When you get a new or replacement credit card in the mail, you have to call the number on the back to activate it, or else you can’t use it, right? Wrong. Despite the sticker on the back that says, “For security purposes, this card is not active,” credit card companies are mailing out cards that can be used without phone activation. This is a problem if the letter containing your credit card is intercepted by an identity thief, like what happened to reader PC Guy. The kicker? He didn’t even request the card, it was a forcible reissue when his store-branded card switched from Visa to Mastercard. His story, inside.
One afternoon, I received a call on my cell phone with “unavailable” appearing on the Caller-id. Ordinarily, I might have just ignored it, but I answered the call and an electronic voice informed me that it was Chase Fraud Services calling about unusual activity on my account–the call continued as follows:
Recording:
Chase: Hello, this is Chase Fraud Services with an urgent call regarding your Chase Credit Card. We have determined there may be fraudulent activity on your account. Please take a moment to confirm recent purchases. Please press one to continue:
Me: One
Chase: Did you make a purchase on (yesterday’s date–they waited one day to call me) in the amount of $14.95 at [redacted--internet site]?
Press one for yes or two for no.
Me: Two
Chase: Let me confirm, you did not make a purchase yesterday in the amount of $14.95 at [redacted--internet site]?
Silence…
Chase: Did you make a purchase on (yesterday’s date) in the amount of $39.95 at (an Internet Data broker–for what I later found out was a background report on me)
Chase: Press one for yes and two for no.
Me: Two
Chase: Please hold for a representative.
[Five minute hold time in order to speak to a fraud representative.]
Chase: Sir, before we proceed with this call, I need to verify your identity. What are the last 4 digits…?
Me: Excuse me, but I refuse to provide you with any personal information. I did not initiate this call and I have no proof you are who you say you are. And for all I know, this could be a” phishing” scam.
[What in the world is Chase thinking by calling customers asking them to identify themselves? It's no wonder people fall prey to phishing scams.]
Chase: Sir, this is not a phishing scam, this is Chase.
Me: Well, that’s reassuring.
Chase: Sir, do you have your Toys-R-us Master Card in your possession?
Me: Not on me, but it is at home.
Chase: So you are confirming that you received it?
Me: Wait a second, this is a phishing scam! I have a Toys-R-us VISA and not a MasterCard. Besides, my card doesn’t expire anytime soon, so why are you asking if I received it?
Chase: Sir, I am going to suspend this account, and place a fraud alert on your credit report. Please do not use your card; we will replace it with a new account number.
Me: Wait a second, what the hell are you talking about? I haven’t used my card in months. It doesn’t expire, and it’s a Visa, not a MasterCard! Please explain what’s going on here.
Chase: Sir, we sent you a new card about a month ago.
Me: Why did you do that when it doesn’t expire anytime soon?
Chase: We had a branding change. The store signed on with MasterCard and as a result, we sent you a new card with a new account number.
Me: And is there a reason why you guys didn’t bother to notify me to expect a new card in the mail?
Chase: Sir, we have millions of customers, we couldn’t possibly notify every customer each time we send out a new or renewal card.
Me: Why is that? I signed up for Chase alerts, electronic statements and electronic notifications–it doesn’t cost you anything to email a customer.
Chase: Sir, I don’t make the rules.
Me: This is just outrageous. I don’t want yet a third account number generated. Please do not send me a new card. Just close the account.
Chase: Sorry sir, I cannot do that.
Me: What do you mean you cannot do that?
Chase: Sir, when we suspend an account for fraudulent activity, the system automatically generates a new account number. So there is nothing I can do. You will receive a letter from Chase, please sign and have it notarized and return it or you will be held responsible for the unauthorized charges.
Me: Wait a second, something doesn’t make sense. How did anyone manage to use the new card
if it requires activation from my home phone number?Chase: That is a good question. Hold on a moment.
Chase: Sir, it was not activated. And rest assured that all these charges were declined as a result.
Me: Excuse me, but if they were declined, then why are you sending me a letter to be notarized?
Chase: Sir, it’s a procedure we must follow under these circumstances.
Still thinking that this bizarre conversation was a phishing experiment, I logged on to Chase online and confirmed that my available credit was reduced to zero on this account. The call was legit, after all! What we have here is a perfect storm of coincidences that led to this incident and if you think ID theft cannot happen to you, think again. The credit card was not stolen. It was not intercepted in the mailing process. It turns out that a careless Postal Service letter carrier delivered it to the wrong address, directly into the hands of a professional ID thief.
