Categories
Banks

BECU Hypocrisy on Security

How many times do we consumers sit through a barrage of security questions by banks and other institutions to confirm our identity? BECU (Boeing Employees Credit Union) forces a person to answer at least four questions (credit card number plus three other ID questions) before they will ever talk to you about your credit card. They claim all these questions are for my security.

BECU even publishes security tips on its blog, such as this one from 2020-10-27 by BECU’s own security officer.

Note the caution about using public WiFi access points and being in public with your credit card number. Mr. Murphy provides good advice.

However, would you hire Sean Murphy as your security officer when the same Credit Union invites a person to send the full card number, full name, phone, and email address by unencrypted email?

That’s just what BECU offers when disputing a credit card charge. On the BECU website is a PDF form used for disputes. At the bottom of the form there is an email address you can send the completed form (and other documents) to, presumably after you have scanned or saved the form into a PDF.

Not only does BECU say you can send the information by unencrypted email, BECU also wants the card holder to send to a non-BECU domain name with no explanation of who is receiving it.

When the phone representatives were asked why BECU is inviting card holders to send sensitive information by unencrypted email, the representatives explained that “the email goes straight to the right department.” This kind of financial bullshit hides the issues that a) the email is sent without encryption, b) the unencrypted email could be snagged by someone as it passes through any number of mail servers, and c) someone could break into the email account of the sender and find the unencrypted information in the sent folder.

This is the same kind of short-sighted thinking by the WA Employment Security Department that suggested sending picture ID and Social Security number by unencrypted email.

The Payment Card Industry Data Security Standard (PCI DSS) 4.2 states: “Never send unencrypted PANs by end user messaging technologies.”

The PCI Security Standards Council (SSC) defines “cardholder data” as the full Primary Account Number (PAN — Credit Card number) or the full PAN along with any of the following elements:

Cardholder name
Expiration date
Service code

Look at the BECU form. It wants the full 16-digit account number AND the cardholder name. Clearly, the form is collecting “cardholder data” and more.

Many institutions clearly advise against and forbid sending and receiving credit card information by email. See the very small list below.

BECU and Sean Murphy should adopt the same security procedures that nearly all institutions adopt regarding credit card information by email. Not doing so demonstrates the hypocritical contradiction in their security procedures.

https://www.nerdwallet.com/article/credit-cards/sending-credit-card-information

https://www.securitymetrics.com/blog/sending-credit-card-info-over-email

https://www.verygoodsecurity.com/blog/posts/pci-compliance-for-emails-how-to-stay-secure-and-compliant

https://finance.ubc.ca/sites/finserv.ubc.ca/files/resource-files/Credit_Card_Information_Received_via_Email_Procedures.pdf

https://www.dartmouth.edu/finance/forms-policies-systems/policy_library/merchantservicespolicy.php

Categories
ESD

How ESD subverts appeals and due process

Washington State Employment Security Department (ESD) is, for at least one claimant, not forwarding appeals to the Office of Administrative Hearings (OAH).

The reason, according to an ESD agent: “Your appeal requests have been received, but have not been forwarded to OAH because there is no denial to appeal”.

Are appeals restricted to “denials”? Not according to Washington Administrative Code.

WAC 192-04-020
Definitions.
Unless the context in this chapter clearly indicates otherwise, the following terms and phrases shall have these meanings:
(1) “Appeal” means a request for a hearing before and decision by the office of administrative hearings in a matter involving unemployment insurance benefits.

A “denial” would be considered one kind of “matter involving unemployment insurance benefits”. Other errors can also be considered a “matter”.

Appeals are the setting to sort out differences between ESD and others — claimants and employers.

In fact, appeals do happen even when there is approval (no denial) of benefits. An employer can object — through appeal — that the employee does not have a right to benefits. This is why Determination letters are also sent to employers in regular (non-pandemic) times.

The ESD reason to deny forwarding to OAH on the basis “there is no denial to appeal” is simply bureaucratic bullshit that thwarts the purpose of appeals and prevents due process.

In this case, there is no denial of benefits.

The “matter” not being forwarded to OAH is ESD’s false assertion that the claimant has one or more claims out-of-state or with the Railroad Retirement Board. These false assertions were made in three separate Determination letters. The claimant has never filed for claims as asserted.

The claimant refuted the assertions and asked ESD repeatedly for information about why ESD determined the claimant had an out-of-state or railroad claim.

ESD did not respond to those requests.

The claimant wants the record to be clear there is no such claim. Further, such assertions may, in fact, reflect the possibility the claimant is the victim of identity theft in another state. If that is the case, corrective action needs to be taken.

Because ESD did not respond to requests for information, the claimant filed appeals.

ESD is, in this case, not following the Washington Administrative Code to provide due process and is not cooperating in fighting potential identity theft.

Categories
Retail

FedEx Fiction

We regular citizens have enough to deal with in daily life. Then a big corporation comes along and wastes our time with customer service fiction. FedEx is another great example. The inbound package tracking page offers this additional information to supplement the “by end of day” message:

Want to know when your package will arrive?

See your estimated delivery time with FedEx Delivery Manager. Sign up or Log in.

Check out the image.

Ok, so I go to sign up and discover that I’ve already signed up. However, the address needs to be changed. I change the address and then FedEx says it has to send me a verification code by US Mail that will take 3-5 days. That makes the statement “See your estimated delivery time with FedEx Delivery Manager” a fictional, misleading statement.

I called FedEx to complain about this fictional and misleading statement. The rep and supervisor both said the estimated delivery time was between 8am and 8pm. Hmm, that is no different than saying by end of day. So what is the point of a Delivery Manager that is supposed to give you a closer estimated time before end of day?

To answer that question, the phone support people said that because the delivery is by Ground, there is no “estimated delivery time.” Then why put a message on the tracking page saying I can get an “estimated delivery time” for a Ground shipment that does qualify for estimated delivery time?

Big corporations with big bucks are frequently short on brain power when it comes to common sense customer service. This FedEx situation is just another example of poor thinking.