Friday, March 22, 2013

Identity theft while at a hacker conference ... an ironic coincidence

It is disturbingly ironic to have had to deal with credit card fraud in the middle of a hacker conference. Thankfully this story has a happy ending. I have to give kudos to Walmart for their quick and professional handling of this incident.

This week I attended the BSides Austin event, a 2-day hacker "unconference" in Austin, Texas. BSides originated as an alternative to the major security conventions, which in many ways have become so massive and so commercial that it is hard to have real interaction with researchers. It is a play on old vinyl records, on which the "B Side" contained lesser-known and often complementary songs.

As I sat down to watch a presentation, I received an email alert confirming a walmart.com order. I thought it odd because I had not made any such purchase. I thought it even more odd because it included an order for pre-paid cell phone minutes on a carrier I do not use, to be delivered via email.  Within 6 minutes I received 3 more order confirmations for similar purchases, followed by a confirmation that my account information (such as name, mailing address, and email) had been changed.  Uh oh.

By the time of the last email, I was already on the phone with Walmart's billing department to let them know something wasn't right. 

Now this is not the first time I have experienced something like this. I generally keep either throwaway credit cards (prepaid cards with just a few cents), or no card at all on any retailer accounts as a safety against this sort of thing. Somehow I had overlooked Walmart the last time I made a legitimate purchase, and left a live credit card associated with my account. That is a mistake I will try not to make again though.

The last time this happened (I don't see a reason to name the retailer, but they are one you would easily recognize), the business seemed more than a bit confused as to how to handle it.  It took several days and several phone calls to unravel that incident. At the end of that incident, I was free of any loss and my accounts were restored, but the retailer was no help whatsoever in following up with law enforcement.

This time around was very different. It took less than ten minutes on the phone with a single Walmart representative (Rene, if you read this, kudos!) to void all four transactions (before fulfilling them, despite the fact that the order was for electronically-delivered goods), and to freeze my account to prevent any further mischief. The representative then directed me to Walmart's identity theft reporting process, by which I can submit an affidavit and receive all business records related to the fraud.  

Crime such as this is notoriously difficult to prosecute, but at the very least I can now provide the FBI and local law enforcement with a trail to follow, a trail that very likely will fit into other trails they are already following.

You may wonder why I am so calm about this. It is because I have taken steps to minimize the risk that fraud presents to me, and I knew what to do to minimize the damage once I was pwned. I keep my financial business far separate from any other business (I log into my bank and credit card accounts only from a dedicated system that has no other purpose), I use only credit cards for online transactions (which in many cases have a $0 liability fraud guarantee, and which by virtue of being "buy now, pay at the end of the month" completely separates the purchase from my actual cash) versus debit or paypal (which have much looser consumer protection laws, and from which fraud may immediately empty the bank account, with some delay before the bank can restore my money). Lastly, and this is where I goofed, I do not usually leave live credit cards in my retail profiles - I would rather the inconvenience of having to enter the payment information each time I make a purchase. Besides, with a password manager that securely stores credit card information, the "inconvenience" of entering payment information each time I want to make a purchase is a mere two clicks.

After the fraud incident, I knew exactly what to do: call the retailer and void the transactions, as well as freezing my account; call the credit card issuer to cancel the account; then contact law enforcement.

Identity theft and financial fraud are a big deal, and dealing with them can be scary. But a few ounces of prevention can go a long way toward limiting the damage.

By the way, I am confident this was in fact just an ironic coincidence - despite attending a hacker event when the incident occurred, none of my personal information was anywhere near the conference!

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen