Will Bank Of America's Tellers Give Your Money To Just Anyone?
It seems, as in my experience, the answer to that is "Well, pretty much, yes."
In the wake of Bank of America's tellers, on SEVEN occasions, giving $12,000 total of my money to thieves armed with a fake driver's license in my name with the wrong expiration date, with no PIN number, no bank card, and no matching of my signature, a commenter here writes on this entry:
I've been sharing this story with my friend Jenn who banks with BofA, much like vlad she blamed the victim (Amy) and claimed her money was safe. We decided to test the system. Jenn* gave me her account number and her drivers license. We look nothing alike. I've got about five inches and forty pound on Jenn; my hair is brown while she's a blond bomb shell with a nose out of this world. Like Amy, Jenn only makes infrequent ATM withdrawals for minimal amounts ($100 - $200). Wednesday I was in another town for business and walked into a local BofA to see if I could withdraw money from Jenn's account, I told them "my" account number asked for $500 and handed them her license. A few taps latter I was told the available balance was $398 because it looked like my mortgage with country wide had just gone through and would I like to take the $398? I took $300 signed and walked out. Needless to say, Jenn is closing her account as I type and moving to a local credit union. Here's the best part, as I'm standing waiting for the money my phone rings, I answer "This is Carrie*" the bitch on the other side didn't even blink. Granted I had a valid drivers license and account number but neither of those things belonged to me and I DON'T MATCH THE PICTURE AT ALL!!!! I was in a town the account owners wouldn't go to and I broke the ATM pattern as well as the typical amount. Further, I now know that they had mortgage, who they have it with and when the payments (and amount) is due.Amy's case obviously isn't an isolated case and as frequent readers of this blog (I've seen both Vald and Snake comment before) you should know that Amy's not going to bend over and ask for more. Would you prefer she kept this information to herself? I personally am glad she's a bulldog and isn't going to let them get away with this shit. And no Amy, you're not boring me with this; I want to know what's happening! I find it disgusting that you would defend the bank and bait Amy (when she has better things to be doing) when, as Amy said, the bank is guilt of "flagrant negligence".
*names changed :)
BoA: Multiple layers of bullshit.
I keep seeing ads for WaMu bragging about how secure their web banking system is.
And all that isn't worth a bag of shit if the in-person system is subject to such simple attack. Hell, this wasn't even a good "Social Engineering" attack. She just said "Gimme her dough" and the bank handed it over!
brian at July 21, 2008 9:25 AM
I'm not bored either, Amy. Keep up the good work.
And I'll say again. I've not had good experiences with banks, while I have had very good experiences with credit unions.
Maggie45 at July 21, 2008 10:04 AM
Thanks so much, Maggie45. My neighbor suggested I join the SAG-AFTRA one (I'm in AFTRA for my TV appearances), but it's too far away, and I try not to drive very much, and really hate being in traffic. I know they have ATMs, but I sometimes need something at a branch, and it's smack in the middle of the traffic zone in the Fairfax District -- on the other side of town from me.
Amy Alkon at July 21, 2008 10:21 AM
Keep up the good fight and, no, not boring. I'm waiting with baited breath to see how this plays out. I'm rooting for you (in case that wasn't obvious) not only for your sake but for all of ours. If BofA gets away with it then it sets an example for other banks too and as the big banks keep gobbling up the small...
Oh, and I have to second the credit union experience. I've been treated more humanely in them than banks too.
Although recently, I wrote a check for my daughter's car insurance and the insurance company didn't use the check number and electronic transferred it with my routing information. The CU told me that was legal. I asked without a check number what's to prevent them or even an employee who wrote it down on a stickie note -- from using my routing information and withdrawing however much they wished. Their answer was disturbing (I wound up putting a stop on the insurance company) -- that I'd catch it at my end when the errors came up; it wasn't legal for anyone to do it without the paper check; if I questioned it and they couldn't come up with either the paper check or the authorization from me to access my account the money would be returned to me. When I explained that I found that disturbing since I live from pay to pay and having my funds withdrawn could very well mean I'd have no money to buy food or pay rent while it was disputed waiting for the money to be replaced, I got a shrug of the shoulders and advised to ban those kind of deductions.
I've stopped using paper checks at all. Now payday (automatic deposit), I go to the bank, get bank checks (cheap at my cu, same as money order from PO) to pay bills with (no routing info to my account) -- everyone including my landlord and people I've been doing business with for years (who knows when they'd unknowingly hire an untrustworthy employee) and withdraw all my cash. Anything else, transferred to my savings since they will not automatically pay anything like that from savings if checking is at 0 balance.