Without missing a beat, that person managed to use the card on the Internet for a small purchase at [redacted--internet site] presumably to see if it works, and then proceeded to use the card to pay for a background check on me at two data brokers. The Chase fraud representative lied–Chase did not, in fact, decline these charges.
In an attempt to find out who used my card, I called each merchant and I was informed that they are unable to give me any information because they could ultimately be held liable if I went after that person. I later found out they live in my zip code and through other sources, their name and address. (all three merchants agreed to immediately reverse the charges–something I asked them not to do, because I wanted Chase to investigate this).
I learned that the magnetic strip on the back of the credit card remains deactivated until a phone call is made to activate it. However the account number itself, will work if it is used online. [ed. The magnetic strip is just a dumb magnet. The "activation" occurs within the electronic credit card systems, not within the card itself]
I consider myself a savvy consumer having put in place measures to prevent this from ever happening in the first place:
1) I signed up for a credit report monitoring service that emails me whenever there is new or unusual spending activity.
2) I routinely shred all documents containing personal information.
3) I opted out at the DMA website and subscribed to Catalog Choice to eliminate junk mail.
4) I signed up for electronic statements to prevent misdirected mail
5) I routinely monitor my FICO score.
6) I signed up for credit card alerts sent to my BlackBerry.
7) I pay all my bills using Internet banking instead of sending checks in the mail.Following this incident, I had to take additional measures to protect myself by placing a credit freeze on my credit report at all three credit bureaus as I learned that the “fraud alert” Chase placed for me is not foolproof. Apparently, if someone applies for credit electronically, the computer does not recognize the alert. (one reason why “Life lock” is a bunch of BS) Additionally, I went to http://www.optoutprescreen.com to opt out of pre-approved offers for credit and insurance and filed a report with the postal inspector regarding this incident. I also just learned that at least one bank will allow you to pick up renewal cards at a branch, instead of having it mailed to your home.
[Consumerist editors - you may want to use the following for an additional article--although it is related to this incident, it bears a separate warning:]Do you frequently get a letter in your mailbox addressed to a neighbor? Or, perhaps, addressed to someone living down the block? Did it ever occur to you that if you are receiving that letter addressed to someone else, perhaps they are receiving your mail?
You may not be aware that the postal service has a regular carrier working your route on a five day work week. As mail is delivered six days a week, that means one day each week (usually on a Tuesday) a substitute carrier delivers your mail and they rarely know the route. These subs are not the most accurate to begin with and the postal service rarely keeps them on a regular schedule. So you can be sure that once a week mail will be delivered to the wrong address.
That is generally not a problem when all your neighbors are honest people. But, find someone who just happens to be in foreclosure or is about to be evicted and you may find yourself in my situation.With shoddy mail service, the banks are effectively playing Russian roulette with your account and personal information when they bombard you with balance transfer checks and unsolicited cards at random.
PC Guy is not the only one. KNTV did an investigation on this and the new credit cards they ordered were able to not just be used online, they could swipe them at stores, too. When questioned, Washington Mutual said they allow for small purchases to be made on non-activated cards as a courtesy to their customers. You know what would be a real courtesy? Protecting me from identity theft.
More From Consumerist
-
FTC Warns Against Scammers Trying To Cash In On Aurora Theater Shooting
-
Your ZIP Code And Your Name, That’s All Retailers Need To Track Your Behavior
-
Woman's Social Security Number Displayed To Millions During Democratic National Convention
-
Scammers & Spammers Try To Cash In On Sandy Hook Shootings
-
How To Figure Out If A Charity Might Be A Scam
@Trai_Dep: They are. You aren’t liable for any charges that were incurred because of failed security.
It’s true. i used a new card the other day without calling to “activate” it. They like to use the phone time to try to sell you other stuff.
@missjulied: how do you know he had recieved a letter with pin information without opening his mail? that is very wrong and how are we to believe that you haven’t stolen his idenity if you are willing to break the law by opening mail that doesn’t belong to you.
This is so fake. Someone wrote this for his freshman creative writing “discover dialogue” assignment.
This just happened to me yesterday. I was mailed a new credit card from BANK OF AMERICA I’m guessing because it was a few months away from expiring. There was no activation required or anything. I was shocked. Thank god I checked my mail soon after it was delivered.
Credit card fraud? Yes.
Identity theft? No.
For it to be ID theft, someone would have had to have opened up new accounts and/or loans in his name, or otherwise abused his contact info.
BOA sent my replacement card already activated to my house…the replacement card they were sending me because they had to close the prior account due to fraudulent use. They even sent two of the cards in the mail, the rushed one and the standard shipping one.
@Jeff the Riffer: Did you RTA?
“Without missing a beat, that person managed to use the card on the Internet for a small purchase at [redacted--internet site] presumably to see if it works, and then proceeded to use the card to pay for a background check on me at two data brokers.”
From the article, it appears that through some sort of spying, skiptracing, or other subversive technique, the OP was able to get the address of the dude who tried to steal his money and then attempt ID theft.
Question: When do we get to hear the story about him going to the person’s house and shoving his foot up their ass?
I’ve always wanted to catch someone trying to steal large amounts of items or money from me just so I could fuck them up beyond repair. Or, maybe make their lives really miserable by fucking with them relentlessly, and THEN kicking the crap out of them. I have dreams, hours long (well, in dream land), of me destroying the lives faces, and bodies of the people who broke into my car and stole all of my cds and stereo equipment. I really envy the OP for the chance that he has. Hopefully, we get to hear a follow-up!
That is scary. Personally, when I get a new credit card it comes through registered mail and I have to sign for it at the post office after showing ID. Is that just a Canadian thing? Either way, I’m thankful.
@RhymePhile:
The DMA is a very legitimate organization. They were the only non-antispam/ISP group at the FTC Spam Hearings years ago that supported extremely strict legislation against spam, since they recognize that bombarding people with crap they don’t want simply reduces the number of responses over time.
Yes, they’re somewhat responsible for the deluge of junk mail you get every week – but they also have respectable guidelines which they encourage all of their members to follow, including opt-in practices.
I had a similar experience with Chase switching me from Visa to Mastercard about 7 years ago. But they didn’t call me, I found out as I signed in at their website when it instructed me to call them immediately. I called and learned that the Mastercard which I knew was coming (they had sent a letter a month earlier to inform me) was pre-pwned and someone tried to buy $500 of stuff at Neiman Marcus. Chase had denied the transaction and shut down my account. They sent me a second Mastercard. Eventually both cards arrived in the mail, and neither envelope showed signs of tampering, so it’s a complete mystery how someone got the card number.
As the nice person on the phone reviewed the past two weeks of purchases with me, it was disconcerting how Chase couldn’t distinguish between purchases I made on my existing Visa card in the days leading up to the incident and the purchases the thief tried to make on the not-yet activated new Mastercard.
Side effect: Ever since then, a few times a year I get Neiman Marcus catalogs in the mail.
Let me clear up one thing about the postal service. You have a “Regular” letter carrier who does indeed work 5 days a week. They are on a rotating schedule with their days off advancing by one day each week. So if they are off on Monday this week they will be off on Tuesday next week and so on. They get one 3 day weekend every 5 weeks when the Friday (last day of old week) and Saturday (first day of new week) run together. On the Regular’s day off, they have a regular carrier called a T-6 on your route. It is the same guy every week. This is his route. He has 5 routes that he is responsible for and carries each of them during the week. as a result of needing to know and memorize all 5 of the routes, he is paid an extra paygrade over a Regular carrier. His day off rotates as well. Your house will be delivered by your Regular or this T-6 carrier every day, and the only time there will be a stanger carrying your mail will be during the vacations or sick days of your Regular.
Having said all of this, there is always the possibility of mail being misdelivered. I will make no excuses for any carrier because mistakes are made period. Mail is sorted to some extent by a computer these days. That barcoding at the bottom of your mail shows your zip code, route, and address. When the computer misplaces a letter it is bundled in the wrong address. Ultimately it is the job of your carrier to double check before putting the mail in the box and catching these misplaced letters, but since they are humans they do make mistakes. It happens to everyone. Because it happens once, there is no reason to then assume that because you had a misdelivery to your house that the rest of the houses on your route also got misdelivered mail. People need to realize that the guy who is delivering the mail is a human and is not infallible. He’s working in the snow while you are home because your company shut down. He’s delivering from a boat when a hurricane drowns your city. He’s delivering after an earthquake has devastated your town. Remember those times as well as that one misdelivery if you can. Humans do screw up. Too bad it happened that your mail went to a thief. The thief is to blame in this case. Sure the mail allegedly went to the wrong house but it is possible that the thief stole it from your mailbox too. Any way, the sticker is BS and that is the story.
@Syrenia: Was your husband authorized to discuss the account? If not, as per privacy laws, they’re not allowed to take what he says into account. Most people don’t keep track of what cards their SO is on, so that might be why you were further detained.
