Friday, 18 January 2008

World's most expensive thermometer

We weren’t particularly impressed with the accuracy of the thermometers we have at home, and with the prospects of Dylan catching childcare viruses more often than not we wanted to put our hands on reliable thermometering services. We’ve identified a nice Vicks underarm model, and because of its rarity we ended up ordering it through a pharmaceutical website based in Queensland, Home Pharmacy.
Normally, this would have been the end of the story. However, a couple of days ago, while doing a routine check on my credit card, I noticed that I have bought a laptop from Dell for $2000. I know that Haim would like me to buy a laptop, but I didn’t recall actually doing so. Then I noticed that my Amex is almost $6000 over its limit and that I owe Amex $12000 more than I recall. In short, someone was using my credit card to have themselves a spending extravaganza, and while I can only speculate as to how they got my credit card details I would say the timing of this with the purchase of the thermometer is too much of a coincidence; this is either a pharmaceutical inside job or someone managed to hack their website.
Luckily for me I have discovered the breach just one day after it took place. I immediately called Amex to report the problem and spoke with someone who was obviously in India. The line was so bad I could hardly hear them and the advice they gave me was rather lackluster (e.g., “we can’t cancel the card” and “don’t worry, any further transactions would be blocked because the card is over its limit”, which fails to explain how it got to being so far over its limit). What I did manage to understand, though, was that I need to talk to Amex’ fraud department, and they only operate from nine to five.
Guess what I did at nine AM sharp the next morning? While it seemed I was talking to India still, it also seemed as if this time around they knew what they were saying. My card was immediately cancelled, a new card will be issued to me soon, and I will not need to pay for the transactions that are not mine (well, at least until Amex fails to find a scapegoat). What I will need to do is, “Mr Reuveni, do you agree to sign a statutory declaration identifying the transactions that are not yours?” - No, I would like to pay the $12,000 out of my own pocket. And, “Mr Reuveni, do you agree to us calling on the police if we deem necessary?” – Well, isn’t that what I or Amex should be doing here and now? The only difference between credit card identity theft and your regular car theft is that there’s no car chase involved this time around, but the rest is exactly the same.
During the call I also learned that my card was used for airline tickets in Thailand, car rental in the USA, a PDA in Australia, putting money into some credit fund account in the USA, a Macbook, and some iTunes music to name just a few things (why would a criminal bother buying music in the first place?).
Now, if I was running Amex, I imagine I would be able to track down the culprits pretty quickly: If someone downloaded music in iTunes you can tell what their IP address is, and if someone bought a laptop from Dell you can tell what their address is (Dell doesn’t operate shopfronts, it’s all home delivered). But I’m not running Amex, and Amex didn’t even ask me if I have a clue as to the cause of the identity theft; all they asked me, several times in different guises, was whether I gave my card details to unauthorized persons.
Half an hour later things got really interesting. Jo got a call at home from Calculator King, where “my” PDA was bought. It turns out they were suspicious of the transaction and they wanted to verify it with the payer. I talked to their administrator, and it turned out that my correct address was provided with the order but my phone number was incorrect: it was similar, so it would look like it belongs to my area, but it was different, so they wouldn’t be able to contact me. Calculator King actually found me by doing incredible detective work and looking me up in the phone book.
Anyway, they faxed their order form to me. In my hands I now had the name and South Australian address of a potential co-conspirator (assuming this affair is not just the results of a sick teenager who wants to prove he/she can abuse someone else’s credit card and picked someone up at random from the phone book). I could also see that the transaction was made through an IP address originating in China. Within a matter of minutes, Amex had the same order form faxed to them by me.
If life was an American film, I would now be running to the nearest supermarket, buy one large flamethrower, and take the first flight to Adelaide in order to turn my nemesis into powder. However, being me and being that life is not an American film, I shall resort to blogging instead.

It does seem as if when the dust is settled I will not be affected by this entire charade, other than some minor damage to my heart. However, I do have plenty of criticism towards American Express. They were never inspirational in their service, always giving away the impression of a totally greed based company, but with this incident they were so far truly bad.
How the hell was someone able to spend almost $6000 over my credit card limit, for a start? When I asked them that question I was told they “will need to have this investigated”. And then there are the transactions themselves, which would look dodgy to a six year old: Why would I buy flights in Thailand, rent a car in the USA, and buy a laptop in Australia at the same time? How come the administrator at Calculator King was able to sniff the bullshit but Amex wasn’t?
A company as big as Amex should be able to identify that something has gone wrong and block the card or contact me to verify the problem immediately. I recall when we flew around the world in 2005, I had to call Visa (the card we intended to use during the trip) and give them a detailed account of where we intend to be and when so that they will not block my card midway through the trip. American Express, on the other hand, does not seem to be bothered by such bureaucracy; they probably rely on covering fraud costs through the exaggerated rates they charge, which cause many (if not most) vendors in Australia not to accept them in the first place.
Well, given the quality of security Amex had offered us, I don’t see us remaining their clients much longer.
A second lesson I take out of this incident is not to trust small merchants to be able to securely handle sensitive online information. I trust Amazon and Flickr to have much better security than I have at home, but your average middle of nowhere merchant cannot be trusted the same way; from now on I will think thrice before buying from such a merchant that does not accept PayPal.

In conclusion, I can report that we have received the thermometer and that Dylan is currently running at 36.5 degrees. It was well worth the $12,000.


MC @ EC said...

Phew, what a drama, hope it works out OK. It would be interesting to know how financial institutions work out what is deemed suspicious activity because you would have thought with your case alarm bells would have been screeching. I'm not a big fan of CBA, but I have to say when I was attempting to buy some Get Smart DVDs from Time Life in the US via their web site (and that was a drama but another story) within five minutes of making the transaction a call was left at home for me to call their security department, I got a call at work to call them, which I did. They just wanted to check whether I really did want to put the transaction through as they had marked the site as one that was "risky" and they had put a block on my card. Now although I was impressed by the speed of being alerted, the episode left some questions in my mind such as why had this transaction been targeted in particular. Sure I don't regularly purchase stuff from overseas, but I have done so in the past without any calls from the bank. Was it because the site had previous complaints for people asking for refunds because they didn't get their merchandise (this seems highly plausible given my experience)? And lastly did they, which the operator seemed to lead me to believe, put a block on my whole credit card, because what if I was OS, and genuinely needed to make transactions, I wouldn't be able to make transactions until I had called them complaining that my CCard didn't work. It's a mystery...

Moshe Reuveni said...

Indeed, the bastards work in mysterious ways.
Sources on the inside tell me that the banks run dedicated software to detect suspicious transactions, and amongst the criteria are location and frequency. I don't know more than that, but I do think that given it is the banks' occupation they should have subject matter expertise on the matter. Unlike Amex, who seem to say "we don't care, we'll just hike our rates to compensate".
With regards to your last question on "what if I was overseas", the answer I know is that your card would be blocked, fair and square. Our Visa card's policy specifically says something like "if you don't want your card blocked while away, tell us where you're going to be". "And when".
Anyway, we've already applied for a different card. They promise "an answer within 60 seconds" and after 60 seconds we got a message saying that in two business days they'll send us a reference number through which we can track the status of our application.

pseudowife said...

I had a similar experience to mc with the CBA. I was melting my Mastercard one day, buying up supplies for renovations on our house. Whilst I was making the fifth transaction of the morning, the CBA rang me on my mobile because there had been "unusual activity" on my card. It was being used in Australia, in my home state and none of the amounts were huge (the biggest was a few hundred). I had spent just over $K when they rang. I thought it was a pretty good service.
Pity Amex doesn't seem to care.