Another Letter to Macy’s

Macy’s doesn’t seem too interested in protecting their customers against fraud, so I’ve written them again and copied the California Office of Privacy Protection. Hopefully we will get some results. The contents of the letter are found below.

November 18, 2005

Macy’s Customer Service
P.O. Box 8067
Mason, OH 45040

CC: Office of Privacy Protection
Department of Consumer Affairs
400 R Street, Suite 3080
Sacramento, CA 95814

Dear Macy’s Customer Service,

On October 5, 2005, I wrote a letter (a copy of which has been included in this mailing) to Macy’s customer service with a concern about the security of the credit card mailing methods. I have not yet received a reply. I was fairly certain that someone at Macy’s would be interested to know the ease in which fraud could be committed on their customers’ new credit cards.

Since that time I have received two promotional offers in the mail from Macy’s. I hardly think your sales and offers are more important than your customers’ identity theft concerns.

Due to the apparent lack of interest in the protection of your customers’ credit card accounts, I have sent a copy of this letter to the California Office of Privacy Protection. I hope that between all of us, we can come up with an acceptable solution.

Sincerely,
Stuart Matthews
2240 Larkin Street
Apartment 103
San Francisco, CA 94109

October 5, 2005

Macy’s Customer Service
P.O. Box 8067
Mason, OH 45040

To Whom It May Concern –

I have recently received a Macy’s Visa card in the mail. I have noticed a stunning security problem with the way the card is sent.

The credit card number, as you know, is shown on the back of the card as well as the front of the card. On the back of the card, it is printed in black ink. The glue used to affix the credit card is placed directly onto this part of the card. When you remove the card from the paper, guess what gets left behind on the paper? That is right – the credit card number, and the three-digit security code. This, in combination with the credit card holder’s name and address, is almost all that is needed to make charges to the card. The only other thing needed is the expiration date. A nefarious individual can quite easily guess this date in a short amount of time. They can either start trying dates starting from one month after the current month, or they can easily apply for a Macy’s card of their own and see what the expiration date is on that, which will be close to the date of the stolen card number.

Many people throw this piece of paper away unmolested. The only personally-identifiable information they should expect to be on this paper are their name and address. Not everyone will have as good of eyesight as I do to be able to notice the small numbers left behind on the glue. I hope you correct this error quickly and update me with any actions that have been taken to prevent fraud due to this error.

Sincerely,
Stuart Matthews
2240 Larkin Street
Apartment 103
San Francisco, CA 94109