Credit Reporting Bureau Hacked: What Next?

Two immediate actions will greatly help you — and six more things will happen over the next 6 to 12 months. Immediately, you’ll want to:

1. Take Equifax up on their offer of the free monitoring service.

2. Place a “freeze” on your credit report at each of the 3 bureaus (yes, some of them charge a fee, but it’s worth it). Also place a freeze with the business-to-business bureau called Innovis.

Note: If your kids already have a social security number, put a freeze on their credit reports, too. (They shouldn’t have anything in the report except their name, address, and social security number.)

What Next?

Over the next 6 to 12 months, banks, auto financing firms, and landlords will implement more and more bureaucratic requirements to prove your identity.

1. Whenever a bank, brokerage, or insurance company provides 2-factor authentication for web log in, use it. Same for voice biometrics at their call centers.

2. Whenever you get a notice from a bank for a credit card you did not apply for, follow up in 2 calls. First, call the toll-free number and stop the application. Second, get the number for the ID theft department and ask for a 7-year fraud alert on your credit report.

3. Don’t let your drivers license or state ID expire. Make sure you keep it up to date. An expired ID is no longer good enough.

4. Likewise keep your passport up-to-date. If you do not have one, get one. In the US, an expired passport is no longer considered valid ID. The law changed.

5. Make sure you have a copy of your birth certificate. Order one now from the Bureau of Vital Records in your county or state. You’ll need to send a photocopy of your ID.

6. Be prepared for more and more bank/financial documents to require a thumbprint and Medallion Guaranteed Signature (which credit unions cannot provide — only commercial banks).


We Only Sell to Smart People?

In my opinion, a lot of product and engineering managers in hi-tech are unwittingly hostile to potential customers. Their attitude, almost incredibly, can be misinterpreted to mean: “If prospects aren’t smart enough to understand our products, they do not deserve to buy them.” While no one ever said this in actual words, the constant conflict over how to market products and services indicates there is something under-the-surface.

One submerged aspect is revealed in the question: How do you shop for technology?

  • Engineers and product managers have the intellectual capacity to review detailed specifications and make rational assessments of which products/services perform best.
  • Executives, on the other hand, often focus on productivity and efficiency enhancements. They may not understand the technical details, but they respect and understand cost/benefit analyses — especially when costs can be reduced.
  • Mid-managers with operational responsibilities take the broadest view of all three by considering how technology will affect processes and staffing. It may seem illogical, but mid-managers will gladly choose a product that is technically inferior if the selling company is easy to work with, provides excellent training/support, and takes ownership of the employee change management process.

I’ve heard these three groups called “tribes” within a corporation: the Executive Tribe, the Operational Tribe, and the Technical Tribe. The starkly contrasting values of these three tribes can be seen in their answers to a basic question: “What are people?”

  • To members of the Executive tribe, people are expensive.
  • To the Operations tribe, people are how you get anything accomplished.
  • To the Technical tribe, people are the single largest source of error.

Moral of the story: The companies that can address the values and concerns of all three tribes will be far more successful selling to large enterprises and agencies.


Extreme Corporate Laziness?

I’m all for avoiding unnecessary work. I got an email from the bank that issues my airline credit card. They wanted me to provide updated housing and income information.

Naturally, I suspected this was a phishing scam. But, a careful review of the email headers and links showed they were truly from the bank in question.

So, it got me to thinking: What a bunch of lazy so-and-so’s.* On the surface that might seem like a mundane request. However, this particular bank also holds the mortgage on my house, receives my payroll check through ACH automatic deposit, and provides me with a free credit score every month. If anyone should know my housing and income situation, it’s the very bank asking for these data.

To compound the laziness, every year I get a pamphlet that reminds me I cannot opt-out of the bank sharing information with their subsidiaries and vendors who provide contracted services. For example, I cannot opt-out of the retail banking division sharing my payroll deposit status with the credit-card division. Likewise, I cannot opt-out of the mortgage services division sharing my mortgage status with the credit-card division.

Alas, it appears that banks simply do not leverage customer information to provide a unified and integrated user experience. Despite the trillions of dollars banks have invested in computer systems, we are still stuck in the 1980s when it comes to customer service. Call the wrong department and one is flatly told “I cannot help you.” Sometimes they won’t even transfer you, but make you hang-up and call a different number.

The dictionary definition of “lazy” is “unwilling to work or use energy.” Yes, that seems to fit in my opinion.

* My 7th grade homeroom teacher never lost his temper nor used an obscenity. “So-and-so’s” was his all-purpose phrase for those beneath contempt (lol). I used it in my blog post out of respect for this fine man.


Advice to Brides?

It is a truth universally accepted that a beautiful wedding requires substantial attention to details. Even so, things can go wrong. While I’m not wont to give unsolicited advice habitually, I have been to my fair share of weddings where things did not go according to plan.

For the sake of love, I offer three tips:

#1 – Big problem? Call the florist! Did the preacher get in a car accident the night before? Did the dog eat a large chunk of the wedding cake? Your florist has seen it all and will have a solution.

#2 – At the rehearsal, make sure to tell the boys in the groom’s party “don’t lock your knees.” Standing tall is good, but “locking your knees” can actually cut off circulation and cause a grown man to faint. The stunning beauty of the marble altar is the last place anyone would want to hit one’s head.

#3 – Despite the playfulness and good intentions, please refrain from smashing wedding cake into each other’s mouths. I will grant it might be funny in the moment, but those photos just won’t hold up as funny as the years unfold.


What does pushing the crosswalk button do?

Who hasn’t seen kids wildly pressing the crosswalk button a dozen or more times as they wait for the light to change? They hope that pressing the button repeatedly will speed up the process so they don’t have to wait so long.

It doesn’t work that way.

But, why not?

[Image: Crosswalk button]

It’s a good example of how the design and function of something doesn’t match the user’s wants. From a purely engineering viewpoint, pressing the button switches the next green-light sequence from standard to alternate. Standard is a short period of time suitable for cars to cross the intersection. Alternate is a longer period that a pedestrian would need. The first press latches the request; pushing the button again and again before that request has been served does nothing.
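The latching behaviour described above, modelled as an added example (this is not code from the original post, and the phase lengths, class and function names are assumptions for illustration):

```python
class SignalController:
    """Fixed-cycle traffic signal with a latched pedestrian call.

    Constructed example: the two green-phase lengths are assumed values,
    chosen only to make 'standard' shorter than 'alternate'.
    """

    STANDARD_GREEN = 20   # seconds: enough for vehicles to clear the intersection
    ALTERNATE_GREEN = 35  # seconds: long enough for a pedestrian to cross

    def __init__(self):
        self.ped_call = False      # the latch: one bit, set by the first press
        self.presses_ignored = 0   # how many extra presses changed nothing

    def press_button(self):
        """Return True if this press changed the controller state."""
        if self.ped_call:
            # Latch already set: the request is already queued, so the
            # press is accepted by the hardware but has no further effect.
            self.presses_ignored += 1
            return False
        self.ped_call = True
        return True

    def next_green(self):
        """Length of the next green phase; serving the call clears the latch."""
        if self.ped_call:
            self.ped_call = False
            return self.ALTERNATE_GREEN
        return self.STANDARD_GREEN


def simulate(presses):
    """Press the button `presses` times, then run two signal cycles.

    Returns (presses that took effect, presses ignored,
             length of the next green, length of the green after that).
    """
    controller = SignalController()
    effective = sum(controller.press_button() for _ in range(presses))
    first_green = controller.next_green()
    second_green = controller.next_green()
    return effective, controller.presses_ignored, first_green, second_green


if __name__ == "__main__":
    # A kid hammering the button a dozen times gets exactly one long green,
    # and the cycle after it is back to standard length.
    print(simulate(12))
```

Whatever the number of presses, the controller holds exactly one bit of pedestrian state, which is why the second and subsequent presses cannot shorten the wait.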

Back when traffic lights were controlled by cams and relays, having an alternate, longer green cycle was a huge breakthrough.

Isn’t it now archaic? In the digital age, there’s no reason why pushing the button repeatedly couldn’t be processed differently. More like a game, no?

Bank Stupidity?

This really happened:

Thank you for calling [bank-name] lending services, how may I help you?

Hello, someone is using my name, social security number, and date of birth to fraudulently apply for credit cards with your bank.

May I please verify your name, social security number, and date of birth?

After a moment of stunned silence, I explained: Yes, but, that’s the info the fraudsters are using to fraudulently attempt fraud by fraudulently impersonating me for fraudulent purposes.

Sir, I cannot help you if you won’t verify your identity.

Does this qualify as stupidity? The Merriam-Webster dictionary defines stupidity as “the state of being foolish or unintelligent.”

My late father used to observe: “Ignorance can be fixed, but stupidity cannot.”

Suggestion:

When a customer wants to report identity theft, fraud, or anything of the like, the alternative “out-of-wallet” verification should be used. That method is far from perfect, but at least it wouldn’t make a customer wonder about your company’s intelligence.

Note: “Out-of-wallet” is the jargon for asking questions whose answers are drawn from an individual’s credit history (for example, which lender holds a particular loan). It is called “out-of-wallet” because the answers are not printed on anything a person carries, so someone who finds a lost wallet, or who already holds the name, social security number, and date of birth, cannot answer them from what is in hand.

Also note: My guess is that most banks are like this, so the specific bank’s name isn’t really that important.


First-Name Basis?

Nothing reveals corporate sloppiness more than addressing customers by a name they do not use. I’m referring to the rampant practice by interactive voice response (IVR) units and customer call center personnel of using the first-name datum in all customer interactions. I know many people — including some of the most successful people in the world — who use a nickname or their middle name socially and professionally:


It’s Larry Ellison, not Lawrence

. . . Mary Kay Ash, not Mary Ash

. . . Zig Ziglar, not Harry Ziglar.

Maybe in the interests of national security, these people use their legal name on airplane tickets and when opening bank accounts, but that isn’t the same as giving permission to use that legal first name. Good customer service demands that companies make a note of a person’s preferred name in their databases. It’s a minimal courtesy.

Also, as customers, people should be allowed to opt out of “first-name basis.” Again, it should be very easy to store this option in the database.

My blessed mother had an interesting approach to this situation. When customer service reps or shop clerks would attempt to address her by her first name she would cheerfully say: “Oh, please feel free to call me Mrs. Minko.” She wasn’t scolding people, just indicating her preference.

>>> Update: On a related note, when it comes to speech-to-text voicemail transcription, an end-user name should be spelled correctly. For example, if a person’s name is spelled Jaymes and the voicemail is being transcribed to text, then the way Jaymes spells the name should be used. Yes, this is an extra step in the speech-to-text process, but it matters.

Adventures in Customer Service #24,681

One morning I found someone’s ATM card on the sidewalk. It was only a few blocks out of my way, so I walked to one of the branch offices of the bank that issued the card. I tried to give it to one of the platform officers, who was standing at the printer. I said: “I found this on the sidewalk on 16th Street.”

With a look of exasperation she said, “Well, actually, you should . . .” but she didn’t complete that thought. Instead she made a pivot and said, “I’ll take it.”

I wonder if this is an example of a growing trend that only pre-defined problems can be addressed. If something out of the ordinary happens, it automatically splits into two problems. Whatever the customer thinks is a problem, plus the obstacle that the customer service person doesn’t want to deal with it. (In my case, I’m not even the customer, so perhaps that makes for a third obstacle: No obligation if you’re not a customer?)

I tried to ask what the correct procedure should have been by prompting: “If you want me to do something else, I will.”

With a tone of weary defeat in her voice, she only repeated: “I’ll take it.”

To be fair, this particular branch is a wonderful corporate member of my neighborhood community. They host in their courtyard the annual holiday tree presented by the merchants’ association. The corner of their building has a faux balcony about 3 feet off the ground. They have never challenged the long-standing community practice of posting memorials to community friends who have passed away on the balcony rail.

Also to be fair, I may have interrupted at a bad time. Heaven knows that when a printer is acting up, the last thing I want is someone interrupting me (LOL).


The 3rd Perp in the W-2 Phishing Scam?

In systems theory, a useful tool is looking past the “presenting problem.” When it comes to the W-2 phishing scam, we find the typical explanation: humans are the weakest link in cybersecurity. (Infosecurity Magazine* called this particular phishing scam an “epidemic” because more than 55 companies have been identified as victims, and CSO magazine** reports it as more than 60 companies.)

The standard narrative is that one individual in finance or HR fell for a phishing email that looked like it was from his/her CEO. In the case of Alpha Payroll Services, reported in CSO magazine, the employee who complied with the fake CEO request was fired. “Alpha Payroll leadership promptly terminated the employee, hired experts to assist in the investigation and response, and has been in contact with law enforcement, including the Criminal Investigation Division of the IRS and the FBI, regarding the incident.”

What I haven’t heard once in the coverage is any acknowledgement of how truly insidious this phishing scam is: It’s the companies with decisive and commanding CEOs who are most likely to be victimized. The very attributes that make for a charismatic leader are the ones that have been exploited the most in this scam.

From a “presenting problem” view point, we have two perpetrators:

1. The cybercriminals who devised the scam and exploit the responses

2. Employees in HR and Finance who fall for the scam

But when we look past the presenting problem, we have a third actor:

3. CEOs who request reports and data expecting unquestioned obedience

In the cases that have been documented in the press, not one analyst or journalist has suggested that CEOs send emails to their entire company granting permission to challenge requests from the CEO. Instead, they either talk about awareness training for all employees or the need for sophisticated data loss prevention systems.

In most of the high-tech companies I’ve worked for, it was standard operating procedure to respond to any request from the CEO within 3 hours — even if the requests were sent at 11pm or 4am.

Security awareness training often starts with the instructor saying: “Don’t be the weakest link.” I think that is wise counsel to both rank-and-file employees and executives.
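The scam works because a message merely looks like it came from the CEO. One technical control that sits beside the cultural one argued for above is a mail-flow check for executive impersonation. The following is an added example, not code from the original post or from any of the companies mentioned: it parses a message with Python’s standard email library and flags the three patterns seen in this kind of fraud (an executive’s display name on an address that is not the executive’s, an external sender domain, and a Reply-To that points somewhere other than the From address), then notes whether the message asks for W-2 data. The company domain, the executive roster, and the three sample messages are all constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"                 # assumed company domain
EXECUTIVES = {                                  # assumed roster: display name -> real address
    "pat morgan": "pat.morgan@example.com",
}
W2_TERMS = ("w-2", "w2", "wage and tax statement")

# Constructed sample messages (not real mail).
SAMPLES = {
    # Lookalike domain: 'examp1e.com' with the CEO's display name.
    "lookalike_domain": """From: Pat Morgan <pat.morgan@examp1e.com>
To: payroll@example.com
Subject: W-2s needed today

Please send me the W-2s for all employees as one PDF. I am in a meeting.
""",
    # Forged From header with the real address, but replies go elsewhere.
    "reply_to_swap": """From: Pat Morgan <pat.morgan@example.com>
Reply-To: Pat Morgan <pat.morgan.ceo@webmail.example>
To: hr@example.com
Subject: Urgent request

I need the W2 for every employee before noon. Reply to this message.
""",
    # Ordinary internal mail from the real address with no sensitive request.
    "legitimate": """From: Pat Morgan <pat.morgan@example.com>
To: finance@example.com
Subject: Board deck

Please send the Q3 summary slides when they are ready.
""",
}


def _domain(addr):
    """Domain part of an address, lower-cased ('' if no '@')."""
    return addr.rpartition("@")[2].lower()


def bec_indicators(raw_message):
    """Return the list of business-email-compromise indicators in one message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    name, addr = name.strip().lower(), addr.lower()
    findings = []

    # 1. Executive display name on an address that is not the executive's.
    real_addr = EXECUTIVES.get(name)
    if real_addr and addr != real_addr:
        findings.append(f"display name '{name}' on {addr}, roster says {real_addr}")

    # 2. Sender domain is not the company's own domain.
    if _domain(addr) != INTERNAL_DOMAIN:
        findings.append(f"external sender domain {_domain(addr)}")

    # 3. Reply-To diverts the conversation away from the From address.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and _domain(reply_to) != _domain(addr):
        findings.append(f"Reply-To domain {_domain(reply_to)} differs from From domain")

    # 4. The request itself: W-2 or wage data.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    if any(term in text for term in W2_TERMS):
        findings.append("requests W-2 / wage data")

    return findings


def scan_all(samples=SAMPLES):
    """Run the check over every sample; returns {label: [indicators]}."""
    return {label: bec_indicators(raw) for label, raw in samples.items()}


if __name__ == "__main__":
    for label, findings in scan_all().items():
        print(label, "->", findings or "clean")
```

A message that both impersonates an executive and asks for W-2 data is the one to hold for a phone call to the executive on a known number. Note that the second sample, where the From address is forged exactly, is the case that SPF, DKIM and DMARC exist to reject at the gateway; the header check here is a backstop for when those are not enforced, not a replacement for them.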


* http://www.infosecurity-magazine.com/news/55-companies-and-counting-fall-to/

** http://www.csoonline.com/article/3064675/security/alpha-payroll-fires-employee-victimized-by-w-2-phishing-scam.html

Rethinking “Date of Birth” to Verify Identity

Recently, I received a robocall purporting to be from a nationally recognized pharmacy chain. As part of the interaction, the computer-generated voice asked me to enter my date of birth.

Rule of thumb: If you haven’t signed up to receive robocalls from a company, hang up and dial the company in question yourself. It could be a scam.*

It’s difficult to gauge the probability that the call really was from the national pharmacy chain. Regardless, it baffles me how anyone could think date of birth was useful in verifying identity. Date of birth is a very easy datum to obtain on most people.


There are many genealogy sites that aggregate public records such as birth and marriage records. The purpose of these ancestor look up sites may be perfectly wholesome and innocent, but that does not preclude nefarious use. Additionally, many counties publish their tax rolls online (including name, address, photos, mini-blueprint of your house, and assessed taxes).**


* The FTC website is a good source of information about defense against robocalls: https://www.consumer.ftc.gov/articles/0076-phone-scams#Robo

** This information has always been public, but before digitization, the process usually meant visiting a government building, going into the records basement, and poring through analog paper records. The digital age has changed all that.