Editore"s Note
Tilting at Windmills

Email Newsletter icon, E-mail Newsletter icon, Email List icon, E-mail List icon Sign up for Free News & Updates

February 27, 2006
By: Kevin Drum

ID THEFT UPDATE....Michael Hiltzik's column today is ostensibly about his recent problems with AOL, but it's really broader than that. Turns out that someone recently opened a fraudulent AOL account with his credit card and it took him hours to finally emerge from AOL's call center hell and get a human being on the line:

When I instructed him to reverse the charges to my credit card, he offered to mail me an affidavit to fill out....Presently, my affidavit arrived. To say the least, it's a massive intrusion on my privacy. It requires me to mail AOL copies of my credit card bill, along with a personal utility or insurance bill as proof of residence. (Question: If I don't live at the address I gave them, how did I receive the form they mailed me?) It asks for the names of all authorized users of the credit card. And so on.

The whole affair is a great example of the ID theft problem that I wrote about last year. Too many companies simply don't care about fraud and ID theft because they don't have any incentive to care about it. After all, why should they bother wasting their own money tracking down ID thieves when they aren't the ones suffering the pain? Instead, the victim is the one who has to spend time, money, and emotional energy trying to sort things out.

But what if it cost AOL a thousand bucks or $10,000 whenever they opened a fraudulent account? No arguments, no excuses, and no safe harbors because they really, really think they've taken every reasonable precaution to prevent fraud. Instead, treat it the way banks treat money: if they lose it, they have to make good on it no matter how good their security is.

And you know what? That's why their security is so good. Hold AOL and other companies to the same standard and they'd discover a sudden eagerness to beef up their security too. Funny how that works.

Kevin Drum 12:58 PM Permalink | Trackbacks | Comments (56)

Bookmark and Share
 
Comments

How is it possible that the only two bits of the paper I read this morning are the two things you've blogged about?

Is Kevin really Shortstop? Questions must be asked at the highest levels...

Posted by: craigie on February 27, 2006 at 1:00 PM | PERMALINK

Instead, the victim is the one who has to spend time, money, and emotional energy trying to sort things out.

This is a good thing because the "victim" should start taking responsibility for his own recklessness in allowing someone to steal his credit card number rather than doing everything possible to prevent others from seeing it. But then liberals like you wish to evade the culture of responsibility and instead force others to pay for your own faults and mistakes.

Posted by: Al on February 27, 2006 at 1:04 PM | PERMALINK

Absolutely excellent idea.

Posted by: cld on February 27, 2006 at 1:11 PM | PERMALINK

I meant Kevin's idea about forcing aol to be responsible for their own lack of security is an absolutely excellent idea.

Posted by: cld on February 27, 2006 at 1:13 PM | PERMALINK

Yeah! Make sure you get the name and social security number of EVERYONE who might see your credit card number, in every restaurant, bar, and store you might use it in. And make certain to test the security of your credit card companies and every company that might store your CC number, by trying really hard to hack inoto their system. If you can, cancel you card with them or don't use their business again!

Anything less than this, and you deserve to have your credit card stolen. Its like wearing a short dress to a frat house.

Posted by: The real, real Al on February 27, 2006 at 1:14 PM | PERMALINK

You don't understand, Kevin. Corporations like AOL risk their only begotten capital, that we may join them in a blessed transaction.

Risk & Capital! Risk & Capital! For the love of jeebus! Why do you hate free market capitalism?

Jest so ya know: I'd rather have my identity stolen than ride in a car with Ted Kennedy.

Posted by: muddymo on February 27, 2006 at 1:16 PM | PERMALINK

Kevin: Apparently, you're not familiar with chargebacks. All the customer has to do is call the credit card company and declare that the charge is fraudulent. The money is restored, and the company (AOL) is fined a $25 processing fee. AOL can contest it if they want, but then they risk another $25 processing fee.

Posted by: Josh Yelon on February 27, 2006 at 1:17 PM | PERMALINK

How can they possibly invest that much time and money going after fraud? They are simply too busy going after $23.95 that one does not owe them.
Ever try to divorce AOL? "Oh, please don't go - we'll give you a free month to reconsider" - Even though you do not use this "free month", you will receive a bill for it - Then they will hound you for months for repayment. "Oh, the person who authorized that free month does not exist, and if she did, she did not have authority to grant a freebie."
Yes, you can talk to a real person - They have the good cop person, the bad cop person, the indifferent one, the bored one, the who gives a shit one, the one who speaks very little English.
And then "Please call Mrs Springsteen" begins daily.
They are vermin.