@johnva: If they’re asking for “personal information,” you need to find a better bank. If they’re asking you to confirm yes/no to purchases that you’ve made, you’re not in danger. The safest, failproof, least arrogant move is to call the customer service line on your card/statements. (I know you probably know this, but I can’t reiterate it enough!)
Reading your later comment, yes, the suggestion to leave an automated message to call the Frd. Dept is a better method, but would the response rate be as high? (We don’t use the automated menus like Chase does, so I can’t speak for those, but having a live person on both ends of the line really expedites the process!) Many people find fraud verification calls irritating and choose not to respond (or don’t receive the messages, are too rushed, etc.)
@sohmc: See above. Back of the card, ask to speak with the fraud department. A typical fraud rep can’t answer those piercing questions!
@humphrmi: Intriguing. I’ll have to read up on that. I’ve used SecureCode fobs for other purposes, but not customer service.
@SuperJdynamite: You’re subject to extra verification. Some of the home phone systems are set up to activate entirely through the NIVR (not the best method, considering ANIspoof devices costing under $30 can copy and display anyone’s number these days.)
@NotATool: Basically. Depends on the bank, but you’re not far off. Try using it for large or suspicious purchases and let us know how that goes.
@forever_knight: Agreed! Face it folks, identity theft is a part of modern life, and you can never fully protect yourself from it. Diligence is admirable, but it’s never foolproof.
@ceilingFANBOY: now with 100% more fanboy: The rushed cards are always pre-activated, because they are delivered (ostensibly) to you personally, or someone authorized to sign on your behalf.
And I haven’t even talked about the article yet!
@johnva: caller id can be spoofed very easily…
Okay.
1) Stealing someone’s card from the mail is not ID theft, it’s mail fraud. ID theft/account takeovers typically involve data that can be used to impersonate the victim and obtain new credit. Account takeover can rely on stolen mail, but not just the one card… it’s when someone who possesses this data (DOB, SSN, mother’s maiden name, knowledge of existing credit/previous addresses/contact info) alters your account without your permission to add on other users, change your address, etc.
Mail fraud doesn’t have to rely on any of the above, all they need is an intercepted card. Not ID theft. If I stole your Amazon.com package, same deal.
2) The Chase rep sounds like a tool.
3) But hearing “Aha! This is a phishing scam!” ad nauseam would make anyone flinch.
4) The letter doesn’t need to be “notarized” … in other words, “certified by a licensed public officer who serves as an impartial witness to the signing of documents” (thanks Google). You need to sign it. Big difference.
5) I’m sorry to rag all over your unpleasant and unsettling experience, but it’s quite irritating to hear people who don’t know what they’re talking about bandy about terms like they’re experts. This has bothered me for some time at Consumerist, but, hell, not like I’m an expert in much either! Editors… work with me here!
I live at 726 Winfred S. There exists (and not far away either) a 726 Winfred N. Things I’ve expected to show up here show up there, and things that should be showing up there show up here. USPS, UPS, FedEx, DHL. You name it.
Wow I got mad just READING this.
I think it’s probably safe to give out the last 4 digits of your account number unless you have a real reason to think the person on the other end of the phone is a fake. Don’t give out all of the digits, however, whatever you do.
I usually hate commenting on these because most of the comments that are irrelevant exist anyway and push down good material. But, a friend of mine in New York complained constantly of this, he lived at * ** Way, and another person around the corner at * ** Drive would get his mail, and vice versa. Including his netflix, which they would watch and return a few days or a week later.
They complained to the postmaster several times, nothing happened. Deliver all important mail registered, dammit. How hard is that? To say “you gotta sign for this letter”. Sure, it costs more, but is your credit score worth less than $1.20?
Though the company is entirely the subject of this post, I would like to use this opportunity to reiterate my pure, unadulterated hatred of Paypal.
Paypal, for helping thieves steal from me and not doing anything about it (except for reporting me to a credit agency), I hate you so much.
More on this later.
@Mrs. Basil E. Frankweiler:
Even though I suggested it, I’m flip-flopping. As @satoru said, giving your PIN to CS would be the worst idea ever, because it doesn’t change, only the token does. I hadn’t thought it through, now that I have, it sucks. Sorry. But there’s got to be some better way to do this, some way that you can verify the identity of a company that calls you and claims that they want to fix a problem that you don’t know about yet.
BTW great nick. I read that novel as a kid and loved it.