What kills me is that you have to know so much and spend so many hours nowadays preventing this. (They too encouraged me to check my accounts online daily.) The one was honest enough to tell me I was smart to use a PO box. It's ridiculous the effort you have to put into even if you're as financially challenged as me and have only savings and checking and mostly deplete those between paydays. I don't know how anybody with all kinds of accounts finds the hours in the day to keep on top of it all, especially since unless it's inherited or some other kind of windfall they've got to work long hours to accrue it.
And that's with normally intelligent, educated people. Those who are somewhat slow (no fault of their own) and just plain not knowledgeable (or don't have access to the internet), they can really be screwed and it's okay. Their problem. The banks can't be held liable for not better safeguarding the money you entrust them with. While we're all supposed to think it's safer than stuffing it into a mattress. (One fire or break in, it's gone; apparently, also could be with one identity theft along with your good name and possibily your freedom. Christ, I spent a lifetime minding the law to the letter because I didn't relish the thought of jail only to have to worry about some nutcake commiting a crime in my name?)
Why does this feel remarkably Twilight Zonish?
T's Grammy at July 21, 2008 11:02 AM
I'm bored with it, but that doesn't mean you're wrong.
In other security-related chat, I've been putting "check ID" on my credit cards for years. The only local (LA) retailer who bothers to check is whole foods, and I don't shop there much because I'm cheap.
Amy should do a blog empire of "How to Live a Grownup Life" with a thorough financial section. She could tell stories like this one and link others such as this.
I called a bank 45 minutes ago. (Actually Merrill Lynch, for a tiny old 401K that needs attention.) It took twenty minutes to get on a queue to be called back. When the phone rang I was on hold for two minutes until someone was free to talk to me. It's getting to the point where even these people can't keep up. And after all that, they wanted me to take a survey, because my opinion about their service is very important to them. The survey was, of course, automated.
The point is that corporate America now believes it's acceptable to run their customer service as a batch file. (Computer term of art; basically means lining up all your chores so that nothing exceptional can happen, starting the machine, and walking away before things go wrong.)
People need instruction on how to deal with this in terms of security, productivity, and ethics... Something a little more holistic than one of Cosmo's to-do lists.
I pity children of divorce (and others) who never got a chance to watch their parents handle these things close-up and over time. As fashions in finance change, it's like jumping between adjacent carousels or something.
(New personal policy: Any automated survey I take will reflect the least-satisfactory ratings to each inquiry. If they then care enough to pay someone to call back and ask what happened, I'll tell the truth.)
Crid [cridcridatgmail] at July 21, 2008 2:44 PM
Crid wrote: "In other security-related chat, I've been
putting "check ID" on my credit cards for years."
That's not valid, and it's in violation of your cardholder
agreement. If you try to use your card in the U.S. Post Office,
they'll reject it. Here's the instructions from Visa about what
to do if someone has "See ID" instead of a signature:
and provide current government identification, such as a
driver's license or passport (if local law permits).
card matches the one on the transaction receipt and the
additional identification.
http://usa.visa.com/merchants/risk_management/card_present.html"
Ron at July 21, 2008 3:41 PM
> in violation of your
> cardholder agreement.
I live on the edge, babe. I am badass.
Crid at July 21, 2008 3:52 PM
I read something about that, and I thought that it was only Visa's policy and didn't count for debit cards because the banks agreement supercedes the visa one. Or, I could be completely misremembering. Vegas does that to you.
christina at July 21, 2008 10:13 PM
> I personally am glad she's a bulldog
I believe that Amy is actually a terrier.
Marie L at July 22, 2008 11:50 PM
I am on the edge with Crid. Except that after my purse was stolen (at Christmas-time from my job) while I was in college, Capital One told me to write "check id" on the signature line to prevent future fraud.
Amy K. at July 23, 2008 11:40 AM
I work on the software side of banking, and what you have figured out about security is true. By and large, the credo is "Accountability not security".
There's a simple reason for this: When it comes down to it, security is always a compromise with usability, and banks are a customer-driven business. Those customers (both little guys like us and big corporations with actual pull) have decided they don't want that cost.
Look at parallels with airport security: they've done little more than the bare minimum - most of which is just playing security theater - and people are already griping: "I'll take my chances if I can just get through this line in under an hour!"
Those 'chances' they're talking about involve dying, it's worth an hour of their time, and this is not an uncommon sentiment!
So, yes, financial institutions can be more secure. For example, you could have a call back at a pre-established number to certify validity of a credit charge. You could call them, but then again, anyone could call them - it's better if they call you. Granted, you wouldn't want a cell phone as it could be stolen too easily; it'd be a house phone ... so preauthorize your exact spending & vendor before you leave your house. When you go to do it, realize that to be secure, none of the things they would use to identify 'you' can be personally identifying due to privacy concerns (isn't that amusing?) so you'll need some sort of key fob or challenge-response one time certificate or the sort. And just getting THAT would require fingerprinting and blood sampling and weekly re-validations to really be even reasonably secure that you're still really you. You changed your hair cut? Lost a few lbs? Don't exactly match your drivers license? Well, we just need a note from your state-certified hair dresser and authorized fitness trainer - or how can we know it's really you and not a clever lookalike? Granted, paying for a #4 combo meal at mcdonalds with a debit card would take around 2 hours plus planning, but it's secure.
Somewhere in there, between this extreme and no security at all lies what we have today; it makes criminals take some effort, but it's not foolproof.
It's like a front door. Yes, you locked it, but someone could steal the key, pick the lock, smash it down or just go in through the window. You'll avoid the crime of opportunity, but some determined individual could still get in, and there's always, always the human factor.
Banks, by and large, accept that. They don't like it any more than you, but humans are ingenious creatures and always find a way around security systems. So, they focus on accountability. If they can track it, eventually they can assign blame, and hopefully get the money back. Just checking the balance on your ATM card generates between 8 and 16 accounting records on every machine involved.
So, if your current bank's security isn't up to your particular idea of where the balance marker should be put between usability and security, you shouldn't worry. Most banks do offer more security (you may have to pay for it).
You'll have to find out what's available to you at your bank - like velocity limits (# of charges, by time, by amount), call backs, multifactor authentication, no-debit accounts, and so on.
So, no magic bullet, no simple habits will protect you any reasonable amount. If you want security, your biggest cost will be convenience. If it only takes you 30 seconds to get money from an ATM, or to sign a credit card slip - that's how long it will take a successful thief. In the end, the best chance you have is increase the work required to make it unattractive.
QW at July 23, 2008 4:02 PM
Forget the state hairstylist for a moment. We're talking THE most minimum due diligence that wasn't done. At this point, I'm wondering if somebody could walk into BofA with a license in the name of Santa Claus plus my account number, and get my money.
So, let's review BofA's "security" procedures -- or rather, lack thereof, in respect to the seven times they allowed thieves to ass-rape my bank account.
B of A didn't:
1. require a PIN number
2. verify that it was my signature
3. care that the expiration date was wrong -- if they even checked at all or noticed it was wrong before the thief got my money for the seventh time.
4. they didn't flag my account for withdrawals from teller windows, which I almost never make (maybe I've made one in the past five years), and certainly not in large sums.
5. they didn't flag my account for many, many withdrawals of large sums of money from teller windows in a very short amount of time.
6. they didn't flag my account for having these large sums withdrawn in places I have never been and probably never go. I'm a writer. I write seven days a week, and rarely leave a five mile radius around my house. I usually take out $200 when I put my syndication checks in the ATM. And almost always from the ATM at my branch, and probably around the same times and days.
It seemed BofA's level of checking was merely HOPING it was me, doesn't it, from what I describe above? SEVEN times.
And again, we're not talking retinal scans or anything like that. We're talking about THE most basic checks not done, and protections not in force.
I know other banks aren't like this. My sister couldn't get money out of her Wells Fargo branch, where they know her, because she forgot her ATM card. She says they check her signature and she has to punch in her PIN.
None of that went on at BofA, and when a woman with MISSING TEETH! went to ask for $1,500 of my money on at least one of these occasions. Gee, bet that woman just got a book advance, don't you think? Perhaps a little tome on "The History Of Dental Care In The Middle Ages: A Love Story."
Amy Alkon at July 23, 2008 4:51 PM
P.S. If anyone knows any BofA tellers current or past, who'd like to talk about how their bank verifies it's you -- if at all -- please send them my way. I will not post their identity.
Amy Alkon at July 23, 2008 4:53 PM
To nitpick:
- Most banks don't require their tellers to be signature experts, and any potential ensuing customer kerfuffle from challenging someone's handwriting combined with the ire of those behind them means that they never will be. It's likely the standards are higher when the amounts become higher - such as 100,000USD and above. At that point, they may verify your signature or at least require a senior bank official to sign off on it.
- The 'flagging' you're talking about is usually offered either when requested, or as an additional paid service/protection plan from banks. As far as I know, it's only ofttimes standard with certain level credit or debit card. Your mileage may vary.
