America Online never stops telling us about how vigorously it strives to protect its members from spam, viruses, spyware, identity theft and all sorts of other fraudulent behavior on the Internet.
What it doesn't talk about is this: What chance do we have when AOL itself is a participant in, or at least a beneficiary of, the fraud?
That's the question implicit in the story I'm about to relate.
About a month ago, a couple of suspicious charges appeared on my American Express card statement. AmEx informed me that the vendor was AOL. This was odd: I hadn't signed up with AOL. In any event, I use the card in question -- a corporate card issued by The Times -- for business expenses and travel only. American Express obligingly suspended the charges and opened an investigation.
Meanwhile, I started my own inquiry by calling AOL. After much wasted time and effort (I believe that trying to speak to AOL by telephone was originally devised as a torment for mortals in purgatory), I was able to inform a phone rep that my credit card number had been used fraudulently and that I wanted the online account closed. She asked for my account number and screen name. When I replied that the whole problem was that I didn't \o7have\f7 an account number or screen name, she refused to take any action. Instead, she gave me a number for AOL's fraud department.
Considering that the fraud guys, if they're doing their jobs properly, will cost AOL money by weeding out improper accounts, it's hardly surprising that they're \o7very\f7 hard to reach. The first time I called, I spent 53 minutes on hold, at which point the battery of my cordless phone expired. Moving on with my life, I didn't try again for another three weeks. This time I was on hold for 57 minutes, but the cordless held out. The live representative I finally reached took down my credit card number, scrutinized the account and terminated it on the spot. The following conversation ensued:
Me: "Can you tell me how this happened?"
AOL: "Somebody had your card number."
"Who?"
"We couldn't tell you."
"Why not?"
"You'd have to subpoena the records."
"I'm going to need a subpoena to know who stole my card number? How do I go about getting a subpoena?"
"Well, you could contact your district attorney's office."
When I instructed him to reverse the charges to my credit card, he offered to mail me an affidavit to fill out. AOL would credit back the false charges I listed on the form, he said, but only if they were incurred within the previous 90 days. "We feel that 90 days is enough time for someone to inform us that they did not start an account with us," he said.
"Really? Do you have any idea how difficult it is to get through to you?"
The rep acknowledged that many customers might not receive a credit card statement showing a fraudulent charge until a month after it was made. That's 30 days down the drain. Some people don't have the better part of a few hours to waste on hold until AOL gets around to picking up the phone on its own schedule. This phone number, by the way, is the only path to the fraud department -- AOL doesn't accept such complaints online, or by fax or e-mail. So another couple of months might elapse before some people get through. Ninety days can pass in the blink of an eye.
Presently, my affidavit arrived. To say the least, it's a massive intrusion on my privacy. It requires me to mail AOL copies of my credit card bill, along with a personal utility or insurance bill as proof of residence. (Question: If I don't live at the address I gave them, how did I receive the form they mailed me?) It asks for the names of all authorized users of the credit card. And so on.
Plainly, none of this would be necessary if AOL followed reasonable security measures and identity verification procedures at its end. Its sign-up program evidently can spot whether a card submitted for billing has been fabricated or reported lost or stolen (it then refuses to open the new account), but it doesn't appear to verify the submitted billing address or otherwise determine whether an unauthorized user might be exploiting a stolen number. Otherwise, the system presumably would have refused my AmEx card, because it's doubtful that whoever used my number also had my billing address handy. Anyway, forcing complainants to jump through hoops for redress is simply unconscionable.
