Discover Card: an identity theft imposter

Why do financial institutions insist on pretending to be identity thieves? I just made a big purchase on my Discover Card, and to verify the transaction they left a message on my answering machine telling me to call a number that’s not listed on my card or their website. (1-800-347-4996) Indeed, without calling Discover, their phone company, or the police, there’s no good way to track a random toll-free number. (It’s a little more dangerous for a crook to set up a nefarious number than a nefarious website, but it can be done.)

The irony is that Discover’s website has a quiz on the front page, where one of the questions involves a phishing attack identical to what Discover itself did, except that it’s done through email rather than the phone.

It’s not just Discover. This behavior is rampant among financial institutions. My retirement account (through Charles Schwab) has an option to send monthly reminders to check your online statement. The email has an embedded link, so you can click on it rather than typing the URL into your web browser. Which is exactly the behavior you shouldn’t do, since the link may be to an imposter site.

The reason they do this, of course, is because your security isn’t their priority. They’re not to blame if you fall for an imposter: except for training you to fall for the trick, they’re not even involved.

Actually, that’s not quite true. Credit card companies are on the hook for all but $50 from a fraudulent transaction. So Discover should be trying to prevent this sort of attack. Why don’t they? For one thing, it’s not a common attack yet. But the root cause is more subtle.

Companies secure assets, information, and transactions. Thieves attack the weakest link in an ecosystem. Companies worry about their own infrastructure and how people interact with it. Imposters aren’t part of that world: they create their own faux world. Banks aren’t used to worrying about how customers can verify their identity. Typically you know it’s your bank because you walked into it. Or called the number printed on your statement. That’s not a safe assumption now, if it ever was.

More important, security often consists of reacting to known attacks, rather than preventing potential attacks. In many cases, that’s a good thing, since attackers won’t try something novel unless the tried-and-true stops working, and you can waste a lot of time preventing imaginary threats. With credit card theft, tricks that worked decades ago work just as well today. But identity theft is still evolving, and the preventative measures– in this case, using the same phone number for all incoming calls– are cheap and easy.

(Computer security has the opposite dynamic: preventing whole classes of potential attacks is usually more fruitful than fighting known attacks. That’s because an attack can go from being unknown to being common in a matter of hours. And attacks need to be novel, since once a security hole is patched, it is fixed permanently.)

For the record, I called 1-800-DISCOVER, which is the number printed on my credit card, and had an agent transfer me to the fraud prevention department.

Advertisements

"I put a pea in my nose"

Sylvia said that matter-of-factly during dinner Saturday night. The same way she might announce that she’s wearing sandals. (Matter-of-fact for a three-year-old sounds surprised and slightly amazed to adult ears.) After calling the doctor and trying a few nose-blowing techniques, it was off to the emergency room.

The doctor gave her a nostril constricting spray, and had her try blowing hard several more times. Sylvia was remarkably calm as the doctor prodded the pea with a tool consisting of a tiny metal loop on a stick. Then we were back to blowing many more times.

Eventually the doctor used a trick which, according to the nurse, none of the other doctors know. She stuck an oxygen tube in the opposite nostril and had the nurse crank the oxygen to full blast. I restrained Sylvia, and the pea flew out her nose. The doctor was so impressed with how well-behaved Sylvia was that she gave her a big hug. And the nurse gave her an orange popsicle.

If Sylvia had been as well-behaved for us as she is for strangers, we wouldn’t have ended up in the ER. But that may be a little much to ask for a three-year-old.