Wednesday, March 4, 2015

The closed account that wasn't

This morning I received an unexpected message to my mailbox. Wells Fargo was informing me that my account had been locked due to three attempts to log in with an incorrect password. This is pretty good security: an attacker cannot keep trying passwords forever since the account is locked after the third try, and the bank alerted me via the email they had on record for the rightful owner of the account. Locking the account is a common way to prevent an attacker from discovering a password randomly (though it does nothing to protect against an actual password that is stolen). Alerting the account owner means I can change my password and look for any unexpected transactions or other changes to the account.

Wells Fargo alerted me to an account locked due to repeated use of the wrong password.

Except I don't have an account with Wells Fargo.

Or at least I thought I didn't.

My first thought was that it was a phishing scam. Email claiming account problems is a common way to trick consumers into giving away legitimate usernames and passwords, as I have described in detail before. In this case though, the message looked legitimate, and the links were to the legitimate Wells Fargo web site.

After a little sleuthing, I discovered that I did in fact have an account with Wells Fargo. Several years ago I bought a new mattress set for my bed, and took advantage of the retailer's no-interest financing deal. It turns out that the retailer used a financing network that ultimately was fulfilled by Wells Fargo. By virtue of financing this purchase, I opened a loan with Wells Fargo, and had completely forgotten about it.

Still, this purchase was several years ago, and had been fully paid off well over a year ago. An open but dormant account is a great target for a thief, because fraudulent transactions might not be noticed for a long time.

Lesson 1: Shame on Wells Fargo for keeping this account open over a year after it was paid off. If you are a financial institution backing a purchase loan (for instance, financing a vehicle, or a major furniture purchase), close the account once it is paid off. A closed account cannot be used fraudulently.

Lesson 2: Shame on me for not noticing the account was still open. I check my credit report three times a year (you should too) looking for unexpected credit events (such as new accounts). I never expect to find anything, since I also put an Initial Fraud Alert on my credit report, which more or less prevents anyone from opening a new credit account in my name without jumping through some serious hoops - hoops that will generally cause an opportunistic thief to move on to easier prey - but I digress. US consumer protection laws allow me to obtain a free copy of my report from each of the three major credit bureaus once a year; I spread this out and request a copy from one bureau every 4 months. If you are a consumer, check your credit report periodically, looking for unexpected new accounts, erroneous late payment dings, and yes, open accounts that should be closed.

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen