A friend shared a rather disturbing story yesterday.
“Someone tried to steal all of my Chase points last weekend,” he said, his eyes wide. “I have over a million [points].”
Ben (not his real name) received an alert from Chase’s fraud detection department. When he called in, the agent asked Ben if he authorized a points-to-cash redemption of his Ultimate Rewards points, which would then be transferred to a bank account.
Ben, in fact, had not.
(If my math is correct, a million Ultimate Rewards points translates to $10,000 cashback. That’s a chunk of change.)
Apparently, an identity thief called Chase and provided correct answers for Ben’s:
- Credit card number
- Mother’s maiden name
- Security question answer (e.g. “What was the first school you attended?” or “What is your favorite sports team?”)
- PIN code
The Chase rep handling the request apparently sensed something was amiss — and sent Ben an alert asking him to call.
“Chase was so good about it,” Ben said. “They caught it, stopped it, and waited until I reached out to [them]” – unlike the time Rene’s account was drained overnight of almost 200,000 Ultimate Rewards points with no notice!
In the end, Ben still has his million points. And Chase has a life-long, happy customer. And because Ben holds the Chase Sapphire Reserve® card, those million points are worth $15,000 when redeemed through the Chase travel site.
He doesn’t know who tried to steal his points.
What Can You Do to Protect Against Something Like This?
Enough Internet searching can give identity thieves plenty of information about us, including our mothers’ maiden names.
Whenever filling out an application, my late neighbor Chuck never gave his mother’s actual maiden name.
“What, are you kiddin’ me?!” he once said when we talked about credit cards and identity theft. “I’m not using that as a way to identify me! It’s so easy to hack!”
He wasn’t wrong.
Chuck instead used a common word he’d remember (like “planes” or “spaghetti” or something).
The same goes for other questions. (Do you really think a computerized application will correct you if you say your favorite food is “Frankenstein” or “Star Wars”?)
So it’s a good idea to randomize your answers to security questions as much as possible, and not to repeat them across financial institutions. Ben’s security questions were the same with his Amex cards, personal bank account, and business bank account. He’s currently resetting all of them and ensuring there’s no overlap.
What Do You Do to Avoid These Situations?
Do you have any tips or tricks to share? Tell us in the Comments section below!
–Chris
Featured image: ©iStock.com/romankosolapov
2 step authentication is a must. Many companies even perform 2 step authentication when you call. Call your financial institutions and ask if they can perform 2 step authentication when you call and if they can flag your account to require it every time you call.
I always end my security questions and maiden name with a pin. Smith1234 for example.
The same thing happened to me this past December. It was not caught by Chase. I actually received an email notifying me that my points were converted to cash and headed to an unknown bank account. The fraudster knew the same mm everyone information. If I hadn’t received the email and called immediately I would have had a harder time getting my points reinstated. My biggest disappointment was Chase did not catch it.
I also make up nonsense answers to the security questions. But to ensure I don’t forget what they are I enter them in the Notes area of my password management software.
Yes, making up nonsense answers and using password management software are great, but there is another issue. The trouble is that unlike passwords, the answers to these security questions typically are visible to employees and often are not even encrypted. People on the inside can sell your security answers to accomplices and should there be a data breach your security question answers usually are visible. Chase has the technology to apply other much better identification methods and they should. Security questions really provide a false sense of security and often are worse than nothing at all.
I find it concerning that all Chase credit card statements online or on paper thru the mail print the full complete credit card number. All other banks x out all but the last 4 digits of the cc number.
Use your points. Having a million UR isn’t a great plan. What’s your friend doing with those points? In addition to being stolen, they can lose value. They aren’t money in the bank. They don’t earn interest. Friends don’t let friends hoard points.
Most people would be better off with a cash back credit card. If travel is the reward you want, put the cash back in a dedicated bank account and let it accumulate.