Did you know that an inactive credit card can be breached, and have a charge applied to it? Neither did I, but it’s just recently happened. This is alarming for a couple reasons, but before speaking directly about Capital One, and their standards of maintaining credit card account security, I’d like to review a bit:
In the IT realm, whether we call it content, data, records, storage, personal info, or anything else, we’re speaking about information – anything that has the power to inform. And content, data, etc., has the power to inform the right people… and the wrong people.
Generally, we want to inform the right people by virtue of authorization paired with the need to know. We DON’T want to inform the wrong people – those who have no legitimate need, and who may have nefarious motives. We want a strong bar in place to prevent those sorts of folks from knowing any particular thing to which they are not authorized.
Whether IT or not, information security has always been of paramount importance: Access is everything. Even in centuries past, and on through today, information was and is protected and disseminated within standards, whether on stone tablet, parchment, tape, 8″ floppy discs, etc., and on through today’s e-mail, mobile media, social networking, the Cloud, and so forth.
So what happened at Capital One? Well, their standards are remiss, for one thing:
A customer received a statement with a bill for $6.99. The charge was processed from a company called Big Fish Games. There were a couple problems, though: This particular credit consumer did not make a purchase from Big Fish Games. Further, this person didn’t have a Capital One card, although he vaguely remembered that he might have had one once upon a time.
He called Capital One and found that:
1) He had had a credit card account, and card, in the past.
2) The account was paid in full.
3) The last payment, clearing the card’s balance, was made in April of 2009.
4) The card had been shredded; Capital One inactivated the card at that time. The consumer considered the card and account “gone,” “dead,” “buried,” etc.
However, as opposed to “dead,” this account was more like a zombie, rising to somehow process that fraudulent charge in July of this year. If you think about this from an IT perspective, it’s pretty incredible.
Consider what this means: Someone got hold of this person’s account information for an inactive credit card. They got a retail outlet to process a charge, and Capital One accepted that charge – even as the card remained in an Inactive status!
The customer care agents had no explanation, other than to assure the consumer that the charge was fraudulent, would be removed, and that the account would be (again) inactivated. (I’m not sure how you inactivate an inactive account. Maybe it can be placed on double-secret probation inactivation – with apologies to Animal House). They offered the issue of a new card. However, this consumer did not want a new card, and thus declined that. Can we blame him?
What is particularly bothersome is the failure of a simple flag… a bit in the right place… a “1” or a “0” would do the trick: Don’t process any incoming charges against this Inactive account.
I think Capital One has some work to do.
Why such a small charge? Well, fraudsters frequently try a small test charge against a breached account – if it goes through, a larger one follows. Or in some cases, particularly accounts that are paid with automatic online bill pay, a fraudster can run small monthly transactions for a good amount of time before they’re noticed by the cardholder.
Fortunately for this person, he does not engage in automatic online bill pay (a few liabilities there, but most folks appreciate the convenience, efficiency, and administrative benefits).
What lessons are here for us?
Remember: In the realm of risk, unmanaged possibilities become probabilities: View all business/IT activity through a security prism – and that includes personal business and, in this case, Capital One’s IT standing. For those of you who automate your bill payments online, be certain to check all accounts frequently.
NP: The Byrds – Untitled. Original vinyl LP.