.aspx (redirects are always suspicious), and notice how there’s no green flood anymore?

Further, when you mouse over the security icon in Firefox, you get:


The site is verified by VeriSign and your connection is encrypted. But is it really Bank of America? See the “(unknown)”? Is this an unknown (to VeriSign) web hosting company, or has Bank of America simply not verified the site with VeriSign through proper channels? Sure the connection is encrypted, but a certificate for connection encryption isn’t that hard to get.

If you started reading this post thinking it was a statement of insecurity on the Internet, please understand: that’s how I intended it. However, either Bank of America has done something really, really stupid in the eyes of the non-trusting public, or the site is bogus, pointing to a server within their firewall that has been compromised.

I think I’ll watch the papers for a few days .. in the interim, I’m going to sit on hold for a while tomorrow when I get to the office .. will let you know what I learn.

About Michael Coates
I am a pragmatic evangelist. The products, services and solutions I write about fulfill real-world expectations and use cases. I stay up-to-date on real products I use and review, and share my thoughts here. I apply the same lens when designing an architecture, product or when writing papers. I am always looking for ways that technology can create or enhance a business opportunity .. not just technology for technology's sake. My CV says: Seasoned technology executive, leveraging years of experience with enterprise and integration architectural patterns, executed with healthy doses of business acumen and pragmatism. That's me. My web site says: Technology innovations provide a myriad of opportunities for businesses. That said, having the "latest and greatest" for its own sake isn't always a recipe for success. Business successes gained through exploiting innovation relies on analysis of how the new features will enhance your business followed by effective implementation. Goals vary far and wide: streamlining operations, improving customer experience, extending brand, and many more. In all cases, you must identify and collect the metrics you can apply to measure your success. Analysis must be holistic and balanced: business and operational needs must be considered when capitalizing on a new technology asset or opportunity.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: