LIKE a lot of boomers, Allan Goldstein, 60, has mixed feelings about the online world he inhabits. As a college teacher — he’s the assistant director of the writing program at the Polytechnic Institute of New York University — he works with young people and feels pressure to keep current. He uses an electronic blackboard system to post his syllabus, class assignments and grades online, but he doesn’t trust it. “There are glitches,” he said. “The school’s system has crashed a few times. They want us to use it, but I back everything up on paper.”
While Mr. Goldstein will go online to check the balance and activity for his bills, he will not link to a credit card for automatic payment. “I’m suspicious — a lot of friends my age are,” he said. “I just don’t want to open up bank accounts to these guys.”
Partly, his caution stems from being a victim of credit card fraud several years ago. He lives in Manhattan and believes strangers sifted through his building’s trash and found receipts. He discovered they had changed the mailing address on his credit card account. At one point, he received a call from an auto dealership in the South checking whether he was seeking credit approval to buy a car. He wasn’t, but he did buy a shredder. “I’m on my third one,” he said. “It does credit cards, staples and eight sheets of paper at a time.”
Last summer, when T-Mobile announced it would charge customers who continued to pay bills via paper a $1.50 monthly penalty — an effort to stampede fogies like Mr. Goldstein into modern, greener pastures — he was successfully stampeded and opened his first account to pay online. And even though so many fogies complained that T-Mobile subsequently reversed its policy, Mr. Goldstein stayed online. “I figured here’s a baby boomer finally getting comfortable with paperless bills,” he said.
When his bank, HSBC, offered a higher interest rate for online savings, he seized the moment.
In mid-December, to increase his frequent-flier miles, he opened a new online American Express business credit card account.
Then on Dec. 21 he logged in for the first time to check the new account. He put in his user name and password, and up popped someone else’s Amex account — a woman in Florida.
“I could see all her personal information,” said Mr. Goldstein, who was both transfixed and fearful that he had instantaneously become a criminal. “I could see her name, address, e-mail. I could see what banks she’s with. I saw her recent shopping activity, recent payments, where she’d rented a car. She had an affinity account with a hotel chain, Starwood. I could see how to order an additional card. I could add an authorized user: me. I could change her billing address.”
Mr. Goldstein immediately called American Express’s customer service. “I got a woman in India,” he said, “I explained I’ve hacked into someone’s private account by mistake. She said she needed to hear from my wife — my wife’s the first name on the card. I said, ‘Don’t you at least want the information?’ ”
She didn’t. When Mr. Goldstein’s wife returned, they called back, reached a second person in India, who also didn’t want the information but did transfer them to a representative in the United States. She didn’t seem to grasp the situation, either, Mr. Goldstein said, but at least gave them a confirmation number to show that they’d reported themselves. “I was getting testy,” Mr. Goldstein recalled. “I said this is serious, hacking into someone’s account.” He threatened to go to the news media. “At that point she suggested maybe I needed to speak to a supervisor.” Instead of a person, they got voice mail. “I said: ‘You want to call me back immediately. I mistakenly hacked into an account.’ Never heard back.”
Mr. Goldstein waited a week, went online again and was still able to gain access to the Florida woman’s account. The Goldsteins then spoke to their fifth Amex customer rep, a man who, Mr. Goldstein said, did seem to grasp the seriousness. “He said this could be criminal,” Mr. Goldstein recalled. “We said, ‘Exactly.’ ” When the Goldsteins commended him for his efforts, he asked if they would repeat that to his supervisor. “In these times, maybe he was trying to hold on to his job,” Mr. Goldstein said.
The supervisor, their sixth Amex rep, said she could see that the technical people were all over it.
The Goldsteins went on vacation to St. Croix, returned Jan. 8 and, on Jan. 9, Mr. Goldstein could still hack into the account. “I could see all the shopping she’d done while we were gone,” he said. “I also saw she didn’t pay her last balance and it was a lot — over $4,000.”
He wondered whether anyone had told this woman what had happened.
That weekend, Mr. Goldstein laid out the saga for me (he said we had met years ago, though I had no memory of it) and on Monday morning — exactly three weeks after the Goldsteins first tried to turn themselves in — I called Rosa Alfonso, an Amex spokeswoman, who immediately grasped the seriousness. “This is all I’m working on,” she said.
I explained that Mr. Goldstein was eager to give her the information for the hacked account. But Ms. Alfonso said the privacy issues were so sensitive that she couldn’t take it herself and needed to work through a special executive customer service rep, named Ed.
“I told Ed the entire story,” Mr. Goldstein later reported to me. “Complete silence. I don’t know if he was stunned or upset I was taking up so much of his time.” Mr. Goldstein was surprised how little information Ed seemed to need from him.
About two hours later, at 11:55 a.m., Ms. Alfonso called Mr. Goldstein back to get the Florida woman’s user name and password. “I guess Ed didn’t have everything he needed,” Mr. Goldstein said. At 1:10 p.m., Ms. Alfonso phoned Mr. Goldstein to say the problem had been fixed. “She called it an ‘isolated incident,’ ” he said. “I mentioned that each time she called me, she sounded a little better. That’s when she called me ‘buddy.’ ”
Ms. Alfonso confirmed Mr. Goldstein’s story for me. She called the problem “an unusual case of two customers coincidentally having nearly identical log-in information, which led one card member to inadvertently log in to another card member’s account.”
“Our site remains secure,” she said.
She apologized, saying the problem should have been solved on the first call. When asked if any of the six unresponsive Amex reps had been called to account, she said, “We are taking the appropriate steps,” adding, “We have rebriefed the service representatives on the appropriate processes.”
As for the Florida woman, Ms. Alfonso said that while discussing specific cases wasn’t permitted, the policy was to notify card members of such a breach.
The one point she disputed was that Mr. Goldstein could have tampered with the authorized user and billing information. He would have needed “additional levels of authentication — meaning information only the true card member would have — to make these types of changes,”
Ms. Alfonso predicted Mr. Goldstein would have been caught by “our sophisticated fraud controls.”
As for Mr. Goldstein, this has confirmed his darkest fears. While young people know only an online world, boomers remember the days when customer service meant explaining your problem to the nice woman at the bank down the street. It makes us more ambivalent about technology.
At some point between the time the first four Amex reps failed to take care of his problem and the last two failed to, Mr. Goldstein contacted his bank and moved almost all his money out of an online savings account to a standard account.
The HSBC service rep warned him he was losing 1 percent in interest, and Mr. Goldstein said that was perfectly fine, he was cool with that.