Saturday, January 27, 2007

Western Union Lost My Money

As the CEO of a company directly involved in fraud detection and consumer security, I spend a lot of my time traveling around the world, meeting with banks and ISPs. One of the subjects I talk about a lot is the growing problem of identity fraud. However, until recently, it had never affected me directly. Then a few days ago, it happened - someone stole $2,500 that I sent internationally via Western Union, using a stolen passport, in what seems to me to be a sophisticated, insider scam.

It started with my need to get $2,500 urgently to my daughter in Santa Barbara, from Singapore, in South East Asia. As I was attending the Forbes Global CEO conference in Singapore at the time, Western Union seemed like a good bet - as a means of effecting an instant transfer of funds between Singapore and the US. As I was in sessions most of the day, my wife volunteered to go to the Western Union outlet in Lucky Plaza, on Orchard Road, and send the money. She filled out the forms and sent it off. We were told the money would be available instantly at any outlet in California.

A day later, we got a call saying the money had not yet arrived in Santa Barbara. We checked with Western Union, and they told us that the money had cleared their system, and been picked up by the recipient at 3.57pm the day before. However, we knew that it hadn’t been. Clearly, something was amiss.

Over the next few hours, we called customer service several times. Gradually, the story emerged of what appeared to us to be an “inside job”. Within a few hours of the transfer taking place, someone, bearing a faked Canadian passport in the name of the recipient, turned up in Inglewood, California, roughly a hundred miles away from Santa Barbara, and claimed the money. This person knew the name of the sender, their nationality, the amount of the transfer, and the name of the recipient.

This information is available only to a Western Union employee - with system access - within California. This is why I am convinced that this theft was an “inside job”. How Western Union plans to combat this will be interesting to watch - the ease with which this theft was carried out, and the well-oiled nature of the response suggests to me that I am not the first, nor will I be the last, victim.

What happened next was exactly what happens to all ID fraud victims - lots of filling out of forms, and waiting for customer service to finish their “investigation”. But once this was complete, Western Union reacted with reasonable speed, and ensured that everyone got their money back. They even refunded the fees. But even though that kind of action is nice to see from a company that advertises itself as “the service you can trust”, that doesn’t mean they are off the hook entirely, in my book. Here’s why:

When my wife and I went back into the Western Union outlet within Lucky Plaza in Singapore to ask about how to file a police report on the loss, what we saw as we walked in the door was nothing short of amazing: laid out on the countertop were hundreds of photocopies of passports, the details of which were clearly visible to any customer standing in line. On top of the closest pile was the passport of a Miss Gau from the Philippines. Her birth date, her full name, her address, and other information were clearly visible - and eminently stealable. When we asked the counter clerk what the photocopies were doing sitting there, she said she was “filing them for the monetary authority”. Great.

Western Union, I would normally be addressing you as a prospective vendor, but this is personal: you clearly have some very basic work to do here, when it comes to cleaning up your information handling processes, stopping internal fraud, and protecting the identities of your customers.

Incidentally, AIG, one of our service partners, tell me that the average victim of identity fraud loses $2,500 in the scam, and spends several days filling out forms and waiting for results, plus a lot of non-productive time on the phone. That was my experience exactly.

No comments: