March 14, 2006 at 10:00 AM ET
What if a desperate identity thief digging through your trash found a credit card application ripped into little pieces, taped it back together, filled it out and mailed it in? Would he get the credit card?
The answer, according to one man's experiment, is clearly yes.
Rob Cockerham is a credit card company's nightmare -- in this case, JP Morgan Chase & Co.'s nightmare. Armed with a roll of tape, a digital camera, a blog, a lot of irritation about those unsolicited credit card offers and a rapier wit, Cockerham set out to embarrass the company's credit card division about one month ago.
It was that mountain of credit card applications, so familiar to any adult American with a wallet, that drove Cockerham to perform his experiment.
"I get a heck of a lot of credit card applications in the mail," he writes. "I almost always tear them in half and throw them away. Sometimes, if I am feeling particularly paranoid, I'll tear them into little bitty pieces." But, he wonders in the blog, "Is that good enough?"
So he mimicked the steps an ID thief might take. He performed reconstructive surgery on a Chase MasterCard credit card application with Scotch tape. For good measure, he changed the address on the application, to see if Chase would mail the card directly to an identity thief. And he used his cell phone number, much like a criminal would. He documented it all, mailed it all in and wondered what would happen.
The answer -- and the punch line -- wasn't long in arriving. Cockerham's card was mailed to the new address, his father's house, on March 4, less than a month after the tattered application had been sent in.
"I still can't believe it came," Cockerham told MSNBC.com. "Crazy."
The saga is documented on Cockerham's Web site, cockeyed.com, under the heading "The Torn-Up Credit Card Application."
In his blog, Cockerham pulls few punches. At one point, he points to a Chase Web site on ID theft, where the company recommends that consumers "tear up" financial solicitations before throwing them away, "so thieves can't use them to assume your identity."
In honor of Cockerham's humor, this column is being renamed the Red Scotch Tape Chronicles for a day.
Situation called an 'Internet prank'
Chase spokesman Paul Hartwick called Cockerham's Web site an "Internet prank." The company, he said, takes fraud detection seriously and employs 1,000 people to "protect our customers."
Applications that arrive in damaged form are customarily transferred to an electronic format, he said -- often by machine. So it's possible a human being never handled the taped-up application and never had the chance to spot the obvious sign of trouble. He refused to discuss Cockerham's application specifically, citing privacy concerns. But he said in general that an application that was filled out with a former address and a phone number that may at some time have been connected to the individual applying would likely pass a fraud test and be approved. The obvious implication is that Cockerham's father's address and Cockerham's cell phone number might have been in Chase's system somewhere, or at least in the database Chase used to verify the application.
"We have sophisticated systems in place to protect our customers, and to offer credit to customers who are creditworthy," he said. When asked if Cockerham should have received the credit card, given the state of the application, he answered, "Yes."
(For the complete text of Chase's response to the Web site, see the bottom of this blog).
That answer seems hard to believe. It is believable that a machine might have automatically re-entered Cockerham's application, so no human being was involved who might have noticed the tape. But that explanation hardly inspires confidence in the system. Neither did an incident in December, when Chase issued a Visa credit card in the name "Never Waste Trees" to another prankster.
On the other hand, Chase is a bit unlucky that it was targeted by Cockerham's comic wrath. It's hardly the only company that has issued credit cards in embarrassing fashion. For years, underaged children and pets have been getting credit cards. But zero percent balance transfers aren't limited to domesticated animals. Even Alan Greenspan once testified before the U.S. Senate Banking Committee that "dogs, cats, and moose are getting credit cards." That was six years ago.
Not much has changed since, except that about 25 million people have become victims of identity theft, according to the Federal Trade Commission.
It's time to face the facts
Clearly, some credit card applications are hardly screened for fraud.
Card issuers will respond with a card to any application that comes back with any signs of life -- and they'll deal with fraud later. That's how the credit industry works.
A certain number of high-risk applications will turn out to be fraudulent, but many won't, the thinking goes. And the banks can afford to play those percentages. To them, identity theft is just a cost of doing business, another line item like paper and postage and electricity. If there's a person behind that hastily approved application who must deal with credit report black marks, well, so be it.
The mind-set appears entrenched. Cockerham said he got an anonymous e-mail in response to his blog from a credit card industry worker with a confession: His employer tells him to approve literally everything -- even applications that come in with the words "stop sending me these." The issuer figures the consumers might change their minds once they have their hands on the plastic, Cockerham relayed from the e-mail.
Don't think the ripped-up application scenario is far-fetched. While I was researching the book "Your Evil Twin: Behind the Identity Theft Epidemic," many police officers in the western half of the United States told me there is a tight connection between identity theft and methamphetamine addiction. Meth addicts, who can stay awake for 30 hours or more, have been known to obsessively stitch together shredded documents to commit crimes.
For years, I've been quoting experts who say banks don't do a very good job verifying credit card applications. They often don't even check to see if basic information like birthday or street address is correct.
So each of those 5 billion pre-approved applications that carpet bomb American consumers every year is an identity theft ticking time bomb. Cockerham drives this point home with a sledgehammer. An application stitched together with Scotch tape? With a cell phone listed under phone number, and a change-of-address request?
At a time when ID thieves are unrelenting, when thousands of consumers around the country are reporting thousands of dollars mysteriously missing from their bank accounts, withdrawn via the magic plastic from places like Russia and Canada -- this is no time for banks like Chase to approve credit card applications that have been taped together. What more proof is necessary that the system is broken?
What needs to happen
It is time for Congress to take another look at this industry. In 2003, the Fair and Accurate Credit Transactions Act was passed. In it were new requirements for credit issuers meant to protect consumers from this kind of thing. Obviously, the rules aren't working.
It's time credit card companies were told to stop slinging 5 billion credit card applications around the country every year.
But don't hold your breath. Consumer advocates have pushed for such moderate safety measures for decades with hardly a budge from Congress or the industry. Back in the 1960s, the industry used to skip the application process altogether and mail unsolicited live credit cards to consumers, which led to an enormous crime wave. It took the better part of the decade, and an act of Congress, just to stop that practice. Pre-approved credit card applications, which are one teeny-weeny step away from that, soon replaced the mailing of unsolicited credit cards. We've been dealing with the junk mail and the theft ever since. And we will be for some time.
So for now, Cockerham has this advice for consumers who are equally frustrated by pre-approved credit card offers. Tearing them up, it seems, isn't good enough.
"You should probably buy a shredder today," he said.
A consumer can also call 1-888-5OPT-OUT to get off the specialized marketing lists credit bureaus give to credit card companies, or you can visit www.optoutprescreen.com and fill out the forms there to accomplish the same thing. In about six weeks, most of the applications will disappear. But be warned, you will be asked to supply your Social Security number. There's no other way to get off the lists.
Chase statement on Cockerham's Web site, delivered via e-mail from Paul Hartwick, Chase Card Services/Business Affairs:
"When Chase receives an application for credit, we are legally obligated to appropriately handle it. In rare instances, we receive torn or otherwise blemished applications. Still, we analyze each application by checking it for complete, accurate and critical information and conducting a series of credit and fraud reviews. If the application passes those reviews, we will issue a card to the applicant.
"Although this particular incident clearly is an Internet prank, Chase takes these matters extremely seriously and always seeks to improve its processes to serve and protect our card members. Chase is actively involved in fraud protection. We use sophisticated systems to monitor and detect fraudulent activity and employ over 1,000 people dedicated to protecting our customers. In addition, consumers are protected under MasterCard and Visa's zero liability policy and are not liable for any unauthorized purchases made with their cards."