Posted by: thethirdPaul on February 27, 2006 at 1:21 PM | PERMALINK

Kevin- we have to do something about this problem, but who's at fault, AOL or the bank (or card-issuer)? I'm not sure why AOL should have the burden here.

And what procedures exactly is AOL supposed to use to prevent anyone from opening a fraudulent account? You think this questionnaire was an intrusion on privacy?! Just imagine what AOL would require of you to open an account if they were the ones responsible for verifying your identity - you'd be sending them copies of your damn birth certficate.

I don't know what the answer is.

Posted by: TidyBowl on February 27, 2006 at 1:22 PM | PERMALINK

I've got to second Josh's point. The principal substantial benefit of using credit cards is the ability to contest charges like this.

Posted by: cmdicely on February 27, 2006 at 1:22 PM | PERMALINK

My experience with AOL was this: they doublebilled me [double-debited my bank account]for several months. I didnt catch it right away because my billing period straddled the month - 15th to the 15th. So I wd see a debit in Jan and Feb on a bill, and thought it was for separeate months, and didnt realize for awhile that there were two charges every month.

You would think a problem like this would be easy to demonstrate and solve. Nooooooo. I spent hours in answering system hell. When I finally got to the first real person, they denied it could happen. "The system wont let that happen. Its foolproof." I said, apparently not, look at the bank statement. After several real people, the best I could get was the offer of a credit against future service. By this time, I just wanted a refund and a new service provider.

So I filed a small claims action. AOL invoked the small-print "choice of forum" clause - they asked the court to require me to travel a thousand miles to Reston, Virginia to contest a $200 doublebilling problem. Sad thing is, such provisions are enforceable in most jurisdictions. Myself, I think its violation of the consumer protection act.

So, your comment that these companies need their feet held to the fire in order to ensure security is absolutely correct. They certainly wont do it on their own.


Posted by: Wahooky on February 27, 2006 at 1:23 PM | PERMALINK

You mean make businesses part of Mr. Bush's culture of accountability? That's just crazy talk.

Josh: have you ever tried to actually get a credit card company to help you with a chargeback? When I had trouble trying to cancel a legitimate AOL account, I tried to get Citi to help by withholding the next month's payment. They said that if it was an ongoing monthly charge that I had authorized in the past, they wouldn't get involved.

Maybe the credit card companies are better about chargebacks at the beginning of a monthly charge arrangement, but I wouldn't count on it. Or maybe they're better if they become convinced of the fraudulent nature of the charge, but then that's the problem at the beginning of it all, isn't it?

Posted by: Robert Earle on February 27, 2006 at 1:25 PM | PERMALINK

You go, real real, tell 'em like it is.

I see liberals just asking for it all the time! The way they slide that card across the counter, with just a little flick of the thumb at the end.

It just screams, credit limit fifteen grand, baby!

Posted by: muddymo on February 27, 2006 at 1:26 PM | PERMALINK

The real problem is that there isn't any way to secure a credit card. Every time I eat out, I have to hand my credit card to the waiter. There's absolutely no way to stop the waiter from writing down my credit card number, short of not eating out (or not using credit cards).

There's also no way for an online service provide (like AOL) to determine if the credit card is being used by the rightful owner. I was the owner of such a business, and we spent hours trying to figure out a way to validate the customers. It's theoretically possible to invent games like "you give me your phone number, and I'll call you back to make sure that's really your phone number, and then I'll look you up in the phone directory to make sure it's really you." But the amount of labor involved would cost far more than the $14 product we were selling.

Posted by: Josh Yelon on February 27, 2006 at 1:26 PM | PERMALINK

Jest so ya know: I'd rather have my identity stolen than ride in a car with Ted Kennedy.

Fucking hilarious.

Posted by: craigie on February 27, 2006 at 1:26 PM | PERMALINK

Dear Tidy, Josh:
Just to jump in here for a moment, the procedure I'd expect AOL to use is to correlate the billing address on the card with the billing address the customer gives them, and to ask for the security code on the back (or in Amex's case,the front) of the card. This would weed out customers who scammed a credit card number, but don't have the other information.

Josh: It's all very well to let the CC company handle this, and I reported it to Amex, but I'd still like to know who used my number and how they got it. And there's no guarantee that the CC company will rule in favor of the customer, rather than the vendor.

Posted by: Michael Hiltzik on February 27, 2006 at 1:27 PM | PERMALINK

Seriously, Kevin? A $10,000 fine for conducting a transaction with a person who has fraudulently obtained a credit card or a checking account, despite having taken all reasonable precautions? I suppose its easy to imagine such a sanction against a company like AOL, a behomoth with a deservedly bad reputation. Does it sound as clever when it wipes out two weeks of gross receipts for the local coffee house or hair salon whose proprietor took all reasonable and prudent precautions? Your policy seems like it would be an equal opportunity disaster. Bad for businesses (but especially small, independent businesses), and bad for consumers in that it would be dramatically more difficult to use a check or a credit card.

