The Chase Bank Whodunnit

12/13/2017 in Hong Kong, I realize that what I thought was the PIN for debit card is not the PIN for the debit card.

I call Chase to get the debit card PIN. I make the call from my hotel room.

I give Chase debit-card services all identifying information for my debit card, including mother’s maiden name.

Chase debit-card services tells me they can’t send me my debit card number because my address has recently changed. This is odd because I haven’t changed my address recently. Debit-card services tell me that the address change came from the credit-card department, and begin to connect me.

I establish with the credit-card department that the “address change” was a switch from ZIP+4 to ZIP+6.

In this telephone call, which began with a call about my debit card, nobody says or inputs my credit card number.

For the six months before this I had had no contact with the bank about either card, and experienced no fraud.

The next day, December 14, 2017, there are three fraudulent charges to my credit card:

  • $11,873.10 to MUSIC FOR BETTER LIFE in Switzerland (Tel. 41 79 954 8882—a cellular number)
  • $72.50 to Omega Travel Ltd. in Great Britain (Tel. 0198685029)
  • $1,763.44 to Omega Travel Ltd.

When my credit card stops working, I call Chase. At first I am unable to access my account because my mother’s maiden name has been changed.

Eventually I convince them that I am me, and learn that someone has accessed my account using my mother’s maiden name, and changed my mother’s maiden name. This required knowledge of a) my personal information; b) my credit-card number; and c) Chase’s internal procedures.

Who stole my identity, how do we know, and (for extra credit) why will Chase do nothing about it?

8 Comments

  1. The call that was made to chase (to obtain the PIN), was it a direct call or did it go through an operator? Maybe an employee at the hotel used some sort of man-in-the-middle attack and the first call you made was actually answered by an identity thief?

    1. Direct call from my cell phone. Chase has a record of it. I considered the possibility that the call might have been intercepted, but I did not give Chase my credit-card number in that call, so that explanation becomes much more complicated.

  2. Still could be a MitM attack – the agent could have either made the change themselves (although that *should* be logged).

    The odd thing is that the charges were in Europe, where they *should* be requiring chip cards…

    Chase won’t investigate too hard because they have a budget/insurance for fraudulent charges, and tracking down the perps is usually pretty difficult.

    Interestingly enough, if you go to Omega Travel Ltd’s website, they have a sentence in Chinese in the page header, which links to a site entirely in chinese. Which makes it more likely that this was done by someone in Hong Kong.

    Did you use that credit card while you were there? Maybe swipe it in a reader, or hand it to a clerk? It could be that someone there stole the card # then, and then social engineered their way into changing the information on your account.

    1. There certainly are more complicated solutions. I’ll stick with Occam’s Razor: Credit-card department does not have record of calls to debit-card department, so debit-card contractor, who is already fairly safe since she is a nym in Bangalore, feels even safer scooping up and reselling credit-card information that happens to come across her screen.

      1. Keep in mind there *should* be an audit log of who changes information on your account, especially things like authentication/security information. So, the changing of your mother’s maiden name should have been logged somewhere, which means that if the person in debit-card person changed that, her name/ID is tagged to that. When they changed the maiden name, did they also change anything else? (Address, PIN, etc.)

        The fact that you were able to talk your way into your account after they changed your security information is troubling, since that means if you can do it, someone else could as well.

  3. How close are you to your neighbors on either side of your residence? The Zip+4 to Zip+6 address change might be suspicious.

    There are a few scenarios I can think of:
    Neighbors who know you very well.
    Ex-wife who you never removed from the account.
    Card skimmer in Hong Kong (but only if Chase Bank has an easy way to change your PIN – maybe online)

    The last two, depending on the specific circumstances, might promp Chase to do nothing about it.

Leave a Reply

%d bloggers like this: