The online (fraudulent) giveaway event
True story: last weekend I received an email alert from American Express notifying me of a large purchase at Walmart.com. A large purchase I did not make. Called and spoke with a representative at American Express and he canceled the transaction and issued me a new card. Crisis averted. The next morning my wife noticed a large amount of money paid to Walmart.com from our personal checking account – not the same amount as the attempted American Express purchase. Now things are getting serious. Further investigation found a third purchase, also to Walmart.com, on my wife’s Walmart charge card. All three purchases not made by either of us.
Long story short, we weren’t responsible for the fraudulent charges and we were able to catch the purchases quickly enough that Walmart didn’t give away any merchandise. The big question we asked was how did our charge and bank account information get compromised? My AMEX and my wife’s Walmart card are safely locked away in a safe and we rarely use them. We are very careful with who has our bank account information.
Hacked or cracked or simply whacked?
Turns out the would-be thief broke into my wife’s Walmart.com account and made the purchases in her name using her stored payment methods. So thankfully, the thief did not get our full account numbers, just picked and chose accounts already connected. They made the purchases and were set to pick them up at their local Walmart. The flaw in their plan? My wife received the pickup paperwork and not them – there was no way for them to pick up their stolen merchandise. The system did protect the consumer, and that’s a wonderful thing.
Improvements forthcoming
There are a couple of personal security procedures that this has highlighted for us. The first (and most obvious) is to use long, complex passwords and change them often. My wife’s Walmart.com password cannot be found in a dictionary, but it was only eight characters long and minimally complex. I’m just as bad, but she hadn’t changed the password in a very long time. None of us like to be forced to change our passwords on a regular basis because remembering what you use can be difficult – especially if you deal with a lot of different site logins.
One solution we are going to implement is to use a passphrase instead of a password. We humans are pretty good at remembering words and phrases. Instead of using a single “word” for the password, use a long phrase, and make it complex. An example would be something like “1 L0VE to Wa!k a1ong th3 Beach at N!ght”. With this simple phrase, I just created a 40-character password using capitalized letters, numbers and punctuation that is darn near hack proof but easy to remember.
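The passphrase idea above, as an added example that is not part of the original post: a short Python sketch that builds a passphrase from randomly chosen words and estimates its strength in bits next to a random eight-character password. The word list is a constructed sample, and the 94-symbol keyboard set and the 7,776-word list size (the size of a Diceware list) are assumptions; the estimates only hold when the words or characters are picked at random, not chosen by a person.

```python
import math
import secrets
import string

# Constructed sample list, far too small for real use; a real list has
# thousands of words so that each word contributes more entropy.
WORDS = ["beach", "night", "walk", "along", "love", "river", "stone", "cloud",
         "maple", "tiger", "piano", "rocket", "garden", "silver", "window", "coffee"]

# Letters, digits and punctuation on a US keyboard: 94 symbols.
KEYBOARD_SYMBOLS = len(string.ascii_letters + string.digits + string.punctuation)


def charset_entropy_bits(length, alphabet_size=KEYBOARD_SYMBOLS):
    """Bits of entropy when every character is chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(num_words, wordlist_size):
    """Bits of entropy when every word is chosen uniformly at random."""
    return num_words * math.log2(wordlist_size)


def words_needed(target_bits, wordlist_size):
    """Smallest number of random words that reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(num_words=6, words=WORDS, sep=" "):
    """Pick words with the OS CSPRNG (secrets), never random.choice."""
    return sep.join(secrets.choice(words) for _ in range(num_words))


if __name__ == "__main__":
    eight_char = charset_entropy_bits(8)
    print(f"random 8-character password: {eight_char:.1f} bits")
    print(f"6 words from a 7776-word list: "
          f"{passphrase_entropy_bits(6, 7776):.1f} bits")
    print(f"words needed to match the 8-character password: "
          f"{words_needed(eight_char, 7776)}")
    print("sample (from the small constructed list):", generate_passphrase())
```
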
Clean up that account
Another not-so-obvious change we are going to make is to remove any unnecessary payment methods from our various online retail accounts. While it is very convenient to have all of this information stored with the account, it makes it really easy, as in our case, to spread the fraud around. Only add payment methods when you need them and then remove them when finished. Yes, this is more work, but it limits the possible accounts someone could use against you.
Our mini-breach happened during the holiday shopping season, but just as easily could have happened at any time of the year. Stay vigilant with your bank and charge accounts and report any suspicious activity to the appropriate people as soon as you see something odd. Most of all, wherever possible, start using passphrases to secure your online accounts. You’ll thank me later.