MailCase Locking Mailboxes Uncovers AmEx Security Flaw

Special Report from MailCase Locking Mailboxes
Stolen Mail

The mail truck drives down Walden Ridge Lane every afternoon between 2:00 and 2:30. Nobody knows this better than Sheila (last name unknown).

[Image: Walden Ridge Lane]

Sheila has a drug problem and has turned to crime to pay for her drug habit. Five months ago Sheila said she started working for an identity theft gang. Her job? Steal mail.

"It's pretty easy," Sheila said, "I check out a neighborhood first to see when the mailman comes, then I wait about 20 minutes, walk up and down the street with my bag and get the mail."

What is she looking for? "American Express cards," she replied. "Well, I look for all credit cards, but I make the most money from American Express cards."

When asked why American Express cards, Sheila simply said, "I don't know, that's what they pay me the most for."

Identity Theft Using American Express Credit Cards

MailCase investigators have pieced together what they believe is a new identity theft scam that exploits a major flaw in the credit card activation system used by American Express.

Most credit card activation systems require multiple levels of authentication:

  1. The cardholder calls to activate the card from the phone number associated with the account. Most homeowners use their home phone number.
  2. The cardholder enters the 16-digit number found on the front of the card.
  3. MasterCard, Visa, and Discover require an additional step: providing the last 4 digits of the cardholder's Social Security Number, a PIN, or a code word determined when the account was first established.

Most American Express cards do not require the third activation step. When you call to activate your card from your home phone, American Express uses caller ID to automatically detect your telephone number and activates the account based on your home phone number matching the phone number on the account.

[Image: Centralized phone box. As many as 5 homes tie into this box.]

Relying only on caller ID to authenticate the card holder is the fatal flaw in the American Express activation system.
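The difference between the two activation flows described above can be modeled in a few lines. This is an added example, not code from MailCase or from any card issuer; the account record, phone numbers, card number and secret are constructed values, and the function names are hypothetical.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Account:            # constructed sample record, not a real schema
    card_number: str
    phone_on_file: str
    secret: str           # step 3 value: SSN last 4, PIN, or code word

@dataclass(frozen=True)
class Call:
    caller_id: str        # number the network reports for the line in use
    card_number: str
    secret: Optional[str] = None

def caller_id_only(acct: Account, call: Call) -> bool:
    """Steps 1 and 2 only: everything checked travels with the mail or the line."""
    return (call.caller_id == acct.phone_on_file
            and call.card_number == acct.card_number)

def with_third_step(acct: Account, call: Call) -> bool:
    """Steps 1 to 3: also require a value that is not on the card, envelope or line."""
    if not caller_id_only(acct, call) or call.secret is None:
        return False
    # Constant-time comparison so the check does not leak how much matched.
    return hmac.compare_digest(call.secret.encode(), acct.secret.encode())

ACCOUNT = Account("1234567890123456", "555-0100", "4821")  # constructed values

SCENARIOS = {
    "cardholder, home line, knows secret": Call("555-0100", "1234567890123456", "4821"),
    "home line and card, no secret":       Call("555-0100", "1234567890123456"),
    "home line and card, wrong secret":    Call("555-0100", "1234567890123456", "0000"),
    "card only, other line":               Call("555-0199", "1234567890123456", "4821"),
}

def compare_policies() -> dict:
    """Return {scenario: (caller_id_only result, with_third_step result)}."""
    return {name: (caller_id_only(ACCOUNT, c), with_third_step(ACCOUNT, c))
            for name, c in SCENARIOS.items()}

if __name__ == "__main__":
    for name, (weak, strong) in compare_policies().items():
        print(f"{name:38} caller-ID only: {weak!s:5}  third step: {strong}")
```

Only the two-step flow approves a call that has the home line and the card but no secret, which is the gap the report describes.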

How the Scam Works

The scam is remarkably simple. Drug addicts like Sheila steal as much mail as possible and turn it over to the criminal gang. The gang sorts through the mail, pulling out all new American Express cards.

Now they have the card in their hands with the 16-digit number on the front. They also have the address of the cardholder, since the address is written on the envelope that the card came in.

Next, the criminals stake out the addresses for each American Express card they found. They are looking for telephone boxes. Every house with a land-line has a box on the exterior of the house where the telephone line comes into the house.

From that box the telephone line goes to a central box near the home, where telephone lines from 4 to 6 houses come together. Sometimes this central box is located on the ground and sometimes it is located overhead on a telephone pole.

[Image: Lineman's phone clipping into central box]

The criminals prefer to work from the centralized boxes. Their favorite is to work from a central box located overhead on a telephone pole. Because of the height and special equipment needed to climb these poles, nobody suspects that the person at the top of the telephone pole is an identity thief.

MailCase investigators suspect that when criminals don't have easy access to a central box, they will brazenly work right from the box on your home.

ID Thieves Call and Activate Your Stolen Card

Using a simple lineman's telephone, the criminal can easily clip into your phone line and, with your new American Express card in hand, call American Express and activate the card. Since the criminal has tapped into your phone line, the activation call is essentially coming from your home phone. American Express thinks it's you calling, and activates the card without further authentication.

[Image: Phone box where landline enters home]
[Image: Lineman's phone clipping into a home phone box]

The entire process of tapping your phone line and calling to authenticate the American Express card could take less than 5 minutes.

Can Credit Monitoring Protect Me?

"Credit monitoring services like Lifelock and Triple Alert cannot protect against this type of identity theft," reports Matthew Prestwich, President of MailCase. "Those services are great for protecting against somebody fraudulently opening a new account, but for a stolen AmEx card, the account already exists so activating it won't generate any kind of alert."

"The number one thing we would like to see is for American Express to add a third authentication step," added Mr. Prestwich. "This would basically solve the problem."

Protect Yourself with a Locking Mailbox
[Image: Rich Bronze MailCase locking mailbox]

Until then, what can you do to protect yourself? "Get a P.O. Box at the post office, or buy a locking mailbox for your home," replied Mr. Prestwich. "If you see somebody in your neighborhood working on phone or cable boxes, look for a company truck. If you don't see a truck, call the police. Do not approach the person. If they are a criminal, they could be dangerous."

"Next you need to immediately call AmEx and see if your account was just activated. If so, cancel that card," said Mr. Prestwich.

As for our drug addict Sheila? "I've been caught a couple times and even spent some time in county lockup," she said. "I don't steal mail no more but I know lots of people still do it. Gettin' money that way is too easy."