Page 18 - GS210902
I got hacked: now what?

By Dale S. Laszig
DSL Direct LLC

Like millions of others, I got hacked. I discovered the breach when attempting to log into online banking. A customer service agent confirmed my password had been reset the day before. We quickly determined that a hacker, posing as me, swapped my phone’s SIM card and used the bank’s one-time token to gain access to my account.

After helping me log in and remove the compromised phone number from my bank account, the agent suggested that I visit a local branch. Ironically, that same week I had attended a conference focused on digital commerce and bank transformation. And yet, here I was, walking into a local branch for the first time in years, looking for customer service.

“I’m surprised the online banking team didn’t tell you about our appointment-only policy,” a bank representative said. “My 9:30 is already waiting for me.” She did, however, take a few minutes to review and advise me that I’d done everything possible to secure my account.

Digital reboot

After securing my bank account, I contacted my carrier. An agent remotely reprovisioned my SIM card, assigned a new phone number and texted a link for optional security protection, assuring me the first 30 days would be free. I pushed back.

“Isn’t that like locking the barn door after the cows get out?” I asked. “My data was stolen on your watch and now you want to bill me every month for protection. Who’s the criminal now?”

The next few days were a blur of reset passwords and texts, and friends sending challenge questions to confirm it was really me. During this time, I discovered my new mobile number was linked to another Amazon account. My carrier told me the Amazon issue was due to my phone not being fully provisioned, which could take a few more days.

At this point, I was in contract with another mobile network, but the smartphone I wanted was not in stock. To further complicate matters, I learned I could not port my phone number to the new device. Instead, I would have to notify vendors, colleagues and friends of a new phone number all over again. As if this were not enough discouragement, the carrier had also been hacked, putting millions of existing, new and potential customers at risk, including me.

Delete, repeat

Throughout the password reset process, my old phone number kept resurfacing like an old stain, even after I’d deleted it from my online account profiles. I called vendors to make sure they deleted the phone number from every nook and cranny of my account settings. This would prevent hackers from using the old number for password resets and two-factor authentication.

After changing my username, I realized how easily hackers could find it. All they had to do was click on “forgot my username” and enter my stolen credentials to see the new one. Bad actors could use the same tactics to set up a new password. What’s the remedy? In some cases, it was necessary for a supervisor to fully erase my old credentials from a customer database. Service providers also set up alerts concerning suspicious activities.

The remediation process motivated me to fully audit my digital profile, using the PCI Data Security Standard (PCI SSC) as a guide. The PCI Council guidelines are designed to protect sensitive data.

Best practice

“The standard itself provides an actionable framework for developing a robust security process—including preventing, detecting, and reacting to security incidents,” the PCI Council wrote in the introduction to the Self-Assessment Questionnaire. “To reduce the risk of compromise and mitigate the impact if it does occur, it is important for all entities that store, process, or transmit cardholder data to be compliant.”

I’m grateful to infosec leaders whose guidance helped me weather this storm. If you find yourself in a similar dilemma or just want to stay safe, there are steps you can take to secure your digital identity, such as credit freezes, password management and frequent activity monitoring. Your company and managed services providers can help.

Dale S. Laszig, senior staff writer at The Green Sheet and managing director at DSL Direct LLC, is a payments industry journalist and content strategist. She can be reached at dale@dsldirectllc.com and on Twitter at @DSLdirect.