I have a morning routine, as most do, and mine consists of checking our primary bank accounts to ensure everything is as it should be. You can imagine my anxiety when my password was rejected and I was only able to log into my accounts after resetting my password. I then discovered that nearly 200,000 Ultimate Reward points had just vanished overnight. I called Chase right away while still clicking through to try to determine where the points had gone. I quickly discovered that late the night before someone had somehow obtained access to my login ID and within 21 minutes had requested a temporary password, then changed the password, changed the email address on my accounts, transferred all of my points out in “cash” to a bank account not at Chase, and then changed the email back to try to cover their tracks.
The rep I spoke with was at first somewhat dismissive, presuming that my husband had cashed out the points and simply failed to mention it to me. We went through all of the security interrogations (no, the irony of that was not lost on me), and she was able to discover that the points had been cashed out to be deposited into an account at another bank, not Chase, which supposedly had René’s name on it and carried the nickname “G-Baby”. She assured me that the only way the points could be cashed out like this and deposited to an account is if the account has the same name as the Ultimate Rewards account. I had no idea you could cash out the points and send the cash anywhere but to a Chase account, so this was news to me. Fortunately since we caught it immediately, we were able to cancel the fraudulent transaction and the points were returned to my account. We then changed the login ID and password as well and I then proceeded to do the same thing on every single account we have.
I requested to be transferred to the fraud department in order to request this transaction be investigated. After 3 attempts to transfer me to various fraud departments within Chase – online banking, credit card, business services – and each department claiming it had to be handled by another department, she finally reached the customer service fraud department and was told that if the transaction has been reversed and the account login ID changed and therefore secured there was simply nothing to investigate now. Chase fraud department just refused to do anything. When I later called to request new account numbers on all of my credit card accounts with Chase, since this criminal had full access to all of my online banking information for possibly 10 hours before I discovered it, all but one single rep told me I should have been advised to file a police report. I told them their own fraud department refused to even look at it and they were, literally, speechless.
I spent my entire day yesterday changing passwords and login IDs and making other necessary adjustments to ensure my accounts are secure. You should know I am a very diligent person when it comes to keeping track of finances, and had I not been and not caught this transaction before it actually was processed, I would have lost $2000+ worth of Ultimate Rewards points.
So just who was at fault for this? My husband ran a computer company for 20 years. My PC is always up to date with the latest security software etc. I can tell you that the very first email I got from Chase to alert me about this let me know my password had been reset, that is, a reset request but NOT the link to reset it. This means someone had already been inside my account. While I cannot tell you this was an internal breach inside Chase, I got none of the normal warnings I get when I personally have to reset my password. Normally, whenever I use my laptop from an IP address not from my home, I get alerts to my phone and have to enter a code. I got none of this either, also making me feel this had to be an internal Chase hack, but I cannot prove that nor was Chase fraud department willing to help me. Most disappointing.
So what have I learned from this I wanted to share? Please continue to be diligent about checking accounts regularly and changing passwords routinely. I have personally updated, one by one, all of my account alert settings so I will be notified if something out of the ordinary happens with any of my accounts. It does take some work but truly a small price to make sure I’m not hacked again! – Lisa
I just don’t understand how Chase system did not detect that your account was being accessed from a computer you had never used. I have multiple computers (2 for work, 1 personal, 1 for my wife) and if I clear any of their browsers for cookies and password I am always requested to verify computer via email or tel on file. Glad you got to see this so quickly and got your points back.
Do you have a Windows PC? I suspect your PC may have been compromised. Anti virus or reformat your hard drive?
@Nick – As mentioned in post, I (Rene) ran a computer biz for 20 years. All updates are current. No virus or spyware (checked with 2x sources each). This was not at our end.
I would freeze all your cards for a few days, esp chase. This could have happened from a wifi spoof or a public computer. Get a copy of your credit reports if you can. Make sure this is not the tip of a bigger iceberg.
Did you get an email when this happened? Every time I’ve transferred UR points I got an immediate email with the subject “Your point transfer request was received” with details in the body about what I’d done (transferred them to BA or wherever). I also get an email alert every time any one of my cards is swiped. I feel like these alerts should be enabled by default given how frequently accounts are being compromised these days.
I also lost my Chase Ultimate Rewards® points due to hacking, about a year ago. Somebody managed to enter my account and used 40k points to order some electronics. I found out about this perhaps 1-2 months after the fact. I reported the issue to Chase and eventually they credited my points.
Also, very recently, my Amazon account was hacked too! Somebody tried to order expensive electronics and I only got an email from Amazon about how a cc I had on file could not be used. Fortunately that issue was also resolved.
Note that the hacking may also happen by attacking the Chase or Amazon servers, directly or via the servers of their partners. Your computer doesn’t necessarily need to be compromised for a hacker to gain access to your account.
@Jac Matrino – Txs for your comment. As a side note, I did over the last week for the 1st time ever do the AMAZON sync and used 1 UR point to get the discount off an order. I will not be doing that again nor re-sync my Amazon and UR points accounts!
This is a good argument for using a password manager program. These make it very convenient to use unique, strong passwords for each of your accounts. I have been very happy with 1Password, but there are several other great ones.
This is not new. I’ve been hacked before with a similar set of experiences. I was shocked at how Chase didn’t even want to bother looking into things, I did some investigation of my own and was willing to send information, too.
BEWARE! The third time I got hacked, Chase decided to close my accounts. ALL OF THEM. Business and personal checking and credit cards, even my kids’ savings accounts. I have almost perfect FICO, pay all cards off every month and never late on any payments. Over 10 years of business relationship done.
I was not given an explanation, I even thought that my MS or credit card churning was at fault. Months later, I found out my accounts were flagged as fraudulent. This was after sending letters and faxes to their corporate offices.
Less than a week ago I began receiving alerts, that somebody was resetting the chase.com password for my (old/dead) account. Even though I’m not their client anymore, my online account still exists, so I assume that they were fishing for new accounts. Good luck with mine! 😉
Please set your alerts, it’s the best thing you can do for early prevention of fraud.
thanks for the post, it prompted me to check my avios, and sure enough, the balance is 0, it was over 90K
now to try and get it fixed
didn’t this happen last year also?
Wow.. it’s interesting that my coworker was just telling me this morning how her stolen purse in Bosnia had the thieves using her credit card. She immediately called and cancelled Chase cards, so they reissued the new ones and that NEW card was being used in foreign country as well. The Chase rep asked my coworker if the card was in her possession and when the card was verified they said that they are doing an internal investigation of leak because the thieves are not just using the account number, but made the physical cards as soon as they are sent out to the customer. She had to get new cards made 3 times in past 6 months.
If you have an ID theft program like lifelock notify them or if you have a good homeowners policy it likely includes ID theft coverage. It might be worth a call to them to see what else you should do. Many times the ID theft will surface weeks later when they sell your bank account numbers and then cash checks with the numbers.
Someone got into my SPG account and cashed out all of my points for iTunes gift cards…fortunately, I caught it within hours because I was getting emails from SPG stating how I cashed out my points.
They were so nice about it and cancelled the guy’s transactions and gave me back all of my points. Definitely check your points regularly.
Anytime my chase account has any change I get an email. To my old address that says just to let you know that the change’s been made to your account and that happens within seconds of my changing it. It almost seems like it’s an inside job from somebody at Chase to be able to stop that simple notification of changing your username didn’t send an email to the old email address at any point. Sorry that all happened to you, I went through it years ago. Now I change everything every three months, I keep them all exactly the same, which some people say is bad to do but that way nothing is written down anywhere in my world and if I need to change something I know exactly what it is. My wife works for the government has never been hacked by using this process.
My husband’s Amex account was hacked a few years ago, and several credit cards mysteriously were sent to a different (temporary) address and charged for thousands of dollars…before Amex fraud protection contacted my husband to clarify and thereby discover the fraud. The charges were immediately reversed and the accounts/info all changed for all of the cards…but Amex then mysteriously didn’t investigate the fraud as they originally indicated they would. It was very, very strange.
So my husband was extremely annoyed and suspicious…and so filed a police report. That forced a police investigation and Amex fraud investigation which suggested that an Amex employee most likely was the perpetrator of the fraud!
No wonder that Amex mysteriously didn’t want to pursue the matter.
Makes me believe that Chase’s fraud department didn’t want to pursue your incident because they suspected the same thing–an internal perpetrator that would make Chase look bad if it ever came to light in the media. So a bad scenario can get made worse because a bank is more concerned with its PR than true security and honesty.
Dec 12 I got email from Chase alerting me of similar transfer of 100k+. Immediately called Chase. Fortunately, they were very helpful. It was a transfer just like yours to an outside checking account.
Chase seems to have worst security of any bank.
