Monday, 17 February 2014

An attempt at fraud, part 2

The same thing again. Someone filled in an online form for a credit card. The first I knew of it was when an unrequested card arrived.

I called the card company, and we were soon able to determine that the fraudster had given my correct name, address and phone number (all of which is public information), but they invented an email address, and made a wrong guess about how long we've lived at this address.

So we've cancelled that card.

Also, the card from the previous fraud attempt arrived, but that's already cancelled.

I checked my credit rating at Experian. Apparently, the only flaw in my credit score is that I've never closed an account. Otherwise, my score is "excellent". More importantly, I was able to see the result of the first fraudulent attempt - I now have a CIFAS entry that mentions the impersonation attempt. In future, I would hope that any company asked to issue a credit card to my name, will check CIFAS and see this. So I doubt if there will be any more for me to do here.

In order to progress the fraud, the fraudster would have had to grab the post before we could get it. To do that, he'd have to put his hand in our post box. But the post box is locked, so that's not going to work.

Overall, this has been a very minor issue. The banks would be bearing any loss anyway, so their reckless issuance of credit cards is at their own risk. I'm still a bit surprised, however, that they're willing to take such a risk. Aren't banks supposed to be risk-averse?

I also found some information about the PCI DSS scheme. That's the scheme that everyone processing card data has to comply with, and I can tell you, it's a right pain in the arse. I got involved a few years back, when I had to be compliant.

Verizon did a survey on compliance. I have no idea why Verizon (a telecoms company) would do that. But they found that only 11% of the companies they surveyed were compliant.

Apparently, 80% of companies are "mostly compliant", which is like saying that the bucket you carry water in has only a few holes.

I'm baffled. My understanding was that I wouldn't be allowed to accept credit cards unless I was PCI DSS compliant. Clearly, that isn't true.

11% compliance!

As an example, one of the twelve requirements is "have a firewall". 64% of companies are compliant. Which means that more than a third don't have a firewall protecting the systems that store credit card data. And yet the card industry allows this to continue.

If the credit card companies take credit card security so lightly that they allow 89% of companies not to meet their security standards, it's no surprise that they'll post out new credit cards at the drop of a hat.
