Wednesday, March 4, 2015

The closed account that wasn't

This morning I received an unexpected message in my mailbox. Wells Fargo was informing me that my account had been locked due to three attempts to log in with an incorrect password. This is pretty good security: an attacker cannot keep trying passwords forever since the account is locked after the third try, and the bank alerted me via the email they had on record for the rightful owner of the account. Locking the account is a common way to prevent an attacker from discovering a password by random guessing (though it does nothing to protect against an actual password that is stolen). Alerting the account owner means I can change my password and look for any unexpected transactions or other changes to the account.

Wells Fargo alerted me to an account locked due to repeated use of the wrong password.

Except I don't have an account with Wells Fargo.

Or at least I thought I didn't.

My first thought was that it was a phishing scam. Email claiming account problems is a common way to trick consumers into giving away legitimate usernames and passwords, as I have described in detail before. In this case though, the message looked legitimate, and the links were to the legitimate Wells Fargo web site.

After a little sleuthing, I discovered that I did in fact have an account with Wells Fargo. Several years ago I bought a new mattress set for my bed, and took advantage of the retailer's no-interest financing deal. It turns out that the retailer used a financing network that ultimately was fulfilled by Wells Fargo. By virtue of financing this purchase, I opened a loan with Wells Fargo, and had completely forgotten about it.

Still, this purchase was several years ago, and had been fully paid off well over a year ago. An open but dormant account is a great target for a thief, because fraudulent transactions might not be noticed for a long time.

Lesson 1: Shame on Wells Fargo for keeping this account open over a year after it was paid off. If you are a financial institution backing a purchase loan (for instance, financing a vehicle, or a major furniture purchase), close the account once it is paid off. A closed account cannot be used fraudulently.

Lesson 2: Shame on me for not noticing the account was still open. I check my credit report three times a year (you should too) looking for unexpected credit events (such as new accounts). I never expect to find anything, since I also put an Initial Fraud Alert on my credit report, which more or less prevents anyone from opening a new credit account in my name without jumping through some serious hoops - hoops that will generally cause an opportunistic thief to move on to easier prey - but I digress. US consumer protection laws allow me to obtain a free copy of my report from each of the three major credit bureaus once a year; I spread this out and request a copy from one bureau every 4 months. If you are a consumer, check your credit report periodically, looking for unexpected new accounts, erroneous late payment dings, and yes, open accounts that should be closed.

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen
