We weren’t particularly impressed with the accuracy of the thermometers we have at home, and with the prospects of Dylan catching childcare viruses more often than not we wanted to put our hands on reliable thermometering services. We’ve identified a nice Vicks underarm model, and because of its rarity we ended up ordering it through a pharmaceutical website based in Queensland, Home Pharmacy.
Normally, this would have been the end of the story. However, a couple of days ago, while doing a routine check on my credit card, I noticed that I have bought a laptop from Dell for $2000. I know that Haim would like me to buy a laptop, but I didn’t recall actually doing so. Then I noticed that my Amex is almost $6000 over its limit and that I owe Amex $12000 more than I recall. In short, someone was using my credit card to have themselves a spending extravaganza, and while I can only speculate as to how they got my credit card details I would say the timing of this with the purchase of the thermometer is too much of a coincidence; this is either a pharmaceutical inside job or someone managed to hack their website.
Luckily for me I have discovered the breach just one day after it took place. I immediately called Amex to report the problem and spoke with someone who was obviously in India. The line was so bad I could hardly hear them and the advice they gave me was rather lackluster (e.g., “we can’t cancel the card” and “don’t worry, any further transactions would be blocked because the card is over its limit”, which fails to explain how it got to being so far over its limit). What I did manage to understand, though, was that I need to talk to Amex’s fraud department, and they only operate from nine to five.
Guess what I did at nine AM sharp the next morning? While it seemed I was talking to India still, it also seemed as if this time around they knew what they were saying. My card was immediately cancelled, a new card will be issued to me soon, and I will not need to pay for the transactions that are not mine (well, at least until Amex fails to find a scapegoat). What I will need to do is, “Mr Reuveni, do you agree to sign a statutory declaration identifying the transactions that are not yours?” - No, I would like to pay the $12,000 out of my own pocket. And, “Mr Reuveni, do you agree to us calling on the police if we deem necessary?” – Well, isn’t that what I or Amex should be doing here and now? The only difference between credit card identity theft and your regular car theft is that there’s no car chase involved this time around, but the rest is exactly the same.
During the call I also learned that my card was used for airline tickets in Thailand, car rental in the USA, a PDA in Australia, putting money into some credit fund account in the USA, a Macbook, and some iTunes music to name just a few things (why would a criminal bother buying music in the first place?).
Now, if I was running Amex, I imagine I would be able to track down the culprits pretty quickly: If someone downloaded music in iTunes you can tell what their IP address is, and if someone bought a laptop from Dell you can tell what their address is (Dell doesn’t operate shopfronts, it’s all home delivered). But I’m not running Amex, and Amex didn’t even ask me if I have a clue as to the cause of the identity theft; all they asked me, several times in different guises, was whether I gave my card details to unauthorized persons.
Half an hour later things got really interesting. Jo got a call at home from Calculator King, where “my” PDA was bought. It turns out they were suspicious of the transaction and they wanted to verify it with the payer. I talked to their administrator, and it turned out that my correct address was provided with the order but my phone number was incorrect: it was similar, so it would look like it belongs to my area, but it was different, so they wouldn’t be able to contact me. Calculator King actually found me by doing incredible detective work and looking me up in the phone book.
Anyway, they faxed their order form to me. In my hands I now had the name and South Australian address of a potential co-conspirator (assuming this affair is not just the results of a sick teenager who wants to prove he/she can abuse someone else’s credit card and picked someone up at random from the phone book). I could also see that the transaction was made through an IP address originating in China. Within a matter of minutes, Amex had the same order form faxed to them by me.
If life was an American film, I would now be running to the nearest supermarket, buy one large flamethrower, and take the first flight to Adelaide in order to turn my nemesis into powder. However, being me and being that life is not an American film, I shall resort to blogging instead.
It does seem as if when the dust is settled I will not be affected by this entire charade, other than some minor damage to my heart. However, I do have plenty of criticism towards American Express. They were never inspirational in their service, always giving away the impression of a totally greed-based company, but with this incident they were so far truly bad.
How the hell was someone able to spend almost $6000 over my credit card limit, for a start? When I asked them that question I was told they “will need to have this investigated”. And then there are the transactions themselves, which would look dodgy to a six-year-old: Why would I buy flights in Thailand, rent a car in the USA, and buy a laptop in Australia at the same time? How come the administrator at Calculator King was able to sniff the bullshit but Amex wasn’t?
A company as big as Amex should be able to identify that something has gone wrong and block the card or contact me to verify the problem immediately. I recall when we flew around the world in 2005, I had to call Visa (the card we intended to use during the trip) and give them a detailed account of where we intend to be and when so that they will not block my card midway through the trip. American Express, on the other hand, does not seem to be bothered by such bureaucracy; they probably rely on covering fraud costs through the exaggerated rates they charge, which cause many (if not most) vendors in Australia not to accept them in the first place.
Well, given the quality of security Amex had offered us, I don’t see us remaining their clients much longer.
A second lesson I take out of this incident is not to trust small merchants to be able to securely handle sensitive online information. I trust Amazon and Flickr to have much better security than I have at home, but your average middle of nowhere merchant cannot be trusted the same way; from now on I will think thrice before buying from such a merchant that does not accept PayPal.
In conclusion, I can report that we have received the thermometer and that Dylan is currently running at 36.5 degrees. It was well worth the $12,000.