The other day reader Dave wrote us because he’d noticed a bunch of strange debits from Sprint on his bank account. Since he uses Sprint, he thought it was a billing error, albeit a serious one, because Sprint had debited $1,717.49 in the past two weeks. Dave hadn’t been able to find anyone at Sprint to help him reverse the charges and wrote to us for advice. Yikes!
We suggested he immediately call his bank and report the debts as fraud. We also gave him the Sprint executive customer service number.
It turns out that the charges were originating from someone who was swiping Dave’s actual debit card and using his PIN. One problem: His account is only 2 months old and he has never, ever, ever used his debit card. So how did a scammer get it?
I’ve been a Sprint PCS customer since late 2005 and haven’t made any changes to my account. Each month my bill is automatically paid through my bank.
2 weeks ago, however, Sprint started automatically withdrawing large sums of money from my bank account with no apparent reason.
12/27 – $300
12/27 – $300
12/31 – $300
12/31 – $300
01/10 – $300
01/10 – $217.49
$1,717.49 total taken out of my account in the last two weeks.I called Sprint and talked to 3 representatives, all of whom had no idea what is happening, and they could not commit to resolving it in a timely manner. All they could do is take a report and have the “back office team” take a look.
Have you ever heard of that happening before?
We replied, telling Dave that we thought he should call his bank immediately, and shared the number for Sprint’s executive customer service team.
Thank you. I’m talking to Ann Howell at the number you gave me and she is being very professional and helpful. Hopefully she will able to get this resolved. I sure appreciate the number.I’ll email you again with an update.
Dave
The update contained bad news.
Bank of America is telling me that the charges were created by someone in Reston, VA who is actually swiping my debit card and using my PIN to conduct the transaction.The thing is, though, that this debit card has NEVER been used. I only opened the bank account 2 months ago and have never used (or even intended to use) the debit card.
The debit card that automatically got sent to me when I opened the account has sat on my desk in my home, and has never been used. It hasn’t even been touched by anyone except for me.
The only possibility here is that someone has breached the security at BofA, stolen the account number and PIN, and generated their own card using this information. There is no other explanation.
Unfortunately, the fraud department works for BofA so I can probably forget about the idea of getting a fair investigation into this.
Anyway, that’s the update.
Dave
We asked Dave if he was going to be reimbursed for the fraud:
They put the money back in my account, calling it a “Temporary” adjustment.
So the implication is that if they decide that the fault is not with them, I guess they’ll take the money back again. This is the problem: the company is investigating themselves and there’s no third party oversight.
I’m very disappointed in Bank of America and I am quickly moving my funds to Wells Fargo and will be canceling my BOA account. I am also going to have to freeze my credit, as I have no idea how much information BOA leaked.
I am absolutely convinced that there is a security breach of some sort on their side. It’s the only possibility.
Dave
Dave is right, there obviously has been some sort of security breach. It’s possible that Dave is the victim of pretexing. Pretexting is a name for a variety of techniques that scammers use to trick individuals or institutions into revealing valuable personal information that they can use to help them commit fraud. For example, a scammer may call your bank and pretend to be you, using information that they have about you, in order to get the bank to disclose your account numbers or issue them a debit card in your name.
Here are the steps to take when you think you’ve been the victim of pretexting:
1) Call your bank and report the fraud. Close your accounts and open new ones. You may want to switch to another bank.
2) Call one of the three major credit reporting agencies and tell them to flag your account with fraud alert notice.
Equifax: call: 1-800-525-6285 and write: P.O. Box 740241, Atlanta, GA 30374-0241
Experian: call: 1-888-EXPERIAN (1-888-397-3742) and write: P.O. Box 949, Allen, TX 75013-0949
Trans Union: call: 1-800-680-7289 and write: Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92634
You can also “freeze” your credit report. Click here for instructions.
3) Contact your local police and file a report. The report will be valuable for your records even if the police don’t catch the scammer. Since Dave’s case may involve an inside job, we’d also suggest reporting it to the FBI.
4) Finally, you’ll want to contact the FTC. File a complaint with the FTC by contacting the FTC’s Identity Theft Hotline: 1-877-ID-THEFT (1-877-438-4338); TDD: 202-326-2502; by mail: Identity Theft Clearinghouse, Federal Trade Commission, 600 Pennsylvania Avenue, NW, Washington, DC 20580; or online: www.consumer.gov/idtheft.
Your state may also have resources that can assist you, such as an “ID Theft” passport. Call your state’s attorney general’s office and ask for more information.
Anyone else have advice for Dave? Have you been there? What did you do?
Pretexing [FTC]
FBI Field Offices [FBI]
HOW TO: Get Through Having Your Identity Stolen
ID Theft Help [FTC]
How To Freeze Your Credit Report
More From Consumerist
-
Kmart Builds Holiday Ad Campaign Around Layaway Angels Of 2011
-
Walmart Considers Paying Its Customers To Deliver Online Orders
-
Lawyer Insists He’s Innocent Of Death Profiteering And Identity Theft, Wants New Trial
-
Someone Is Watching You Pick Your Nose Via Webcam & Sharing Photos With Fellow Creepers
-
Hyundai Pulls Awful Ad Showing Failed Suicide Attempt Using Car Exhaust Because It’s Awful
I keep getting emails from BofA to my army email address explaining about possible security breaches. The thing is though, I dont have any BofA accounts.
@myotheralt: almost certainly a phishing scam
I don’t know about you all but the USPS routinely opens our mail for us. The fun part is that its not ALL mail they open, just the stuff that contains financial details.
In fact just tonight they opened my Fidelity Mutual Fund ‘you changed your PIN’ recently. Thank goodness they did not print my pin in there.
Seriously, no joke. But whatcha gonna do, its probably not the local office.
@neverest: I was beginning to think that maybe I was the only one who was actually getting good customer service from BoA. Then again, the fact that one of the charges to my account actually had someone else’s name on it probably made it much easier for them to figure out that I was telling the truth. I didn’t actually go to one of the banks, but I did not go to the website I was told to go to over the phone until after going to view my account on the website and seeing the same link on BoA’s website, and I only called numbers that were from their website.
This happened to my fathers business account multiple times with Fleet(before Bank of America took over). He went through at least 2 cards before they fraudulent charges stopped happening.
The bank was very quick to fix the situation for my father(it helps when you pay them money for holding your money). However, it still shows there is some sort of weakness in the way that the credit cards and PIN numbers are created and distributed.
I check my BofA account online twice a day: once in the morning and once before I go to bed.
This is how much I distrust them.
I’m intrigued by the detail that the thief was in Reston, VA. Is this just the site where he’s swiping the card? Could it be where the security breach happened?
I’m curious about this because I live in Reston. I don’t bank with BoA, but a friend does. And we’ve both fallen victim to debit card fraud in the last six months.
@randotheking: Completely, 100% wrong. You realize that magstripe cards can EASILY be cloned with equipment that is available quite cheaply, right? And PIN’s CAN be stolen. It’s harder than stealing just a credit/debit card number, but it’s definitely possible via many of the ways that have been discussed in this thread. All the thieves would have to do is clone a magnetic card to contain the stolen number and then enter the stolen/reset/guessed PIN (it sounds like the PIN might have still been set to the default). The problem is that the banks (and people like you, inexplicably) seem to consider PIN entry + magstripe some sort of magical security measure that can’t be breached. It’s not.
I find it amazing that members of this site would still side with BoA and not Dave. Makes me suspect we have BoA employees here. I count roughly 5 people who said they had similar problems with BoA so its not a anomaly. Myself, though not the exact same problem, but the same company and fraud dept, spent 6 months filled with phone calls, faxes affidavits and trips to the police dept, to finally get BoA to get their act straight and not destroy my credit because of their !@#$ups.
Good luck Dave, I feel for you man, I wouldn’t wish BoA on my worst enemy, although my nasty side would love to seem some here get innocently nailed by our screwed up, no oversight, banking system so they understand what a hell it can be.
@dave4dave: 1) The card …So the perpetrator somehow found out the PIN of the card that was originally assigned to it, or they changed it with social engineering/pretexting.
The default PIN could be one of two: 1234, or the last 4 of your SS. So even if anyone gets a card they dont want to use, change the PIN right off the bat.
It’s fairly easy to make counterfeit cards, it’s not that much harder for organized e-gangs to try random but known-sequence codes to see if un-used card numbers can be activated.
One question not asked to the Dave the OP: does he have a maid service or any house-workers that have access to his den/office? Just a thought.
@randotheking: PINS can totally be stolen, like from retailers who are supposed to wash out from the system all those PINS people punch in on the keypads, but then don’t.
“One question not asked to the Dave the OP: does he have a maid service or any house-workers that have access to his den/office? Just a thought.”
No, we don’t have anybody in our house except my wife and our four small children (all under 8 years old). Nobody is allowed in my home office except my wife and myself. We don’t have friends who come over (we just moved to this new city) so nobody else is ever in our house.
The PIN they assigned is completely random and 6 digits. It doesn’t match anything (it’s not the last numbers from a SSN, for example).
@dave4dave: Is this happening at a POS PIN-entry pad (like at a Sprint store, perhaps)? I’m trying to understand where Sprint would be processing a PIN-based transaction.
Do you think someone could have tampered with your mail? Do you have a locked mailbox, for example?
@NoWin: “The default PIN could be one of two: 1234, or the last 4 of your SS.”
Stupidest thing I’ve heard today. This isn’t 1954, they don’t do that anymore. I haven’t had a recognizable PIN on any credit or debit card in the last 10 years. It’s random.
@DallasDMD: I don’t want to be particulary picky in the error department. But its Voilà , not Viola. A viola is an instrument
The story sounds creepy that they are able to make a copy of a card and have the pin even if they do not have the physical card. Sound like an inside job indeed. It is also creepy that the fraud occurred in Reston. I only live less than ten miles from there….
@myotheralt: That is a phishing scam. Brick and Mortar banks do not do this.
I can’t help but add one “semi” positive story, this past staurday the fraud department of BoA contacted me to let me know that my card is being used in Egypt to purchase Jewlery! About 6K worth! Last time I was in Egypt, 1990! They acted quickly closed the account, reversed the charges and sent me a new card. Ofcourse my card was never stolen but someone has managed to get the number, but the security code was a bad guess.
Let me give you some valuable information. This is a classic counterfeit card and not a real big deal as far as perps are concerned. No one hacked into the banks system but more than likely some Atm system that the card was in. The bank is not the only company to have your card and pin number info. Anyway as far as catching the guy that did this…well don’t count on it, but thinking that opening another account with another bank will keep you safe it won’t.all banks have fraud just go ahead and ask them. If you have no intentions of using the card and its just going to collect dust, just have the damn thing closed out. That way no one can steal the card number.
@fankoush: No , all card numbers run in sequence so if you fall into the sequence of stolen numbers, then there is very little you could do to prevent it. But the security code on the card has nothing to do with anything because merchants often don’t ask for that.
As an FYI this is a purchase made with a stolen card number meaning it does not need the pin number in order to go through. more than likely it was done over the phone or on the internet. If thats the case then the perp did not need a pin because it is not being used as a debit. It can be used as both debit or credit and the perp used it as credit.