italdesign

I've read some related threads and got some ideas. Here's our situation. DH moved overseas back in June for a year-long assignment. Right after that, he started having fraudulent activities:

-Paypal account compromised in June. Thief transferred money from bank and charged amounts to a credit card in the account. CC dispute is still ongoing.
-Amazon account (and AP by association) compromised in June. Whenever we reset the password, it always becomes inaccessible again the next time.
-One unauthorized CC app in June. This is the only request for new credit we are aware of so far.
-A CC address was changed in July or Sep. After we alerted the CC company and requested replacement card to the real address, we are told the letter bounced because our address has been changed in USPS (oddly though I'm still getting letters in his name at the real address).

Another activity happened a few months before: back in March a hotel account was compromised. Thief changed email and booked a stay using pts in the account.

Someone has clearly obtained his information and done some damage. The good thing is they haven't been too ambitious so far. But I have to assume they have his sensitive info such as SSN, bday, address, and maybe a few passwords, and can do more damage if their hearts desired. With that in mind, here's my plan:

-Place security freeze on the 3 credit bureaus. Do we need to worry about small ones like ARS?
-Change passwords to something stronger.
-Add a passphrase challenge to accounts, to be required when calling.
-Monitor credit on CreditKarma and CreditSesame. Do we need something stronger?

Should we also file a police report? Anything else?

One complicating issue is that DH, the victim, is out of the country for at least a year. If anything requires his presence, we have to find a way around it.

CDTraveler

Definitely file a police report. It will give you more leverage with CC companies re fraudulent charges.

Have you checked the family computers for malware which might be used to obtain the compromised info?

Also, once I had the police report in hand, I would close every compromised account, including email, and set up new ones with as much fraud protection as you can get from the various institutions. I had checks stolen a while back, and the bank put all sorts of fraud codes on the replacement account, which stopped a few problems before the criminal transactions could go through.

Father-of-3

You need to change your passwords and security questions on EVERYTHING. I'd also use different answers to the security questions. For example if your first car was a Ford Fairlane I would answer "Moldy Bagels" for one account and "orange pajamas" for another. It will make it a pain in the ... for you with complex passwords and security questions but should better protect those accounts.

Also you should go for 2-factor authentication where available. PayPal with give you a secure token for $5. It's well worth it but again makes this more complicated for you too.

Q54701

I have no words of wisdom but want to say I'm very sorry this has happened

chgoeditor

This happened to me a few years ago, so you have my sympathies.

A police report is a must. I'm surprised that none of the affected companies have asked you for one yet.

I'd highly recommend splurging on a credit monitoring service. I use Experian's, which automatically renews my fraud alerts with each of the other credit reporting agencies.

Also, lock down your credit reports so that any new credit inquiries trigger a call to your home phone for you to verify that the inquiry is legit. (You can also give creditors a one-time password that expires within a few days but which allows them to run your credit report.)

Two-step authentication for every account where it's available is essential.

Have you scanned your computers and phones for viruses? The fact that your Amazon account passwords are reset regularly makes me suspicious. Also, check the answers to your security questions. The thief might have changed them, allowing them to gain access to your account each time you're locked out.

I highly recommend a password manager such as Roboform. I have ~2K saved passwords and no two passwords are alike. All I need to remember is my single master password and I have access to my long, complex passwords for every possible account.

Where is your husband based for the next year? How is he accessing the internet? I know several friends who have been hacked after using their phones in China...I can't help but wonder if there's a connection between his overseas assignment and your issues.

Document every conversation you have with creditors. You'll be surprised how many don't do a great job of annotating accounts and following up on promised actions.

Tchiowa

First thing, make sure you've got a good bank and good CC company.

This has happened to me twice. Once a hotel in Florida near DisneyWorld copied my Amex number and sold it (I know that because they got caught eventually). Amex called me in California to see if I had purchased furniture in Atlanta. They refunded all fraudulent charges, changed my card, and kept me informed while they tracked down the culprit. (Idiot bought some music CDs on TV and had them sent to his own apartment.)

Second time was in Indonesia. I saw the charges and called Chase. Again, they handled it quickly and with no fuss.

BTW, if you don't think it can happen, check your e-mail. I use hotmail. Go to Hotmail, Edit Profile, Security, Recent Activities. You'll see you are under constant attack. I just looked. 17 attempts to log into my e-mail in the past 24 hours. Wrong password each time. Tried from Iran. Russia. Turkey. All kinds of strange places.

rubesl

It's a PIA, but put two factor identification on everything you can (second factor is a one time passcode that is texted to you). You can set it up for most email accts., for sure. Here is an article that may help:

http://socialcustomer.com/2014/04/ho...nd-others.html

Good luck!

beachmouse

Income tax paperwork gets filed as soon as possible as you get all the documents you need from employer and financial institutions to do so. Income tax refund fraud is becoming common and you want your correct return filed before the scammers can file their fake one.

And yeah, lock down the credit reports, not just a 90 day fraud flag. The credit bureaus make it hard to do so for free, even with a police report in hand, so just go ahead and pay for it rather than chasing he documentation they claim they need to do so gratis.

italdesign

Thanks for all your suggestions and condolences.

Amazon is the one case we don't know if it's hacked or not. DH couldn't access it from Singapore, whereas I could from the US (until DH tries again and causes a lock). So it could simply be blocking access based on location. We have't dug deeper.

The one occasion I fear it wouldn't work would be if I'm traveling overseas and need to use a different computer (which doesn't happen often). I would have set the master account with 2-factor authentication, but wouldn't have access to my phone or email (which may also be inaccessible due to 2-factor authentication), so I may be locked out of all accounts since I need the master account to know any password.

Singapore. We have suspected possible security problems with the networks there. But I also used it there for several weeks and had no problem yet. So nothing conclusive.

chgoeditor

I'm not sure about other companies, but Google allows you to print out a list of one-time codes that you can use in the event you can't access your phone or email. You could then create a Google Voice account and use that number for the two-step authentication on other sites. It would make me a little nervous in case your Google account is compromised, but better than nothing.

Yahoo allows you to answer a challenge question that you've created rather than getting the call/text message. My question is very specific yet esoteric -- it's not a question that's used on any other website and it asks for the first and last name of a person who was in my life 30+ years ago. (And asks it in a sufficiently vague way so that even someone who knew the answer might not actually understand the question.)

JMN57

If you suspect the networks, get a vpn account.

italdesign

Awesome. Good to know gmail has thought of these corner cases already.

gfunkdave

In fact, all of the cryptographic 2 factor auth solutions so this. Google gives you 10 backup codes. Apple, Microsoft, Evernote and others give you one.