Bank's antifraud tactics stun security expert: How much do they know?
- — 15 December, 2009 08:31
Checking out of a Hilton hotel in London, security expert Roger Thompson was told his Visa card had been declined due to suspicions it was stolen, a situation that only got more disconcerting when he learned the bank that issued the card had more personal information on him and his family members than he ever imagined.
In a tale he relates in his blog, Thompson, chief research officer at AVG, said he was compelled to answer questions on the phone from a Wachovia Bank representative in its fraud-prevention division to prove he was really Roger Thompson and not a credit-card thief checking out of the London hotel.
It turns out Thompson's Visa card was flagged and suspended because he hadn't told the bank he was travelling overseas, a requirement he didn't know the bank had. But the "scary bit" about it all, he says, is that the bank fraud-prevention representative didn't just ask him to give the correct answers to questions such as his mother's maiden name, which he had provided to the bank for fraud detection purposes, but also a host of other questions about his daughter-in-law that he had no idea it knew.
"I was in shock," Thompson says about what he found out that Wachovia Bank had stored "at their fingertips" related to his daughter-in-law -- information Thompson thinks the bank may have found out through Facebook.
"They used her maiden name, they knew she was my daughter in-law, they wanted me to best describe the age range for this person," Thompson says, adding that he was in "shock and indignation" about how they would know all this, including how long she was married.
The bank fraud-prevention representative indicated it was all "publically available information," he says. At the hotel on the phone, Thompson answered the questions about his daughter-in-law, the bank lifted the suspension on his credit card, and he paid his bill and left for the airport.
Thompson says he wracked his brain to figure out where the bank may have gotten this information about his daughter-in-law but he could only reason it was from Facebook, where she's a friend.
Thompson , a security expert with decades of experience in identifying malware, fraud and hacker exploits of social-networking sites, such as MySpace and Facebook, says he doesn't see this as an issue around Facebook per se. Rather, this is about what kind of data that corporations may be collecting from Facebook or other social-networking sites -- if they are. He adds this strikes him as a serious data-privacy issue, and he notes that if a bank has this kind of database information on him, "they probably have it on you, too."
Wachovia, now owned by Wells Fargo, wasn't immediately available for comment on whether they do harvest information from social-networking sites for purposes of fraud detection or where they are obtaining personal information of this type not voluntarily provided by a customer.