PenFed credit card woes

[REWahoo]

Looks like I spoke too soon.

When checking my CC balance this morning I noticed I was issued a new CC number today. Unfortunately the transferred balance does not include the payment (in full) I made to the CC yesterday. The old card shows the correct payment amount, the new one shows the amount as a debit, which cancels out the payment. Sigh...

More emails and phone calls next week to straighten this out. I've enjoyed the 5% discount on gas for the cars and diesel for the RV, but my hassleometer has just about pegged.

[braumeister]

Don't worry about it.
I'm being issued two new card numbers from PFCU, and the double accounting has been going on for a couple of weeks now.

They can take 3-4 days to properly reconcile the entries between old and new cards when I check their website, but they always get it right with no prodding from me.

Still haven't physically received the new cards yet, but I'm not concerned since they said it was OK to keep using the old ones until I activate the new ones.

[target2019]

I'm storing the PDF statements that are online at PFCU. Also doing this with my AMEX statements.

I have also been notified that a new CC has been issued. I was thinking it was one of my merchants, but see I am wrong.

Oh well.

[Lakedog]

Got my replacement card today and also a separate letter about "a recent discovery of a data security breach in mid December 2010 in which some of your personal information was improperly accessed". They are offering two years of access to ID TheftSmart through Kroll Inc. Figured something like this had happened since this was my second card replacement in two months.

[Rustward]

Saw this today: Malware snags Pentagon Federal CU member’s SSN and data | Office of Inadequate Security

"According to a letter sent to the state on December 30, on December 12, PenFed discovered that a laptop had been infected with malware. The compromise allowed access to a database containing names, addresses, Social Security Numbers, credit card and/or debit card numbers, and PenFed account numbers for PenFed members, joint owners, former members, employees, and beneficiaries. "

This is one that they know about. It makes one wonder what other breaches are undetected. At any rate, the user of this laptop is/was one of those "trusted individuals" with access to information.

Edit to add: I wish it were not so, but I am afraid that going forward this type of event is going to become business as usual until there is a major technology breakthrough in data security.

I bet the card issuers have gotten or will get very efficient at reissuing cards for possibly compromised accounts.

[REWahoo]

Thanks Rustward. Now we know why...

[braumeister]

This is why I have several credit cards. Imagine being on a foreign trip, when you really need a credit card, and suddenly find out your primary card has been compromised and frozen.
It has happened to me, once in England and once in Belgium.

My main card is the PFCU Visa, because of the great rewards program.
But I also have:
USAA MasterCard, which has a decent rewards policy
REI Visa, I buy a lot from them and using their card gets their annual rebate
Hilton Amex, because I frequently stay at Hampton Inns
PFCU Amex, to get that great signing bonus

When I travel, I carry all of them, just to be on the safe side. If one or two have a problem, I'm still covered with the others.

[Nords]

Quote:

Originally Posted by braumeister My main card is the PFCU Visa, because of the great rewards program. But I also have: USAA MasterCard, which has a decent rewards policy REI Visa, I buy a lot from them and using their card gets their annual rebate Hilton Amex, because I frequently stay at Hampton Inns PFCU Amex, to get that great signing bonus When I travel, I carry all of them, just to be on the safe side. If one or two have a problem, I'm still covered with the others.

Do you seen an effect on your credit rating?

I have four cards: two of which I routinely carry, a third with a credit limit I'll never qualify for again, and a fourth that used to be shared with my daughter before she was old enough to get her own.

Spouse has one credit card, and her credit score routinely comes in 20-30 points higher than mine.

I'm planning to get rid of the fourth card and I may even get rid of the third card. I figure a primary and a back up is "good enough". Anything beyond that may just be inviting trouble.

[target2019]

"We are writing to inform you of our recent discovery of a data security breach in mid December 2010 in which some of your personal information was improperly accessed."

That's the first sentence of two-page letter received today. This is more serious than "a computer got infected."

I'm not impressed with PFCU at all. It is Jan 7th and this is first written notification. I received a phone call and an email, but no details given. As of today I don't have a replacement CC.

Just activated free 2-yr subscription to kroll's service for id protection. Now my personal information is safely stored at another company.

[Rustward]

Quote:

Originally Posted by target2019 "We are writing to inform you of our recent discovery of a data security breach in mid December 2010 in which some of your personal information was improperly accessed." That's the first sentence of two-page letter received today. This is more serious than "a computer got infected." I'm not impressed with PFCU at all. It is Jan 7th and this is first written notification. I received a phone call and an email, but no details given. As of today I don't have a replacement CC. Just activated free 2-yr subscription to kroll's service for id protection. Now my personal information is safely stored at another company.

Don't get too worked up about it. Anywhere else you could go has the same vulnerabilities.

[target2019]

Quote:

Originally Posted by Rustward Don't get too worked up about it. Anywhere else you could go has the same vulnerabilities.

