Broken Capital One MFA Locking Up Points

I just got a frantic text from a friend today. “Capital One won’t let me transfer my points because I switched mobile phone carriers! I’m going to lose the award inventory, and they’re telling me that there’s nothing they can do. My points are locked up for an indeterminate period of time.”

Your Capital One points may end up in a weird AI-generated jail if you switch mobile phone companies

This is the first time I have heard of this problem, but indeed it’s true. Capital One has been notoriously fussy about its 2FA verification. They use a “data quality” service (such as the Phone Verification tool provided by Experian) to check whether a mobile phone number appears to be suspicious, and they can get back a lot of data from these services (mobile phone carriers and app providers can and do sell everything about you to data brokers, including carrier billing data and your approximate real-time physical location).

And that comes down to assumptions, and who is making them. To me, this has missing cultural context written all over it. Capital One has fired much of its US staff and moved a significant percentage of software development offshore. Incidentally, if you’re looking for a software job in machine learning, try looking in Bangalore. A carrier-authenticated mobile phone number totally makes sense for identity verification in a location like India, where everyone has a national ID card called an “Aadhaar” and real-name registration is required with mobile carriers using this national ID (I’m sure this capability is never abused).

This is not the case in the United States, where we don’t have a national ID, real name registration is not required for any form of telephone service, and data quality is inconsistent at best. First of all, the lines are blurred between mobile phones, VoIP services and land lines here: you can port to and from any of these and some services ring multiple devices on multiple networks at the same time. People don’t always register their phones with the carrier at all, or if they do, at the location where they live, or update the billing address when they move (most people get their bills online and pay automatically). When switching carriers, it can be weeks or even months before carrier data is updated, and billing data can be verified from the new carrier. So when you’re designing a system like this, and you have cultural context of how things operate in the US, you will understand that a mobile phone number isn’t authoritative and there should be other ways to verify a customer request.

Capital One, unfortunately, isn’t doing that. There is a whole Flyertalk thread of people complaining about this issue. If Capital One’s system can’t figure out how to send you a text message, you’re out of luck and you can’t transfer points. They’re in jail, customer service is a brick wall, and there are no alternate procedures. Nobody will help you and Capital One won’t even say where the failure is so you can try to get it corrected. That’s another hallmark of customer service in both American and mainland Chinese banking: if your situation doesn’t fit the script, nobody knows what to do and nobody will help you. Your job as a human is to figure out how to fit within the system as it’s (poorly) designed, and bend to the will of a computer.

My friend ended up completely stuck, and used some American Airlines points he forgot he had to book a different flight. For my part, I find it completely astonishing that Capital One has designed such a completely inflexible system for something as time-sensitive as points transfers. I totally get that SIM swapping is an issue, and that stolen credentials are a problem. There are, however, other entirely reasonable alternate verification methods that aren’t immediately obvious to someone in Bangalore. If any product managers are left in the US at Capital One, maybe they can help their offshore colleagues.