Fidelity card fraud

[big bang]

So my card was compromised and they made a large fraudulent charge to the account.
When calling the card company, I learned that they requested a new replacement card with the same account number to be sent to a different address and they also added a travel notice to Canada. The charge was made from Ontario Canada.
We took care of the regular steps with the card company of issuing new card, removing the charge etc.

However, what worries me the most is that they were able to bypass the security questions of the card company by knowing my last four digits of social security number, home zip code and home phone number.

Now I am very concerned that this might be a path for more complex fraud activity that I might get exposed to.
What do you suggest that I will do?

[livesoft]

My experience is that whenever you update your phone, e-mail, or address that all places send at least an e-mail and often a text that you have done so to the old e-mail, address, or phone number. I am not sure if this is how you caught the bogus charge or if you were just casually looking for bogus charges. Please inform us.

But credit cards would not work if card providers did not eat these charges themselves, so I suggest to not worry and stay vigilant.

[big bang]

My experience is that whenever you update your phone, e-mail, or address that all places send at least an e-mail and often a text that you have done so to the old e-mail, address, or phone number. I am not sure if this is how you caught the bogus charge or if you were just casually looking for bogus charges. Please inform us.

I received a fraud alert from the card company.
Per the agent, combination of the events triggered the fraud alert.

[livesoft]

I don't think you can change the last 4 digits of your SSN, nor your ZIP code, but you can cancel your home land line and ditch that phone number.

[The Man with the Axe]

What do you suggest that I will do?

Contact the three credit reporting agencies (Transunion, Equifax and Experian) and freeze your credit. It's free.

While you're at it, get your free credit report and review it to confirm there are no new accounts opened using your data.

Good luck!

[brcarls]

I recently had a fraudulent charge on my Fidelity card. What blew my mind is that they called me to ask if the fraudulent charge was legit and wanted me to confirm my identity with last 4 of social and other info... I said "You called me! I'm not giving you that info". I hung up and called the number on the back of my card.

Turns out the call was legit, but think of how easy it would be for a scammer to call you, say your card was compromised and ask for you to identify yourself to dispute the charges and get a new card issued. Then, she calls Fidelity and uses the info you just gave her to do nefarious things.

It is unconscionable that they cold call people asking for personal info. This trains consumers to give info to anyone who calls, legit or not. They should just tell you there is suspected fraud and you should call them back to sort it out.

[brad.clarkston]

I recently had a fraudulent charge on my Fidelity card. What blew my mind is that they called me to ask if the fraudulent charge was legit and wanted me to confirm my identity with last 4 of social and other info... I said "You called me! I'm not giving you that info". I hung up and called the number on the back of my card.

Turns out the call was legit, but think of how easy it would be for a scammer to call you, say your card was compromised and ask for you to identify yourself to dispute the charges and get a new card issued. Then, she calls Fidelity and uses the info you just gave her to do nefarious things.

It is unconscionable that they cold call people asking for personal info. This trains consumers to give info to anyone who calls, legit or not. They should just tell you there is suspected fraud and you should call them back to sort it out.

There really isn't a better way to do it, would you rather them not notify you and let you eat the charge after 30 days? The only other way would be by e-mail which is even worse.

As a customer I wouldn't get mad at the poor slob doing the calling. I would say "thank you for notifying me and I will call right back on the the 1-800 number to verify your identity before going further" anything else is rude and not worth the anxiety.

[increment]

"thank you for notifying me and I will call right back on the the 1-800 number to verify your identity before going further"

That is what they should tell you to do, not just train customers to give random bits of data to strangers who call on the phone.

[Doctor Rhythm]

"thank you for notifying me and I will call right back on the the 1-800 number to verify your identity before going further"

That is what they should tell you to do, not just train customers to give random bits of data to strangers who call on the phone.

Absolutely! In my experience, the notification always says “fraud suspected, call # on back of card.”

[Mudpuppy]

However, what worries me the most is that they were able to bypass the security questions of the card company by knowing my last four digits of social security number, home zip code and home phone number.

All of that data is readily available on the black markets as a consequence of several large data breaches. I would suspect the source as being the Equifax breach, since they also targeted an account that would have been part of your credit report, but that's purely just a theory on my part. The important thing is to not treat any of that data as confidential and add additional security measures on your accounts, such as requiring a PIN or passphrase to access the account through the phone customer service.

[big bang]

Since yesterday I did the following:
Fidelity account - changed user name, changed password, setup two way authentication, set up my cell phone number with all the account alerts and locked all accounts so no transfers can be made.
Fidelity credit card - setup all activity alerts and security alerts to my cell phone.
Credit freeze - with all three major companies including fraud alert.
Anything else?

[Mudpuppy]

There's the minor credit bureaus too. The Wiki has a list: https://www.bogleheads.org/wiki/Credit_freeze

[xerxes101]

Since yesterday I did the following:
Fidelity account - changed user name, changed password, setup two way authentication, set up my cell phone number with all the account alerts and locked all accounts so no transfers can be made.
Fidelity credit card - setup all activity alerts and security alerts to my cell phone.
Credit freeze - with all three major companies including fraud alert.
Anything else?

I would also double and triple check your computer security. Is it possible that someone has hacked into your computer or e-mail account? Do you have good antivirus software installed and have you done all the OS updates? I don't mean to be an alarmist and scare you, but the events as you have described them raise the possibility of an identity theft (to me)....but I am no security expert...just my 2 cents...It is good that you did the credit freeze. If you suspect identity theft, perhaps you should talk to your home insurance company. I seem to recall that I have some coverage through my home insurance policy for cases of identity theft.

[MikeG62]

...When calling the card company, I learned that they requested a new replacement card with the same account number to be sent to a different address and they also added a travel notice to Canada. The charge was made from Ontario Canada.

I don't understand how/why they would send a replacement card to a new address and not send some form of communication back to you (either by e-mail or text or even snail mail). I'd want to know how they could have approved this request without notifying you (or requesting the person who called verify they were you through a secure text to your phone).

Fidelity VISA was our general purpose CC for well over a decade. Earlier this year, we obtained platinum honors status with BofA and now use their premium rewards CC as our new general purpose CC. The Fidelity VISA has been moved to my desk drawer.

[stockrex]

get a new laptop, I bought a sub $300 laptop from costco that I solely use for bills, etc.I have a few $200 laptops for the kids to use and not have to worry about viruses.

[JoMoney]

It happens, I had a card stolen in the mail, and following that a rash of identity theft of other accounts opened.
The perpetrator managed to pull my entire credit report from one of those shady looking, for a fee, online credit report companies, which I'm sure provided them with more than enough details for the further identity theft. I was able to report all the fraudulent activity and get it cleaned up, it was a hugely painful ordeal that I'm sure would have been even worse for a less organized person.
For reasons that I won't go into, I need my credit report to be open to soft-pulls on the regular basis, so a full "credit freeze" wasn't really an option. I did however report to the major credit agencies for a "Extended Fraud Alert", and anytime someone attempted to open an account I was first notified and could shut it down... I got notified of an attempt (I think twice) and whoever had it stopped trying after that.
Now I'm just vigilant about checking my credit history several times a year. It sucks, but that's the state of things these days. As far as I can tell the only other viable options are to pay someone else to monitor your credit history, a total freeze of credit (which may cost you and be problematic when 'un-freezing'), or just to have really lousy credit not worth stealing.

[big bang]

Since yesterday I did the following:
Fidelity account - changed user name, changed password, setup two way authentication, set up my cell phone number with all the account alerts and locked all accounts so no transfers can be made.
Fidelity credit card - setup all activity alerts and security alerts to my cell phone.
Credit freeze - with all three major companies including fraud alert.
Anything else?

I would also double and triple check your computer security. Is it possible that someone has hacked into your computer or e-mail account? Do you have good antivirus software installed and have you done all the OS updates? I don't mean to be an alarmist and scare you, but the events as you have described them raise the possibility of an identity theft (to me)....but I am no security expert...just my 2 cents...It is good that you did the credit freeze. If you suspect identity theft, perhaps you should talk to your home insurance company. I seem to recall that I have some coverage through my home insurance policy for cases of identity theft.

I have Norton 360 installed with the following features activated: Dark Web Monitoring and Secure VPN
I am not using the cloud backup feature. Should I?

[big bang]

...When calling the card company, I learned that they requested a new replacement card with the same account number to be sent to a different address and they also added a travel notice to Canada. The charge was made from Ontario Canada.

I don't understand how/why they would send a replacement card to a new address and not send some form of communication back to you (either by e-mail or text or even snail mail). I'd want to know how they could have approved this request without notifying you (or requesting the person who called verify they were you through a secure text to your phone).

You have a very good point.
I have not received any notifications.
Completely strange....

[Mudpuppy]

I don't understand how/why they would send a replacement card to a new address and not send some form of communication back to you (either by e-mail or text or even snail mail). I'd want to know how they could have approved this request without notifying you (or requesting the person who called verify they were you through a secure text to your phone).

There are two potential avenues here: a deficiency on the part of Elan's policies (Elan is the servicer for Fidelity VISAs) or a deficiency on the part of one of the Elan phone representatives. Most credit card companies have the ability to ship a new card to a different address than the billing address in case you lose your card or have it stolen while you are traveling. If the identity theft convinced the phone rep that they were Big Bang, they could easily exploit this feature.

While it would be a best practice to send a letter/email/text to the contact information of record when a replacement card is issued to a different address, I'm not familiar enough with Elan's current structure to know if they follow that best practice. I personally had a very bad experience when Elan took over my original credit card back in the 1990's and I refuse to do business with them anymore, which is the sole reason why I don't have the Fidelity VISA.

get a new laptop, I bought a sub $300 laptop from costco that I solely use for bills, etc.I have a few $200 laptops for the kids to use and not have to worry about viruses.

It's far more likely that the identity theft bought the information on the black market instead of putting something on the OP's computer. If it was something on the OP's computer, they would have just logged in to the website with the username and password of record. From how the OP has described this, it sounds more like they conducted a social engineering attack on a phone representative and was able to successfully answer the phone security questions.

Now if they instead did log in through the website and the OP uses a unique password for that site, then the OP should be concerned about keyloggers. But getting data from information dumps on the black market and then launching a social engineering attack on the phone representatives is far more common these days. For me personally, I know the black market has my medical information (Anthem breach) and credit card report (Equifax breach), plus who knows how many passwords from the various compromised websites.

That's why I use a password manager to have long, complex, and unique passwords for any website where I care to keep the attackers out. I do not use any password pattern schemes to generate a "unique" password because those schemes can be discovered if enough sites are compromised. I remember a small handful of complex passwords to unlock a work password database and a home password database, then use the password manager for the rest. For example, my Fidelity investment password is completely different than my Vanguard investment password.

[an_asker]

"thank you for notifying me and I will call right back on the the 1-800 number to verify your identity before going further"

That is what they should tell you to do, not just train customers to give random bits of data to strangers who call on the phone.

+1! I would absolutely not give personal information to an inbound caller. That would be downright silly!

[Northern Flicker]

However, what worries me the most is that they were able to bypass the security questions of the card company by knowing my last four digits of social security number, home zip code and home phone number.

Do you use strong passwords as answers to security questions, or actual answers? If actual answers, how do you know they bypassed the questions?

What should concern you more is that the provider seems to think they are doing something in a secure manner when they authenticate you by asking questions most of which have answers that are in the public domain.

[Northern Flicker]

That's why I use a password manager to have long, complex, and unique passwords for any website where I care to keep the attackers out. I do not use any password pattern schemes to generate a "unique" password because those schemes can be discovered if enough sites are compromised. I remember a small handful of complex passwords to unlock a work password database and a home password database, then use the password manager for the rest. For example, my Fidelity investment password is completely different than my Vanguard investment password.

Do you generate random passwords as the answers to "security" questions? Password reset processes are usually the weakest link in authentication protocols in use today. From time to time going through the password reset process to be sure at least one step of it is properly secured is generally a good idea.

[ResearchMed]

"thank you for notifying me and I will call right back on the the 1-800 number to verify your identity before going further"

That is what they should tell you to do, not just train customers to give random bits of data to strangers who call on the phone.

+1! I would absolutely not give personal information to an inbound caller. That would be downright silly!

This, an incoming call requesting personal information, is a special pet peeve of mine.

And sometimes, when I point out, 'Hey, YOU called ME. Can I have an extension number to call you back at, using the main number for <company name>?"
... to which they often get into a fine huff, and reply with some version of, "Well of COURSE I'm <who they announced they were>!! Who else would I be!??"



WHY... can't they understand this concern!?

RM

[ncbill]

I recently had a fraudulent charge on my Fidelity card. What blew my mind is that they called me to ask if the fraudulent charge was legit and wanted me to confirm my identity with last 4 of social and other info... I said "You called me! I'm not giving you that info". I hung up and called the number on the back of my card.

Turns out the call was legit, but think of how easy it would be for a scammer to call you, say your card was compromised and ask for you to identify yourself to dispute the charges and get a new card issued. Then, she calls Fidelity and uses the info you just gave her to do nefarious things.

It is unconscionable that they cold call people asking for personal info. This trains consumers to give info to anyone who calls, legit or not. They should just tell you there is suspected fraud and you should call them back to sort it out.

There really isn't a better way to do it, would you rather them not notify you and let you eat the charge after 30 days? The only other way would be by e-mail which is even worse.

As a customer I wouldn't get mad at the poor slob doing the calling. I would say "thank you for notifying me and I will call right back on the the 1-800 number to verify your identity before going further" anything else is rude and not worth the anxiety.

With credit cards you've got longer than a single billing cycle (~30 days) to contest an unauthorized charge...did you mean debit cards?

[Mudpuppy]

That's why I use a password manager to have long, complex, and unique passwords for any website where I care to keep the attackers out. I do not use any password pattern schemes to generate a "unique" password because those schemes can be discovered if enough sites are compromised. I remember a small handful of complex passwords to unlock a work password database and a home password database, then use the password manager for the rest. For example, my Fidelity investment password is completely different than my Vanguard investment password.

Do you generate random passwords as the answers to "security" questions? Password reset processes are usually the weakest link in authentication protocols in use today. From time to time going through the passeord reset process to be sure at least one step of it is properly secured is generally a good idea.

I do that now. In my younger days, I was known to put in phrases chewing them out for the insecurity of their "security" questions.

[stockrex]

I travel a bit for work and pleasure, I found that 2 credit cards a year gets compromised.

Here is how they got mine:
1. Gas station reader in howell, mi
2. Ontario, CA airport parking attendant copied mine (watch her swipe again under the table)
3. YMCA, someone took a pic of card when I had dropped it accidentally
4. Online store with weak protection was hacked probably and card used to order Chipotle pick up order

What is worrisome for Op is they knew more about him and used that info.

I would slowly get all new cards, I started doing this, I use amex, citi for travel solely and every year after Thanksgiving I get new cards

If in doubt about home computers, switch as suggested, I agree that might not the source.

They might just wait a few months and try again, so keep an eye on it.

[Mudpuppy]

4. Online store with weak protection was hacked probably and card used to order Chipotle pick up order

I have to laugh at this one. They go to all the trouble of either running the hack or, more likely, buying the credit card number on the black market, and then all they do is order Chipotle.

[tuningfork]

4. Online store with weak protection was hacked probably and card used to order Chipotle pick up order

I have to laugh at this one. They go to all the trouble of either running the hack or, more likely, buying the credit card number on the black market, and then all they do is order Chipotle.

Credit card thieves often start with a small charge at a common place, hoping it will go unnoticed, to test whether the number is valid. Then they make large charges.

My Amex card was hacked recently. The crook made a small (less than $10) purchase at Amazon, followed by a several hundred dollar purchase. Since I never use my Amex at Amazon I immediately knew it was fraud. I have a different card exclusively for Amazon.

[an_asker]

"thank you for notifying me and I will call right back on the the 1-800 number to verify your identity before going further"

That is what they should tell you to do, not just train customers to give random bits of data to strangers who call on the phone.

+1! I would absolutely not give personal information to an inbound caller. That would be downright silly!

This, an incoming call requesting personal information, is a special pet peeve of mine.

And sometimes, when I point out, 'Hey, YOU called ME. Can I have an extension number to call you back at, using the main number for <company name>?"
... to which they often get into a fine huff, and reply with some version of, "Well of COURSE I'm <who they announced they were>!! Who else would I be!??"



WHY... can't they understand this concern!?

RM

To be honest, the last time something like this happened, they left a phone number, but I called the number on the back of the credit card, and it worked fine.

[appliancejunk]

I recently had a fraudulent charge on my Fidelity card. What blew my mind is that they called me to ask if the fraudulent charge was legit and wanted me to confirm my identity with last 4 of social and other info... I said "You called me! I'm not giving you that info". I hung up and called the number on the back of my card.

Turns out the call was legit, but think of how easy it would be for a scammer to call you, say your card was compromised and ask for you to identify yourself to dispute the charges and get a new card issued. Then, she calls Fidelity and uses the info you just gave her to do nefarious things.

It is unconscionable that they cold call people asking for personal info. This trains consumers to give info to anyone who calls, legit or not. They should just tell you there is suspected fraud and you should call them back to sort it out.

The two times I’ve had fraudulent charges on my fidelity visa in the last four years they called me first too. All they asked me was, my name and asked if I made the fraudulent charges they detected. I said, nope not my charges. They said that’s all we need to know and we will take care of everything. Both times my replacement card was received the very next day as it was sent overnight via FedEx. I was very impressed both times.

[stockrex]

4. Online store with weak protection was hacked probably and card used to order Chipotle pick up order

I have to laugh at this one. They go to all the trouble of either running the hack or, more likely, buying the credit card number on the black market, and then all they do is order Chipotle.

Credit card thieves often start with a small charge at a common place, hoping it will go unnoticed, to test whether the number is valid. Then they make large charges.

My Amex card was hacked recently. The crook made a small (less than $10) purchase at Amazon, followed by a several hundred dollar purchase. Since I never use my Amex at Amazon I immediately knew it was fraud. I have a different card exclusively for Amazon.

They tried to buy $78 worth of Chipotle,

[sabhen]

Just few weeks ago, Fidelity called and said a suspected charge was made on my CC. I have not used it in months. Anyway, Fidelity issued a new card. Now, I keep a watch on all transactions

[MikeG62]

Just few weeks ago, Fidelity called and said a suspected charge was made on my CC. I have not used it in months. Anyway, Fidelity issued a new card. Now, I keep a watch on all transactions

I have alerts set on pretty much all of my CC's for any transactions where the card was not present for the charge/purchase. This is in addition to alerts for any large purchases. I've always identified fraudulent charges through these text alerts - while the charge was still pending.

It's easy enough to set up these alerts.

[bpreloader]

Since yesterday I did the following:
Fidelity account - changed user name, changed password, setup two way authentication, set up my cell phone number with all the account alerts and locked all accounts so no transfers can be made.
Fidelity credit card - setup all activity alerts and security alerts to my cell phone.
Credit freeze - with all three major companies including fraud alert.
Anything else?

In addition to the above I would contact Fidelity and ask if they can add a passphrase or codeword to the account. With that enabled you would have to provide the codeword in addition to the traditional verification questions in order to make any changes to your personal information. The codeword should not be anything that could be associated with you. A good codeword would be something like "blue banana's" or the like. My credit union referred to it as a codeword, Bank of America calls it a verbal password, Im not sure what other financial institutions would call it but I would ask.

I implemented this after someone was able to update my mailing address and have a card sent to the new location. Fortunately I was alerted that the card had been sent and was able to get it stopped. I then went to the bank and had them change all of our credit cards along with our savings/checking accounts and requested that a codeword be associated with our accounts.

[dumbmoney]

I recently had a fraudulent charge on my Fidelity card. What blew my mind is that they called me to ask if the fraudulent charge was legit and wanted me to confirm my identity with last 4 of social and other info... I said "You called me! I'm not giving you that info". I hung up and called the number on the back of my card.

Turns out the call was legit, but think of how easy it would be for a scammer to call you, say your card was compromised and ask for you to identify yourself to dispute the charges and get a new card issued. Then, she calls Fidelity and uses the info you just gave her to do nefarious things.

It is unconscionable that they cold call people asking for personal info. This trains consumers to give info to anyone who calls, legit or not. They should just tell you there is suspected fraud and you should call them back to sort it out.

You're absolutely right, and this was clearly a mistake, not policy - somebody got confused and thought it was an incoming call.

[BrandonBogle]

They should just tell you there is suspected fraud and you should call them back to sort it out.

There really isn't a better way to do it, would you rather them not notify you and let you eat the charge after 30 days? The only other way would be by e-mail which is even worse.

As a customer I wouldn't get mad at the poor slob doing the calling. I would say "thank you for notifying me and I will call right back on the the 1-800 number to verify your identity before going further" anything else is rude and not worth the anxiety.

I trimmed that for you to highlight the better way to do it. That said, I do concur with being calm and not getting worked up. I would also add "please be sure to notate your call on my account so customer service can direct me correctly.".

"thank you for notifying me and I will call right back on the the 1-800 number to verify your identity before going further"

That is what they should tell you to do, not just train customers to give random bits of data to strangers who call on the phone.

Absolutely! In my experience, the notification always says “fraud suspected, call # on back of card.”

+2

Since yesterday I did the following:
Fidelity account - changed user name, changed password, setup two way authentication, set up my cell phone number with all the account alerts and locked all accounts so no transfers can be made.
Fidelity credit card - setup all activity alerts and security alerts to my cell phone.
Credit freeze - with all three major companies including fraud alert.
Anything else?

Try to find a way to lock down your cell phone service so it cannot be easily switched to a different phone through similar means of answering simple questions to your provider.

[novemberrain]

I don't think you can change the last 4 digits of your SSN, nor your ZIP code, but you can cancel your home land line and ditch that phone number.

You can change your zip code by getting a USPS or UPS mail box . I did that after my credit card got hacked. I changed my CC address to the PO Box.

Another thing to do is use Apple Pay for as many transactions as possible. That way I don’t physically hand over the card