BECU.org invites members to report their travel to help alleviate problems with remote card purchases.
However, the signup page includes this section that leaves a customer not knowing what to do. The BECU site uses “dates” and “date” above the form. Which is it? Are the two fields for two departure dates (suggested by “dates”), or is the second one for a return date (suggested by “date”)?
This is an example of bad user interface that confuses and frustrates a customer — and likely leads to phone calls for clarification.
How many times do we consumers sit through a barrage of security questions by banks and other institutions to confirm our identity? BECU (Boeing Employees Credit Union) forces a person to answer at least four questions (credit card number plus three other ID questions) before they will ever talk to you about your credit card. They claim all these questions are for my security.
BECU even posts security tips in a blog, such as this one from 2020-10-27 by BECU’s own security officer.
Note the caution about using public WiFi access points and being in public with your credit card number. Mr. Murphy provides good advice.
However, would you hire Sean Murphy as your security officer when the same Credit Union invites a person to send the full card number, full name, phone, and email address by unencrypted email?
That’s just what BECU offers when disputing a credit card charge. On the BECU website is a PDF form used for disputes. At the bottom of the form there is an email address you can send the completed form (and other documents) to, presumably after you have scanned or saved the form into a PDF.
Not only does BECU say you can send the information by unencrypted email, BECU also wants the card holder to send it to a non-BECU domain name with no explanation of who is receiving it.
When the phone representatives were asked why BECU is inviting card holders to send sensitive information by unencrypted email, the representatives explained that “the email goes straight to the right department.” This kind of financial bullshit hides the issues that a) the email is sent without encryption, b) the unencrypted email could be snagged by someone as it passes through any number of mail servers, and c) someone could break into the email account of the sender and find the unencrypted information in the sent folder.
The Payment Card Industry Data Security Standard (PCI DSS) 4.2 states: “Never send unencrypted PANs by end user messaging technologies.”
The PCI Security Standards Council (SSC) defines “cardholder data” as the full Primary Account Number (PAN — Credit Card number) or the full PAN along with any of the following elements:
Cardholder name
Expiration date
Service code
Look at the BECU form. It wants the full 16-digit account number AND the cardholder name. Clearly, the form is collecting “cardholder data” and more.
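An outbound-mail check of the kind PCI DSS 4.2 calls for, as an added example (not BECU’s or any vendor’s code): it finds Luhn-valid PANs in a message body, notes which of the PCI SSC elements accompany them, and masks the PAN to the first six and last four digits. The email text is constructed for the example and the card number is a test value, not a real account.

```python
import re

# Constructed sample dispute-email body; 4111 1111 1111 1111 is a test number.
SAMPLE_EMAIL = """Cardholder name: Jane Q. Sample
Card number: 4111 1111 1111 1111
Expiration date: 12/27
Disputed amount: $42.17
"""

# Runs of 13-19 digits, optionally separated by spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# The elements that, together with a full PAN, make up "cardholder data".
ELEMENT_PATTERNS = {
    "cardholder name": re.compile(r"cardholder\s*name", re.I),
    "expiration date": re.compile(r"\b(?:exp(?:iration)?\.?\s*date|\d{2}/\d{2,4})\b", re.I),
    "service code": re.compile(r"service\s*code", re.I),
}


def luhn_valid(digits: str) -> bool:
    """Luhn check (mod-10), the checksum every payment card PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid PANs in text, digits only (separators stripped)."""
    pans = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            pans.append(digits)
    return pans


def classify(text: str) -> dict:
    """Flag a message that carries cardholder data and should not go out as plain email."""
    pans = find_pans(text)
    elements = [name for name, pat in ELEMENT_PATTERNS.items() if pat.search(text)]
    return {"pans": pans, "elements": elements, "block": bool(pans)}


def redact(text: str) -> str:
    """Mask each PAN to first six + last four, the PCI DSS display rule."""
    def mask(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
        return m.group(0)
    return PAN_CANDIDATE.sub(mask, text)
```

Applied to the constructed message, `classify` reports one PAN alongside the cardholder name and expiration date, and `redact` rewrites the number as `411111******1111`.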
Many institutions clearly advise against and forbid sending and receiving credit card information by email. See the very small list below.
BECU and Sean Murphy should adopt the same security procedures that nearly all institutions adopt regarding credit card information by email. Not doing so demonstrates the hypocritical contradiction in their security procedures.
As I type I’m sitting in a laundromat washing some big blankets. What prompts this entry is the alert from Bank of America shown in the image here. So, instead of sitting in the massage chair (which is a decent deal in this laundromat), I figured I had better call Bank of America, because the alert says that if I did not look up my ID I should call them immediately.
I did just that and wasted 30 minutes of my time and ended up being trained to ignore these messages.
Here’s what went down. I called the number. There was no warning in the alert message that I would need to have my debit card number or account number handy. So, I had to call back after I dug one of those numbers out of my pocket.
The phone number does not go to a dedicated security group. Instead I have to listen to all the options and then wait for someone to answer.
I tell the representative that I got an alert and am calling because I did not look up my ID. All the representative could tell me was that a Chrome browser was used for the lookup.
I asked what the WAN IP# was associated with the lookup. She couldn’t tell me. (This should have been in the alert message.)
I know my WAN IP#s (plural, because I have three ISPs coming into the house and two WiFi hotspots when mobile) or can easily get them. If the WAN IP# was the main one at home then I would know there is no nefarious activity involved. Instead, this would be associated with the password reset that I did (which brings up another issue discussed below).
The first representative thought someone else at Bank of America might be able to tell me what the WAN IP# was for the ID lookup.
So, I am transferred to a different representative who knows nothing more than the first. “I just don’t have that information,” she says.
I asked to talk with a supervisor. After holding for six minutes, I’m told none is available, but one can call me back. Ok, I gave my number and said they can call me back if it is in this century. Bank of America is not swift on returning calls.
So, what have I learned after I followed the instructions to “please contact us immediately at 1.800.933.6262”?
1. The bank does not have a dedicated security number, even though the alert message leads one to believe there might be one.
2. Bank staff does not have adequate information to properly deal with alerts.
3. The ID lookup was probably associated with the password reset I did — without an ID lookup — so the bank’s programming is sending out false alerts.
4. Bank of America has designed a system that cosmetically makes them look good and concerned about your security, but they are not.
After not being able to determine a) if there even was an ID lookup, b) if an ID lookup was associated with a password reset, and c) if my home WAN IP# was associated with the alert, I essentially wasted 30-40 minutes.
The bank gave me general comments like “maybe someone mistyped their ID,” which tell the customer nothing and do not provide any details to help a customer relax or take action.
The big lesson from Bank of America: Ignore Bank of America alerts, because the Bank won’t help you with them anyway.