The Green Sheet

Thursday, August 26, 2021

I got hacked: now what?

Following our Aug. 25, 2021, breaking news story, "T-Mobile, AT&T security breaches put millions at risk," Dale S. Laszig penned the following View piece recounting her experience as a victim of the breach and what she learned from it as she took steps to reclaim her accounts and safeguard her digital identity and data:

Like millions of others, I got hacked. I discovered the breach when attempting to log into online banking. A customer service agent confirmed my password had been reset the day before. We quickly determined that a hacker, posing as me, swapped my phone's SIM card and used the bank's one-time token to gain access to my account.

After helping me log in and remove the compromised phone number from my bank account, the agent suggested that I visit a local branch. Ironically, that same week I had attended a conference focused on digital commerce and bank transformation. And yet, here I was, walking into a local branch for the first time in years, looking for customer service.

"I'm surprised the online banking team didn't tell you about our appointment-only policy," a bank representative said. "My 9:30 is already waiting for me." She did, however, take a few minutes to review my account and advise I'd done everything possible to secure my account.

Digital reboot

After securing my bank account, I contacted my carrier. An agent remotely reprovisioned my SIM card, assigned a new phone number and texted a link for optional security protection, assuring me the first 30 days would be free. I pushed back.

"Isn't that like locking the barn door after the cows get out?" I asked. "My data was stolen on your watch and now you want to bill me every month for protection. Who's the criminal now?"

The next few days were a blur of reset passwords and texts, and friends sending challenge questions to confirm it was really me. During this time, I discovered my new mobile number was linked to another person's Amazon account. My carrier told me the Amazon issue was due to my phone not being fully provisioned, which could take a few more days.

At this point, I was under contract with another mobile network, but the smartphone I wanted was not in stock. To further complicate matters, I learned I could not port my phone number to the new device. Instead, I would have to notify vendors, colleagues and friends of a new phone number all over again. As if this were not enough discouragement, that carrier had also been hacked, putting millions of existing, new and potential customers at risk, including me.

Delete, repeat

Throughout the password reset process, my old phone number kept resurfacing like an old stain, even after I'd deleted it from my online account profiles. I called vendors to make sure they deleted the phone number from every nook and cranny of my account settings. This would prevent hackers from using the old number for password resets and two-factor authentication.

After changing my username, I realized how easily hackers could find it. All they had to do was click on "forgot my username" and enter my stolen credentials to see the new one. Bad actors could use the same tactics to set up a new password. What's the remedy? In some cases, it was necessary for a supervisor to fully erase my old credentials from a customer database. Service providers also set up alerts concerning suspicious activities.

The remediation process motivated me to fully audit my digital profile, using the PCI Data Security Standard (PCI DSS) as a guide. The PCI Security Standards Council (PCI SSC) guidelines are designed to protect sensitive data.

Best practice

"The standard itself provides an actionable framework for developing a robust security process, including preventing, detecting, and reacting to security incidents," the PCI SSC wrote in the introduction to its Self-Assessment Questionnaire. "To reduce the risk of compromise and mitigate the impact if it does occur, it is important for all entities that store, process, or transmit cardholder data to be compliant."

I'm grateful to infosec leaders whose guidance helped me weather this storm. If you find yourself in a similar dilemma or just want to stay safe, there are steps you can take to secure your digital identity, such as credit freezes, password management and frequent activity monitoring. Your partners and managed services providers can help.

Dale S. Laszig, senior staff writer at The Green Sheet and managing director at DSL Direct LLC, is a payments industry journalist and content strategist. She can be reached at dale@dsldirectllc.com and on Twitter at @DSLdirect.