This is because the tellers have no idea what's standard for your usage. You wouldn't want them looking at your last 10 transactions without your explicit approval. It's also still a tricky problem for a computer to determine 'trends that appear suspicious'. Trends that seem common sensical to you and I are very difficult to put into a program with good success. People accept that programs like spam filters only work 90% of the time, and lose an occasional important (valid email) - but can you accept that from a bank dealing with your money? False positives are especially damaging to the financial institution's image - say you're paying for friends at a fancy cafe and you splurge, or on vacation in the Caribbean getting a hotel room. That doesn't match your spending trends, so your credit card is declined - though a nice call is left at your home phone asking you to authorize it later. Since this is so common, it has a larger impact than the relatively rare chance that one of these transactions is a theft.
The only defaults FI's usually provide by default is out-of-country transactions require manual approval by someone at the bank. Even that may be because of the additional expenses (time, effort, $) the bank incurs on them, more than security.
If you work with a bank though, usually you can set up limits like "I will never pull more than 200$ a day from the ATM". Sadly, in person, you can still get around it as the authorization is implicit. After all, the person who has the authorization to change a restriction is requesting something that voids a restriction.
The bank doesn't worry as much about that, since it's a minority of the number of cases, and if they appear in person, they have the thief's image on video. Someone specific is culpable and that's enough.
- Last, pin numbers are not required with checking accounts - only for debit cards which may be associated with any given number of accounts (you can even have a savings account linked in). While some banks do use their debit cards + pin as an authorization mechanism for in-bank teller services, most don't. Even if they did, it can be bypassed - it's only there for convenience.
so ...
As an addendum to what I said in my first post; not only do you have to check out what your bank provides, sometimes you have to pick a different bank to get what you want.
As far as individual financial institutions go, I am currently an ex-BofA customer, and I've heard many bad things about them, some of which I can personally confirm.
I personally use Wells Fargo, and I've been pretty happy with them, but you need to pick a bank that matches your needs. They are all different, after all.
... and as a caveat:
No matter what bank you pick, you'll face similar problems. Remember: the motto is Accountability, not security. Don't be too surprised; this is exactly how our police work too. They deter crime not by physically stopping it, but by apprehending a criminal after the fact and placing them in the justice system.
QW at July 24, 2008 8:16 AM
We're not talking about tellers become expert forgery detectors but about them looking at a signature to see if it is remotely like that of the person who has the account.
I don't think you understand the level of negligence here.
Amy Alkon at July 24, 2008 8:39 AM
I have had an account with Bank of America for about four years now. I have never had an experience like the situations mentioned in your blog. In fact when I was shopping in a town about two hours north of where I live my credit card was shut down for activity outside of my normal range. A representative from the bank called my cell phone within ten minutes to verify the charges I was trying to make. It is unfortunate that a few associates could change your entire opinion of a multi billion dollar company. This would be like saying you never receive help at Wal-Mart. While they may never have someone to help you in a department you still continue to shop there for two reason...price and convenience. I also see multiple postings by people who don't want to give their fingerprints to cash a check, or people complaining for having to show their ID's because they feel that everyone in the world should know who they are without verifying their identity. I hope that you are able to receive the same world class service I receive at my Bank of America and the associates who didn't follow proper procedures are held accountable for their actions. Sincerely, Jason
Jason at August 11, 2008 6:38 PM
Okay...this whole site is the biggest load crap I have come across yet and I couldn't be more serious. I think it's crap that you have had service at Bank of America that has impacted you SOOOOOO profoundly that it has resulted in the establishment of this website. Simply...to bitch rather than calling the SERVICE DEPARTMENT to seek resolution. For those who didn't realize, a service department is initially established for complaints such as these. It is there to RESOLVE issues (for those of you who obviously didn't know). Rather than trying to get the problem fixed...I come across this crap! I love Bank of America- period. I hate broad generealizations- they aren't fair. I support complaining to the appropriate people to stop the non-compliant employees! Not commenting on 'The Goddess' Dog' website crap site and what not. Doesn't seem too difficult to me but...thats just me. Everything will always be someone else's fault and thats why this whole '.com' is mind blowing. Then, I find comfort in the fact that there are only about twenty of you out of the billions of customers there are complaining. That speaks volumes to me. Sometimes I feel like there are people who clutter together, miserable people, who just like to complain. Doesn't really matter what it's about...just like to complain. I need to end this comment...I feel like I've wasted about five minutes of my life here already. Get a life!!! I feel sorry for each and every one of you who spent more time here than getting to the bottom of things with the company you bank with. More important people with answers and authority.
Bank of America Customer Service Line:
1-888-432-1000 (took me about thirty seconds to find it, fyi).
Little Miss Furious at August 13, 2008 3:59 PM
Leave a comment