AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.
Bank of America 866-242-6289: Legit Number For Debit Customer Protection Department

I normally don't blog about personal stuff on this blog (it's a corporate blog after all), but I thought I'd make a public service announcement today: the toll-free number 1-866-242-6289 is a legitimate Bank of America phone number associated with their customer protection department (for legal purposes, I'm going to have to give the CAVEAT that, at least, it was legitimate on June 8, 2012).

Why am I making this public announcement?  My debit card was compromised and I couldn't find out online whether the above is a legitimate, non-scammy phone number.

My Debit Card Compromised

I saw my work phone light up bright red.  Someone had left me a voicemail message.  Upon playing it, a pleasant yet mechanical female voice told me that the message was from BofA's ATM Debit Customer Protection Department.  My ATM card -- ending in the digits **** (starred out, but it was the correct number) -- showed "unusual activity" and I should call the above 866 number by June 22.  In other words, within two weeks.

I was given a message code to punch in my dial pad once I called in, no doubt to identify me.  The voice then noted that a "temporary hold may have been placed on [my] account" and would be removed "upon verification of activity."

As a guy who researches data security issues all day long it smelled phishy, as in a fishy phishing scam.  Could this be some kind of new ID theft or scam attempt that I hadn't experienced before?  I've certainly heard of it in theoretical terms and may possibly have run across a real-life story online.

I went to google.com to see if the 866 number was legit: I typed "site:bankofamerica.com 1 866 242 6289" and hit enter.  The Google operator "site:" searches within a specific website, in this case bankofamerica.com.  I got a notice that it did not match any documents.  A little unusual.

I typed "bank of america 866-242-6289" and hit "search" for a general lookup.  Sites with pages full of warring opinions on either side showed up, but these were message boards.  None of the websites listed were for bankofamerica.com, not surprising considering the results of my first search.

So far, everything was inconclusive.

I didn't want to engage in online banking because who knows how my card number got compromised?  No sense in getting my card number and banking information compromised.  What to do?  I did the only sensible thing: call the number on the back of my card.

I was ultimately rewarded with a lady telling me that the 866 number "is not on the list" of legitimate Bank of America numbers.  Furthermore, I failed the ID verification questions she threw at me: SSN, full address, etc. ... something didn't match up.

Uh-oh.  My internal threat level instantly shot up to "red."

"What do I do?" I asked her.  She couldn't help me out because I had failed to verify myself.  I'd have to call in again and go through the entire process.  Frustrating, but from her perspective a totally legitimate move: I could be some Nigerian prince trying to pull a fast one on her.

I called in a second time, and waited a while.  A long while.  To kill the time, I fished out and booted up a secondary computer that I rarely use that runs on Linux, and logged into my online BofA account.  I soon realized why I failed my ID check: my address had not been updated after a move over a year ago, and since I don't receive statements via regular mail, I hadn't been aware.

I also noticed a couple of unauthorized charges for Experian credit monitoring and PrivacyGuard, "a comprehensive credit reporting, credit monitoring and identity theft protection service."

Long story short: the bank customer rep verified my ID, I cancelled the card, and I asked him if the 866 number was legit.

He said yes, it's on his list.  My instant, internal reaction: Dude, what gives?  The first customer rep had checked twice for that same number, and knowing how call centers work, probably from the same list.  No wonder there was a "scam / not a scam" debate raging in the intertubes.

He also transferred me to a fraud specialist who would work with me to get my money back.  Essentially, it was the department that I would have reached had I dialed the 866 number from the voicemail that started the entire process.

I connected with Rachel, who was a sweetheart.  She helped me deal with both companies to get my money back.  We had some downtime while the companies did their thing, and I asked her whether the 866 number was a legitimate one, for the tie-breaker.  After all, if anyone knew, it'd be someone who worked at the department, no?

She said that, yes, the number was a legitimate one for BofA, and that they had called to let me know at my number listed in their records.  When everything was cancelled, voided, updated, and ultimately over, I thanked Rachel and I hung up.  The entire process, from the initial unsuccessful call, had lasted 64 minutes. Had my debit card been used to fraudulently purchase more items and services, it would have taken longer to resolve.

Some Post-Experience Musings

I say post-experience, but plenty of them cropped up while I was on the phone.

Why doesn't Bank of America have the number listed on their website?

I thought about this for a while.  The 866 number could be temporary.  Although, when you consider the criminal epidemic involving credit and debit cards, this would appear doubtful.

Then there is the fact that finding a phone number at the Bank of America site is not easy.  It's not impossible, like at amazon.com, but you can't just enter a number in the search field.  Among other things, the information is compartmentalized based on which state you do your banking in, so you do have to set up your query.  Maybe it's listed somewhere and I just missed it.

I briefly wondered whether the number was not listed as a security measure.  For example, let's say that the call I received was a phishing attempt.  If people don't immediately call the fraudulent number thinking it is a scam, perhaps they'll go to the Bank of America site to confirm the legitimacy of the phone number, just like I did.  Unbeknownst to us, the website is also compromised: the phishers also hacked the site, inserting the fraudulent number.  It's the perfect crime.

I quickly crossed out that explanation, though: if hackers can insert a fraudulent number, they certainly can insert a brand new page with the fraudulent info.  In fact, even if BofA decides not to list the numbers, period, a hacker could compromise the site anyway.

It seems to me that there is more to gain by listing the number than not.  Due to the heightened awareness of the existence of phishing scams, I'd imagine that a sizable number of the population would try to check the legitimacy of the number before calling it.

How many people do not directly call the 866 number, opting to do what I did because the whole thing seems phishy?

A natural follow-up to the first question.

Further musing on the issue, it must be frustrating to BofA.  They set up a number specifically to deal with the issue of compromised debit cards, but because of the environment we live in, it does not get used to its full potential.

Instead, people like me tie up BofA's regular toll-free number, negatively impacting the entire organization.  Plus, I was asked to verify my identity when I called regular customer service and when I was dealing with the fraud specialist, despite being transferred internally (which, by the way, is totally understandable).  Imagine how much time must be eaten up verifying callers' identities.  Not how BofA wants to be spending their resources.

Why did the first customer rep not see the 866 number on her list?

Beats me.  Innumeracy?  Multiple phone number lists?  I don't know.  However, I should remark that contradictory responses like these spread on the internet, further causing confusion.

Why can't Experian's reps hang up the phone?

This is neither here nor there, but I found this out entirely by accident and thought it was interesting.  After we had concluded our dealings with Experian, Rachel asked the rep to hang up; she and I had to call up PrivacyGuard.  The Experian rep told us he does not have the ability to hang up the phone.  Rachel ultimately had to call me back because of this little problem but that was kind of weird on Experian's part.

I can see how that's one way of eliminating any complaints that an Experian rep hung up on a client, but it feels like a move out of nowhere.  I mean, not being able to make outbound calls -- if your job is to take inbound calls only -- I can understand, but not being able to hang up?  Definitely odd.

Why was my card used for credit reports for other people?

My card was used to pay for credit reports.  Credit reports on other people.

Apparently this is allowed because before "cancelling" the service, reps at both Experian and PrivacyGuard asked me whether I knew the names of the people whose credit reports I had paid for.  One was a "Bill A." and another was some guy out in Tennessee.  They knew my name and wouldn't have asked me about Bill A. if it was not allowed, right?

I guess on the face of it, the ability to use someone else's credit card for obtaining a credit report or identity theft prevention services makes sense:  what if you decide to pay for your spouse's or life partner's or step-sibling's credit report, possibly because they don't have a credit card?  The option has to be there.

On the other hand, I was a bit puzzled: why would you try to protect yourself from ID theft by committing ID theft?  Yeah, debit card numbers are in no way IDs, but you get my drift....

I can only assume that hackers and scammers were using my compromised card to get information on other people to scam.  For example, maybe they were trying to figure out Bill A.'s credit worthiness (if good, ID and mortgage fraud come to mind as the next step).

As for the PrivacyGuard charge that showed up on my statements, there was a "$1 for the first 30 days" special offer, so it could be an instance where a hacker is testing the debit card number's validity.

Not So Bad

As experiences go, it wasn't so bad...considering that I had to cancel my debit card.  Everyone I dealt with was very professional and tried to be reassuring by explaining what they were doing, what they were going to do, what may have happened, etc.  Sometimes, it felt as if they were trying too hard to be reassuring, but then, it might be that I felt the pace to be a tad bit slow because of all the reassuring that was being done.

I honestly didn't need all the explanations that were being offered because I knew what was going on in general, but I can see how people who have better things to do than follow data breach stories all day long would find the explanations helpful.

Having to clean up after a breach of data is definitely a hassle -- at least -- no matter how pleasant the process.  But then, I already know this because I keep pointing out that it's always better to use encryption software to protect data and prevent a data breach than having to square away the loss of customer data.

By the way, in case you're wondering: I have no idea when or where the card was compromised.  I can tell you this much, though: it wasn't online.  I strictly use credit cards for such purchases.

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.