Amex Don't Get Security

Yesterday afternoon, I received a call from an unknown number. I answered it, and a heavily accented voice said "Hello, can I speak to mister..." there was a pause while she tried to figure out the intricacies of my surname, "Ehdan?"

I asked who was calling, and she said, "I am calling from American Express with important information about your card. Please can I take you through security?"

You know where this is going, don't you? I asked her to prove that she was from American Express.

"I assure you that I am. This is not a sales and marketing call."

Cue a fruitless half hour argument with her and her supervisor. I wouldn't give her my security details unless they could prove that they were actually calling from Amex.

I've written before about Credit Card scams. They're a prevalent and insidious form of theft. And companies like American Express are doing nothing to prevent them.

The information they demanded of me was all reasonably public - it doesn't take a genius to work out my month of birth and phone number. Of course, they cited data protection so there was nothing that they could say to confirm they were genuinely from Amex. Which, of course, didn't stop them from revealing to someone (who may or may not be me) that I have an Amex account.

As you can imagine, this lead to an impasse.

What's needed, as I patiently tried to explain to them, is a non-invasive way for them to verify their identity to me. For example, I could give them a verification passphrase. When they ring, they should answer the question "What's my passphrase" with "Ding Dong The Witch Is Dead" or some other phrase I've chosen. Or, they could ask me "What's your favourite cheese?" and only continue if I answer "Venezuelan Beaver Cheese."

Neither of those phrases reveal personally sensitive information, but they do indicate that the caller has access to Amex's systems - which is a reasonably proxy for them working for Amex.

Outbound caller-ID can be faked, the information that they ask from me is relatively trivial to discover, and credit card companies regularly warn people not to give away sensitive information. American Express don't seem to care about any of this, though. They know that there are simple steps they could take in order to reassure their customers that security is important to them.

So, why don't they?


2 Responses to “Amex Don't Get Security”

  1. Martin Seeger Image of Martin Seeger

    Why won't they?

    Such measures would cost them money and annoy the average customer. Unluckily most people have no sense for data security.

    Reply
  2. Paco Hope Image of Paco Hope

    My credit card company does this. But when I point out that I don't know Who THEY are, they say "please call us on the phone number that is printed on the back of your card". That's a fair response.

    Reply

What Do You Reckon?