My credit card data was stolen last month. I was lucky– the thief moved slowly and there were only two charges before the fraud computer kicked in. But it was still a hassle and an inconvenience, and at first, I had to push pretty hard to get the fraud staff on the job.
Of course, it’s the card that I use all the time: a Fidelity Rewards American Express. It’s only my fifth credit card in over three decades, and I’ve never used a debit card. I’ve had the American Express account for nearly four years. There are no fees and it offers a 2% rebate that’s painlessly credited back to my Fidelity investment account. Since our local Costco also sells gas and only takes Amex, I swipe that card for nearly every single purchase in our household. We live a low-key beach-bum lifestyle these days, and I use so little cash that I can go more than a month between ATM visits.
I’ve had one card stolen over the years, and one other data theft, but surprisingly this time I was the guy who caught the online fraud. (First time ever.) I was waiting for a refund from a company and I was checking my account website to see if the credit had cleared yet. To my surprise, I saw that my Amex card had a temporary authorization for $1.30 at a cosmetics store– in Florida.
No, it’s not what some of you are thinking. My spouse and I have been married for over 25 years, but we’ve kept our finances separate because we were overseas (and underway) for most of our Navy careers. You couldn’t be confident of balancing your accounts, let alone know what each other had spent. Back in the good ol’ 1980s, it took so long for your credit-card bill to be forwarded by APO snail mail (and for your paper check(!) to be mailed back to the U.S.) that you were lucky to make your payment before the due date. Back then I was also underwater for over 90 days at a time on submarine patrols, so my card was unreliable. The fraud computers would regularly suspend it whenever I returned from sea and tried to use it.
This means that my spouse and I have had separate personal finances ever since we married. Separate paychecks, separate checking accounts, separate ATM cards, and separate credit cards. We have separate credit histories. We don’t use each other’s cards, and we regularly track our spending in Quicken. We almost never have one of those “Oops– honey, I’ve been meaning to tell you…” conversations.
Two months ago at USAA’s blogger conference, we saw how frighteningly easy it is to duplicate a credit card. A very cheerful exec from their banking services division did it in about 90 seconds. (Of course he’s cheerful– he can give himself a credit card whenever he wants!)
He started with his USAA corporate credit card and a fistful of hotel “room key” cards. He showed us how to buy a card reader on eBay (a completely legal item for small businesses) which even comes in a smartphone model. He showed us where to buy the hardware to write the credit-card data onto a magnetic stripe. (Also completely legal– and cheap!) He swiped his corporate card on the reader, fiddled with his laptop for a second, and then started swiping hotel key cards through the writer.
After making a dozen copies of his corporate credit card, he was also ready to go online with the same card data to buy more stuff. Finally, he showed us how to wirelessly transfer the data (by smartphone) so that your credit card data can be swiped by a clerk as you’re making your purchase– and sent overseas before you even sign the charge receipt.
When I saw that $1.30 “temporary authorization” on the website summary of my card purchases, I knew immediately that it wasn’t mine. I knew that I still had my credit card, and I’d been using it with local businesses where I’d been shopping for years, but none of that mattered. I knew that a clone of my card was being tested (5000 miles away from me) so that someone could start their spending spree.
Either that or someone in a store five time zones away from me had made a data-entry mistake and accidentally typed the wrong card number (my number) into their cash register.
Guess which scenario the card services company thought it could be.
The credit card services company, FIA Card Services, is part of Bank of America. BofA has been a popular media punching bag for a few years, and maybe we’ve been too harsh on them. You can assess FIA Card Services however you want– as a galaxy-spanning enterprise with decades of eagle-eyed security experience at handling credit-card fraud, or as a disorganized Megacorp “Office Space” zombie lurching about cluelessly.
I discovered the fraud on the weekend between Christmas and New Year’s, so perhaps they were down to a skeleton staff. I phoned them on a Saturday evening in Hawaii, which made it very late at night for the Mainland call center. Whatever time zone they were in, I could tell that the A-Team was not on duty.
Even after I explained the problem, they started at the beginning of the script. First I got the “Credit Card 101” lecture:
“Sir, do you still have your card in your possession?” Hey, pal, that’s why I called.
“Have you tried to use it recently?” Yeah, see all those Costco charges? In my ZIP code?
“Have you bought anything online?” Yeah, but are any of those companies flagged for fraud?
“Well, sir, it could be someone else in your household using your card.” Um, no. It’s theft. Seriously.
Then I was upsold:
“Would you like to purchase our monitoring service that…” No, I’d like to report a crime.
Then they went for “computer glitch”:
“It’s only a temporary authorization, not an actual charge, and that might not be the final amount. It’ll clear up in a couple of days.”
I could see where this was going, so I asked him if he was recording the call. When he affirmed, I told him that I was formally notifying FIA Card Services of an unauthorized use of my credit card and that any fraud would be their problem. As you might expect, he was cool with that. Apparently, the call center script doesn’t have any tripwires for customers slinging words like “theft” or “crime” or “fraud”. I had no desire to get to know the supervisor on duty that night, either.
Our daughter was home from college, so we had plenty of activity in the house. I dropped this problem and we resumed surfing our usual routine. I even used that Amex card the following Wednesday with no problems.
But when we came home from surfing on Thursday morning, our answering machine was blinking like a holiday light show. I had calls from both a computer and from a human who was “urgently” trying to reach me. Good thing I hadn’t needed to use that Amex card in the surf break, either, because it was “suspended pending resolution of the matter”.
You would think that FIA’s fraud department would want to speak to me as soon as my return call connected. You would think that they’d leave a callback number ringing directly in the cubicle of the person working on the problem. You would think that they’d have an expedited service for customers returning their call– especially for calls about fraud.
You would be wrong.
At this point, I was beginning to wonder if FIA Card Services even has an “A-Team”.
When I called back, a cheerful computer audio track insisted on telling me about my card balance and my last dozen transactions. I had to wade through the usual “interactive” voice “response” menus to get to a live human. Then I had to be transferred to the fraud department, where I was again put on hold. I’ve revised my opinion of FIA’s abilities from “eagle-eyed security” to “zombie”.
While I was waiting, I logged on to my account. Yup, the card had been used to buy a ticket on Norwegian Air– and $381.25 to Sweden seems like a good price.
The fraud squad hadn’t even read my call center file. When they launched into their own Credit Card 101 lecture, I mentioned that I’d already called FIA Card Services on this problem. I was put back on hold while they reviewed their records, and they returned to inform me that they’d reverse the charges. They also said that they’d canceled the card and would issue me a new one in “five business days”.
In Hawaii, when someone on the Mainland tells you it’ll be there in five business days, what it really means is that it takes five business days to get to the West Coast. They don’t understand that from there it can take another week to get to Hawaii. I pointed out that I’d already been inconvenienced by FIA Card Services on my first phone call and again on this call, and they needed to reciprocate with some of the famously advertised Amex rapid response. FIA grudgingly admitted that they could FedEx the card to me on Saturday morning– in just 48 hours.
Sure enough, it arrived only 96 hours later. Good thing I asked for expedited service.
My USAA credit card covered the four-day gap… admittedly at a smaller rebate rate, but with no drama.
I activated the new Amex card with no problems, the charges have been reversed, and the old account data was transferred over. I didn’t have any automatic payments linked to that card, so I didn’t have to scramble to update anything. Life goes on.
A week later FIA piled insult on top of injury by requiring me to fill out not one but two fraud statements– in two separate envelopes on two separate days. The website had already been updated and my new card had charged up a storm. However, they still snail-mailed me paper forms to fill out, add my signature, and snail-mail back.
So how do I keep my card data from being stolen again?
Beats me. I still don’t know how it happened the first time, and if FIA knows then they haven’t told me. Was my credit-card data skimmed at the Thai restaurant in our local shopping center? Was it the genetic testing that I ordered from 23andMe.com? The books I ordered from Amazon.com? Was the card data stolen two months ago during my Mainland travel and eventually sold to someone who finally got around to using it?
I’m going to do some basic follow-up to protect against more credit fraud problems. I’ll request a free annual credit report from one of the three agencies every four months (as usual) to make sure that this incident doesn’t slop over onto my records. I’ll add a fraud alert to my credit file for the agencies to keep an eye on.
My new credit card number is on file with Amazon.com but I’m not going to store it on any other websites unless it’s absolutely necessary. If I do, I’m going to use a one-purchase number provided by FIA’s website. I’d love to get an e-mail alert from FIA Card Services every time my credit card is charged, but they don’t seem to offer that convenience.
