Miles Earn and Burn

EDITOR’S NOTE: This is a bonus guest post from SideShowBob233 thrown together after another run-in with a bank.

After hearing about another recent incident with a similar result, I wanted to share my story and my lessons learned from having my American Express account hacked. 

I woke up to a bunch of emails from AmEx showing my password was reset, my phone number was changed and there were some gift card redemptions.  Not a pleasant thing to see, but I had to get the kids to school so I had to put it off. The emails were hours old anyway, whatever damage happened was already done.  

When I checked later, I found the scammer had managed to reset the password on one of my personal Platinum cards, (because who doesn’t have more than one $695 annual fee card lying around under a pile of rakes?) get into my login, and apparently used chat to go to town (he – and I’ll refer to the scammer as he but it could have been a she as I’m all for equal opportunity scamming) seemingly had my 3 digit code from the back of the card and possibly my security word, but I’m not sure.  Below is a redacted (to protect the innocent, or in this case the mildly guilty) chat log of the scammer’s interactions with AmEx:

2 AM local time, SideShowBob233 is snoring loudly while sleeping in a room filled with rakes:

Amex chat: Hi Bob, please select one of these options, or in a few words tell me what you need help with.

Scammer: Hi. My name is SideShowBob233 (the 233 is my IQ). I want to request my pending points to be available. I want to use them right now. I make all my payments through Autopay and all my payments are on time. I also have orange hair.  

Amex: A Customer Care Professional will be with you shortly.

Amex: Hi Bob. This is Francis [likely not the Pope – but I wasn’t 100% sure]. I see that you are chatting to accelerate pending points.

Amex: Let me go ahead and review your account and also browse the internet while I make you wait.

Amex: Kindly verify the last five digits of the card in question and then when you last had sex

Scammer: 96969 and right now

Amex: Thank you. I am checking on it.

Scammer: Let me change that last answer as I’m already done 😬

Amex: Are you referring to the 69,420 points?

Scammer: Yes

Amex: I have accelerated pending points and it has been added into your reward points balance.

Scammer: Thank you kindly now can you help me scam some more?

Scammer: Can you help update my new office or business phone number on my accounts, cell number remains the same and I also want to use some of my Platinum card rewards balance and order 1 $69 egift card.

Amex: To update the number, I will help you to update it on the account.

Amex: Please share the business phone number you wish to add on the account.

Scammer: The online option does not seem to work, When I add the gift card to cart, the page keeps on loading

Amex: I kindly ask that you consider switching to a different browser, or alternatively, you may clear the cache, cookies, and browsing history of your current browser.

Amex: After doing so, please open a new tab and log into your online account once more; this should resolve the issue.

Scammer: I am not doing all of this right now. Can you just order it or I will try later?

[Note the angryish/insistent tone – red flag]

Scammer: XXXXXXXXX (his phone number – surprisingly NOT 1-800-SCAM-MER)

Scammer: This is the new business phone number

Amex: Do you have platinum card handy ending with 96969?

Scammer: I do

Amex: Perfect. To proceed, I will need to ask you a few security questions to ensure the process is conducted accurately on your account.

Amex: To protect your account security, please answer the following question.

Scammer: Submitted

Amex: To protect your account security, please answer the following question.

Scammer: Submitted

Amex: I have added the business number to the account.

Amex: I have ordered your $69 egift card. You will receive confirmation E-mail for the same and it will be available to use in next 4-24 hours.

Now some comments: 

The scammer seemed to have had to have both the 4 digit code on the front and 3 digit code on the back of my card.  Not clear how they got it as the card rarely leaves my house and in fact is almost never used.  It was replaced recently, which is how I am guessing it was compromised – but I am not more than 69.420% convinced that’s the case.  A swiper wouldn’t get the 3 digit code on the back but I guess if there was a camera there too, it could have.  The card was used in person exactly one time, at a Saks a few weeks ago. Did not see anything on the card reader and I was there a while; our family likes to buy stuff at Saks for some reason (might be the large clown shoes they sell).  

Now SideShowBob233 you say to yourself, again out loud while streaking through your backyard again because it’s the only way to talk over the voices you’re hearing in your head, how could you have prevented this?   I have some ideas only some of which come from the voices in my head. 

First, turn on two factor authentication in your logins.  I always avoided it and complained extensively in the few cases where AmEx forced it on me (My friends, neighbors and even random hobos near Dollar General can confirm my complaining).  No longer.  Yes, it’s a PITA but it would have kept the scammer out of my login.  Second, turn on 2FA some more.  If you don’t know how to do level two 2FA, what are you even doing with your life?  I mean come on dude.  

Also change your security word periodically, I don’t know if the scammer had mine or not, but mine was a word nobody would ever guess (not, it’s not rake, not even with a 69 after it), if they did they would have had to have gotten it from Amex rep when I called in the past.  It’s not something you’d know about me either.  P2 doesn’t even know it.  

Not many people are aware of it, but the AmEx card numbering scheme is very outdated, and there are not all that many unique numbers on AmEx cards.  Losing your card and getting a replacement number gives a very predictable result, both for the new card number AND the expiration date, meaning the 4 and 3 digit codes are the only things that are really secure once your card number is compromised.  This is likely what led to the tons of Facebook $2 fraud but who knows, maybe Zuck just needed a new island.  So if a number is compromised consider losing the card 2-3 times to randomize it a little bit (both the replacement expiration date and the last digit).  

My case had a (mostly) happy ending – AmEx apparently caught the fraud and invalidated the cards before I even called.  After uploading a DNA sample, stool sample, and Clorox wiping down my scanner, my accounts were cleared and I am now free to go back into the AmEx void to be scammed again.  My scanner still isn’t speaking to me though.  

– SideShowBob233

SideShowBob233’s two factor authentication (level two) helps protect lunch.