When you get a new or replacement credit card in the mail, you have to call the number on the back to activate it, or else you can’t use it, right? Wrong. Despite the sticker on the back that says, “For security purposes, this card is not active,” credit card companies are mailing out cards that can be used without phone activation. This is a problem if the letter containing your credit card is intercepted by an identity thief, like what happened to reader PC Guy. The kicker? He didn’t even request the card, it was a forcible reissue when his store-branded card switched from Visa to Mastercard. His story, inside.
One afternoon, I received a call on my cell phone with “unavailable” appearing on the Caller-id. Ordinarily, I might have just ignored it, but I answered the call and an electronic voice informed me that it was Chase Fraud Services calling about unusual activity on my account–the call continued as follows:
Chase: Hello, this is Chase Fraud Services with an urgent call regarding your Chase Credit Card. We have determined there may be fraudulent activity on your account. Please take a moment to confirm recent purchases. Please press one to continue:
Chase: Did you make a purchase on (yesterday’s date–they waited one day to call me) in the amount of $14.95 at [redacted--internet site]?
Press one for yes or two for no.
Chase: Let me confirm, you did not make a purchase yesterday in the amount of $14.95 at [redacted--internet site]?
Chase: Did you make a purchase on (yesterday’s date) in the amount of $39.95 at (an Internet Data broker–for what I later found out was a background report on me)
Chase: Press one for yes and two for no.
Chase: Please hold for a representative.
[Five minute hold time in order to speak to a fraud representative.]
Chase: Sir, before we proceed with this call, I need to verify your identity. What are the last 4 digits…?
Me: Excuse me, but I refuse to provide you with any personal information. I did not initiate this call and I have no proof you are who you say you are. And for all I know, this could be a” phishing” scam.
[What in the world is Chase thinking by calling customers asking them to identify themselves? It's no wonder people fall prey to phishing scams.]
Chase: Sir, this is not a phishing scam, this is Chase.
Me: Well, that’s reassuring.
Chase: Sir, do you have your Toys-R-us Master Card in your possession?
Me: Not on me, but it is at home.
Chase: So you are confirming that you received it?
Me: Wait a second, this is a phishing scam! I have a Toys-R-us VISA and not a MasterCard. Besides, my card doesn’t expire anytime soon, so why are you asking if I received it?
Chase: Sir, I am going to suspend this account, and place a fraud alert on your credit report. Please do not use your card; we will replace it with a new account number.
Me: Wait a second, what the hell are you talking about? I haven’t used my card in months. It doesn’t expire, and it’s a Visa, not a MasterCard! Please explain what’s going on here.
Chase: Sir, we sent you a new card about a month ago.
Me: Why did you do that when it doesn’t expire anytime soon?
Chase: We had a branding change. The store signed on with MasterCard and as a result, we sent you a new card with a new account number.
Me: And is there a reason why you guys didn’t bother to notify me to expect a new card in the mail?
Chase: Sir, we have millions of customers, we couldn’t possibly notify every customer each time we send out a new or renewal card.
Me: Why is that? I signed up for Chase alerts, electronic statements and electronic notifications–it doesn’t cost you anything to email a customer.
Chase: Sir, I don’t make the rules.
Me: This is just outrageous. I don’t want yet a third account number generated. Please do not send me a new card. Just close the account.
Chase: Sorry sir, I cannot do that.
Me: What do you mean you cannot do that?
Chase: Sir, when we suspend an account for fraudulent activity, the system automatically generates a new account number. So there is nothing I can do. You will receive a letter from Chase, please sign and have it notarized and return it or you will be held responsible for the unauthorized charges.
Me: Wait a second, something doesn’t make sense. How did anyone manage to use the new card
if it requires activation from my home phone number?
Chase: That is a good question. Hold on a moment.
Chase: Sir, it was not activated. And rest assured that all these charges were declined as a result.
Me: Excuse me, but if they were declined, then why are you sending me a letter to be notarized?
Chase: Sir, it’s a procedure we must follow under these circumstances.
Still thinking that this bizarre conversation was a phishing experiment, I logged on to Chase online and confirmed that my available credit was reduced to zero on this account. The call was legit, after all! What we have here is a perfect storm of coincidences that led to this incident and if you think ID theft cannot happen to you, think again. The credit card was not stolen. It was not intercepted in the mailing process. It turns out that a careless Postal Service letter carrier delivered it to the wrong address, directly into the hands of a professional ID thief.
Without missing a beat, that person managed to use the card on the Internet for a small purchase at [redacted--internet site] presumably to see if it works, and then proceeded to use the card to pay for a background check on me at two data brokers. The Chase fraud representative lied–Chase did not, in fact, decline these charges.
In an attempt to find out who used my card, I called each merchant and I was informed that they are unable to give me any information because they could ultimately be held liable if I went after that person. I later found out they live in my zip code and through other sources, their name and address. (all three merchants agreed to immediately reverse the charges–something I asked them not to do, because I wanted Chase to investigate this).
I learned that the magnetic strip on the back of the credit card remains deactivated until a phone call is made to activate it. However the account number itself, will work if it is used online. [ed. The magnetic strip is just a dumb magnet. The "activation" occurs within the electronic credit card systems, not within the card itself]
I consider myself a savvy consumer having put in place measures to prevent this from ever happening in the first place:
1) I signed up for a credit report monitoring service that emails me whenever there is new or unusual spending activity.
2) I routinely shred all documents containing personal information.
3) I opted out at the DMA website and subscribed to Catalog Choice to eliminate junk mail.
4) I signed up for electronic statements to prevent misdirected mail
5) I routinely monitor my FICO score.
6) I signed up for credit card alerts sent to my BlackBerry.
7) I pay all my bills using Internet banking instead of sending checks in the mail.
Following this incident, I had to take additional measures to protect myself by placing a credit freeze on my credit report at all three credit bureaus as I learned that the “fraud alert” Chase placed for me is not foolproof. Apparently, if someone applies for credit electronically, the computer does not recognize the alert. (one reason why “Life lock” is a bunch of BS) Additionally, I went to http://www.optoutprescreen.com to opt out of pre-approved offers for credit and insurance and filed a report with the postal inspector regarding this incident. I also just learned that at least one bank will allow you to pick up renewal cards at a branch, instead of having it mailed to your home.
[Consumerist editors - you may want to use the following for an additional article--although it is related to this incident, it bears a separate warning:]
Do you frequently get a letter in your mailbox addressed to a neighbor? Or, perhaps, addressed to someone living down the block? Did it ever occur to you that if you are receiving that letter addressed to someone else, perhaps they are receiving your mail?
You may not be aware that the postal service has a regular carrier working your route on a five day work week. As mail is delivered six days a week, that means one day each week (usually on a Tuesday) a substitute carrier delivers your mail and they rarely know the route. These subs are not the most accurate to begin with and the postal service rarely keeps them on a regular schedule. So you can be sure that once a week mail will be delivered to the wrong address.
That is generally not a problem when all your neighbors are honest people. But, find someone who just happens to be in foreclosure or is about to be evicted and you may find yourself in my situation.With shoddy mail service, the banks are effectively playing Russian roulette with your account and personal information when they bombard you with balance transfer checks and unsolicited cards at random.
PC Guy is not the only one. KNTV did an investigation on this and the new credit cards they ordered were able to not just be used online, they could swipe them at stores, too. When questioned, Washington Mutual said they allow for small purchases to be made on non-activated cards as a courtesy to their customers. You know what would be a real courtesy? Protecting me from identity theft.