This complex tale started on Saturday and has not yet fully played out. I’m breaking the story now, but there will be updates to this post as additional details are known. Please read the post in its entirety before asking any questions… but questions are welcome.
The Players
ING Direct: My favorite bank, which I recommend often to both my friends and readers. Widely known for their helpful customer service, the fact that this is happening with them is mind-boggling. I’m truly disappointed.
Rick*: A friend of mine from college, who recently moved for a new job. Rick’s been having a little trouble getting established in his new apartment: the DMV mailed him his new license, but the US Postal Service seems to have lost it. His beater car isn’t behaving, so he’s planning to replace it with a new or recent-used car, paying about half cash and getting a loan for the other half. He doesn’t have much of a credit history. These facts may seem random, but they’ll all come into play in his story.
Creepy Shadow Company that Collects Information and Sells It: As of right now, we do not know what company this is. All we know is that they collect information about me, you… and of course, Rick. They then use this information to formulate multiple choice questions about a person. If you’ve ever tried to pull your credit report, you’ve come across these types of questions. They’ll ask you something about a loan you have, or a previous address, to make sure that you are you. They then sell these questions to credit reporting agencies and lenders, who use this information to validate your identity.
Rick’s Story: A Perfect Storm
With all of his car trouble and not being able to get his license (the DMV says talk to the post office, the post office says talk to the DMV…), Rick’s been getting quite frustrated lately. As his friend, I encouraged him to take things one step at a time, and focus his efforts on getting a bank account that’s accessible in his new location. He’s heard me gush before about how much I love my ING Electric Orange Savings account, so he asked me how long it would take to open one of those.
Because I knew that Rick already had an ING Orange Savings account, I told him that it would take less than a minute to fill out the forms to open one of their checking accounts. After all, I did it, and it took me only 42 seconds! (Yes, I timed it.) Rick was truly excited about the idea of getting one of their accounts and having a debit card with fee-free ATMs in every 7-11. He logged into his ING account and went to sign up. But he hit a snag — a pop-up came on the screen telling him he needed to call ING’s 1-800 number and validate his identity.
I’ll let Rick tell this part of the story himself, as he presented it in an email to ING Direct’s Ombudsman:
Once I connected with the representative, I provided my current address, phone number, date of birth, and [Social Security Number], as well as my ING Direct pin.
The final step, I was told, was a series of multiple choice questions which would complete the identification process. I answered the first two, both of which were applicable to me. The last three concerned a person with whom I am not familiar, so I answered accordingly. When the representative put my answers into the system, she informed me that, based on answering too many of them incorrectly, I would never be permitted to open an Electric Orange account. [emphasis added]
I thanked the representative and hung up. Assuming (erroneously, as I would find out) that the check was performed through one of the three credit bureaus, I immediately began contacting them, requesting copies of my credit report, and attempting to question the information they required for identification purposes. I cleared two of the three credit reports with no problem – the third will arrive in the mail, but based on my later interaction with ING, I suspect it will be clean as well.
Having used up my available routes, I decided to inquire further with ING regarding the identification process. I called the same security department phone number and talked with another representative. This time, I explained the entire situation again, including my efforts to check my credit. She explained that the identification procedure is not conducted through a direct credit check with any of the three credit bureaus. Instead, a third party company produces a series of questions that they believe will positively identify me. When I asked whether I could contact the company directly, or provide alternative forms of identification, she claimed that there was no other manner by which I could disprove the answers to the questions and prove that I am, in fact, myself. [emphasis added] The representative gave me this email address as a point of contact for continuing with this issue.
So, the apparently unchangeable bottom line is: there exists a company whom I have never explicitly authorized to store my personal information; this company is responsible for determining whether or not I know enough about the unverified information that they maintain to conduct business with their client. The company does not accept corrections to the information, and may at any time in the future damage my ability to establish relationships, financial and otherwise, with other organizations.
I view this matter as a very serious breach of my trust in ING as an organization.
Rick’s frustration is justifiable, and it’s actually worse than he explained in this email. In order to obtain his three credit reports so quickly, Rick put a fraud alert on them. This was my idea, based on the information we had at the time, so I take responsibility for its consequences. Once Rick receives and verifies his final credit report, he can remove the fraud alert. But we’re both concerned that this may affect Rick’s ability to get the car loan that he really needs at this point. His old car has too much damage to justify repairing it, but he needs to either get a new car or repair it within 30 days of having moved to his new state. I don’t know if having a fraud alert (even a removed one) on his credit reports is going to make this difficult… or impossible.
