How being a victim of fraud - and later in a position to decide fraud outcomes - led me to fix the problem.
By Lou Steinberg
I recently watched this ABC7 news segment in which Benjamin Manley of Napa, Calif. described how Bank of America denied his fraud claim – even though he reported the fraudulent transactions to the bank as they were still occurring. I encourage you to check out the video – Mr. Manley’s story is alarming.
For me, watching the segment is déjà vu. Ten years ago, my wife and I were victims of a very similar bank fraud. Like Mr. Manley, we had irrefutable evidence that we were not physically in the same city when the fraudulent transactions occurred. Also, like Mr. Manley, despite infuriatingly obvious evidence to the contrary, when it came time for the refund, the bank notified us that we had stolen the money from ourselves.
Ironically, I later went on to become Chief Technology Officer at TD Ameritrade, where I had to weigh in on difficult decisions as to whether to reimburse our customers when fraud was claimed. Given my experience, I took extra care to ensure fairness and to maintain TDA’s outstanding reputation for treating customers well. I believe I did that.
After leaving TDA, I created Authoriti, a new company with the goal of beating fraudsters by flipping the model and putting bank customers in control of all their transactions. The Authoriti Permission Code™ smart PIN technology is specifically designed to prevent fraudsters from executing transactions in your accounts. You control your money and your personal information, and banks have the confidence that you are who you say you are and the actions you are instructing them to take are real.
Like Spider-Man gaining powers from a radioactive spider, I’m hoping my toxic encounter has given me the ability and insight to help us defeat fraud worldwide. You know about Mr. Manley’s case. Let’s run a post-mortem on my case to give you a full picture of the problems we are facing. This could easily be you!
Part 1. The Con
My wife and I had a bank account at a local Connecticut branch of a national bank. I arrived home one day to find a message that said, “The fraud-detection system at our bank has noticed unusual activity on your debit card account. Please call us.” Of course, that was great to know. Except we didn’t have debit cards on any of our accounts.
I believe that debit cards don’t have the same level of consumer protection as credit cards. My ATM card is an ATM card, not a debit card.
I called the number and learned it was, in fact, about the account I had opened in town. After sitting for years without us touching it, someone had drained the account. So, the “unusual activity” was that the balance was now zero.
What really happened was that a “heavy-set, dark-haired woman” (the bank’s description to me) walked into a branch of the bank in Florida with a fake ID that had my wife’s name, this woman’s picture, and my driver’s license number. The robber had apparently acquired a profile online that mixed some of our license data.
Part 2. The Robbery
The fraudster walked into the branch and said, “Hi, I’m Mrs. Steinberg. I’m moving to Florida from Connecticut. Here’s my driver’s license. I’d like to open an account.” Because she was opening an account and only deposited $100, the fraud alarm bells were not going off.
Then she said, “and I’d like a debit card.” Then, “I’d like to link it to my other accounts.” And they said, “fine.” So now she’s got a bank debit card, and she’s linked the new account she created to my real account.
She then visited several different branches of the bank over the course of a couple of days, taking out cash from tellers (rather than ATMs). She would make four or five stops a day taking out thousands or tens of thousands of dollars at a time. She did this until the account got to zero.
Part 3. It Gets Worse
The bank undertook a multi-month investigation, only to come back and say, “We think your wife went to Florida and took all the money out.” Just like the ABC7 story, they accused us of defrauding them.
We quickly and easily proved where my wife was. She is a school teacher and, on the dates in question, hundreds of school employees and kids could verify that she was in school. Further, she didn’t look anything like the description of the fraudster from the bank’s security cameras. They didn’t care. In fact, they dug in their heels.
After a few months, because of the size of the theft, they escalated the case to their senior fraud investigation team, and I used the last quiver in my arsenal. I noted that by not checking the fraudster’s driver’s license number as part of their account opening process, the bank had violated the Patriot Act. If they had, my name would have come up. It just goes to show you how fragile our system of entity authentication and transaction authorization really is.
Part 4. The Sting
One day I was on the phone with the senior team for the hundredth time. But this time, it was moments before I went up on stage at a SIFMA conference. For those of you who know me, you know that I couldn’t resist the opportunity.
I said, “In five minutes I’m giving a talk on stage to your regulators and I’m going to tell them a fraud story. I’ll tell them that you gave away my money, that the fraudster used a fake ID, that you apparently didn’t run the ID according to the Patriot Act. I’ll tell them that even though the person on the video doesn’t look like my wife, and even though she has hundreds of witnesses that put her at school in NY while the money was being taking out by in person in Florida, you claim we’re defrauding you.”
“The only thing I don’t know is how the story ends. The clock’s ticking because I’m going on stage. What would you like me to tell your regulators?”
And the senior fraud person said, “We’re going to put the money back.”
But what if I hadn’t found myself with this sudden leverage? I suspect that I would have been out the money. Using me as Exhibit A and Mr. Manley’s case as Exhibit B, the banks’ approach to fraud does not appear to have changed much over ten years. They still blame the victim.
Bank of America’s statement to ABC7 was this: “As fraudsters become more sophisticated, it can be even more difficult to determine whether the customer or an imposter engaged in the activity.” My statement to BofA is: “it doesn’t have to be that way.”
Today at Authoriti, I’m taking my learnings and focusing on what we really need to do to fix the problem. Authoriti has improved the control of information by allowing consumers and businesses to easily and securely create Permission Code smart PINs. Permission Codes contain detailed instructions (including who, what, when, and where) which are encrypted and digitally signed with private keys to authorize specific actions, such as authorizing the movement of money and granting fine-grained access to personally identifiable information.
Authoriti both eliminates fraud risk and improves customer experience by giving confidence that the other party is who they say they are, and that their requested transactions and activities are fully authorized.
Lou Steinberg is a co-founder of Authoriti.