Bank faxes credit card account statement to fraudster

PIPEDA Case Summary #2007-374

[Principles 4.3 and 4.7.1 of Schedule 1]

A victim of identity theft complained that a bank did not properly protect his personal information and, as a result, inappropriately disclosed it. The bank faxed a copy of his credit card account statement to an individual impersonating him.

Though the bank believed it had faxed the information to the true customer because the caller had passed verification, we could not determine for certain what questions had been posed to the imposter to authenticate him. There was no recording of the calls and no notations of what questions had been asked. We also noticed that some of the bank’s authentication questions were weak; others were strong. The Assistant Privacy Commissioner therefore determined that the safeguards in place were inadequate, and that the disclosure of the complainant’s personal information was inappropriate. During the investigation, the bank agreed to strengthen its authentication procedures and keep an audit trail of authentication questions asked. It also agreed that, when a customer requests that information be faxed to him or her, additional authentication questions are to be posed.

The following is an overview of the investigation and the Assistant Commissioner’s deliberations in these well-founded and resolved complaints.

Summary of Investigation

The bank in question delivers banking services to its clients via the telephone and internet. The bank stated that an individual representing himself as the complainant contacted its customer care centre, to request that it fax to him a copy of the complainant’s account statement from a month earlier. According to the bank, the caller passed the verification procedures, and a few days later, the statement was faxed to the number the caller provided. The account notes the bank provided to the Office did not indicate what specific questions were asked as part of the verification procedures, and there was no tape recording available of this call.

Later on the same day that the statement was faxed, an individual representing himself as the complainant called the bank again, passed verification and requested that a password be added to the account. (The complainant had not previously established a password for the account.) Shortly thereafter, the bank received another call, this time requesting a cash transfer. The bank does not process such transactions unless the card is present and the code on the back of the card is provided. As the caller was unable to provide this code and indicated that the card was not in his possession, the call was transferred to the bank’s fraud department, where it was taped. The transaction was denied even though the caller was able to correctly state the complainant’s name, address, date of birth, and telephone number. In the taped conversation, there is a brief exchange between the impersonator and the bank’s security department representative, who informs the caller that the bank would not assist him without the code.

The bank’s fraud department contacted the complainant at home and confirmed that he had neither called to request a statement copy nor a cash transfer. The bank closed the account, established a replacement account, and applied a password to it. According to the account notes provided to the Office by the bank, the fraudster made two attempts to obtain cash the next day but could not pass verification procedures because the account had been flagged for suspicious activity.

The Office reviewed the bank’s identity verification procedures used by customer service representatives (CSRs). The impersonator in this instance would have had to have had the complainant’s account number and been able to answer two (out of six possible) authenticating questions. Some of the information requested is information that likely only the cardholder, someone very close to the cardholder, or someone who has a great deal of knowledge about the cardholder, would know. However, two of the questions (date of birth and home address) are not likely to be known only by the cardholder. Furthermore, the response to another question could be gleaned by calling the bank’s automated voice response system.

While it was possible that the impersonator in this case already had a good deal of the complainant’s personal information, it was not known which questions were posed to the impostor. Therefore, we could not determine just how much information the impostor had.

Certain information about a credit card account is available through the automated voice response system (for example, the account balance, due date, recent transactions). The following information is available on a statement but not on the automated response system:

• Statement messages about the status of the account
• Recent changes/promotions
• The reference number of the transactions
• The account number
• The credit limit
• The client’s address

Although the complainant felt that the faxing of his statement resulted in further fraud against him and other institutions, it could not be determined for certain that this was the case. Two of these items (promotional information and the reference number) are not personal information. The impersonator already had the account number, leaving the account status, credit limit and address as possible pieces of information that he did not have. Since the verification procedures to obtain a faxed statement contain questions about the credit limit and address, it is likely that the fraudster already had this information. Moreover, the investigation established that the complainant’s address information was available on canada411, by conducting a search on the complainant’s name.

The bank tapes customer service calls at random. When a call comes into the customer service area and pertains to an account that has been flagged for suspicious activity, the call is transferred to the bank’s fraud department, where all calls are taped.

