Credit Card Hacked - Likely Equifax related

Doctor_Nick Terminus
edited December 2017 in General
My Capital One credit card was hacked, likely through the Equifax breach.  Capital One's poor security coupled with a design flaw in Apple Pay creates a potentially lucrative situation for hackers.  Basically, it looks like Capital One allowed someone not calling on my phone number to add their phone number and email address to my account because they knew my DOB and SSN when challenged.  Then they likely reset the password to my account online and went to town.  I am not sure how they found the CVV code, but I imagine there's probably a way.

The design flaw in Apple Pay is that it apparently doesn't alert you if a card in your Apple Pay becomes associated with another Apple device.  They likely could have done this with any pay service like Samsung Pay though, it's just particularly galling that Apple knew my credit card was active in two separate accounts.  These hackers bought thousands of dollars of merchandise at the Apple and Microsoft stores at a couple of malls in close proximity over the course of 2 days (my birthday, which I'm sure was not an accident) before the card was finally flagged for fraud.  Capital One allowed these guys to rack up merchandise charges greater than 1.5x my total 2016 merchandise spend in 2 days.  Though I suppose, these guys could always call in and approve the charges since they knew my DOB and SSN.    

I just told Capital One to not accept any account changes except from a known number, something which should have been standard operating procedure for them.    

So, if you have Capital One, at the very least I would call them and tell them not to accept any changes to your account from an unknown phone number.  I might ask them to change the card number.

I called Citi to check on my other card, and Citi has security questions set up on the phone line.  Mine are completely unguessable, so this method of credit card ripoff should not be possible with a company with halfway decent security.

FYI.  

Comments

  • DeeDee Adelaide
    edited December 2017
    Shit. Will the company reimburse you? 

    Edit: Sorry, that sounds dumb for credit - I meant you don’t have to pay the bill, do you? 
  • No, it's probably on the credit card company given that Apple Pay was used.  It's just pretty bizarre.

    It also means I have to file taxes early before these asses can commit tax fraud with my return. 
  • @Doctor_Nick are you sure it wasn’t your Apple account that was compromised? If they compromised that and restored an image of your phone to a burner phone, it would be another vector into that information.  I would hope you have 2 factor authentication set up for your account, so changes in location or adding a new phone, would alert you.  

    Do you have 2 factor set up on your Capital One accounts? I know I use a VPN and every time I sign in I have to validate via PIN texted to me that it’s “me”. 
  • Doctor_Nick Terminus
    edited December 2017
    I have two factor authentication set up wherever I can.  Unfortunately, that's defeatable if the call center people will change the phone number and email on your account for some schlub who knows your social security number and EDIT: DOB.

    Apple doesn't have my backups, so they couldn't have done that.  Also, had they cloned my Apple Pay, I probably would have been alerted immediately by the Capital One app when they bought something.
    KingKobra
  • I've had Capital One for a long time and haven't had any complaints with them regarding times when my account was compromised (which has happened at least once).  But in that event, I was sent an email right away asking to verify a charge and when I reviewed I clearly saw it wasn't a purchase I had made.  I've had other situations where Capital One has suspected a charge is fraudulent and get an email after I've made a purchase and then I had to verify that yes, it was me that made that purchase.  But I also don't use Apple Pay or Samsung Pay or anything tied to my phone.  I'll physically use the card.

    But ultimately, my opinion, with the way technology is today, you're never truly safe.  If someone really wants to steal your identity or such, they'll find a way.  Best thing anyone can do is not make simple mistakes by falling for phishing attempts and willingly giving out key information like an SSN.

  • JaimieT Atlanta, GA
    It seems like if people get your SSN, you're fucked. We really need to change the system.
  • I have two factor authentication set up wherever I can.  Unfortunately, that's defeatable if the call center people will change the phone number and email on your account for some schlub who knows your social security number and password.

    Apple doesn't have my backups, so they couldn't have done that.  Also, had they cloned my Apple Pay, I probably would have been alerted immediately by the Capital One app when they bought something.
    There’s a hack going on right now with Apple where a pop up will come up on your screen asking for your log in and password but it’s actually a skimmer. Not sure exactly how it gets onto the phone but I’ve read that it’s happened to a few people. 
  • They'll still need you to approve the login if you have two factor authentication enabled. 

    Hatorian said:
    I have two factor authentication set up wherever I can.  Unfortunately, that's defeatable if the call center people will change the phone number and email on your account for some schlub who knows your social security number and password.

    Apple doesn't have my backups, so they couldn't have done that.  Also, had they cloned my Apple Pay, I probably would have been alerted immediately by the Capital One app when they bought something.
    There’s a hack going on right now with Apple where a pop up will come up on your screen asking for your log in and password but it’s actually a skimmer. Not sure exactly how it gets onto the phone but I’ve read that it’s happened to a few people. 

  • I have two factor authentication set up wherever I can.  Unfortunately, that's defeatable if the call center people will change the phone number and email on your account for some schlub who knows your social security number and EDIT: DOB.

    Apple doesn't have my backups, so they couldn't have done that.  Also, had they cloned my Apple Pay, I probably would have been alerted immediately by the Capital One app when they bought something.

    Fyi, I just called Capital One and was able to set up a code word for my account for call ins to customer service. Has to be provided before any changes can be made via phone. (Already had 2 factor verification set up for online access.)