Yesterday afternoon, I received a call from an unknown number. I answered it, and a heavily accented voice said "Hello, can I speak to mister..." there was a pause while she tried to figure out the intricacies of my surname, "Ehdan?"
I asked who was calling, and she said, "I am calling from American Express with important information about your card. Please can I take you through security?"
You know where this is going, don't you? I asked her to prove that she was from American Express.
"I assure you that I am. This is not a sales and marketing call."
Cue a fruitless half hour argument with her and her supervisor. I wouldn't give her my security details unless they could prove that they were actually calling from Amex.
I've written before about Credit Card scams. They're a prevalent and insidious form of theft. And companies like American Express are doing nothing to prevent them.
The information they demanded of me was all reasonably public - it doesn't take a genius to work out my month of birth and phone number. Of course, they cited data protection so there was nothing that they could say to confirm they were genuinely from Amex. Which, of course, didn't stop them from revealing to someone (who may or may not be me) that I have an Amex account.
As you can imagine, this lead to an impasse.
What's needed, as I patiently tried to explain to them, is a non-invasive way for them to verify their identity to me. For example, I could give them a verification passphrase. When they ring, they should answer the question "What's my passphrase" with "Ding Dong The Witch Is Dead" or some other phrase I've chosen. Or, they could ask me "What's your favourite cheese?" and only continue if I answer "Venezuelan Beaver Cheese."
Neither of those phrases reveal personally sensitive information, but they do indicate that the caller has access to Amex's systems - which is a reasonably proxy for them working for Amex.
Outbound caller-ID can be faked, the information that they ask from me is relatively trivial to discover, and credit card companies regularly warn people not to give away sensitive information. American Express don't seem to care about any of this, though. They know that there are simple steps they could take in order to reassure their customers that security is important to them.
So, why don't they?