First Contact

Many consumers who receive a fraud alert from their bank may instinctively hang up, mistaking it for a marketing call.

In response, Citigroup Inc. has been fine-tuning its delivery of automated fraud-alert calls to debit cardholders. Subtle details such as how the bank introduces itself and even whether it uses a male or female voice can influence whether the customer stays on the line.

"It's critical that the first few words are to alert the customer or client that this is a fraud call, not a marketing call," John Gabrielle, the senior vice president of fraud operations for Citibank, said in an interview. "We tweaked the words because we were having a lot of hang-ups. I think people thought we were trying to sell something to them or trying to collect something from them."

A female voice, which Citi uses, has been found to keep callers on the line longer. Other factors, such as when and for how long the voice pauses between sentences, also play a part in how long the call's recipient is willing to stay on the line.

Citi has used technology from Adeptra Inc. of Norwalk, Conn., to conduct these calls for debit card users since 2008; its credit card unit has used the technology for even longer, Gabrielle said.

Lou Venezia, Adeptra's chief executive, said that although a fraud alert may require immediate action on the part of the customer, first and foremost "fraud is a service call, from a customer's perspective. You want to leave them with the fact that we are taking care of this … you don't want them to put their card away."

Though it is a call about fraud, "using the word 'fraud' in a strategy is actually not a good thing," he said. Using the customer's name and the bank's name first is an essential part of keeping the caller engaged.

Gabrielle would not share specific statistics on how this technology has helped cut fraud losses and improve customer retention after an incident, but he said it has proven effective.

Adeptra said the results of a customer communication psychology study echo Citi's experiences.

Unhealthy Practice

A team of Canadian medical researchers scouring file-sharing networks for exposed medical records found far more financial records are being inadvertently shared online.

The researchers looked only for files that were identified as legible documents: .doc, .pdf and so forth. Over the course of several months, the researchers downloaded files from 1,651 machines based in the U.S. and Canada, the technology news site Ars Technica reported Tuesday.

In the end, only about 0.5% of the files the researchers found were medical files. One and a half percent contained viruses, and even more were bank records. Two percent of Canadian files were banking-related, as were 5% of American files. These include login details, tax forms and bankruptcy documents.

These files are likely being shared by accident, such as when a user shares the computer's entire "downloads" folder, intending to share only music files but also mixing in any financial documents that were downloaded to the same computer.

"Although the numbers aren't as bad as one might have feared, the authors place it in context by pointing out the excessive lengths that people will go to in order to avoid disclosing this sort of information," the article said.

The researchers also found that many of the common search terms used on file-sharing networks are the sort that would turn up these medical and financial records. "This suggests that, however we may feel about exposing these documents, people out there are interested in obtaining them," the article said.

The data that the researchers downloaded over the course of the study is being kept on an encrypted DVD in a locked safe. In a year, the disc will be destroyed. Ars Technica notes that this is a trade-off: though it is ethically sound to isolate and destroy the data, it prevents any further analysis of the data set.

Envelope Please

Six hundred thousand Citibank customers received envelopes from the banking company with their Social Security numbers printed on the outside.

The envelopes contained yearend tax statements for Citi customers with mortgages and home equity loans, WBZ-TV, Boston's CBS station, reported Feb. 25. According to one Citi customer in Cambridge who the station found venting on Twitter, "That's messed up."

Citi told the station that the Social Security numbers, though visible, were obscure. "The digits were not identified as a Social Security number, and they were printed at the lower edge of the mailing envelope with other numbers and letters that together resembled a mail routing number," the company said.

In a letter Citi is mailing to the affected individuals, it blames the mistake on a "processing error." It is also offering 180 days of credit monitoring to those customers.

Unto the Breach

BlueCross BlueShield of Tennessee has been toiling since an October breach just to figure out which of its 3 million customers need to be notified.

On Oct. 2, a thief broke into the BlueCross office in a Chattanooga mall and stole 57 hard drives that contained the unencrypted recordings and screenshots from more than a million customer service calls, according to an article Computerworld ran Monday. Many of these calls included Social Security numbers in both the audio and the screenshots, but it has proven difficult to determine which ones contained sensitive information and which ones did not.

"Unfortunately … an electronic solution could not be formulated, and a largely manual review of audio and video files has been necessary," BlueCross wrote in a letter to the Maryland Attorney General's Office.

BlueCross is working with the forensics company Kroll Ontrack Inc. to sift through the data. In all, 500 full-time employees and 300 part-time employees have worked over two shifts, six days a week, to determine the extent of the breach, the article said.

So far, this process has consumed 110,000 work hours and has cost more than $7 million, exceeding the $6.75 million cost of the average data breach calculated by analysts at the Ponemon Institute. BlueCross has notified 300,000 people so far and plans to continue sending notifications for several months, the article said.

Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.
Please e-mail us any comments, ideas, and suggestions about this column.