Super Security Guy

Wednesday, April 25, 2012

Wayde York


Trying to be healthy by eating at Jared’s favorite sub shop, I ordered a salad but my debit card was rejected.

Money in the bank was no problem since I immediately checked the balance with my Android phone app.

At this point, the Security Guy in me leapt to the fore. After buying food with another piece of plastic, I went home and called the bank. The bank told me “you canceled your card during an 11 minute call last night.”

It’s been decades since I’ve forgotten what I did the night before and I told the bank I did not cancel my card. I was told the information needed to close my account included information that could be found on my Facebook or through Spokeo, plus the last-deposit-made.

The last-deposit-made information requirement to close my account sent me straight into incident handling mode. (After all, I was recently certified in that field). Since someone had to get into my account to get the last deposit, I ‘knew’ someone had broken in.

I immediately had them close my checking and savings, and open new ones, and apply byzantine money transfer maneuvers.  But wait, there’s more.

While I was talking to the operator, I tried to login to my online banking account and when I put in the username/password, I couldn’t get in! The bad guys had changed my login. More red lights were flashing and the bulk of my security expertise poured in to the rescue.    

I asked the bank if they were going to investigate the breach, and the operator sent me to a supervisor. When I explained the events to the supervisor, the real story turned out to be very different. My security guy shine was dimming.

Turns out, days before this event, I had questioned a “low and slow” 5, 6, 8 dollar charge on my account that occurs randomly by an organization called Homerealty (close but not the exact name).

The bank took my question and presumed it was a breach and had canceled my card at 10:30 pm the night before. They also noted the charge came from the cafeteria run within my company’s building. Knowing that, I knew the charges were legitimate.

Instead of someone talking to an operator for 11 minutes, closing my account, the technician was in my account for 11 minutes investigating and killing my card. The notification of this closure was sent to me at 10:30 pm, to my online bank account mailbox.

Shame on me for not checking that one regularly. Thankfully, the supervisor was able to hit the “never mind” button and undo all the incident handling I had done.

In the end, there was no hack, no breach, just a bank being prudent (and telling me while I was asleep.) And the failed login wasn’t super hax0rs trying to run my bank account, I mis-typed the username.

I guess sometimes being in the security business, we may get too zealous too quickly.

At least I do...

Possibly Related Articles:
Security Awareness
Passwords Authentication Security Awareness Online Banking Debit Cards Information Security Infosec Account Takeover
Post Rating I Like this!
Marc Quibell Funny story!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.