The Fraud Blog with Tracy Kitten

Account Takeover: My Story

Account Takeover: My Story

I got a first-hand lesson in account takeover this past weekend, when I awoke to a string of text messages from my bank about insufficient funds that had been covered by my overdraft protection. I love my mobile text alerts. Anytime the balance in my checking account falls below $100, I get a text.

Since my Blackberry serves numerous purposes (like doubling as my alarm clock), I was quick to check into my depleted account. I had been dinged with a $6.64 charge from a store in Odessa, Texas, late Friday afternoon - a test, I suppose. When that went through, I got hit again with a $31.26 charge at a Wal-Mart in Aurora, Ill. From there, three consecutive $90 charges hit the account within a matter of what appears to be minutes - all from that Wal-Mart in Aurora Ill.

By the time I called the bank at 9 a.m. Saturday, the account had already been flagged, and the debit card shut down. That's a good thing. Later that afternoon, I received another text from my bank, telling me the fraud department had picked up on suspicious account activity and needed me to contact the bank immediately.

Now, communication between the customer service department (which I called) and the fraud department (which shoots out the alerts) was a bit delayed and seemed uncoordinated, but I'm OK with that. I'd rather they be sure they notify me -- so the rather-be-safe-than-sorry approach was not bothersome.

But other parts of the experience were bothersome. For one, I had to get transferred several times, from one department to the next, when I called Saturday morning and then again on Monday. No one can tell me anything about the suspicious transactions, since all are still pending. I can't even file a claim until the transactions post; and even then, it will likely take two business days to get the funds reimbursed.

How long it could take for the pending transactions to post, no one seemed to know - which strikes me as a bit odd. My own transactions usually post within minutes, so I'm sure the fraud department is investigating - or at least I hope that's the case. But none of the customer service agents in the claims or fraud department seems to know anything about how investigations are handled. That's a little frustrating.

I've had cards breached before, and the response time and information flow were much more, shall we say, reassuring. My Discover card got breached once, and Discover called me in the evening as soon as the suspicious activity was picked up. I was told an investigator would be calling within the hour, which he did; and I shared with him all of my most recent transaction history. I would expect my bank to follow the same methodology, but such has not been the case.

So now I wait -- who knows for how long? And since it was my debit card, well, my access to cash has been severely crippled.

Here's what I know from writing about this sort of fraud for the last seven years: My card was likely compromised several months ago, but the fraudsters held on to it for a while. My account details could have been snagged from any number of places. I've traveled quite a bit over the last year, since first opening the account.

Then again, I have considered a few other possibilities:

Skimming: I had dinner at a local restaurant a week ago - the last time I used the card before the takeover. Maybe my card was skimmed by one of the employees? No one else I dined with has reported any problems, but it's a possibility I have to consider in light of recent skimming incidents.

Intercepted Messages: I only use text-based banking. It seems more secure, but who knows? Much of what is transmitted from cell tower to cell tower is not encrypted in the same way traditional financial transactions are. Perhaps my correspondence was intercepted. I'm just exploring all the possibilities. And finally, I wonder if I am the victim of lax internal controls; or, perhaps, a breach of the call center's security measures.

Insider Fraud: One thing I don't like about my bank -- and I've mentioned this to customer service several times -- is how my identity and account are verified when I call in. The bank asks me to enter my PIN, which I think is completely insane. Not only am I entering my PIN, or giving it to the customer service rep to whom I'm transferred when I don't automatically enter it, I also have to provide the last four digits of my Social Security number. Right there, anyone with a little acumen could put the pieces together and tap into my account.

I don't know how all of this will unfold, but a little more information from customer service would have made me feel a little more valued as a customer. I hope it all gets resolved soon, but I do have to wonder how I'll feel about my banking relationship when it's all over.

Update: Account Takeover Pt. II: The Investigation

About the Author

Tracy Kitten

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by, ABC News, and MSN Money.

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.