Friday, May 9, 2014

Thanks, Bank of America

We have learned that your Bank of America® credit card information may have been compromised at an undisclosed merchant or service provider. This does not mean fraud has or will occur on your account, but we are taking precautionary steps to help protect your account.

We're mailing you a new credit card with a new number and deactivating your old card on 05/14/2014. Your new card should arrive within 5-7 business days in an unmarked envelope. Upon receiving it, please:
Activate your new card immediately so you may continue making transactions without interruption 
Destroy your old card and start using your new card

If you've set up recurring payments with a store or service provider, provide those companies with your new credit card number and expiration date 
Keep in mind that if you have a Personal Identification Number (PIN) it is secure and remains unchanged 
Remember, your account has the Total Security Protection® package which provides you with greater defense against theft, loss and fraudulent use of your card.
-----

Dear Bank of America,

Thanks for the heads up. I'd like to ask a few questions, though:

How is it that an "undisclosed merchant or service provider" could compromise my credit card account? What does "undisclosed" mean, and undisclosed to whom? Don't you have standardized security measures in place for all merchants and service providers that use your services? Was it just me, or is this a systemic BoA problem that affects millions of other customers? What was the nature of the compromised activity, and how are you dealing with the issue (other than making me jump through these hoops?)

How can I properly evaluate this risk and possibly avoid similar situations in the future when the only statement provided is "this does not mean fraud has or will occur"? Don't you have algorithms and monitoring systems designed to red flag purchases that are inconsistent with my history? (You certainly did when I drove through Canada and suddenly found my card inactivated so I couldn't buy gas, or call you with my cell phone. That was a good one, thanks!). What does it mean if other "compromised" activities occur again? Are you going to just keep replacing my cards? And what does this say about the rigor of your monitoring systems?

Lastly, and most importantly, do you have any idea what it takes to change all the autopay accounts most cards are currently registered under? (rhetorical question, I'm sure you do and don't really care). It's not insignificant. Utilities, banks, brokerages, Netflix, Amazon, PayPal, cable tv... on and on and on (I'm sure other customers have more accounts than I do, things like smartphone and computer apps, music services, etc. Maybe even country club accounts like your executives enjoy). The time and aggravation involved in calling, emailing, and simply trying to remember all these accounts is, well, let's just say it again, not insignificant, and doesn't enhance anyone's productivity. In fact, it occurs to me to ask: why don't YOU call and update all my accounts? You have all the information.

So Bank of America, I'm asking you, please explain your Total Security Protection package and how this makes my life better? I was under the impression that you had tighter controls on your services than you actually do? What about your claims that unwarranted purchases can be identified quickly and won't be credited to my account? If all that can be undermined by one "compromised merchant or service provider" what does that say about your service?

Since it looks like I'll have to change the information on all my accounts anyway, maybe it's a good time to start looking at other card options.

by markk

[ed. Tried responding to this, but here's the reply: "Because email is not a secure form of communication, please do not reply to this email. If you have any questions about your account or need assistance, please visit http://www.bankofamerica.com and select the Contact Us link."]

[Thanks again, BoA!]