I pointed out in my description of Rick that he doesn’t have much of a credit history. This is important because, as I said, most of the time these verification questions will be about loans you hold or have held. Because Rick doesn’t have history like that, his “known associates” were used to validate his identity instead. The problem is they asked about someone who is not actually known to Rick.
Stephanie’s Thoughts
I am disappointed in ING Direct. This policy seems completely unlike them, and I do not understand it’s purpose. If the idea is to protect me in the case of someone trying to open an account in my name, how does it help me? Think about it: if some identity thief came along and tried to open an ING Electric Orange account in my name, I’d be the one banned from ever opening the account! It prevents the theft by hurting the victim. In the case of Rick and others like him, he’s banned from an account for life because of a five-question quiz that he had zero chance of answering correctly. He was doomed from the start, with no recourse.
I am truly frightened by the unknown company in question. ING told Rick that they cannot tell him the name of the company that they get their information from. There’s incorrect information being used to identify Rick, but he has no way to correct it. This company, whoever they may be, scares me. They collect information on all of us, from public and (likely) private records, and sell it, and we don’t even know who they are. Even if I knew who they were, this idea makes me devastatingly uncomfortable.
At this point, one of the companies we’re exploring with such an information service is LexisNexis. Brought to my attention by the Bargaineering post Request & Check Your Specialty Reports Annually, the LexisNexis Accurant Person Report “contains a wealth of information, including voter registration, possible associates, property (aircraft, watercrafts!) owned, etc.” [emphasis added]. Rick is planning to request his free LexisNexis Accurant Person Report, but there’s a snag there: he has to submit two forms of identification, one of which must be government issued and include his current address. Remember how I told you Rick’s new license is lost somewhere between the DMV and the post office? Awesome.
Once Rick finally gets his license and photocopies it along with a second form of ID and submits it to LexisNexis, they helpfully say it will take 30-60 days to receive his report. And that’s just until he gets his report – we have no idea how long it will take to dispute any incorrect information on it. Honestly, this could take years to sort out. Hopefully it doesn’t… but what do we do if LexisNexis is not the company supplying incorrect information about Rick’s identity? Questions like that are why this may take a long, long time.
What I want to see happen
I want a comment from ING. As both a customer and affiliate of theirs, I demand a statement. I want that statement to include the name of the company they contract for these validation questions. Just like credit reports, consumers have a right to see these reports and dispute incorrect information on them. We cannot exercise that right if we do not even know the name of the company by whom the information is provided.
I want ING’s statement to include a formal declaration of their policy: is it true that if a customer fails this validation test once, they are banned from opening the account for life? Does it extend to other ING accounts? Is he now never allowed to get an ING Direct mortgage? They’ve already said that Rick is free to keep his Orange Savings account and keep using that. I’m not sure that he’ll want to keep that account when the dust settles on all this, but it’s good to know his current account will not be affected.
Lastly, I want you to take this situation seriously, and take full advantage of your right to annual reports. Had Rick followed that advice when Bargaineering first published that article, this situation might never have occurred. If you pull your specialty reports once a year, you may be able to prevent this for yourself.
Your questions and comments on this situation are welcome, as long as they are in accordance with my comment policy.
*Of course, Rick isn’t his real name. If you know who Rick is, please respect his privacy if you choose to comment.
Update: ING Responds!
Of course, the thing I’m most concerned about (beyond the absolute given to me by ING) is that the whole identity verification process is nothing more than what Bruce Schneier (a well-known security guru) describes as “security theater” (http://en.wikipedia.org/wiki/Security_theater). ING ignores the fact that the only way to request an account the way I did was by having already authenticated as myself. They then force me to call them and pass even more details about myself over the phone (an insecure matter when talking to a human), including the very same authentication information I had to use to request the account.
At this point, as far as they’re concerned, I’ve given them every bit of information that they’ve ever needed to know about me. The request for additional information is strictly arbitrary. Also, any competent social engineer, knowing this process, would be able to find out answers for those questions in relatively short order, considering that everything they asked me is a matter of public record.
So, as Stephanie said, the only thing they’ve done by implementing this process is to exclude the edge cases (in which information is incorrect or fraud occurs) from ever opening an Electric Orange account. Useful? I think not.
How frustrating! I had similar experience with my local bank. The identity verification system asked me a badly worded question, so I answered “wrong”, but of course all I had to do was go down to prove I am a real person. In another instance, I was asked about a family member who I had no knowledge of- until I realized they were just giving me the first three letters of my mother’s name.
If ING wants to continue dominating the online banking world, they should really have an alternative method of verification available- credit reports often have mistakes, and these verification systems are even worse, so banning someone based on them is extreme.
for a company that follows every persons every move they don’t seem to smart. maybe a double check system should be part of their everyday workings.
can Rick get a lawyer involved? at least to get the company’s
name so he can fix this problem.
i really wanted to thank you for all this information. i was looking for a new bank to change mine, because since a little time ago i feel very uncomfortable, it seem like they’re cheating on me, and i say ‘this is enough’. i was looking for some information on the internet and just find your blog. it’s nice to read what a person sincerely thinks. you’re doing a great work here!
Here in the UK, this kind of thing is done by Equifax, i.e. one of the Credit Reference Agencies. Are you certain ING are not just being obtuse about where these questions are formulated from?
I would call ING back and speak to a different person. I think the original rep she spoke with that said an independent company supplied the security questions is just wrong. I believe the 3 credit reporting bureaus have all the info they need to create their own security questions, since they’re collecting tons of loan payment data from lenders on a daily basis. So what the first rep said just doesn’t make sense.
LexusNexus is one of several data mining companies, which are in the business of collecting data on all Americans and selling it to direct marketing companies, but i still think you’re barking up the wrong tree by pursuing them to clear this up.
Customer service reps are only as good as their training, and this one could have made a mistake.
You might try contacting FDIC. They regulate the behavior
of banks. ANd this month, Congress is working on legislation
for the creation of the Consumer Financial Protection Agency. It is
being headed by Rep. Barney Frank. You might want to forward
this story to Frank’s office – it’s right in his ballpark.
I had this happen to me when I tried to open a WAMU accout two years ago. I failed the so-called security check test.
Hi Stephanie & “Rick”- Thanks for your passion about this. As a direct bank, we aren’t able to meet with all our Customers face-to-face so we need some security measures to safeguard our Customers’ personal account information & protect their accounts from any potentially fraudulent activity.
One of those measures is to ask a few questions at account opening to which only the Customer should know the answers. We give our customers two opportunities to answer these questions correctly, as Rick experienced, before an account can be opened. If a Customer can’t answer these questions correctly at that time, we are unable to confirm his/her identity and cannot open the account for him/her.
There are several companies out there (e.g. eBureau) that provide this service. They get their information from various sources including credit bureaus. (Your recommendation that people check their credit reports annually is important; however the verification process we use does not access your credit. In other words, Rick’s credit was not affected in this process.)
We’ll work with Rick to see if there was another issue that may be causing him a problem. Our intent is not to turn down business or cause our Customers grief. It’s to prevent them from having to deal with the pain of someone stealing their identity or worse, their money.
We wish Rick the best of luck in his new job, locating his license and looking for a new car.
I think it’s time we deviated from big banks and held our governments responsible for money issues, rather than the suits and customer service people of major corporations.
Rick’s story is frustrating and infuriating – acquiring information about yourself should not be as difficult as this, especially when the option of incorrect information is present, and most people would rather let it slide than jump through the hurdles of correcting it.
The same thing happened to me with ING. I was attempting to open one of their “orange” accounts and was presented with multiple choice questions about myself. They ranged from “what road did you previously live on” to “which one of these lenders currently holds your mortgage”.
I answered them all correctly, and I was denied an account because I somehow answered them incorrectly.
Well, that is disturbing and less than encouraging. I hope that ING proves more forth-coming about who exactly is providing the data for these security questions.
The same thing happened to me because I misplaced my PIN. When I called and spoke to ING customer service they claimed it was a “third party” and they couldn’t do anything about it. I am removing my money as soon as I get my new PIN from this bank. It is scary that because of random WRONG questions and answers generated from a third party company, you lose access to your account.
I just tried to open an ING Electric Orange account, and failed the identification security test as well (And then I googled ING security problems to get to here).
What I do not understand is why did I have to go through filling out all my personal information such as social security numbers, address, phone number, birth date, and even routing/account number, etc. previously? Aren’t all of those personal information enough to say I am the person applying for the account. It doesn’t make sense. And sorry but after going through putting all that sensitive information only to be declined by silly multiple choice questions, I am going to say that I don’t trust ING and moving my “personals”/money elsewhere.