|
Banks are selling
your private information
Last in a five-part series: Halloween
Horrors
By Holden
Lewis • Bankrate.com
Imagine how astonished you would
feel if you opened your credit card statement and found a $19.95
charge for a pornographic Web site that you had never viewed.
Picture yourself explaining the
transaction to your boss if the charge was on a company card. Or
calming down your spouse and offering desperate assurances that
the charge was some kind of mistake.
For about 900,000 people, this scenario wasn't
an abstract horror. It really happened. Even scarier is how and
why investigators say it happened.
A crime occurred, officials say -- a crime made
possible by an everyday banking practice: the sale of sensitive,
personal information.
And it might not be your bank that peddles data
about you. When it comes to credit card numbers, it could be the
bank used by a local store where you charged something recently,
the bank for a distant mail-order company you've used your card
with or the bank that processes card charges for a company you dealt
with over the phone months ago.
False
billing for services
Authorities say a California bank sold millions of credit card
numbers to a company controlled by Kenneth Taves so the business
could use the numbers as a "fraud scrub" while processing credit
cards for adult Web sites.
But Taves is now charged with billing huge
numbers of those credit card accounts for access to porn sites card
holders never visited and pocketing at least $45 million. Taves
has denied the charges.
If that's not scary enough, consider this:
- The card numbers that Charter Pacific Bank
sold to Taves weren't necessarily those of the Agoura Hills, Calif.,
bank's customers, according to the investigators. Most of the
numbers belonged to customers of merchants that had accounts at
the bank.
- It didn't matter that the bank sold account
numbers but not cardholders' names or card expiration dates. Accounts
were still charged, without a name, expiration date or signature,
because the amounts were small enough to escape scrutiny.
- Apparently, the bank broke no federal laws
when it sold the account numbers."They have not done anything
wrong," says bank spokesman Steven Fink. "They have not been accused
by anyone of doing anything wrong."
The bank has stopped selling credit card numbers
to merchants, Fink says. He notes that in the days before credit
cards had magnetic stripes, cashiers checked card numbers against
printouts of card numbers to cut down on fraud. The database that
Charter Pacific provided was an electronic version of those printouts.
Criminal
record no barrier
In fact, banks sell all sorts of information -- including Social
Security numbers and checking and credit card account numbers --
to whoever has the money to pay for the data. The information might
be provided to an affiliated brokerage selling mutual funds (just
as your certificate of deposit is about to expire) or to a telemarketer
who calls you at dinnertime to sell you a health club membership.
| Preserving your privacy |
|
Jason Catlett, president
of Junkbusters
Corp., has some suggestions for keeping your information
private, but he cautions that they aren't foolproof.
-
Read the fine print
in your bank and credit card statements, especially passages
dealing with privacy and the selling of data. "Very few
people look at the fine print to see just how open the
doors have been left," he says.
-
Follow the directions
for opting out of information sharing and hope for the
best. "That's not always effective," Catlett says. "I've
personally had some dealings with financial institutions
where opt-out didn't work."
-
Pressure political
leaders to tighten privacy laws. The 'financial modernization'
bill may come to a vote before the end of the month. Find
your congressman's position on the privacy provisions
in the bill at the sites for members of the House
or Senate.
|
"There's no legal impediment to them doing that,
provided they haven't said they won't," says Jason Catlett, president
of Junkbusters
Corp., a privacy consultancy and advocacy company.
And even if the bank that issues your credit
card promises not to sell information about you, another bank might.
For example, if you charge a meal at a restaurant, the bank that
services the restaurant's credit card transactions could sell information
about you.
That apparently happened when Charter Pacific
Bank sold a database containing more than 3 million credit card
numbers last year to Taves, who was on probation at the time for
check counterfeiting. Bank officials say they didn't know of Taves'
criminal record. And the law doesn't require banks to check for
criminal records in its buyers' pasts.
"In my opinion, Charter Pacific should not be
trapping account numbers as part of its backroom operations for
companies and selling its account numbers," says Edmund Mierzwinski,
consumer program director for the U.S.
Public Interest Research Group, a consumer and environmental
watchdog organization. "Essentially, they're selling information
about other people's customers."
The
mysterious charges
After the account numbers were sold to Taves, thousands of those
account holders were billed for Internet pornography services that
they had not ordered, according to the Federal Trade Commission.
Some of the victims didn't even own computers. Cardholders received
statements with mysterious charges from businesses with names such
as Netfill, N-Bill, xbc.com, TAL Services, Online Billing and Discreet
Bill. The FTC says Taves ran those companies.
The fraud scheme was made possible by Charter
Pacific's sale of the account numbers, authorities say. The California
attorney general's office has said that the bank apparently did
not break any criminal statutes.
A spokesman for the Federal
Deposit Insurance Corporation would not comment on any specific
case. "In general, the issue of selling products is a business decision
for the banks," he says.
Charter Pacific has said that the sale of credit
card numbers was "provided entirely as a vehicle to prevent fraudulent
activity," and the bank says it has stopped the practice and will
refund money to victims.
A
bank gets in hot water
Congress is now considering whether to regulate banks' use of
customers' personal information, and some states cast a disapproving
eye on the practice -- especially in the wake of Minnesota's lawsuit
against Minneapolis-based U.S. Bancorp and the subsequent settlement
this summer.
U.S. Bank and its holding company, U.S. Bancorp,
were accused of selling customer data to MemberWorks, a telemarketing
company, for $4 million and a 22 percent commission on sales to
those customers. MemberWorks sells everything from dental insurance
to travel packages through what are called membership programs:
You pay a fee to become a member, then you get discounts.
Late last year, Dorothy Christensen, 90, of
Robbinsdale, Minn., discovered about $200 in unfamiliar charges
on her U.S. Bank Visa card. She used the card mostly to buy prescriptions,
but her bill contained charges for a couple of purchases she didn't
recall. One was for SmartSource, a MemberWorks program that promises
discounts on computer games and software. Another charge was for
Essentials, which MemberWorks describes as "a unique membership
program that lets you take advantage of savings on fashion merchandise,
fitness products and personal grooming items."
The elderly woman, now deceased, didn't own
a computer and had no interest in computer video games, according
to affidavits filed with the Minnesota attorney general. She didn't
want fashion merchandise or fitness products, either.
Minnesota Attorney
General Mike Hatch's staff discovered that U.S. Bank provided
MemberWorks with customers' personal information, including credit
card account numbers, account balances and credit limits, checking
account numbers, Social Security numbers, marital status and bankruptcy
scores.
No,
not personally ...
When MemberWorks sold memberships to U.S. Bank customers, the
fees were billed directly to their U.S. Bank credit cards or debited
from their checking accounts. The MemberWorks telemarketing scripts,
approved by U.S. Bank, instructed callers to tell bank customers
that the telemarketer didn't "personally" have the customer's account
number, according to the attorney general.
| If you've found unauthorized
charges on your credit card |
|
Card holders who found mysterious charges by Netfill, N-Bill,
MJD Services or Webtel can get
detailed information compiled by John G. Faughnan, who
was billed for unauthorized charges in 1998.
|
Minnesota sued U.S. Bank and its parent company
for violations of the federal Fair Credit Reporting Act. That lawsuit
was settled in July. Without admitting any wrongdoing, U.S. Bank
promised to stop sharing personal information with other companies
marketing nonfinancial products, and to allow customers to opt out
of information sharing to affiliates and outside companies selling
financial products.
"U.S. Bank did eventually hear the cries of
their customers," says Leslie Sandberg, spokeswoman for the Minnesota
attorney general.
Cops
'R' Us
By settling the lawsuit, U.S. Bank gets to police itself. Such
an arrangement is fine to the banking industry, but consumer advocates
don't necessarily like it.
"The problem with self-policing is enforceability,"
Mierzwinski says. "The kinds of self-regulation that we're looking
at, where the banks and data dealers don't tell anyone what they're
up to, that's no good."
Mierzwinski has testified before Congress in
favor of "opt-in" legislation, in which banks would not be able
to sell data about a customer unless the customer gave the OK. Right
now, some banks (such as US Bank) allow customers to opt out --
to ask that their private information not be shared.
Mierzwinski says banks understand that information
is money, and they guard both zealously.
Banks, he says, "have a lot more information
than, for example, your video store has. The bank has a lot more,
and they'll be looking to make a lot of money on it."
-- Posted: Oct. 8, 1999
|
