Bankers' Incompetence
A True Story

Several reports have appeared recently describing how banks and other managers of money and credit have been misplacing private information and, in other ways, exposing customers to identity theft and fraud.  Though the following is not an account of fraud, it illustrates how stupid, incompetent, or careless the people who manage our credit can be.

Phase 1

I received a message on my answering machine from someone who said that he was from the fraud division of AARP VISA, a credit card I have from First USA Bank, which is now owned by Chase.  He wanted to check on some charges on the card and gave me an 800 number to call.  When I called that number, a recording asked me to punch in my credit card account number.  I did not comply but hung up.  Why?

As any banker or credit manager should know, only an utter fool would submit a credit card number when he doesn't know whose phone number he has called.  I had no way to be sure that the call on my answering machine had really come from AARP VISA; it could have come from a crook fishing for account numbers.  I was doubly suspicious because the number given to call did not match any phone numbers on my card or any of my records for that account.  Giving out credit card account numbers carelessly is precisely what we are told not to do by the banks themselves.  Surely, Chase/VISA, and especially their fraud division, knows that.

Indeed, I am especially wary of giving out this kind of information.  I have received via e-mail several requests purportedly from my two Internet service providers (AT&T and Comcast), requesting account information because "we are updating our databases" or some such.  The messages state that, if I do not comply, my account will be cancelled.  They represent a device known as "phishing," an attempt to collect private information and account numbers by fraudulent means.  Fortunately, I knew enough not to respond but forwarded the messages to AT&T and Comcast, who confirmed that they were fraudulent.

Phase 2

Anyway, convinced that the call from VISA was a fake, I decided to call the customer service number on my card.  When I did, the recording asked for my account number, which this time I gave because I knew where I was calling.  It then asked for the first three letters of my mother's maiden name – a standard security technique used by credit card companies.  When I did this (let's say it's APP), the recording told me that this was wrong and refused to take my call.

I knew that "APP" was right and was what I had entered when I signed up for the card.  I tried again, with the same results.  Since it was apparently impossible to reach VISA customer service by phone, I mailed a letter to them, explaining my dilemma.

Phase 3

A few days later, I received a letter from Chase/VISA.  It was not a reply to my letter (that one remains unanswered).  To my surprise, it informed me that the fraud department had indeed tried to call me.  Would I please call them back to verify some charges?  The letter had enough clues to make me believe that it was legitimate, but I had a problem.  If I called, I would again be asked to enter the first three letters of my mother's maiden name – and I knew I'd be stuck.

I decided to try anyway.  When I entered "APP" (the correct "code"), I was, of course, told that it didn't compute.  "Well, what the hell," I thought, and I tried three randomly selected letters.  No go.  I'm superstitious.  "Third time is lucky," I thought.  I tried another three randomly selected letters.  Bingo!  I was in and soon talking to a rep.

It turns out that the phone call that started the whole thing was legit and that Chase and VISA are stupid enough to expect people to enter account numbers when they call a mysterious 800 number.  It also turns out that "APP" was the right answer for my mother's maiden name, but the rep had no idea why it didn't work.  Finally, that I got through by punching random letters struck the rep as highly humorous, and she laughed out loud.  And get this:  I have since determined that, though I cannot get through to VISA by punching the right code, I can get through on the third try by punching any combination of three letters.

I determined that the charges they were questioning were legitimate, and I sent a second letter informing them of the glitches in their mother's-maiden-name "security" device.  Neither letter has been answered.

These are the folks whom we trust with our money and our credit.  Scary, isn't it?  With incompetence and stupidity such as this in the banks themselves, crooks may be the least of our worries.