My Chase IHG was recently attempted to be used for ~$90 or so in electronics from somewhere I didn’t recognize. The card hadn’t been used in over six months and was in a safe the whole time. Luckily Chase fraud alert caught that one, cancelled the card and changed my account number. The card info wasn’t stored anywhere online either – odd for sure!
when I got a substantial amount of money taken what do we do about reporting it stolen and taking another bank that started taking your bank 20 years ago
Sorry this happened to you and I’m glad you got the points back, but it did make me curious to see if you were going to cut a Chase Sapphire card in half.
@John – See this post for a tip on how to destroy one (ps you will love the background music): http://renespoints.boardingarea.com/2014/02/06/creative-ways-destroy-old-chase-sapphire-preferred-cards-fire-anyone/
You don’t talk about your password policy. Do you use complicated unique passwords for every site, at least the critical ones? If you don’t then most likely:
– You used the same password on Chase as you used on another site. Something like a news site that requires a login to comment or whatever. Just some other site that didn’t have perfect security.
– That site was hacked, revealing all the userids and passwords. There are lots of dumps like this all over the internet. You can check if you have been hacked by entering your email address at:
haveibeenpwned.com
Yes, it’s a legitimate site. Feel free to check by googling around before you trust me.
– They then tried that email address and password at a variety of different sites using an automated program and discovered it worked at chase.com.
– You should also change your password for your email account. That’s another possible vector for this.
– Like others have said, you should be using a password manager to keep track of and generate unique passwords for every site. Yes, it’s a minor pain. This is life in 2015.
– Passwords should be as long as possible. Anything under 12 characters or so isn’t good enough anymore and can be cracked using automated programs that run on dedicated hardware.
@Glenn – Good point but this was not a password issue for us. But yes, we use and recommend VERY hard passwords.
I have a Chase account and it is extremely difficult to log in from another computer for the first time. I have the secondary level of protection enabled. Maybe you should do the same (A security number is sent to my phone before I can log in on a new computer).
I also had a very similar experience. Someone tried converting 200k+ points to cash from my account a couple months ago. After several calls to the Chase fraud department, I learned that someone had called in, first with my SSN and my fiancee’s card # (she’s an authorized user on my account). They couldn’t provide the business name, so they called back the next day and accessed it with only my info. With that combination of information they had, and the ability to get more info and call back, I can’t think of any circumstances other than an inside job. I had to pull teeth to get Chase to give me even those details about the transaction. I would think there would be some traceability since it was going to a bank account, but they said there was nothing more they could or would do unless I filed a police report, and that seemed useless since I got the points back.
What I don’t understand is that didn’t Chase say we can’t transfer to anyone but our spouse, partner with the same address and AU users only? And no alert like Chase always makes a call to give you the code or email you the code. Didn’t they find that strange?
@Kay – Yes, VERY strange.
Could be ISIL
Have you noticed a sudden urge to kick Trump in the face ?
This is a good example for having 2 factor authentication – if it’s available, you should enable it. Google, Amazon, Ebay, Paypal, etc. all offer this extra layer of security.
You need Dashlane. Trust me, it’ll give you peace of mind.
Hi Rene;
I thought you might be interested in this:
Today, the USPO declined my visa debit card for a money order. That never happened before and evidently it’s particular to Simon Mall visa gift cards only. This was the 1st time I bought cards there….Lori’s place is very close to the mall, so I thought it would be a piece of cake. It was a HUGE hassle! The post office couldn’t say why it was declined, so I had to call the mall office. They completely lied to me and said it was the post office that made the decision not to do money orders with these cards.
NOT TRUE….the friendly clerk at the post office showed me their internal memo, which said that it is the card issuer that establishes the rules. Needless to say, I will never buy another thing at Woodfield Mall. Not only did the cards not work as debit cards, but it took a visit to the mall office and a threat of exposing them in public for selling cards that do not work as the instructions and the mall customer service people say it will. Finally, after a long discussion, the mall manager’s office was able to get me through to assign PIN #s on each of the 5- $500 cards I bought.
Enter Meijer Supermarket….finally, two successful money orders until the manager came out and demanded to see the gift cards, after which she refused to do another one because my name was not imprinted on the card. LIE>>>>I had just called their corporate office to ask if I could do this and they assured me they could. Thankfully, I had 2 in my pocket.
Next stop Walmart…..
This time I was prepared with my real debit card in hand, which I held up to the clerk and said, “is it ok to use my debit card to buy a money order?” A quick glance at the card and she said it was fine. I said the amount I wanted and pulled off the quick switch and just swiped the gift card instead; entered my PIN # and Voila! did it twice and didn’t want to push my luck with another card.
Anyway, I hope this helps some of your readers!