Security Pantomime

We see a lot of Security Theater these days – supposed security procedures that are there primarily to convince the public that they are more secure, but which actually do little beyond cause massive inconvenience. Sometimes, however, the whole thing gets so silly that the word “theater” would dignify it.

On Saturday night (UK time) Neil Gaiman tweeted to remind UK fans that The Graveyard Book was on sale for 99p at Amazon’s Kindle store. As my paper copy of the book is in California I figured I should pick up a copy. Much to my surprise, my credit card was declined; for a 99p transaction with a vendor that I buy from fairly often.

While I was logging into my Amazon account to try to sort things out I got a phone call purporting to be from my bank. As is depressingly common they insisted on asking me a bunch of personal questions of the type they warn you never to give out to strangers over the phone, while refusing to identify themselves in any way. I put the phone down, looked up the customer service number, and called them back (at considerable expense, of course, because their customer “service” line uses a premium rate phone number).

So yes, my credit card had been declined. No, there was no problem with it. I hadn’t missed a payment, nor had there been any suspicious transactions on it. The card had been declined because the bank uses a system that randomly declines card transactions as a spot check for fraud. It was all the fault of the computers. There was nothing that mere humans could do about it.

Anyway, with my card unblocked and book purchased, I waited for Monday, and this morning I went into my local branch to check that I had heard correctly. Apparently I did. And what’s more this is not just confined to credit cards, or online purchases. Apparently any of my cards can be declined at any time, entirely at random. This is for my safety and security.

I don’t suppose there’s a lot of point in getting annoyed with individual banks here. I’m sure that all UK banks do a similar sort of thing. I remember reading the small print on an RBS card agreement once and noticing that it said that if I told anyone any information about the card, including reporting a lost card to the police, that would make me liable for any fraudulent transactions on it. They do these things, in part because they can, and in part because we have become so obsessed with price comparison that banks, utilities and similar organizations are engaged in constant service-cutting programs so that they can offer “better value” than their competitors. It does occur to me, however, as we move faster towards a Phil Dick world in which our wealth and identity can be taken from us by a careless or unscrupulous computer system, that black economies based on barter and the like will grow so that people can continue economic behavior without being at the mercy of banks.

The icing on the cake came when I was just leaving. The lady in the bank that I had been speaking to asked me to make sure I forwarded any phishing scam emails that I received to the special address the bank has for such things, so that they would know to suspend my access to online banking. I’m not entirely sure she intended to say that, but it would not surprise me at all to find that the bank has a policy of assuming that anyone who receives a phishing scam will inevitably fall victim to it. You might want to remember this next time you feel public spirited about reporting suspicious spam. I know I will.

9 thoughts on “Security Pantomime”

  1. Oh, bother. I don’t suppose we could import the idea of American credit unions, which do everything a bank does excepting most of the evil and which are controlled by their depositors… or failing that compile a list of small banks that are less offensive…

    I do agree that third-party economies are going to start springing up, and frankly it’s something I would be interested in helping with…

    1. We used to have building societies. Then we had the “big bang” in the City and they all turned themselves into banks.

      But even if we had them today I don’t think it would solve this issue. The fraud prevention software that my bank uses is not an in-house product, it is a third party system that is probably used by most other banks, especially the small ones as they are least likely to be able to afford to build such a thing.

  2. Weird – I wonder how different UK and US banks are – I’ve reported phishing scams to a number of sources where I have accounts and never had a negative reaction. I can’t, of course, determine whether this is luck of the draw or different banking practices…

    1. AFAICT it’s different banking practices. Here they will only suspend your debit/credit card if you really have a compromised account, and more than that, at least at my credit union, if you actually go in you can *walk out* with a new one, no waiting for the post…

      And the security software here only denies when something is really suspicious, not randomly. And they’re able to put a specific travel alert on so they *don’t* block you if, say, a Yank from Seattle ends up in Sussex or Wiltshire… while my CU is large by CU standards, it’s *tiny* by bank standards, and they do in fact roll at least some of their own software…

      Question is, what’s behind it…. UK rules or some security weenie’s idea of fun?

      1. I’m always wary of anecdata, but my personal experience is that US banks are generally less officious than British ones. And I’m talking big banks here, not credit unions. But they all have their moments.

  3. Back when I worked in a credit card call centre, the fraud system was set up to flag any ‘suspicious’ activity on a card, like unusually large purchases or foreign money transactions. And, as Glenn says, you could call us up if you were going abroad or doing your Christmas shopping and we could make sure those transactions weren’t stopped (well, we’d pass you through to another department who would do). 99p at a retailer you use all the time wouldn’t have been flagged. But this was almost ten years ago and I guess someone figured that system didn’t inconvenience the customers enough… Maybe they’ve just decided the Internet is evil. It took me half-an-hour and three phone calls to add a new standing order recipient on my online account last month, even though I had to go through two security screens to log in.

  4. It’s probably the tiny sum of money used for a credit card that may have alerted the bank. My credit card details were stolen this autumn, and whoever stole it tried to test it by using it to buy several items costing a pound or less. This they do just to test, and once they’ve got some proof that it’ll work then they go onto spending the colossal sums. I was told that it was precisely this kind of minimal transaction that was flagged up by the computers and the stop is put on the account to prevent any further fraud. A bugger for you in this case, but it worked for me.

    1. It’s a good explanation, but I was told by the card fraud center that the block was the result of a random spot check, and my branch confirmed that such checks are made.

  5. Credit unions are great, but being small they can actually be worse when it comes to this sort of thing. For several years, mine simply blocked all mail-order/Internet Visa transactions from several countries (including the UK) because they had so few legitimate mail-order/Internet transactions from those countries and so many fraudulent ones. The moral is, when it comes to credit cards, always have more than one, from different issuers.
