Wednesday, October 29, 2008

How Outsourced Call Centers Are Costing Millions In Identity Theft


By Ben Popken
A former Chase call center rep tells the story about this one thief who was able to rip off one customer for over $40,000, thanks to his constant outwitting out the internationally out-sourced security department. It wasn't that hard. Over and over again, he was able to commit credit card fraud just knowing the guy's name, social, and mother's maiden name.

The Americans would beg and plead with the Filipinos to not unblock the account, and over and over again they would. Says our insider, "if US security had been able to intervene from the get-go, he would never have been able to do so much financial damage. For the rest of his life, the true owner of that account will be dealing with the effects of this crime." It's not the outsourced place's fault, though. They're just following orders. It's whoever designed the laminated binder they were blindly following that should really be held accountable. Read the whole messed-up story below.

Our insider writes:

A guy calls up on the direct number, his voice is distinctive: deep, but nasal, like he has a cold. I ask for his name and account number. He tells me his name but says he doesn't have his card with him. Step two: I ask for his social security number. He "ums" and "uhs" for a second and I'm certain I hear a faint rustling of papers in the background. The number he gives me isn't linked to any account on file. As soon as I tell him this, he hangs up. It was odd, but I wrote it off. Calls came at a snails pace and it wasn't unusual to have 20 minutes in between them. So when a couple of minutes later I got another one, it was strange. Once again it was a call from the direct number. I ask for name and number and the voice is strikingly similar. The name he gives is different but again he has no number. I ask for the SSN and again I can hear papers rustling while he stalls. This time an account pops up. He fails verification of the mother's maiden name and immediately hangs up. By this point I'm laughing about it with my co-workers because he seems such an inept thief. As the nights go on, we start to get more calls from him. I say "we" because this was the only call center that the phone number goes to and there were only about 15 of us on staff at any given time. He had the same mannerisms for every interaction and it became such that as soon as any of us got one of these calls we immediately put him on hold (usually making up some innocent sounding excuse) and tried to put him through to security. The problem with the Philippine security department quickly became apparent.

The US security department had access to LexisNexis. If you're not familiar with it, it's basically a encyclopedia of everybody's life. Previous addresses, family member's names, jobs, schools, anything and everything that could be linked to your name and/or social security number. As an example of how incredibly (and frighteningly) thorough it is, when my now 30 year old brother was a tot, he liked to respond to junk mail with a fake name; this fake name came up as a former occupant of my parent's address when I got a chance once to do a search on myself (we had it in collections). Chase didn't trust the Philippine department to have it though. In fact, the only information they had the ability to verify was what was on the account: name, social security number, mother's maiden name, and recent purchases if they felt like being that diligent.

Here's the part of the story where some poor guy's account get's completely f-ed. This thief had been bounced to the out-sourced to security so often that he must have made a check list of any possible questions they would ask him. Through whatever means, he managed to get the answers to these questions. Now when he called, he could give us the information we were asking for, but by this point we knew his voice so well that we still tried to get him to security. It worked like this: We put him on hold and dial the extension for security. We get a security rep and start to explain the situation; we tell them he was able to give the right information, but that we know is the same guy that's been calling for weeks and we are certain he is not the account holder. They begrudgingly take the call. Minutes later another one of us gets a call from a security rep saying they are giving us a customer who has been cleared by them. And here the thief was back in our department. For those of us who had come to know him, the fight waged on night after night.

Chase is a revolving door. If you work there longer than a year, you're considered to have seniority. The few of us who knew this account was being raped could do nothing to protect it. Some newbie wouldn't know about the situation and would let the thief have his way with the account. The US security department became aware of the issue and put blocks on the account as well as incredibly long notes that explicitly said to not remove the block for any reason at any time. But sure enough, over and over, the guy would call in overnight, talk to the out-sourced security, and the block would be removed. Again, they were only able to verify with him with information that he was already known to have, yet that never seemed to deter them from clearing him.

Things got quiet for a while, and we thought maybe he'd finally been stopped from unblocking the account. Turns out that he'd actually been caught, but only after more than $40,000 in fraudulent charges on this one account. I cannot stress enough that if US security had been able to intervene from the get-go, he would never have been able to do so much financial damage. For the rest of his life, the true owner of that account will be dealing with the effects of this crime.

I wish I could this was the only time I saw the security department failing at securing an account. There was a consistent problem with the overt cultural difference. A man calls in and says he's the cardholder "Angela" and you find yourself trying to explain to security that Angela isn't a man's name and the odds of it really being his name are slim. And they just see it as cut and dry: He says he's Angela, so he must be.

To be fairer than Chase deserves, I'll note that I've been out of there for almost two years, so it's quite possible that it's all ponies and rainbows now. I'm gonna go ahead and assume though that it's run as poorly as ever.

Original here



No comments: