With all the credit cards people apply for to get miles, I just wanted to post a cautionary note regarding one of my accounts that got compromised.
I consider myself pretty savvy with paying attention to my finances. I use Mint.com to track my purchases and review them often. I review all my credit reports once a month. And I max out the password length limit for my logins and I change my passwords every so often.
I was surprised then when one of my credit card companies called me with concerns about suspicious charges. I definitely had not gone on a shopping spree that morning. It was still pretty early in the morning, and I need my coffee before I shop.
Since I am so focused on security with my credit cards, I inquired how this breach would have happened. All he told me was that it was an “extremely sophisticated hacker” and that “modern hackers can intercept things in ways they can’t keep up with.” I was near obsessed after this call. My home network was extremely secure and I didn’t think I’d logged on anywhere public. I entered a new password after the agent on the phone reset it and continued obsessing to Keri.
The next day, I went to log into my account to check to see if the charges were removed. I was so frazzled the day before, I realized I forgot what password I changed my account to. So I went to reset it.
The website asked me a really easy security question. I have to use the easy ones usually because I never remember the answers to the more obscure ones. What’s my favorite flower? I don’t know! Yesterday it was a rose, today it’s a gladiola.
Lo and behold, when I typed my answer to my security question, it allowed me to log in and change my password. I decided to “stalk” myself. I used information available from our blog and googled myself. Using just that information, I was able to come up with an answer to that security question. Holy cow!
I had always assumed security questions were always used along with the password or as a way to send the password information to an email address. I never thought they would be used instead of a password.
To make matters worse, this specific credit card had a shopping portal for the credit card which used the same password as the credit card login. This is how he spent the money on my card!
I was able to see the fraudulent orders through this account. The address on file for the order was a weird fake address that also had a complex-looking code embedded in the address. It made me wonder if mail deliverers (or people at another point in the supply chain) are in on this.
Either way, I changed all my security questions to include phrases that make sense to me, but don’t actually answer the questions. This is more information for me to remember, but it is worth it to keep all my credit cards safe.
Good luck with yours!