Nov 172009
 November 17, 2009  Posted by  Breaches, Business, Featured News

So you keep a credit card or debit card on file with a business so that you can call up to conveniently make a payment by phone? One individual found out that the convenience enabled a stranger to authorize $1000 in deductions from his bank account to pay his Sprint account.

A blogger who elsewhere identifies himself as “Mike” recently posted a somewhat peculiar story on his blog in which he alleged that some unknown third party had called up Sprint Nextel’s pay-by-phone number, and by providing only the blogger’s phone number and zip code, was able to access his account balance and then — without his knowledge or approval — authorize two payments to his account from the card that he had on file.   He alleges:

over the past 4 days since the two charges to my account from my bank account for over $500.00 each i have spoke with over 17 reps from sprint most don’t know what to even say and forward me to the fraud department. most of the fraud reps and there support teams are up in the air about what to do ( yes i have filed a police report and they are following through with it ) the sprint rep did tell me that the payment was made via *3 on a sprint phone but because of privacy laws and policy’s at sprint they can not tell me who made these charges even tho they broke my privacy agreement by letting someone make payments after accessing my account with only my phone number via *3 on there sprint phone.

Somewhat curious about his claims, I contacted Sprint to get their response and comments. According to a corporate spokesperson, Sprint acknowledges that anyone calling up the pay-by-phone system with just a phone number and zip code could find out the user’s account balance, but they assert that that is consistent with their privacy and security policies because anyone calling up solely with that information could not access the bank account number or other Sprint account-specific information such as records of calls made, etc. Nor could a caller access money in the customer’s account.

But could a third party call up and authorize a payment to your account from your debit card or credit card without your knowledge or authorization? Sprint says that yes, it’s possible and explains:

One of the reasons that we opted for the zip code + phone number combination is that it actually serves as a privacy-enhancement feature to many customers. For example, the scenario in which a third-party most often accesses pay-by-phone on behalf of a Sprint customer is within a family relationship. So, if a parent typically pays the phone bill for their teenager, the teenager does not have to reveal his/her private PIN information and the parent/relative can still pay the bill via pay-by-phone.

As with many things relating to privacy, it’s a balancing act of convenience (as in the scenario above) and the individual’s privacy (and, of course, complying with all applicable laws.) Our feeling is that the current process strikes a reasonable balance.

In this case, the customer had no idea why someone would call up and reportedly authorize two $500 payments from his bank account without his knowledge or approval and he reportedly filed a police report. He did not indicate whether the bank and Sprint reversed the charges, but was clearly upset with Sprint for what he describes as inadequate privacy and security protections for the pay-by-phone system. And certainly, most consumers can envision the havoc that could be created if our bank account balance was suddenly $1000 less than what we thought it was and checks or other payments started bouncing.

As far as Sprint is concerned, their procedures will not change, for now. But as a corporate spokesperson informed this site by e-mail:

The blog post that you forwarded brings up some privacy questions and it’s a scenario that we will continue to monitor to see if we need to adjust our procedures. Based on the people I’ve spoken with in the company, the issue detailed in the blog post was the first instance they were aware of where a third-party, for whatever reason, moved money from a customer’s bank account into their Sprint account.

Sorry, the comment form is closed at this time.