Consumerist
The other day reader Dave wrote us because he'd noticed a bunch of strange debits from Sprint on his bank account. Since he uses Sprint, he thought it was a billing error, albeit a serious one, because Sprint had debited $1,717.49 in the past two weeks. Dave hadn't been able to find anyone at Sprint to help him reverse the charges and wrote to us for advice. Yikes!
We suggested he immediately call his bank and report the debts as fraud. We also gave him the Sprint executive customer service number.
It turns out that the charges were originating from someone who was swiping Dave's actual debit card and using his PIN. One problem: His account is only 2 months old and he has never, ever, ever used his debit card. So how did a scammer get it?
I've been a Sprint PCS customer since late 2005 and haven't made any changes to my account. Each month my bill is automatically paid through my bank.We replied, telling Dave that we thought he should call his bank immediately, and shared the number for Sprint's executive customer service team.2 weeks ago, however, Sprint started automatically withdrawing large sums of money from my bank account with no apparent reason.
12/27 - $300
12/27 - $300
12/31 - $300
12/31 - $300
01/10 - $300
01/10 - $217.49
$1,717.49 total taken out of my account in the last two weeks.I called Sprint and talked to 3 representatives, all of whom had no idea what is happening, and they could not commit to resolving it in a timely manner. All they could do is take a report and have the "back office team" take a look.
Have you ever heard of that happening before?
Thank you. I'm talking to Ann Howell at the number you gave me and she is being very professional and helpful. Hopefully she will able to get this resolved. I sure appreciate the number.The update contained bad news.I'll email you again with an update.
Dave
Bank of America is telling me that the charges were created by someone in Reston, VA who is actually swiping my debit card and using my PIN to conduct the transaction.We asked Dave if he was going to be reimbursed for the fraud:The thing is, though, that this debit card has NEVER been used. I only opened the bank account 2 months ago and have never used (or even intended to use) the debit card.
The debit card that automatically got sent to me when I opened the account has sat on my desk in my home, and has never been used. It hasn't even been touched by anyone except for me.
The only possibility here is that someone has breached the security at BofA, stolen the account number and PIN, and generated their own card using this information. There is no other explanation.
Unfortunately, the fraud department works for BofA so I can probably forget about the idea of getting a fair investigation into this.
Anyway, that's the update.
Dave
Dave is right, there obviously has been some sort of security breach. It's possible that Dave is the victim of pretexing. Pretexting is a name for a variety of techniques that scammers use to trick individuals or institutions into revealing valuable personal information that they can use to help them commit fraud. For example, a scammer may call your bank and pretend to be you, using information that they have about you, in order to get the bank to disclose your account numbers or issue them a debit card in your name.
They put the money back in my account, calling it a "Temporary" adjustment.So the implication is that if they decide that the fault is not with them, I guess they'll take the money back again. This is the problem: the company is investigating themselves and there's no third party oversight.
I'm very disappointed in Bank of America and I am quickly moving my funds to Wells Fargo and will be canceling my BOA account. I am also going to have to freeze my credit, as I have no idea how much information BOA leaked.
I am absolutely convinced that there is a security breach of some sort on their side. It's the only possibility.
Dave
Here are the steps to take when you think you've been the victim of pretexting:
1) Call your bank and report the fraud. Close your accounts and open new ones. You may want to switch to another bank.
2) Call one of the three major credit reporting agencies and tell them to flag your account with fraud alert notice.
Equifax: call: 1-800-525-6285 and write: P.O. Box 740241, Atlanta, GA 30374-0241
Experian: call: 1-888-EXPERIAN (1-888-397-3742) and write: P.O. Box 949, Allen, TX 75013-0949
Trans Union: call: 1-800-680-7289 and write: Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92634
You can also "freeze" your credit report. Click here for instructions.
3) Contact your local police and file a report. The report will be valuable for your records even if the police don't catch the scammer. Since Dave's case may involve an inside job, we'd also suggest reporting it to the FBI.
4) Finally, you'll want to contact the FTC. File a complaint with the FTC by contacting the FTC's Identity Theft Hotline: 1-877-ID-THEFT (1-877-438-4338); TDD: 202-326-2502; by mail: Identity Theft Clearinghouse, Federal Trade Commission, 600 Pennsylvania Avenue, NW, Washington, DC 20580; or online: www.consumer.gov/idtheft.
Your state may also have resources that can assist you, such as an "ID Theft" passport. Call your state's attorney general's office and ask for more information.
Anyone else have advice for Dave? Have you been there? What did you do?
