Friday, February 20, 2015

Fraud Alerts

Recently Bank Info Security raised the question of whether fraud alerts can be used to garner customer loyalty.  I suggest that this is the wrong question.

In a world in which merchant, bank, and insurance systems are routinely breached by nation states and rogue hackers, and in which hundreds of millions of credit card numbers, PINs, Social Security numbers, e-mail addresses, and dates of birth are freely traded for pennies in both white and black markets, it is hardly a question of "fraud alerts and customer loyalty."

I prefer to do business via proxies like PayPal, Amazon, and Apple Pay, which hide my credit card and bank credentials from the merchant.  However, I use my American Express card exclusively because every transaction on my AmEx account is communicated to me in real time via the American Express app on my iPhone. Both AmEx and I understand that this is essential to our mutual security. It is not a mere convenience or a customer loyalty gimmick.

Kenneth Chenault, CEO of AmEx, speaking at the President's cyber security summit, urged that the regulation forbidding the use of SMS for this purpose be relaxed.  That regulation, intended to discourage nuisance messages, is in fact obstructing a necessary use.

Anthem, the victim of one of the largest breaches on record, has offered to pay for fraud protection services for some of its customers, on an opt-in basis. eBay, the victim of another of the largest breaches, has not even done that. I think we need a law that requires all banks and credit bureaus to provide automatic notice of all activity on their subjects' accounts, on an opt-out basis.  While I am willing to pay for such a service, it really ought to be a cost borne by those who trade in data about me.

Rogue hackers, data brokers, and the intelligence agencies have all but destroyed the trust on which our commerce is based. Reliance upon periodic statements and late detection of fraud is no longer adequate. "Fraud alerts" are not a marketing feature.  In order to restore some order to our markets, "activity notices" need to become standard.


  1. Bravo! I agree. I also agree with your comment in SANS NewsBites Vol. 17 Num. 016, where you said:
    " wonders why the credit bureaus should be allowed to charge us so much to tell us when they sell data about us. One cannot opt out of the credit bureau databases and changing health insurance carriers is not as simple as not doing business with eBay" -regarding Anthem's Database Breach.

    Until there's a law that holds credit bureaus directly responsible for failure to do their job (which I feel includes due diligence to authenticate entities attempting to open lines of credit using my name+SSN), I fear nothing will change for the better. Along this line of thinking.... why isn't a "Credit Freeze" the default? ...then whenever a consumer specifically wanted a new line of credit, they could [authenticate] and un-freeze for a sufficient window of time. There- problem solved ;-D

  2. A serious risk with Fraud Protection companies is that they do not have the same regulations as banking companies. This allows the monitoring of a high-potential mark without the same "hassles" as obtaining their bank account information.