ID is for…

I missed a credit card payment to Capital One this month. Sheer incompetence on my part, of course – simply a matter of missing the date. Not, you would think, the end of the world.

I became aware of my forgetfulness when Capital One’s callcentre staff phoned me on Friday morning. The conversation went as usual with these companies: “Can I speak to Mr Ben Pl…Pleuvy [or something similarly vague]?”. “Speaking.” “This is Capital One here, I need to speak to you on an urgent personal banking matter. For security, could you please confirm your date of birth.”

Hang on, whose security are we talking about here?

“I’m not giving you my date of birth. It’s personal information. I don’t even know who you are.”

Rather impatiently, I was told that if I doubted their identity I could phone them: “You’ve got the number, it’s on our bill.” Gee thanks. I did phone them – even though it cost me 7p plus 2p per minute. Their system told me to key in my credit card number. I did. It told me to key in my date of birth. I didn’t. The system put me through to one of their callcentre folk. He asked me for my date of birth.

“No.”

Pause.

“Sorry?”

“I said no. I’m not giving you my date of birth. It’s my personal information.”

“But if you don’t pass validation, I can’t talk to you. The system won’t let me see your account until you give me your date of birth.”

“So you want my date of birth because your system requires it?”

“Yes.”

“But it’s my personal information.”

“But I need it for security.”

“Then you’ll just have to write to me, won’t you? Goodbye.”

After that second call, I had a think about why I wasn’t playing – until then, I’d been reacting out of sheer irritation, partly at my own stupidity in forgetting the payment, partly at the mere fact of being called from a callcentre. My date of birth is my personal information. If it is so valuable a piece of information that it can validate my identity, then I don’t want to give it to someone I know almost nothing about – even if I’m sure they are indeed working in Capital One’s callcentre, I still know nothing about their personal integrity. If, on the other hand, it isn’t a valuable piece of information (because actually it would take very little effort for anyone else to find out my date of birth), then the charade of giving it “for security” as though it is some kind of meaningful token is merely demeaning.

Call number three was pretty similar. Call number four came on Saturday morning. By that time, of course, I’d actually paid the bill, but Capital One’s systems apparently didn’t know that.

“Can I have your date of birth?”

“No.”

Sigh. “You have to pass validation or I can’t talk to you about your account.”

“So don’t talk to me about it.”

Sigh. “We aren’t going anywhere.” You got it. “You’ll have to put up with the calls.” She hung up.

Call four tried reasoning with me. “Why won’t you pass validation? You can ring us so that you know we’re Capital One.”

“I have rung you – and was asked for my date of birth.”

“Well, you have to pass security.”

“Not if it means giving you my date of birth.”

“We’re complying with the Data Protection Act.”

Well, no you’re not. You’re just trying to limit your risk under the Data Protection Act. Different thing altogether.

“You can ring us if you don’t believe we’re Capital One.”

“I don’t have any doubt that you’re Capital One – I’ve spoken to enough of you over the past 24 hours. My date of birth is my personal information. I’m not going to give it to you. In fact, I don’t even know what you think my date of birth is.”

“We aren’t going anywhere. You’ll just have to put up with the calls.”

“So you’re telling me you’ll keep ringing until I give you my date of birth? That sounds like harassment.”

“It’s important that we speak to you about your account.”

Not to me it’s not. At least, not if I have to bend to your will to enable you to do so.

But she’d rung off.

There was a call five, and may even have been a call six before Capital One’s systems obviously twigged that they’d actually had their money. The later callers were bad-tempered from the outset – their system may not allow them to see my account details until I’ve “passed security”, but it sure as hell let them see a note reading “This One Is Trouble” or words to that effect. The words “we’re going nowhere” were repeated. The threat to keep phoning was repeated.

This is a mess. I’m not precious about my date of birth. In fact, I am happy to give £10 to your favourite charity if you (so long as you’re not someone I know well) are the first person to email or DM me my date of birth any time before the end of April – but only £10, because I don’t believe it will be particularly difficult. So while I can think of lots of scenarios in which my supplying my date of birth provides some evidence of my identity, I can also think of lots of scenarios in which it proves nothing of the kind. I can also think of scenarios where a callcentre worker quietly harvests personal information to use for their own illicit purposes. Why should their systems pander to their paranoias rather than to mine? Capital One have never explained to me the systems they have in place – if any – to prevent their callcentre workers (overseas) from misusing my personal information.

Then there’s also that whole callcentre thing. The significant pause after you answer the phone, which means that a machine has dialled your number, not a person. The ridiculous “How are you today?” greeting. The utter failure to accommodate – the failure to have a Plan B for dealing with the maverick client – because “The system requires it”. This is not customer service – it’s (attempted) customer management.

I wouldn’t object to sharing a secret with Capital One – a password, a question and answer, some facts about my account. I wouldn’t mind if their callcentre staff were free to negotiate around establishing identity and to make a judgement on the basis of a conversation. But date of birth has become the standard mechanism for authentication, in spite of the obvious nonsense it is. And of course Capital One isn’t the only company to act like this – it seems to be pretty universal. It’s “what the system requires”. Well, not from me. Sorry.


4 responses to “ID is for…”

  1. Trish Bailey

    Ben

    I think you were absolutely right to insist on not giving that information. I experienced a similar scenario some years back (when all including banks) outsourced their call centre activities. I was contacted following an application of a successful credit card which they wanted to discuss with me following the application in order to complete and activate. First question I asked where are you calling from? “abroad”.
    My reply, this conversation is now ending, if you wish to proceed you will get someone from inside the UK to telephone me otherwise, forget it. 3 more separate calls from them over the coming weeks until someone “exhaustively” explained they were acting within DPA and covered (in India!!?). When they finished (together with some contradiction) my answer was reflective of yours “Well, no you’re not. You’re just trying to limit your risk under the Data Protection Act. Different thing altogether”. Asked by them “how do you know that” my answer “I specialise in it, it’s my job to know”. That ended that and I never used the service and they never called again. In the meantime I wrote to HQ in London using DPA to remove all details from all their systems home and abroad. Finally some months later I played dumb and asked to discuss this “account” to which their reply was “we can’t find your record”. EXCELLENT!

  2. A man after my own heart. Come to that, Trish is a woman after my own heart! We maverick customers rule the world!

    And just how useful a security question is Date of Birth or Mother’s Maiden Name anyway?

  3. Fascinating reading and lessons learned from all of you.

    Next time I am asked I will follow suit – thank you!

    Józefa

  4. Cheryl Cooper

    Oh, you’ve hit a nerve here. You are not alone, Ben, and Capital One isn’t the only culprit. All credit card companies do this…

    I recently made the mistake of spending a few weeks in the USA and not checking that my credit card payments had been made before I left.

    I started to receive exactly the same kind of calls as you, and I also said that I was unwilling to provide any personal details to an unknown caller. Their frustration at not being able to follow their “validation script” was palpable.

    They continued to ring several times every morning around 8am and 9pm UK. As I was actually in California, this means they woke me up in the middle of the night on several occasions – you can imagine how willing I was to co-operate…

    MBNA are still sending me text messages asking me to call them immediately. This week I am outside the UK and they only provide a UK 0800 number, which I am unable to dial internationally. I texted them back asking for an international number I could call them on but of course their texts are sent out by a computer not a human and so not designed to respond to requests of this nature…

    On other calls, received from my bank, I’ve also been asked to provide my full name, address, date of birth, phone number and mother’s maiden name when I answer my mobile in a public place. I am not willing to announce this information to any passers by either…

    Best solution? Pay off my credit card debts quickly!

    I will continue to refuse to give out personal data to strangers on the phone – whether they say they work for a credit card company, bank, telecomms company or not, it is, after all, basic good sense for personal data protection…