Pretexing [FTC]
FBI Field Offices [FBI]
HOW TO: Get Through Having Your Identity Stolen
ID Theft Help [FTC]
How To Freeze Your Credit Report
Comments
I pray to god the rest of the stories I've read her about BofA and fraud involving them don't make your story be a repeat.
I doubt this error came from BoA. But rest assured Dave, you will most likely get your money back permanently. I had a similar situation where I lost my card. I called up to report it lost and BoA cancelled the card and sent me a new one. A year later, $500 of charges were made to the card, and when I called their fraud dept they said the charges had been swiped - with the OLD card.
The reason you don't really have to worry is because your BoA check card is also protected by Visa's rules regarding theft liability.
2 years ago BoA allowed someone to supposedly come in off the street and open up a private and business checking account in my name with only a Costco picture ID. This highly implausible explanation was all I could ever get their fraud dept to admit to me, and I never found out the real details.
Of course i didnt find out about these new accounts until BoA called me, and wanted me to pay up on over 30k in overdrafts.
I dont have the time to go into how long this took me to get cleared up, but bottom line, I wouldnt trust BoA to take my trash out.
i love that the victim decided to email consumerist before talking to his bank....
the consumerist: we'll dish out common sense if we have to!
snicker
This happened with a company credit card at one of the companies I worked at. The bank (a local Ohio bank) called us with regards to POS transactions taking place in Mexico. We had the card in our possession--seems someone was able to make a copy of the card and use it. Very scary. They did refund us the charges and issue us a new card but REALLY??? These scammers are getting GOOD which is scary.
I'm not getting something here- if it was only BofA, what does the Sprint thing have to do with it? Sprint does have his bank details, minus his PIN number. The money was taken from an ATM I assume (I thought ATM's had limits to how much you could get out in one day from them). Why does the statement show Sprint as having took it? I'm just really confused...
@BubbaJudge: Banks let this kind of thing slide under their radar but ding customers for every action they take to pull in more cash. Wouldn't it make more sense to do more to deter large fraud like this and not lose the money in the first place rather than looking for new fees on customers to make up for it?
Has anyone had a nightmare story like this with a small bank or credit union? They seem to always come out of the big banks like BoA, Wachovia or Wells Fargo.
If someone actually obtained the card itself AND the letter with the PIN number somewhere between them being printed and the rightful owner pulling them out of the mail box those are all potential fraud points.
Are these printed in a secure facility owned by BoA with BoA employees. Or is this another thing farmed out to a third party? Do those letters ever sit somewhere other than the post office? Are BoA employees taped where they are processing them? Otherwise the only other possible sources would be postal employees or someone stealing it out of a mail box. Someone could take the envelope out of the mail box, steam it open copy the card, reseal and put back in the box. Sounds paranoid. But our rural route boxes right on the road sit with mail in them all day long while everyone is at work. There was something I read a few months ago about postal employees grabbing netflix movies out of the mail and taking them home to watch them. It wouldn't take much for a postal employee to borrow your card and pin letter for a day either.
Dave might be able to tell for sure what happened if he tries to use his card. I'm pretty sure it wouldn't work, if someone else had reported his card lost or stolen in order to get a new card and PIN.
This is scary, the same thing actually happened to me on 1/10/08. Bank of America alerted me that someone swiped a physical card to make purchases in states I've never been to with my BOFA check card. What scares me the most is that I live ten miles from Reston Virginia. I think something is amiss at Bank of America and they arent telling everyone the full story.
@bohemian: That's a good point...I don't know if mail is printed with the account number or if it just prints with xxxxx and then your last four digits.
I had a very similar thing happen to my BofA account two weeks ago. It still continued AFTER the card was cancelled.
I left BofA because of this.
It was the first time I ever felt my money was not safe in the hands of a bank.
Card numbers follow a known format. Anyone who knows the algorithm or has access to a number generator can generate valid credit card numbers. It is just a matter of finding one that corresponds to a valid bank or credit account (not that hard).
Additionally, magstripe programmers can be had or built from parts very cheaply and easily. Viola, instant credit card with someone else's account number without ever taking their card.
I'd be playing call a clearing house on this bit. Giving Visa a jingle will let them know that something funny is happening at BoA and they will give them hell over it. Their next to zero tolerance policy carries over to distributors.
Someone post some fraud complaint numbers to raise some of the major CC companies?
Actually Dave is shit out of luck.
It's one thing for the card to be present, but its another for the card to be present and the PIN used. Visa will NOT do a chargeback no matter what and the fraud department more than likely will not take a hit. You'll have to pull some very nice strings through BoA to get this one fixed buddy.
Sorry, but I also find it hard to believe.
@robdew2: It still continued AFTER the card was cancelled.
And THAT is why I will never open any kind of personal credit card with BoA (I am forced to use my work card from them).
The problem isn't just with BofA. I shuddered when Dave mentioned that he pulled his money out of BofA and put it in Wells Fargo. I had a wallet stolen and despite promptly reporting it to both the police and Wells Fargo, for months afterward Wells Fargo was honoring checks on the account and debit card purchases. Finally a Wells Fargo employee told me that since my wallet with it's drivers license was stolen, the thief had access to so many pieces of identification that even if I opened a new account, the thief could still access it by simply saying he lost the account number. I pulled everything out of Wells Fargo and put my money in the Patelco Credit Union, one of California's largest. Because many Credit Unions have agreements with others around the country, I can use other credit union offices as if they were my own bank, and their ATM's without a fee. Because I travel extensively for work, I've made use of this nationwide.
Just as good as using one of the major banks... and with credit union benefits.
@forever_knight: Ditto.
Dave's animosity towards BofA without knowing what happened seems premature. Perhaps he should wait until Bank of America's fraud department makes a statement before complaining about lack of third party oversight. They did credit his account and they're no evidence from his story that they're predisposed to screw him over and decide to reverse that.
And then if the outcome isn't satisfactory for Dave, it's time start rallying the torches and pitchforks.
@ManicPanic: I had a similar experience with one of my own cards a few years ago. I got a phone call from my CC company asking if I had recently tried to buy $800 worth of groceries at a Publix in Florida. Both me and the card in question were home in the Upper Midwest at the time, and I hadn't been to Florida since 1984.
Apparently what happened was the scammer attempted to use a counterfeit card, which just happened to have my account number. Luckily, the charges never went through and I was set up with a new account right away.
@youbastid: But not by federal law -- which is why I no longer have an actual debit card, just an ATM card, which can't be used to buy things in stores since it doesn't have the VISA logo.
@youbastid: It's not necessarily covered by Visa zero-liability rules if it's a PIN-based transaction.
I had my Bank of America details stolen as well - from an unused debit card. Definitely seems like a security breach... not sure if it's actually BoA's fault or craft scammers trying bulk numbers of cards or what though. Aside from this I've had nothing but a great experience with BoA.
@randotheking: I doubt he's the one who screwed up, and if they really aren't his charges he should well be able to recover the money, even if he has to fight hard for it. If he can prove he wasn't in the store where the charge went through, he should be OK.
Same thing happened to me while using Wells Fargo. Debit card in my pocket and someone was using a pin number.
@JD: This has concerned me greatly for years, both my personal and company credit card companies include the full account number on all communications. Same with banks. My former bank even printed the full account number and my name on ATM receipts! (I think that has been fixed since, but if your money is at Arvest, take a look). Bohemian's steamed envelope idea is completely plausible and has kept me up more than one night.
@bohemian: I had a similar situation with a small local bank years ago. By coincidence a college roommate and I banked at the same institution. Somehow, when he changed his address at the end of the year, my address was changed as well. He received my statement and account info, ordered some checks and had a grand old time.
A few months later, my dad called me because I was in the newspaper on the court docket for check deception. All of the banks' bounced check notices were going to "me" at the roomie's address. Back in those days, I didn't pay much attention to my finances, I just went by educated guessing that I was spending less than I was depositing - meaning I never even noticed I wasn't getting my statements.
Everything got sorted out eventually, roomie went to jail, I learned to balance my checkbook and call the bank if I don't see my statement when I think I should.
This thing happened to me a few years ago with a different bank. I was in LA and checked my balance online. There were 8 withdrawals from an ATM at a truck stop in New Jersey. The card never left my possession and the bank said the money was taken using the ATM card. When I pressed for details how it could happen that my card in LA could be used to take money out of a truck stop ATM in New Jersey, I got absolutely no details. They did put the money back in my account but they didn't seem too interested in figuring out how it happened.
Years ago someone used my debit card to buy gas in Germany. For some reason, Visa didn't bother flagging it as suspicious even though the same day I had transactions on another continent.
Luckily, they fixed things and refunded me immediately.
@randotheking:
But did they use HIS PIN, or did they get a new PIN issued?
Simple enough to find out.