If my credit card data is stolen from the new card, though, then I’m done with FIA Card Services. Of course, I have a fairly hefty credit limit built up with them, and I’m reluctant to mess with that. I’d like to keep a high credit rating for our insurance rates. I’m retired and I don’t plan to borrow more money, but if I decide to refinance a mortgage then I’d also like to do it on that high credit rating.
I won’t have to give up Amex if I give up FIA– I can just sign up for a Costco rebate Amex card and enjoy their customer service.
Are there any other steps I should be taking to recover from this fraud?
I’ve actually had fraudulent charges multiple times on multiple cards, but it’s always been resolved quickly and easily. Maybe it’s the wrong attitude to have, but my information is out there in so many ways and places that I try not to worry too much about preventing theft, and more about catching it immediately. I spend about 5 minutes every day logging into all of my financial accounts, scanning for any suspect activity. I have 2 cards with Chase, and they allow you to dispute a transaction on their website.
You may want to consider freezing your credit in case there’s an identity theft. Clark Howard has an excellent guide on how to do this without paying someone else an arm and a leg to do it: http://www.clarkhoward.com/news/clark-howard/personal-finance-credit/credit-freeze-and-thaw-guide/
I went through a similar PITA theft issue with USAA a couple of months back, and they were slicker than cat…wait…can’t say that in a public forum. Anyway, aside from the hassle of having to change my automatic payments, it was quick and easy – one phone call. They caught it way before I did, and I’m fairly diligent about checking periodically, as Anjali recomments.
Wow, what a mess. I’ve had our card number stolen several times, but it’s never been difficult to fix (our primary card is through USAA), and they never give me a run around when I call to say I spotted something. I keep regular check on our accounts, so have always been able to catch stuff quickly. I don’t use a debit card for anything but the occasional ATM use when I absolutely need cash, and I try to stick with ones inside a bank whenever possible. Thankfully, I’ve never had issues with that one.
Thank goodness I have not been a victim of fraudulent transactions – and I hope not! But I am aware of the credit card writer because it’s all over the news. We just have to be more vigilant with our credit card transactions.
I’ve had a few of these happen during the past 5 years. I finally filed a local police report (in case it was my favorite restaurant or someone I know who took my cc info). I also did all the Clark Howard stuff mentioned above, PLUS I started a new credit card that the family uses exclusively for bill payments- that way if my ‘wallet’ credit card is compromised I don’t have to call up the insurance, utility, cable, cell phone companies etc and give them new cc billing info. The separate cc for bill pay tactic has worked great so far.
Great idea. I never thought of having a cc just for my home expenses.
We have our cc stolen about every 18 months. I travel to see my family and that is when it seems to happen. USAA now requires me to put travel notice on my cards. They are excellent about catching anything that looks suspicious. They always handle the case courteously and quickly. Maybe USAA needs to become your primary card for everything except COSTCO? It really is the main reason we stay with USAA.
Kiplinger’s had a good article on how to prevent card skimming: http://www.kiplinger.com/article/credit/T048-C011-S001-how-to-guard-against-card-skimmers.html
Good advice, although I’d be hard-pressed to pay attention most of the time.
I’ve noticed that our Costco gas pump card readers now have red perforated security tape on them, so I guess it’s hard to add a skimmer without the employees eventually noticing that the tape has been messed with.
Thanks for the comments, everyone!
@Anjali, I’m OK with being a public figure and it was a big help to see the problem on FIA’s website, but I was not at all happy with the snail-mail and telephone bureaucracy. They still seem to need signatures on paper and formal notification before they can act.
@Jason, thanks for Clark Howard’s link; I hope that the fraud alert takes care of this. I’ll look at my free credit report in another four months and revisit the decision. I froze my Dad’s credit when he went into his care facility, and that process seems to work well. But my spouse and I are contemplating yet another mortgage refinance in a few months, so a credit freeze would get in the way of our short-term plans.
@Gubmints, I’ve started putting our utility bills on a dedicated separate card too.
@Janette and everyone who mentioned USAA, I’ve always had good credit-card service from them. The difference between Amex’s 2% rebate and USAA’s 1.5% rebate seems a lot less significant when you add back the hassle factor of dealing with FIA’s fraud process.