I think I am generally aware of the potential of a cyber-attack at all times. I also believe I know what to do in the event of an attack. However, the moment I realised I was under attack I got an incredible sinking feeling because the timing could not have been worse. There is never a good time. Cybercriminals do not care about anything. If they did, their conscience would not allow them to attack the health service, the sick and the vulnerable. Regardless of the time, when you identify an attack there can be no other priority.
It was a very pleasant mid-May evening. I had just sat back at my laptop to respond to a few emails. Just at that moment I started receiving hundreds of spam emails a minute. Knowing this is often the first sign of a fraudulent attack on an online account, I started to look very closely at the email flow to see if I could spot anything untoward.
If cybercriminals have login details to one or more of our online accounts and they are in a position to extract value from that account, they do not want us to see any transaction confirmation emails. So, they bombard us with a continual stream of emails making it very difficult for us to spot the transaction emails in amongst the thousands of spam emails in the inbox.
The fact that I was looking at emails at that time was extremely fortuitous. I spotted a couple of “Thank you for your purchase” transaction confirmation emails drop through the screen as the email headers were scrolling down in Outlook. My suspicions were founded as I could see that at least one of my online accounts had been compromised.
The transactions related to an old account with an online stock photo service. That totally threw me. I change my online account passwords regularly, but I had overlooked this one as I hadn’t used it for over two years and I knew the debit card associated with the account had expired. As a result, I just didn’t give it the attention it needed and that, as I was soon to discover, was about to leave a door wide open to the cybercriminals.
I checked my bank account and although it was still showing in credit, there were no available funds. The pending transactions were sufficient to empty my account. The initial sinking feeling had now developed into a complex mix of anxiety, anger and helplessness. But, I had to press on.
I knew it was vitally important to keep calm to allow clear thought. I quickly established a strategy in my mind and proceeded with it immediately. I logged into the stock photo account and changed the password to prevent any further damage. I also opened up a chat conversation with their ‘help line’. I also called my bank. The burning question for the stock photo site was “Why did you accept and fulfil an order using an expired debit card?” I had a similar question for my bank “Why did you honour the payment request?”.
Having jumped through the hoops of my bank’s interactive voice response only to be told I was in a 30-minute queue for an ‘advisor’, I thought my bank were doing their very best to shake me out of my calm state. But that was only the start.
When the call-on-hold music was suddenly interrupted by the advisor I explained my situation and made what I thought was a reasonable request to block the payments. I was then told by the ever so friendly advisor: “I’m sorry but we cannot stop the transactions as debit card payments are guaranteed.” I quickly responded “That cannot be right as the debit card expired over two years ago along with the debit card number. How can you honour a debit card transaction with the wrong number?”
I was told that transaction requests on expired debit cards are assumed to be historically agreed purchases, and therefore, they are simply moved onto the current debit card. I was then offered the chance to talk to my bank’s Fraud Team so I accepted the offer to be transferred convinced I would be put through to someone more sensible.
After another 30-plus minutes waiting for the Fraud Team to answer, passing through the random countdown statements “Your call is important to us. You are x in the queue.”, I eventually got to speak to someone only to be told exactly the same thing followed by: “…and is there anything else we can help you with this evening Mr. Smith?” To which I could only reply “No.” as I wasn’t in the mood for discussing ISAs or updating my home insurance policy.
Meanwhile I had been bounced around on the chat service with the stock photo service and was now conversing via email, which was an extremely frustrating experience, and I was getting close to proving that my laptop could fly. The email responses I received were from a generic support email address, with different personal email signatures but no personal contact details. When I received an email from someone having something helpful to say and asking for more information, there was no method to reply to them other than to the group email address. So, I replied with the relevant information only to receive a response from a random service person telling me they couldn’t help and I should email the person concerned. I emailed back and asked “How am I supposed to do that when you all share one email address?” but my request was in vain.
Eventually, using the same frustrating general email address, I did get some random responses amongst the “You need to email x.” responses. Eventually, I received an email agreeing that they had seen fraudulent activity on my account and they informed me I would be receiving a full refund.
I did not get an apology from the stock photo service for allowing a purchase to be made on my expired debit card. I did not expect an apology from the bank and they did not disappoint me on that front. Although I believe what they said is true and understand that these are the conditions of using the debit card, what I don’t understand is that I have had transactions questioned in the past and I have had security checks on transactions that I have made, so why not this one? I cannot understand how a bank can assume a purchase has been agreed when that particular debit card expired over two years ago and there have been no other transactions with that vendor in that time.
Ultimately, I hold myself responsible. I was guilty of not paying sufficient attention to all of my online accounts. Even though the breached account had a strong password (11 characters, mix of upper and lower-case alpha plus numerical and special), I cannot be sure that it was unique and I may have used the same password on another site that had been compromised.
I spent the majority of the next 48 hours going through every online account I have to check the account activity and to change the password to ensure the accounts all have unique passwords. I increased my password length too. I am now as sure as I can be that if one online account is compromised and the password decoded, it cannot be used to access another account. I was very hard on myself because I allowed myself to be attacked by unknown cybercriminals. I should be setting an example as I help others with their information security so how could I allow myself to be in this position? I also felt incredibly lucky as the outcome could have been significantly worse.
Even though I received a full refund, it cost me a considerable amount of time ensuring that the breach was contained to one online account. I had to check and recheck everything. I had to experience shocking customer service at the hands of my bank and the stock image service at a time when I needed timely support, reassurance and good advice.
I had a lucky escape and I have learned a lesson, one that I am not keen on revising in the future. I am still not happy that I let this happen but I have the words of Rag’n’Bone Man going through my head “I’m only human after all…” but that is the challenge we are all up against. The cybercriminals only have to get their attack process right once to strike gold. We have to get our defence processes right all the time to keep ourselves safe. Food for thought!