Paul Woolverton reports:
Retired Army Maj. Veronica Carter is furious with the USAA.
She says the financial services company failed to warn her when an identity thief or thieves called three times over the past month to try to persuade a customer service representative to withdraw money from her account.
On Oct. 6, someone made the third call, then a fourth one later that day, Carter said.
The thief on the fourth call knew Carter’s social security number and the make and model of her car, she said.
That was enough information to talk a customer service representative into writing a check from Carter’s account for $2,900 and sending it via FedEx to a woman in Anne Arundel County, Maryland.
Read more on FayObserver.com.
I suspect most consumers might agree with Carter. What do you think of USAA’s explanation as to why they don’t call consumers to alert them or question them – that it would be “ineffective” and lead to consumers ignoring alerts? Is their anti-fraud executive’s alternative advice satisfactory:
He would like all of his customers to use a tougher security protocol.
For example, USAA has systems in which customers use verification codes – generated on the fly on their cell phones or sent via text message to their phones or by email – to help confirm that the company is not talking to an identity thief.
The company’s cell phone apps can use voice recognition, facial recognition and fingerprint recognition to confirm the customer’s identity, Swenson said.
Okay, but how many senior citizens may not have cell phones or email? Should consumers have an option to instruct USAA, “Notify me by phone of any failed attempt to access my account?”
Social Engineering at its finest.
There are a couple of things wrong with this picture. One is that all people who were in the military and who have obtained a security clearance should not use the standard answers for any type of challenge and answer schemes. Make up a theme for the answers. There is no reason to think it's a test you have to pass when giving answers. The only exception to this rule is your credit report questionnaires.
Speaking of credit, one should be monitoring the credit reports and have alerts sent to them should something go amuck. At least then you can call the company in question and interject that the actions they have taken are a result of identity theft and that you will seek damages accordingly. Most companies would rather write off any loss than have bad press and be paying a fistful of cash for a handful of lawyers.
For bank accounts, or any type of account for that matter, call the bank and have them make a note in your file that limits the withdrawal of cash to any third world country or other financial institution. Have them call you on any withdrawal that is over XX amount of dollars. Put a cap on how much funds can be withdrawn from your account on a daily basis, or over a weekend.
There are literally hundreds of ways to protect yourself from fraud. Sure, in the end the person has to jump through a few security hoops, but guess what – that's the way security is meant to be. Expecting security with lax measures will get you absolutely nowhere except broke and ticked off.
Every business has its social engineering hits. But if there are multiple requests for cash from different phone numbers (USAA should have caller ID on all lines – it's best practice) something is terribly wrong. If there aren’t any notes in the customer's account about trying to withdraw a larger than normal amount of money within a few days, the USAA process is broken. These issues should be flagged for review, and the customer should be notified about the potential identity theft activity so they can take appropriate action on their account as well as any others they may have. One can assume that the crooks have a copy of their credit report and are looking for larger sums of withholdings to tap. Those that were affected by the OPM or any other breach should take matters into their own hands to protect their valuable assets because these businesses aren’t perfect. Placing warnings on accounts will make the companies even more liable should someone successfully steal anything from the account(s).
Become Proactive, vice knee jerk reactive.