A Close Call with Verizon Wireless (a story of fraud)

This afternoon I received an unexpected call from Verizon Wireless, my cell phone carrier. A customer service rep was calling to ask me if I had requested a change in billing address on my account. I had not. She informed me that someone in possession of the last 4 digits of my Social Security Number had attempted to change the details of my account. She said that when she pressed the scammer for more identity verification, the scammer hung up. She then called me.

Great, someone out there knows some things about me, like my name, perhaps my Verizon Wireless phone numbers or account numbers, and at least the last 4 digits of my SSN. Frankly, I’m not terribly surprised. Every day there’s a new story about some web site that let itself get hacked and lost all their users’ personal data.

The Verizon rep and I danced a bit as I attempted to discern whether this call itself was a scam. I’m suspicious by nature and consider myself fairly information security-savvy. So when the rep asked me to provide her with the last 4 digits of my SSN, I got cagey. We eventually compromised by agreeing that if I could log into my Verizon account (which I could) and change a certain field, she should be able to tell me what I changed. We did that, and I was satisfied I was actually talking to someone at Verizon. (I also Googled the caller ID number while we were speaking, but caller ID can be faked.)

The rep had me set a billing password on my account which would henceforth be used as an identity check instead of my SSN.

My rep paused and said, “Uh oh.” Apparently the scammer was at it again, with a different rep. My rep noticed that the name and billing address had been changed on my account, while we both sat there and watched it happen.

The rep apologized and put me on hold while she IMed and then called the other rep. The other rep was not following the procedure for verifying the customer’s identity. Had the scammer gotten that rep earlier, it could have cost me dearly.

I had to wonder whether my setting of the billing password had taken effect before or after the second rep let the scammer through.

My rep reached the other rep, and they dumped the caller. My rep also sent a message to the other rep’s supervisor.

“This guy has apparently been at this all day,” she said. The scammer had been calling rep after rep, trying to find a chink in the armor, a rep who wouldn’t properly verify the customer’s identity. There were notes in my account log attesting to this.

My rep had me reset my billing name and address. She said they’d report the incident to the fraud division. No clue what could happen next there.

I asked my rep what the angle here was. “What we usually see is that they change the address, then order a bunch of stuff to be delivered to the new address.”

Crazy.

So I have a first and last name (probably fake) and New York City street address and apartment number of somebody who was attempting to defraud me.

I tried the NYPD first, but they told me I had to go through my local police. So I filed a local police report, got a case number. Tomorrow I’ll see if I can raise the interest of the NYPD.

What else might this guy try to hijack? I’ll be checking all my bank and credit card accounts to make sure I’ve got all possible security controls in place. Since my SSN may have been compromised, I submitted for an automated 90-day fraud alert with Equifax/Experian/TransUnion.

Kudos to this one rep at Verizon for following procedure and contacting me. But shame on Verizon for (1) letting this guy try this all day long to subvert the system and (2) hiring the rep that actually changed my account information without rigorous validation of my identity.

In which we try mint.com, and I discover my wife’s terrible secret

Mint.com is a whiz-bang personal finance management website. You create an account, turn over every bit of sensitive financial information you’ve been both protecting and hoarding since birth, and in exchange, mint cross-sells you financial products. Well, that’s not quite fair. It also gives you a wealth of insight into your financial picture, helps you create budgets, calculates your net worth, and puts a pretty bow on everything, while cross-selling you financial products. (They gotta make money somehow, right?)

I’ve known about mint.com for a while and finally got up the gumption to give it a whirl. My wife and I gathered all our account details for our various institutions, and I plugged it all in. What I found chilled me to the very bone.

I found … Earthlink.

When I met my wife in 2005, she had an Earthlink account. Earthlink was/is a provider of dialup internet and email services. They competed with AOL back in the day to see who could mail you more shiny coasters with the words “Free Hours” stamped on them.

By 2005, my future-wife had already abandoned dialup in favor of DSL service from AT&T. But she couldn’t part with her old Earthlink email address. So she struck a Faustian bargain in which she would continue to pay Earthlink a nominal monthly sum (then around $3) in exchange for continued use of her old email address. This wasn’t unheard of. We’ve all been there.

Not long after we began dating, I introduced my wife to the wonders of Gmail, freeing her from the bonds of Earthlink and allowing her to save a few bucks a month in the process.

Fast forward to 2012, in which mint.com is presenting me with a unified list of every financial transaction committed in the past month across all our various bank and credit card accounts, including a charge from Earthlink for $5.95.

“Honey?” I asked sweetly, calling into the next room.

“Yes?” she replied.

“Do you still have an Earthlink account?”

“Oh, yeah. I need to cancel that…”

Resisting the urge to multiply $5.95 per month out over several years, I instead steeled myself and set about canceling the account.

I did a quick google on “earthlink” to get me to their home page. The page wouldn’t load! I thought, holy cow, is Earthlink completely defunct and yet still charging us $5.95 a month? Where’s the money going? Ironically, it turned out our Comcast cable modem was on the fritz. A quick modem reboot later, and I was (with her permission) logging into my wife’s Earthlink account and hunting for a cancelation option. Of course, there wasn’t one.

I instead tried for the Live Chat agent. Of the gauntlet of prompts required to reach a bona-fide Live Chat agent (do they have business cards?), one was “Cancel Account”. Choosing that option returned a message that, sadly, no chat agents were available to help me with that particular problem. So I changed my response to “Billing and Account Issues”, and was shortly chatting with an agent.

In short order, the agent informed me that to cancel the service, I would have to either call a phone number, send a fax or commission a carrier pigeon.

I knew calling was going to result in an amazingly long hold time, so as I dialed, I started working on a fax document. I figured while I waited on hold, I could build a fax machine from spare parts around the office.

Surprisingly, after just a minute or so of hold music, I reached a human being. He tried valiantly to retain my wife as a customer by cutting the monthly charge down to just $3! As I dodged the agent’s various attempts at retention, I couldn’t help but imagine I had somehow called back in time to some bygone era, talking to a long-departed soul who didn’t know he was dead.

Sensing defeat, the agent played his last card and put me on hold while he spoke to his supervisor. Here goes, I thought. It’s the let’s put him on hold for 10 minutes and hope he gets frustrated and hangs up ploy.

I hung in there. 11 minutes later, the agent came back with a confirmation number and the deal was done. I hope. We’ll see if mint.com agrees next month.