Tag: high severity

Stalled engine.

GM’s partnership with HSBC isn’t creditworthy.

med

ENABLER:
HSBC Card Correspondence
1441 Schilling Place
Salinas, CA 93912

OFFENDER(S)
TS (initials only displayed here; I am in possession of full names, called out in emails)

CHARGE
HSBC allows customers to sign up for their affiliate-branded GM Credit Card and email notifications, without confirming via an email loop that the customer has accurately provided, and/or the HSBC Inn CSR has accurately acquired, the customer’s proper and true email address.


DOSSIER
Towards the beginning of 2009, I started receiving email from HSBC, meant for their customer, TS. It appears that he used my email address as his sign up address, and HSBC doesn’t employ a confirmation loop, TS, who is a GM Card cardholder, is not getting these messages. He’s also not getting his payment messages, his “great offer” messages and more. I am.

I happen to be a member of one of HSBC’s other affiliate card programs, so when I called (see REHAB ATTEMPT below), they wanted my information to add to their case notes. I purposely refused to give them that as I didn’t want them to “accidentally” screw up MY file. They don’t need it anyway, but nothing has changed.

EVIDENCE
Note that the actual customer’s full name and the last four digits of their account number is included in the email.

example-hsbcgmcard

UNSUBSCRIBE VIA LINK?
No. You can update your “email preferences” if you sign in, but as I am not the intended recipient, I don’t have the customer’s login information. HSBC requires personal information to have the login information sent to the customer, so I was not able gain access to the account to disable it.

CAN-SPAM COMPLIANT?
NO [click for explanation]

REHAB ATTEMPT
I’ve called several time to try to rectify this situation, all to no avail. In each case, I’ve been unsuccessful in getting an HSBC CSR to understand the intricacies of the situation.

RESULT
No change

DEVELOPMENTS
As you read this, I have received no response at all from anyone at HSBC.

Overdrawn.

You’d think a bank would do better than this.

med

ENABLER:
Bank of America, N.A.
101 South Tryon St., 8th Floor (email responses go there)
Charlotte, NC 28255-0001

OFFENDER(S)
LA | VL | LP | LV | LM (initials only; I am in possession of full names, called out in emails)

CHARGE
Bank of America allows customers to sign up for their Online Banking and email notifications, without confirming via an email loop that the customer has accurately provided, and/or the Bank of America CSR has accurately acquired, the customer’s proper and true email address.


DOSSIER
Bank of America is one of the banks with which I have a relationship, which makes this post even more important. I’ve banked with them for a long time, and for the most part, they are pretty good about getting their systems down, but in this case, they’ve continued to fall down on the job.

I’ve received multiple email messages for each of several of their customers. Some are notices for mortgage payments due, account application updates, survey notices and so on. I, too, get these notices as a B of A customer, so I know what they look like, and I’m very aware (and wary) of phishing attempts.

Bank of America, as you’ll see in the evidence below, not only allows their customers to give them inaccurate email addresses, but they send out emails to their customers complete with their full names, email addresses and the last four digits of their account number. This is dangerous, as an attempt at social engineering is far easier with that information in hand than without.

EVIDENCE
Note that the actual customer’s name has been redacted, but I have that, as well as the last four digits of their account number.
example-bankofamerica

UNSUBSCRIBE VIA LINK?
Yes, but that would only stop the symptom, not the problem.

CAN-SPAM COMPLIANT?
Yes [click for explanation]

REHAB ATTEMPT
I’ve contacted the Online Banking support team on numerous occasions, explained the issue, and have had both good and bad experiences with the CSR’s response. At no time have any of Bank of America’s representatives understood completely what I’ve explained, and given that the emails continue, nothing has been accomplished.

11/20/09: I searched online for the highest ranking security official within the Bank of America organization, former assistant director of the Criminal Investigative Division and former acting executive assistant director for Law Enforcement Services at the FBI, Chris Swecker, and called their Charlotte offices and asked for his office. They eventually gave me his voice mail. I left a clear voice mail as to why I was calling, with an explanation of the issues and what needed to be fixed.

RESULT
No change

DEVELOPMENTS
As you read this, I have received no response at all from anyone at Bank of America.