One of the benefits of being employed in Internet-related industries for the past several years (currently for an online software company, previously as the digital media manager for a content firm) is that I work with lots of developers. They’re smart people, and they have a way of making the people around them smarter in terms of dos and don’ts on the Internet. One of the side effects of this is that over the past several years, I’ve become much more serious about online security. I make strong passwords. I don’t buy from companies online that aren’t reputable. I don’t authorize various apps without first vetting them. I don’t click on links in tweets or emails.
And yet, this year I’ve learned that even as someone who takes more caution than a lot of people in terms of online activities, what I’d been doing was not enough.
This summer, my WordPress website was hacked and as a consequence my hosting was suspended. Despite having a strong password and keeping my plugins up-to-date, my theme had a hole that I did not close quite quickly enough, and months later—way after I had performed the fix that I thought would work—this vulnerability came back to haunt me. I had to scrap my entire site and start over. I still haven’t put a real theme back in place, as you can see.
A couple months later, my Yahoo address book was compromised. More than likely this happened because an application I had authorized my Yahoo account with had been hacked, but there’s really no way to know for sure. Like I said, I don’t click on links in emails. (And I don’t use my Yahoo account for email, anyway. I use Gmail.)
Then, on Tuesday, I woke up to discover that my debit card number had been stolen and more than $200 had been charged to it. I immediately called my bank and had the card canceled, and they confirmed that it was just the card, not my actual checking account, that had been compromised. I know I’ll probably never find out how this happened, and it’s bugging the shit out of me. It could’ve been a card skimmer installed at the bank where I make my check deposits or cash withdrawals via ATM, though I rarely do this and I would hope the bank would inspect their machines regularly for these devices. It could’ve been a skimmer installed at any of the stores I use my debit card at: the grocery store, the gas station, the salon, etc. Hell, a rogue waiter could’ve copied my card when he or she took my debit card to the back to run it when I paid for a meal. I did do something stupid recently, though: I ordered food from Jimmy John’s on two occasions and paid with my debit card over the phone. I realize this is stupid. I had reservations about doing it. But it was pouring down rain, I was at work, and I was starving. Stupid is as stupid does, and I’ll sure as shit never do that again, even if it wasn’t the Jimmy John’s employee who stole my debit card number.
The thief racked up $150 in iTunes charges—11 individual transactions—but unfortunately I have no way of knowing what kind of music he or she bought. Nickelback, I’m sure. I do find some irony in someone stealing a debit card number to legally buy music instead of just torrenting it. Wouldn’t that have been easier? The thief also bought $50 in flowers (aw) and made a $20 transaction with some online merchant I’ve never heard of. It’s only identified as “gwa, Inc. dba,” which doesn’t turn up anything definitive in a Google search.
My bank assured me that they’ll refund me 100% of the charges, but unfortunately I have to wait for all of them to clear before I can file a fraud report. Then an investigator will be assigned to the case, and when he/she decides my fraud claim is valid, they’ll refund me the money. iTunes charges generally take 4-5 business days to clear, so it could very well be several weeks before I get my $200 back. I guess I should feel lucky it was only $200; the bank told me they blocked a $400 charge at BJs.com. Yeah, BJs. I checked it out. It’s not as sexy as it sounds.
So here’s where I am now: I’m running a tighter website ship, keeping all of my plugins up-to-date still but also paying attention to any security holes reported by WordPress and taking care of them immediately. If another one pops up and I think my site could have been compromised, I will immediately take it down and rebuild it from scratch. It’s probably good for me to get back into doing that, anyway, since I don’t do web development at work anymore.
I also started using 1Password as a way to keep track of my online identities while being able to use strong, randomized passwords for each individual account I have. If one website gets compromised, I just have to worry about changing that one account’s password. No more trying to remember where else I used the same username and password and having to change it, too.
While the only way to fully prevent credit card fraud is to never use a credit or debit card, I will never, ever provide my credit or debit card number over the phone. And when I go out to eat at a restaurant that requires taking my card out of my sight to pay, I’ll use a credit card instead of my debit card. At least that way, if the card is compromised it won’t be taking money right out of my checking account.
And for anyone else who has a website, uses online identities and pays for things using a card, I fully recommend beefing up your security, too. It can’t hurt, and you’re never too safe. Right? Right.