When identity theft becomes standard operating procedure

Data breaches, lost information spark similar response from vendors: Ho-hum, it's only theft

TJX Companies suffers a long-term hacker breach and information related to more than 45 million credit cards is accessed by unauthorized parties. To put this in perspective, there are only about 180 million adults in the United States (out of more than 300 million people). If you assume that most of those adults have some form of available credit (many won’t because of personal choice, incarceration, bankruptcy, etc.), this breach alone compromised a quarter of the U.S. population’s cards.


Of course, as TJX has stated, many of the cards were expired or otherwise protected -- but the percentage is nevertheless staggering.

At what point will we do something different to protect ourselves?

Even more striking is that identity and credit card theft has become so common that not only have readers grown immune to the press stories, but the credit card companies and banks are treating it with an almost laissez-faire attitude. It's becoming clear to me that credit card and identity theft are so routine that the affected companies barely care anymore. Here are some anecdotal stories that led me to that conclusion:

The first story was related to me by the CIO of a large global bank. He proactively reviews his credit card bills online and noticed a charge from Yahoo for an e-mail account. Because he has been a Hotmail user for 10 years and has never used Yahoo, this surprised him. He called Yahoo and was eventually transferred to the billing department, where he disputed the charge.

The agent tried to reassure him that it was probably just somebody else he had authorized to use his credit card, like a family member or employee. He asked them for the e-mail account name so he could confirm or deny that implication, even though he was pretty sure that wasn’t the case. Get this -- Yahoo wouldn’t reveal any of the e-mail information to him. They said he didn’t have rights to the information. He paid for it, but he didn’t have the right to hear the details of the account he had supposedly opened!

They -- and I'm not making this up -- essentially interrogated him for more personal information: his credit card number, the CV (card verification) number on the back of the card, birth date, place of birth, mother's maiden name, and a secret question and answer that only he would know. At this point, I asked the CIO whether he was really being phished, since the Yahoo agent was asking for all the information anyone would need to steal his identity, and by his own account he had no pre-existing relationship with Yahoo. Personally, I would not have given up the information.

Yahoo used the CIO's information to verify that none of his personal details matched the account information on file, and said it would reverse the charge and close the account. The CIO still wanted to know who had opened the account, in case it revealed something useful in determining how his card was compromised (the false account owner's location, name, the date it was opened, etc.). Yahoo wanted him to mail or fax an official letter requesting the information and stating the reason for the request. This amazes me: The CIO had just given Yahoo every bit of evidence needed to prove the e-mail account was bogus, yet somehow that wasn't enough?

After discovering this fraud, the CIO called his credit card company to report the incident and get new cards. To his surprise, the card issuer said it didn't normally cancel old cards and issue new ones until three separate fraud incidents had been reported. Are they kidding? One isn't enough? Apparently not; the friendly credit card representative said that a single fraud incident could have been a mistake.

The very Italian CIO replied that his name wasn't John Smith, and it was highly unlikely that someone accidentally used his card, name, and CV number. He asked if he could at least have free credit history reporting. They said no. The representative replied that he had a “zero liability” card and he wouldn’t be on the hook for the fraudulent charges anyway.

What about the lost hours of productivity and personal time, and emotional stress he has to go through wondering if his card will ever be used again? What if the thief spends up to his credit limit and the next time the CIO goes to make a legitimate purchase, he gets declined? As a frequent traveler, he could be in a foreign country when his card gets declined and stuck there until he comes up with an alternative payment method. Zero liability doesn't mean zero hassle.

After hearing this story, one of the CIO's employees piped up with his own recent credit card fraud misadventure. His wife's credit card had been used fraudulently to purchase more than $5,000 of goods. The theft was noticed only because the couple realized they hadn't received a billing statement for two months. They called the bank and learned of the fraud: The thieves had stolen their credit card information, made purchases, changed the account's mailing address and e-mail address, ordered supplemental cards, and successfully extended the credit limit twice. These are common credit card fraud techniques. How long would you go unbilled before calling your credit card company?

The fraud could have been noticed a lot sooner if the card issuer had sent a proactive notification of any change of address or account information to the old mailing or e-mail address. But I guess that's asking too much.

This time, though, the company canceled his wife’s stolen card and gave her free credit card monitoring service. Because the CIO's employee had the same type of card (only one number off from his wife’s card) and his account was opened at the same time, he asked if he could cancel his card, too, and get monitoring service. No dice.

These are examples of savvy credit card users trying to take proactive steps to prevent further credit card fraud, while the very companies that are supposed to protect them, at best, don't share their customers' level of concern. At worst, they are indifferent to their customers' plight.

For their part, both men canceled their credit cards with those issuers. In the end, the customer always has the final say.