When you are in security long enough, people in your daily life seem to seek you out when they have a problem that may be security related. This morning was one of those times, when a friend showed me her most recent ATM receipt in a panic. She had gone to the bank to confirm that a $1,000 transfer she had expected had hit the account. Her savings balance: -$887,180.48.
My initial advice, after being a little surprised, was that she needed to go down to the bank branch to get this straightened out. She returned telling me that the teller said that it was fraud, that the fraud department was not answering the teller’s calls, and that my friend could call the fraud department directly. She asked me if I thought this could actually be fraud, a transfer made by some bad actor. I replied that I didn’t think a bank would honor any manner of withdrawal of nearly a million dollars from an account that can’t cover the amount, and that this is likely not fraud but a clerical error of some kind.
My friend called the fraud department number provided, and connected with an automated message asking her to leave a message with her account number, phone number, and information on the nature of the fraud. By asking for a phone number, the fraud department was leaving the indication that someone would call back. She logged into her online banking account, and showed me the transfer; it was for $888,888.88. The balance was the amount of money she had in the account, minus this bizarre withdrawal. I advised her that the money amount looked like a place filler, the kind of data a clerk at a financial institution puts in to fill out a field in an application. As a developer I had watched operations people do this before (usually with all nines) when an application had a required field (you cannot move off the screen you are on without putting data in it) but the field is not actually used for anything, just a bad or legacy application problem.
An hour later, no call, and she logged into her online banking account again. The transfer was gone, the account balance was back to normal, and no return call ever came from the fraud department.
So problem solved, but the way it was handled continued to bother me. The people physically at the bank were not empowered to take any action. A bizarre money figure was involved, and a problem was resolved without any further information. As a security professional, incident response is drilled into the collective mind of the industry: making sure people know what to do when emergencies happen, empowering people to respond properly, clearly written policies everyone can access, and ensuring everyone knows what response people to contact and how to reach them. In this case the front line bank professional suggested that the customer was a victim of fraud but there was no opportunity to speak to a person empowered to do any research and the problem was resolved with no further information or explanation.
I decided to see if anyone else had run into this. I started by checking out bankofamerica.com, and searching for the strange money amount $888,888.88. That produced no results. Searching for that money amount on Google exploded with results, some of which are detailed below. Ignoring any vitriol aimed at the institution itself (I have no issue with the bank: one policy or practice does not make an institution and BOA is associated with some key advances in online banking security such as one of the first wide scale mutual authentication implementations), it is clear that placing a negative transfer of this amount is standard operating procedure when fraud is suspected. In my friend’s case a money transfer came to her account that must have been flagged for some reason initially, and then quickly determined not to be a problem.
This approach has problems. Ostensibly the bank’s goal is to determine if there was fraud and if not to reintegrate the customer, if so get rid of the bad account and perhaps pursue further remedy. For that first case however, the handling of the fraud case that is not fraud will largely determine whether the bank customer remains a customer or not. If a bank appears to be looking out for both your interests as well as their own, the customer can leave with a positive reaction, or at least an understanding one. With this approach, the customer is left agitated.
So some things that might change to make this more palatable:
- A clearly written account alert online and on ATM receipts that indicates the account is in a hold state because of a potential fraud condition.
- Ensuring front line bank personnel, the tellers, can always access fraud personnel to review a case while a customer is in the bank branch.
- Ensuring someone can answer the phone when the fraud department is called, day or night, 24×7.
- Retiring the practice of entering a -$888,888.88 transaction in the account. At some point the bank will be responsible for a heart attack with this practice. More seriously, if the goal is to come to a timely resolution on determining whether fraud has taken place, having the customer start the interaction in a seriously agitated state, the near universal response to seeing that they owe almost a million dollars in their bank account, does not make sense.
- A follow up call if the fraud condition is resolved without the customer present and with a positive outcome (no actual fraud found), letting the customer know why this happened and that such investigations are for the mutual benefit of the bank and the customer.
- Add better information to the web site on what happens when an account is suspected of fraudulent transactions. Not enough where a thief is given a playbook of the bank’s response, but enough so that a customer is not left out in the cold wondering where their money went.
Invariably someone will argue that the cost of fraud is accepted as a cost of doing business, that these customers and the associated money they bring in are a rounding error for the bank, and other such specious arguments. This has little to do with the cost of fraud itself; this is the cost of losing customers and potential customers to a strange incident response process. Regarding providing effective support, the fact is that hiring phone personnel or training your existing ones to handle fraud scenarios effectively is not a major expense when balanced against negativity related costs to the brand. If the fraud department of the bank is overwhelmed, more tasks on simple cases must be pushed down to less qualified but more numerous support personnel.
Will this make people happy they cannot withdraw money because their account is on a fraud hold? No. It might however avoid losing that customer, and every person that customer talks to as a potential customer. It might make these experiences less life changing for the people involved. Because if the responses below are any indication, people leave this process very upset today. My friend is no exception.
The online responses of other persons:
Source: http://www.complaintsboard.com/complaints/bank-of-america-c74666.html
Source: http://www.reddit.com
Source: http://www.fatwallet.com/forums/textthread.php?catid=52&threadid=778747&print=1
Source: http://www.direction-connection.com/2007/01/31/why-bank-of-america-sucks/
Source: http://www.bankofamericasucks.com/viewtopic.php?f=1&t=3348
Source: http://volcanicensemble.blogspot.com/2006/12/bank-of-america-u-haul-of-banks.html
Source: http://bizcovering.com/business/how-bank-of-america-ripped-me-off/
Source: http://www.debtconsolidationcare.com/banking/bankofamerica-risk-assessment.html
Source: Facebook.com
Source: http://answers.yahoo.com/question/index?qid=20080212232923AAyprAW
Source: http://bankofamericasux.com/viewtopic.php?f=5&t=4143#p20696
Source: http://kaysthinkingroom.blogspot.com/
Source: http://forums.gibson.com/Default.aspx?g=posts&t=15077
Source: http://www.complaints.com/directory/2005/june/17/11.htm
Source: http://www.bankofamericasucks.com/viewtopic.php?f=1&t=3032&start=0
These kinds of things happen quite a lot in India and happened with me too…but as you said these also get resolved by themselves….
OK, I’m not an accountant, but this practice doesn’t make sense from the point of view of the bank trying to “balance the books”, which (to my mind) would be a case of summing the account balances. Surely applying arbitrary 888,888,888 deductions would give a false “bottom line”? The 888,888,888 would have to be moved to another account for it to balance, and again give a false impression of credits and debits?
I wonder if the interest you earn on the account (a calculation based on your average account balance) is affected by the days that go by with such a huge negative balance.
I wonder if it’s done instead of using a locking mechanism because it allows additional transactions to be requested — more data about possible bad actors in the case of fraud.
Obviously they should indicate a fraud hold on receipts, online banking sign-ins, etc, but there may be interesting constraints to interbank processes that this is the most efficient way to mark the account as potentially defrauded, stop the bleeding, and still obtain data while working within the parameters of a system they can’t fully control.
Obviously a B of A statement on the matter would be best.
Thanks for posting this. As I must wait until morning to call the fraud department, at least I know there may be some reason for this madness. I appreciate that BoA is attempting to protect me and my accounts, but logging in and seeing a giant negative balance in bright glaring red made me only thing mean mean things about my bank…..
And by “thing” I meant “think”.
See what Bank of America did to me? It fried my brain. Boo, Bank of America. Boo.