Here's my guess about how some of this may be happening: compromised POS terminals. Some of these terminals can run custom software, and they obviously "see" the PIN in the clear before it's encrypted to be sent to the banks. If someone were to install some kind of malicious software on one (either remotely or as an inside job at some merchant) they could steal a lot of PIN's and card numbers. However, this does not explain a situation where the card was never used. That would seem to suggest a larger security breach of some kind.
@johnva: Or mail theft, possibly. I'm always a bit paranoid about sending stuff through the mail like credit cards, but when my MC expires in March I will have to have a new one sent to me before that -- by mail.
At least with check cards, if this ever happens to me I can say "Hey, I cancelled my check card and went ATM-only when I dropped my card and cancelled it right away, this is therefore fraud no matter how many times you swear it has a PIN attached, check your records. If you don't cancel the debits I'll be leaving, and suing you".
@Jim: You want to know how easy ID theft would be if you had enough information? I do most of our day to day financial tasks because my SO is just too freaking busy to. I need access to statements for two of his loans so I can look at transaction data. I can only get limited information on one of them over the phone because I'm not officially on his loan. But there is absolutely nothing stopping me from setting up an online account for that loan & bank account. He knows I am going to so I have his permission to do that so I can monitor the loan payments etc. But anyone with the account information and a valid email address could fake their way in. Shudder.
Sorry but when you make purchases on your visa/mastercard atm card you dont need your Pin number unless you are swiping it at a machine, if Sprint charged his card you dont punch in your pin over the phone.
You can use it and have the $ taken right from your account but it doesnt require a pin number.
Also you have multiple withdrawls one on 12-27, another on 12-31, and another on 1-10 why didnt you call the bank and cancel your cards and/or account? Were you on vacation and not aware? I check my accounts everyday I watch for all my transactions to clear its how I balance my bank account so I notice anything out of the ordinary. If I see something I call my bank right away.
Pay attention and monitor your life or you will get taken in big time. Its easier to clear up fraud and identity abuse if you catch it right away, harder if you let it go for months.
Opps that reminds me I need to get a print out of my credit report heh heh
All the scammer needs is the account number, especially for a new account. I can see it now:
Hi, I just opened a new account and I haven't gotten my debit card.
Sir, we sent it out on XX/XX/XXXX
Oh that explains it, I forgot to give you my change of address, I recently moved and used the old address.
Oh ok, can you give me your new address?
New card, new pin, and the old one in the desk drawer is probably deactivated.
Most of these posts are filled with uninformed and unfounded paranoid rantings. In general, depositors' accounds held in federally chartered banks are mostly protected from liability from unauthorized electronic transfers under Regulation E. See 12 CFR ยง205 (2007). As long as a customer tells their bank that either 1. their card was stolen/lost within two days or 2. unauthorized charges appeared on their account statement within 60 days liability is limited.
Strange, this same thing just happened to a friend of mine with Sprint - minus the debit card issue. She had them billing her on automatic deduction and they deducted the same amount from her bank account several times, causing her to bounce checks.
Also, this is why I do not allow banks to issue me a debit card. I don't believe in having a card where money can be taken from my account directly. As much as the bank says you're protected, it's at their discretion to reimburse you or not. I feel so much more secure having a credit card that I pay off every month. i don't see what is so hard about that for people, and debit cards are dodgier than you realize.
@TechnoDestructo: Companies dont send the PIN and Card out together. Since he has admitted to already having his card, but the card is magswiped, there is no way it's fraud.
@shor0814: It's not that easy. You have to be calling from the home phone number listed on the account, if you aren't then additional security questions are asked. If you fail, no deal, if you pass, information changed.
I had a friend whose account number somehow got linked to another person's ATM card so when the other person withdrew, it came from my friend's account. The other person notified their bank when they noticed deposits weren't showing up (but of course not when debits weren't showing) and my friend had already flagged her account and after a few weeks they figured out the issue.
He's being told the person used his PIN. Most likely, the purchases are credit card type purchases on a dummy card with his number debit card number on it.
What's surprising is if you look at the dates, there's a good 2 weeks on time between all those purchases. Why didn't BofA contact him first letting him know there might be suspicious activity on the card? I've had my credit card company call me when I made several 1 dollar transactions on ebay. BofA should've stepped up to the plate on this.
Interesting, this just happened to me as well. Except with another bank (People's) and there was a Sprint Charge (Reston, VA which I think is where their bills go), Direct TV and Cablevision. All services that I don't use. They are currently investigating but I did get a provisional credit. I find it totally baffling how this can happen while I have my card in my possession.
I hope to hear more comments on this, especially since I'm experiencing it now.
Pretexting? Didn't that used to be called 'social engineering'?