Posted by: John M on February 27, 2006 at 1:29 PM | PERMALINK

How is it possible that the only two bits of the paper I read this morning are the two things you've blogged about?

Is Kevin really Shortstop?

(waking up) Whaaaa? I'm not making the connection between these statements. I didn't write your damn paper, baby.

Posted by: shortstop on February 27, 2006 at 1:37 PM | PERMALINK

No, see, you would know (just know) what bits of the paper I had read. Then, you would blog about them.

In that way, you and Kevin would turn out to be the same person. Or, two different people, living 2000 miles apart, sharing one brain.

Kind of like W and The Incredible Mr Limpet.

Posted by: craigie on February 27, 2006 at 1:43 PM | PERMALINK

I don't know what experience you have with banks, but in my experience they are closer to AOL.

If somebody writes a check on your account, you are out the money. You have to go to the police first and get a police report before they will even talk to you.

Posted by: DR on February 27, 2006 at 1:45 PM | PERMALINK

"treat it the way banks treat money:"
Well, not exactly. Finally had to quit B of A because they showed no capacity of will to track down my ID theft. I had pretty solid info that they weren't interested in. My local bank official said that as long as the bank was within its insurance limits, they didn't care that much and it was more cost effective to simply reimburse me. They preferred to "take the big picture" and work on improving overall security while individual cases didn't rise to a level of much concer. BTW, Hilzik is one business/economy writer worth reading consistently.
Martin

Posted by: Martin on February 27, 2006 at 1:48 PM | PERMALINK

Kind of like W and The Incredible Mr Limpet.

Oooh, which one are you?

Posted by: shortstop on February 27, 2006 at 1:52 PM | PERMALINK
Just to jump in here for a moment, the procedure I'd expect AOL to use is to correlate the billing address on the card with the billing address the customer gives them, and to ask for the security code on the back (or in Amex's case,the front) of the card. This would weed out customers who scammed a credit card number, but don't have the other information.

As more people ask for the "security code", etc., it becomes increasingly likely that anyone who scams the card number will also have the other associated information.

Much as I hate AOL, making the vendor responsible is generally inappropriate unless they have been grossly out of line with usual practice. Making the card issuer liable would in general be more sensible, and creates an incentive for card issuers to implement technical solutions to the verification problem.

There are solutions -- i.e., smartcards -- that significantly reduce the threat of fraud through cryptography. The US is, as I understand, far behind in implementation of such systems generally.

Posted by: cmdicely on February 27, 2006 at 1:54 PM | PERMALINK

Jest so ya know: I'd rather have my identity stolen than ride in a car with Ted Kennedy.

What about going hunting with Cheney ?

Posted by: spencer on February 27, 2006 at 1:56 PM | PERMALINK

I had the exact same thing happen, but I had muchless trouble, because I contacted my credit card company, and they reversed the charges, no questions asked. The burden isn't (and shouldn't) be on me to prove I didn't make the transaction. The burden is on the company to prove that I authorized the charge on my card. If AOL wants to try to prove to my credit card company that I authorized the charge, they're welcome to do so, but it's not my problem.

Posted by: Constantine on February 27, 2006 at 1:56 PM | PERMALINK

Josh: have you ever tried to actually get a credit card company to help you with a chargeback?

I can't speak for Josh, but MBNA was very good to me in withholding payment on a fraudulent charge (to a government agency, no less).

Posted by: digamma on February 27, 2006 at 2:01 PM | PERMALINK

Oooh, which one are you?

Silly rabbit, the point is that Bush and Mr Limpet are the same person! Sigh. I guess I'll have to do actual work today after all...

Posted by: craigie on February 27, 2006 at 2:02 PM | PERMALINK

Sigh. I guess I'll have to do actual work today after all...

It's a heavy load to bear, knowing that my obtuseness has driven you to work. But I could stand to do some myself.

Posted by: shortstop on February 27, 2006 at 2:08 PM | PERMALINK

Kevin: Hold AOL and other companies to the same standard and they'd discover a sudden eagerness to beef up their security too. Funny how that works.

The way things stand now - with lobbying, etc., you stand a better chance of persuading the Pope to excommunicate AOL employees who fail to preserve identities than to get either Congress or the Courts to establish such rules.

Posted by: Thinker on February 27, 2006 at 2:31 PM | PERMALINK

Recently, just for fun, I contacted AOL to report spam. The process was conducted in writing realtime with a live representative and took 20 minutes. I was persuaded by his/her stilted English that the AOL rep wasn't based in the US.

Posted by: Stuart Watson on February 27, 2006 at 2:37 PM | PERMALINK

He should go to credit card company first, not AOL. Though I assume he must have done this, it is still the credit card company that should deal with AOL directly, not the defrauded credit card holder.

Posted by: Yancey Ward on February 27, 2006 at 3:00 PM | PERMALINK

I don't know about most people, but my credit card fraud maximum is $50. If someone makes a charge on my account, I'll alert my credit card company that it isn't mine. If they stick me with the $50, I'll pay off the card and move to another one.

My wife had her credit card used illegally for a subscription to a costly industry-only publication where the subscription costs are around $1000 a year. The guy at the publication laughed when she informed him of the charge and said that my wife had just met her first Nigerian. (Phony subscriptions to expensive publications were a generic scam that emerged from that poor country most of whose bank assets are preposterously lingering in limbo.) The publication didn't charge us a dime. AOL has no authority to make a person jump through hoops: the seller should assume the risk when he sells on the strength of a pencilled in number. If the sellers don't want to assume the risk, they shouldn't accept credit cards as payment.


Posted by: Jeffrey Davis on February 27, 2006 at 3:12 PM | PERMALINK

With our online sales, we simply red-flag any orders coming in with Yahoo, Hotmail, or AOL email addresses.........wait a minute......

Posted by: OhNoNotAgain on February 27, 2006 at 3:15 PM | PERMALINK

An honest businessperson can't afford to "do the right thing" if it costs her extra money that her dishonest competitor won't spend.

Without rules, cheaters rule.
Without regulations, cheaters regulate.

Posted by: ferd on February 27, 2006 at 3:27 PM | PERMALINK

Josh,

"I was the owner of such a business, and we spent hours trying to figure out a way to validate the customers"

It actually only takes a couple of minutes, and it's a cop-out for businesses to claim that it takes too long or costs too much. It can all be automated and businesses are nuts if they think the ill will from fraudulent transactions costs less than doing some due diligence on orders that are placed online.

For example, we record the IP address during the online transaction, and then do a lookup (www.iana.org has links to all of the IP address registries) and see which region the IP address originates from. If there is a significant variation (usually there isn't with valid orders), then we require a phone call to the same residence as indicated by the billing address in order to validate the order. The same thing can be done with phone orders, for the most part, with caller ID. However, very rarely do fraudulent orders come in via phone, and we've never had one in the seven years we've been in business.

In addition, if we do encounter fraudulent orders with our online sales, we personally track down and call the card holder to notify them of the issue and provide them with the pertinent IP address lookup information, etc. to give to their bank's fraud department.

Posted by: OhNoNotAgain on February 27, 2006 at 3:37 PM | PERMALINK

ferd,

"An honest businessperson can't afford to "do the right thing" if it costs her extra money that her dishonest competitor won't spend."

This doesn't make any sense - those committing the fraud don't give a shit about who they're ripping off. They'll rip off you and your competitior with equal vigor. The question is whether you or your competitor let it happen.

Also, do you know how much chargebacks for fraudulent orders cost ? In addition, are you aware that you can lose your merchant account or be charged heavier fees if you receive too many chargebacks ?

Posted by: OhNoNotAgain on February 27, 2006 at 3:47 PM | PERMALINK

I had the exact same problem with K-Mart and Home Depot when a crook used my name and address on checks they manufactured and passed with a forged driver's license on it.

I became a defacto fraud investigator. I had to file the police report. I had to document that I was not the person that passed the checks. It was ridiculous. It stopped when I hired a lawyer and threateded to sue K-Mart and Home Depot for harassment. These companies don't care about their customers. It is all cost benefit analysis.

I will never shop at K-Mart or Home Depot again after the way I was treated.

Posted by: Kenevan McConnon on February 27, 2006 at 3:53 PM | PERMALINK

It is important to remember that the only victim is the merchant that was defrauded. The fact that they were defrauded only becomes our problem when the merchant's pass the buck. The merchants should have to prove that we were involved with the transaction regardless of how much of our information the crooks have. We should be able to simply deny involvement once and then the labor and energy should have to be expended by the merchant not the guy on the street that is being victimized by the the merchants. Shit rolls down hill and right now every individual is potentially at the bottom of the hill in a hole.

Posted by: Kenevan McConnon on February 27, 2006 at 4:38 PM | PERMALINK

I once had a problem with Hawaiian Electric Co. (HECO) because somebody used my name to initially obtain service at his residence on the other side of the island (about twenty miles from my home), and then declined to pay her bills. So they pursued me, instead.

When I inquired as to whether or not they asked for any sort of ID verification before approving service, they curtly told me that the company accepted accounts over the phone "as a convenience to their customers." Some convenience!

In their corporate world, it was up to me to prove conclusively that I never lived at that particular residence in question. The burden was not on them to prove that it was in fact me who had opened the account.

But when the matter went to court -- as some of these matters inevitably do -- the judge tossed out their claim against me because they had no proof that I authorized the account other than their own say-so. But there was no penalty levied upon HECO for the damage they caused me in terms of my credit rating, other than a very strongly worded admonition by the judge on their lackadaisical attitude toward fraudulent behavior. He strongly advised HECO to at least obtain a customer's signature before commencing to open an acount for somebody, and not rely upon mere voice verification.

Businesses need to be held accountable for the way they conduct their operations.

Posted by: Donald from Hawaii on February 27, 2006 at 4:43 PM | PERMALINK

I have a good suggestion for people who hold and use credit or debit cards, which can at least mitigate some ID theft or fraud.

Instead of merely signing the back of the card on the signature line as indicated, write boldly ASK FOR PICTURE ID. At least the thief can't go to the nearest store and use the card in person. Most merchants do look at the back of the card, and they will ask for a customer's ID if that is what's written on the back.

Posted by: Donald from Hawaii on February 27, 2006 at 4:54 PM | PERMALINK

As a heard of hearing person, I unfortunately once gave my ATM card to a complete stranger, who in turn new my passcode. From watching me enter it. I exchanged my card for a fake one that he had and then only later realized I had this other card. I was cleaned out 1200. The Police didn't believe me. And only filed a "a stolen property report" but nothing official. Citibank told me it was "impossible" for anyone to see my passcode without me giving it to them. (Because of the angle of their ATM machines.)

I had so many hoops to jump through and spent so many hours on the phone. That I eventually just gave up. I hope the guy enjoyed $1200 he spent at Rite Aid.

Posted by: DC1974 on February 27, 2006 at 4:55 PM | PERMALINK

I will never shop at K-Mart or Home Depot again after the way I was treated. Posted by: Kenevan McConnon on February 27, 2006 at 3:53 PM

Unfortunately this will do little to curb the reprehensible behavior. There are just too many customers out there.

Any customer driven away can easily and quickly be replaced by another rube... err, customer. Much like any bad employer can churn through employees with abandon. There are always replacements so they don't have to change their behavior.

Posted by: Dr. Morpheus on February 27, 2006 at 5:21 PM | PERMALINK

The real problem is that once you've been a victim of identity theft (like I have), you learn real quickly about this issue and realize how correct Kevin is for highlighting this issue.

There is no law today that says to any business that you must do a credit check on that person applying for credit. Even if the company IS doing its due diligence by checking credit, and even if they DO receive a credit fraud warning from one of the three credit agencies, there STILL is no law preventing them from granting credit to the would-be thief.

What am I to do? Pay $150/year for some "PrivacyGuard" scam that the three credit agencies offer that sends me an email telling me if someone has applied for credit recently. It's simply OUTRAGEOUS that the victim (me) is forced to pay $150 to a private company whose only obligation (or service, since I paid them) is to send me an email saying, "Yoo-hoo...someone is trying to buy a Gateway computer online - AGAIN!!"

We all pitch in with our taxes to pay for group security on the street - it's called the police force. Why should security online be privatized - unsecurely - and controlled by THREE companies? Isn't THAT a monopoly of some sort? What if there were only three police forces in the U.S. that you had to pay directly for protection, and then all they did was inform you, "Yoo-hoo...somebody's tryng to break into your apartment...you better do something about it."

THAT'S what Kevin is talking about on this issue. Make the companies pay for the externality that they are sluffing off on you and me and every other consumer. It SHOULD cost them something, because we are all paying for it somehow.

Read up on the economics term, "externality," to understand what I'm talking about. Here's a quick definition from Dictionary.com:

An incidental condition that may affect a course of action: Our economic system treats environmental degradation as an externalitya cost that does not enter into the conventional arithmetic that determines how we use our resources
=================

Vinson Valega
Consilience Productions
www.cslproductions.com

Posted by: Vinson Valega on February 27, 2006 at 5:49 PM | PERMALINK

I just received this email from Consumer Reports, with links in there for financialprivacynow.org
:

Dear Laura,

Dozens of companies, schools, and agencies routinely ask you for your Social Security number--along with other sensitive information about you. Unfortunately, they don't always keep your information safe.

Last year, data security problems put 55 million Americans at risk for identity theft. In the first month of this year, security lapses at a bank, a hotel, a home health company and a newspaper have already exposed hundreds of thousands more.

Tell Congress to help you safeguard your Social Security number with just a few common sense reforms.

The social security number was never meant to be a national identifier, but today you may have to provide it to enroll in school, get health care, apply for insurance, and much more. That means dozens if not hundreds of different companies and individuals may have access to your Social Security number.

If crooks get your number, they can open new credit accounts and just start charging.

That's why Congress should limit the widespread collection and use of your Social Security number, and give you more control over the information that is collected.

We expect identity theft legislation to move through Congress this spring, but the banks and credit bureaus will be there to fight it. Lawmakers need to hear from as many people as possible, so please forward this e-mail to your friends so they can join the call for tough identity theft protections.


Sincerely,

Jim Guest
President
Consumers Union of the U.S.
101 Truman Ave.
Yonkers, NY 10703

Posted by: Laura on February 27, 2006 at 6:13 PM | PERMALINK

Another economic argument is that ID theft is a perfect example of how legal rules can be structured to place the burden on the "least cost avoider." In the absence of transaction costs, it doesn't matter who the law says has to deal with ID theft - the business or the customer. But in the real world, it's far more costly for customers to deal with ID theft, because they're less likely to have easy access to credit and financial information, they don't have ongoing relationships with the relevant institutions, nor do they have the institutional expertise of businesses. So even from a market efficiency maximizing point of view, Kevin's idea of placing the legal liability on parties other than the customer is good policy.

Certainly, there are moral hazard problems, but I think they're probably minimal in the ID theft case. There are plenty of other incentives to protect your personal data.

Posted by: Ramey on February 27, 2006 at 6:27 PM | PERMALINK

I should add that it doesn't necessarily have to be the businesses that bear all or part of the burden. Knowledgeable policymakers can make rules that divide the legal responsibilities efficiently between the various institutions involved, including credit agencies, credit card companies, banks, etc.

Posted by: Ramey on February 27, 2006 at 6:30 PM | PERMALINK

I hate AOL. A couple of years ago I decided to drop my $9.95/month account. In early January I e-mailed customer service and asked them to cancel my account. I was billed again in February so I called the toll-free number that appeared on the billing. The rep told me that I couldn't drop service by e-mail only by phone (so much for being an INTERNET company), but that he would cancel my service and I wouldn't be billed in March. Sure enough I wasn't billed in March or in April either, but in May a charge for $19.95 appeared on my bill. I called AOL and was told that I hadn't received a bill because I'd signed on for a new plan that gave me two free months. Indignant I replied that I'd be an idiot to take 2 free months only to be charged twice as much thereafter. But the AOL rep was adamant that I had signed up for the new service. It was all in the call logs! I had to call back later and talk with a manager because I was unable to speak without yelling and spitting at that point. The manager was no more helpful. I don't remember much of the call as it was apparently answered in the Twilight Zone, but my parting question for the manager was how she could sleep at night or look into a mirror. In the meantime I cancelled my credit card with Citibank to avoid the charges but they kept coming. I went through dispute resolution and Citibank took AOL's side. (I no longer bank at Citibank.) After 3 more calls, I finally got the charges dropped and reversed in August. I heard later that Elliot Spitzer had sued AOL in NY for similar problems with cancelling accounts. AOL is apparently the Hotel California of ISPs. You can check in, but no one checks out. There is no other entity on earth that I can muster as much disgust for as AOL. I hate AOL.

Posted by: rb on February 27, 2006 at 6:49 PM | PERMALINK
I have a good suggestion for people who hold and use credit or debit cards, which can at least mitigate some ID theft or fraud.

Instead of merely signing the back of the card on the signature line as indicated, write boldly ASK FOR PICTURE ID. At least the thief can't go to the nearest store and use the card in person. Most merchants do look at the back of the card, and they will ask for a customer's ID if that is what's written on the back.

IME, retail stores (or rather employees, as this varies even within stores) seem to come in two groups:

1. Those that don't look at the card at all (particularly common in places where the customer swipes the card) or, if they look at the card , don't check the signature, read anything written on the back (except perhaps the printed security code), or even take note of the fact that it is not signed.

2. Those that ask for ID even if the card is signed.

I don't think writing "ASK FOR PICTURE ID" is likely to have much effect, in practice.

Posted by: cmdicely on February 27, 2006 at 7:08 PM | PERMALINK

Like some of the other commentators I don't really understand the problem. Amex agreed to reverse the charges so why deal with AOL at all?

Posted by: James B. Shearer on February 27, 2006 at 7:55 PM | PERMALINK

Technology could help:

Some companies are using "securid" gadgets that have a number that changes every minute or so. It would make sense to use these for all purchases made by phone or online.

For physical use of credit cards (at restaurants or stores), some or all of the account number should be magnetically encoded on the card so it is not visible to anyone.

But even if no new technologies are used, why don't credit card companies give us a separate credit card number for phone/online use? So that the store/restaurant clerk cannot use your number on AOL? (I suppose one could use two separate cards to do this -- but most people will not).

Posted by: JS on February 27, 2006 at 9:33 PM | PERMALINK

Kenevan McConnon: We should be able to simply deny involvement once and then the labor and energy should have to be expended by the merchant not the guy on the street that is being victimized by the the merchants.

That's the way it works. If it is not a "card-present" transaction ("card present" == proof that the purchaser had physical posession of he card), the merchant eats it; otherwise--if the merchant has followed the rules and it is a card-present transaction, the issuer eats it. In short, the primary burden of proof, and the risk for, e.g., internet and telephone transactions, is on the merchant.

Jeffrey Davis: I don't know about most people, but my credit card fraud maximum is $50.

That is the maximum liability for all credit cards in the U.S. Many issuers make a big deal out of "guarantees" (*cough*) of liability limits, when in fact they're all the same.

Michael Hiltzik: And there's no guarantee that the CC company will rule in favor of the customer, rather than the vendor.

For a card not-present transaction, the CC company, merchant, or processor doesn't have a choice--the customer wins (and that is a position scammers take advantage of, commonly referred to as "chargeback fraud"). Albeit, it can be a hassle, but I've found that--after having gone through this several times--the issuer will roll over immediately if you appear to have your records in order.

cmdicely: There are solutions -- i.e., smartcards -- that significantly reduce the threat of fraud through cryptography. The US is, as I understand, far behind in implementation of such systems generally.

Europe still suffers from the same type of fraud here in the U.S., and the "smartcards" (*cough*) used in Europe don't help, because telephone and Internet transactions don't use the "smarts" on the cards. AMEX tried to address it with the "AMEX Blue" card, and failed miserably (although that failure was due as much to an AMEX FUBAR as the immaturity of the technology).

Unitil and unless the smartcard readers are ubiquitous and reliable, the card-present/not-present problem will remain with us. (Personally, I think cell phones should and will become the "personal authenticator" of choice--I'm surprised it's not already happened; it is beginning to happen in other parts of the world.)

Kevin Drum: But what if it cost AOL a thousand bucks or $10,000 whenever they opened a fraudulent account?

In general I agree with the sentiment. But the problem is that the merchants/vendors are already shouldering most of the risk--the balance between between merchant, issuer, and brand (Visa, MC, Amex) is untenable. That is made possible by a virtual monopoly position by those brands--they dictate the rules, and the rules they dictate say they aren't liable for squat.

Check out the "Payment Card Industry" (PCI) standards (that's VIsa, et. al.) that mechants and processors are required to adhere to--and guess who's shouldering the cost? Maybe the brands would be more interested in investing in technology to help address some of the problems, but not as long as they can get someone else to pay.

Posted by: has407 on February 27, 2006 at 11:41 PM | PERMALINK

The "ask for ID" advice is wrong. Visa and Mastercard's rules say that merchants may *not* ask for ID, and that they are supposed to watch you sign the card in their presence. Refuse to do so and they are supposed to confiscate the card and return it to Visa/MC. Why? Signing the card is a legal agreement to the terms of your lending institution, not identification at all.

Posted by: Peter on February 28, 2006 at 12:30 AM | PERMALINK

Look, credit cards are a convenience for users, but they are big-time money-makers for issuers, who collect fees, and for vendors, whose sales are facilitated thereby.

The financial risk and responsibility belongs to the financial beneficiaries, not to the users. End of story.

Except, of course, it isn't the end of the story, because, unlike users, the financial beneficiaries have political clout and a ready-reserve of lobbyists and lawyers. All we get to do is vote, occasionally, and hope the votes are counted honestly.

Posted by: Larry Martin on February 28, 2006 at 7:06 AM | PERMALINK

Sure enough I wasn't billed in March or in April either, but in May a charge for $19.95 appeared on my bill. I called AOL and was told that I hadn't received a bill because I'd signed on for a new plan that gave me two http://ourfriends.bravehost.com free months. Indignant I replied that I'd be an idiot to take 2 free months only to be charged twice as much thereafter. But the AOL rep was adamant that I had signed up for the new service. It was all in the call logs! I had to call back later and talk with a manager because I was unable to speak without yelling and spitting at that point. The manager was no more helpful. I don't remember much of the call as it was apparently answered in the Twilight Zone, but my parting question for the manager was how she could sleep at night or look into a mirror. In the meantime I cancelled my credit card with Citibank to avoid the charges but they kept coming. I went through dispute resolution and Citibank took AOL's side. (I no longer bank at Citibank.) After 3 more calls, I finally got the charges dropped and reversed in August.

Posted by: CArL on February 28, 2006 at 4:00 PM | PERMALINK

At last, someone has offered an approach to this problem that would actually work!

Please stop feeding Al. Without attention, he'll starve and we can sweep his moribund carcass into a ditch.

I

Posted by: zak822 on March 1, 2006 at 9:22 AM | PERMALINK

Arts & Entertainment articles
Celebrities articles
Humanities articles
Humor articles
Movies articles
Music articles
Poetry articles

Business articles
Advertising articles
Article Marketing articles
Careers articles
Customer Service articles
Entrepreneurs articles
Ethics articles
Home Based Business articles
Management articles
Marketing articles
Networking articles
Public Relations articles
Sales articles
Small Business articles

Communications articles
Broadband Internet articles
GPS articles
Mobile Phones articles
Satellite Radio articles
Satellite TV articles
Video Conferencing articles
VOIP articles

Computers articles
Computer Certification articles
Data Recovery articles
Games articles
Hardware articles
Networks articles
Software articles

Disease & Illness articles
Breast Cancer articles
Colon Cancer articles
Leukemia articles
Mesothelioma articles
Multiple Sclerosis articles
Ovarian Cancer articles
Prostate Cancer articles
Skin Cancer articles

Fashion articles
Clothing articles
Jewelry articles
Shoes articles

Finance articles
Credit articles
Currency Trading articles
Debt Consolidation articles
Fundraising articles
Insurance articles
Investing articles
Leasing articles
Loans articles
Mortgage articles
Mutual Funds articles
Personal Finance articles
Real Estate articles
Stock Market articles
Taxes articles

Food & Beverage articles
Coffee articles
Cooking articles
Gourmet articles
Recipes articles
Wine articles

Health & Fitness articles
Acne articles
Alternative Medicine articles
Beauty articles
Cardio articles
Depression articles
Diabetes articles
Exercise articles
Fitness Equipment articles
Hair Loss articles
Medicine articles
Meditation articles
Men Issues articles
Muscle Building articles
Nutrition articles
Supplements articles
Weight Loss articles
Women Issues articles
Yoga articles

Home & Family articles
Babies articles
Crafts articles
Elderly Care articles
Gardening articles
Hobbies articles
Holidays articles
Home Improvement articles
Home Security articles
Interior Design articles
Landscaping articles
Parenting articles
Pets articles
Pregnancy articles

Internet Business articles
Adsense articles
Affiliate Programs articles
Auctions articles
Audio-Video Streaming articles
Blogging articles
Domains articles
Ebooks articles
Ecommerce articles
Email Marketing articles
Ezine Marketing articles
Ezine Publishing articles
Forums articles
Internet Marketing articles
ISP's articles
Podcasts articles
PPC Advertising articles
RSS articles
Security articles
SEO articles
Site Promotion articles
Spam articles
Traffic Generation articles
Web Design articles

Politics articles
Commentary articles
Current Events articles
History articles

Product Reviews articles
Book Reviews articles
Consumer Electronics articles
Digital Products articles
Movie Reviews articles
Music Reviews articles

Recreation & Sports articles
Biking articles
Extreme articles
Fishing articles
Gambling & Casinos articles
Golf articles
Hunting articles
Martial Arts articles
Running articles

Reference & Education articles
College articles
Homeschooling articles
K-12 Education articles
Language articles
Philosophy articles
Psychology articles
Science articles
Sociology articles

Self Improvement articles
Attraction articles
Coaching articles
Creativity articles
Goal Setting articles
Grief articles
Happiness articles
Innovation articles
Inspirational articles
Leadership articles
Motivation articles
Organizing articles
Spirituality articles
Stress Management articles
Success articles
Time Management articles

Society articles
Dating articles
Divorce articles
Marriage articles
Relationships articles
Religion articles
Sexuality articles
Weddings articles

Travel & Leisure articles
Aviation articles
Boating articles
Cruises articles
Destinations articles
Outdoors articles
Travel Tips articles
Vacations articles

Vehicles articles
Boats articles
Cars articles
Motorcycles articles
RVs articles
Trucks-SUVS articles

Writing & Speaking articles
Article Writing articles
Book Marketing articles
Copywriting articles
Public Speaking articles
Writing articles

Article search
Free articles
Publish your article for free
FREE Article content
Posted by: articles on March 2, 2006 at 7:09 PM | PERMALINK




 

 

Read Jonathan Rowe remembrance and articles
Email Newsletter icon, E-mail Newsletter icon, Email List icon, E-mail List icon Sign up for Free News & Updates

Advertise in WM



buy from Amazon and
support the Monthly