The bank does monitor customer service calls at random, and employees who fail to conduct a full verification are subject to disciplinary action. The bank noted that perpetrators of identity theft are often equipped with the necessary information to pass verification procedures. In situations where the caller has sufficient information to represent himself or herself as the customer, it is difficult for the bank to avoid disclosing information. Such disclosures, the bank contended, are made in good faith, with the belief that the bank is dealing with the true customer and therefore delivering the level of service its customers expect.

The complainant was very concerned that the bank would fax his account statement to a number that it did not have in its contact information. The bank stated that it is not a customary policy or practice to fax customer personal information, but that it is done on occasion in an effort to better serve customers. The bank does not collect the card member’s fax number as part of the customer profile because it does not believe that there is a business need to do so, and it does not want to collect more information than required for a credit card account. Since faxing is not done on a regular basis, and not all of its customers have a fax machine, the bank stated that there is no need to routinely collect such information. If a card holder requests that his or her account statement be faxed, he or she will receive the information as long as the caller has passed the verification procedures, and the CSR is confident that he or she is speaking to the true customer.

The Office compared the bank’s identification verification procedures with those of another similar type of bank. The practices of both banks were found to be analogous. While the other bank will also fax the account statement at the customer’s request, provided the customer has passed identification verification, it does not routinely collect the customer’s fax number as part of the profile. Like the bank at the centre of this complaint, it requires the code on the back of the card for cash transactions but not for faxes.

Findings

Issued March 23, 2007

Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Principle 4.7.1 states that security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Organizations shall protect personal information regardless of the format in which it is held.

In making her determinations, the Assistant Privacy Commissioner deliberated as follows:

• There was no question that the complainant’s personal information was disclosed to an individual posing as him. The bank stated that it faxed the account statement in good faith to an individual it thought was the complainant because the person had passed verification.
• The issues to be determined then are whether it was appropriate to fax the customer’s statement to a number not listed in his profile; and whether bank’s practices for verifying identity were adequate to have reasonably prevented the disclosure.
• While the bank contended that it only faxes as a customer service gesture, the Assistant Commissioner was of the view that it is a practice that carries with it certain risks. The customer’s fax number is not collected as part of the customer’s profile; therefore, she found it difficult to see why the bank would agree to send a customer’s personal information to a number it does not have on file. Requests for duplicate statements should be mailed to the address on file.
• The bank indicated that it faxes if it believes that it is faxing information to the true customer. It determines this through its authentication procedures. In this case, as there was no recording of the call between bank and the impostor, it was impossible to confirm what specific questions were asked by the customer service representative to the individual claiming to be the complainant.
• In reviewing the procedures, the Assistant Commissioner noted that some of the procedures in place appear to be adequate in the sense that some of the information requested is typically only information the cardholder would know. However, she also commented that the date of birth and the home address were pieces of information that may be known by many individuals and not just the customer. In addition, one question could be answered by an impersonator if he or she had accessed the automated voice response system.
• While the bank believed it was sending the information to the true cardholder, there were some weaknesses with respect to the authenticating questions; consequently, without a transcript of the call or some other indication of the questions asked, the Assistant Commissioner could not know for certain that the customer service representative posed the stronger questions and was therefore certain that she was speaking to the true customer.
• She therefore determined that the bank’s safeguards did not meet the requirements of Principle 4.7.1, and the complainant’s personal information was improperly disclosed, contrary to Principle 4.3.
• To minimize the risks associated with faxing, the bank undertook to take additional authentication measures to ensure that the fax is being sent to the true customer. It also agreed to address the weaknesses within its current authentication procedures and to record on the customer’s account identification verification questions posed by its customer service representatives.

Given this, the Assistant Commissioner concluded that the complaints were well-founded and resolved.

Other Considerations

The Assistant Commissioner also referred to our Office’s recently issued Guidelines for Identification and Authentication. These guidelines are intended to assist organizations in devising methods of identifying and authenticating customers in ways that respect the fair information practices under the Act. They address different types of authentication, risk assessment, the role of the individual, as well as the importance of employee training.

See also

#381 Bank improves safeguards after individual’s personal information used fraudulently to open credit card account

#27 Man objects on principle to bank’s identification program