What do you base your statement on?

[M Paquette]

Quote:

Originally Posted by Rustward Don't get too worked up about it. Anywhere else you could go has the same vulnerabilities.

Yup. Sadly, all it takes is an employee to plug an infected laptop into the corporate network. Any file server or database containing something that looks like credit card data will be spotted, reported up the botnet to it's operator, and likely pilfered within seconds. An exceptionally opportunistic operator will put a logger onto a machine within the network to provide a steady supply of new or updated records. (See the 2008-2009 Heartland Payment Systems hack...)

Very few companies operate their database/file servers on an isolated network, with no routes out to the Internet. The ones that think they do probably haven't checked for machines 'bridging' between the private net and one with Internet access. (Probably added by some IT type who wanted to play a little Farmville while shuffling the database backups...)

[harley]

Quote:

Originally Posted by Rustward Don't get too worked up about it. Anywhere else you could go has the same vulnerabilities.

Quote:

Originally Posted by target2019 What do you base your statement on?

I agree with Rustward, and I worked in network security for 15 years. This is par for the course. It sucks, but it can't be helped. Back when I was still paying close attention I would get a data security breach notification for some company or gov't agency pretty much every day. Security is important, but never as important as getting the job done. Except the military. They don't care how inconvenient it is to accomplish something, as long as it's secure. But not private companies, and not civilian gov't groups. It's just part of life.

[target2019]

Quote:

Originally Posted by harley I agree with Rustward, and I worked in network security for 15 years. This is par for the course. It sucks, but it can't be helped. Back when I was still paying close attention I would get a data security breach notification for some company or gov't agency pretty much every day. Security is important, but never as important as getting the job done. Except the military. They don't care how inconvenient it is to accomplish something, as long as it's secure. But not private companies, and not civilian gov't groups. It's just part of life.

I don't agree with the statement that "Anywhere else you could go has the same vulnerabilities." So I asked what that was based on. I don't doubt that you read daily security briefings, and all types of things were happening. I know that, since I read similar each day. I don't believe that all companies are this lax. I do know that many are, but exactly how many? In the past my wife's data has been lost a few times. Each time it was a healthcare company, and it was peculiar that the story was the same each time. An employee had a laptop, and lost it.

This penfed event is different. The letter says my personal information was improperly accessed. Notice the "was".

So the question, in this penfed topic, is whether the company has suffcient ISS layers of protection. My read on the incident is that penfed would not get high ratings on the security scale.

[Rustward]

Quote:

Originally Posted by target2019 What do you base your statement on?

Short answer is:
32 years in Data Processing / Management Information Systems / Information Technology

[SecondCor521]

Quote:

Originally Posted by Nords Do you seen an effect on your credit rating? I have four cards: two of which I routinely carry, a third with a credit limit I'll never qualify for again, and a fourth that used to be shared with my daughter before she was old enough to get her own. Spouse has one credit card, and her credit score routinely comes in 20-30 points higher than mine. I'm planning to get rid of the fourth card and I may even get rid of the third card. I figure a primary and a back up is "good enough". Anything beyond that may just be inviting trouble.

I have 27 credit cards and my CreditKarma score is hovering around 780. From looking at their data, that is more due to the young average age of accounts rather than the large number of accounts.

My then-wife's score was always higher than mine as well, which I thought was strange since I was the breadwinner and she was a SAHM. Whatever.

I do plan to get rid of several of the smaller lines that are no longer useful.

2Cor521

[braumeister]

Quote:

Originally Posted by Nords Do you seen an effect on your credit rating?

Not at all.
I had an opportunity last year to check my score for free, and it was 808. Can't complain about that.

[target2019]

Quote:

Originally Posted by Rustward Short answer is: 32 years in Data Processing / Management Information Systems / Information Technology

So most places is the places you've worked?

[Rustward]

I worked for vendors for 20 years and had contact with more places than the average IT worker.

[harley]

Quote:

Originally Posted by target2019 I don't agree with the statement that "Anywhere else you could go has the same vulnerabilities." So I asked what that was based on. I don't doubt that you read daily security briefings, and all types of things were happening. I know that, since I read similar each day. I don't believe that all companies are this lax. I do know that many are, but exactly how many? In the past my wife's data has been lost a few times. Each time it was a healthcare company, and it was peculiar that the story was the same each time. An employee had a laptop, and lost it. This penfed event is different. The letter says my personal information was improperly accessed. Notice the "was". So the question, in this penfed topic, is whether the company has suffcient ISS layers of protection. My read on the incident is that penfed would not get high ratings on the security scale.

I'm not sure what the ISS layers of protection you mention is. But I'll stand by my statement that PenFed is no different than almost any other private company or gov't agency, as far as security is concerned. The only way to protect against a breach like they had is to do things like encrypt all data on all machines, and use single use authentication in order to access it. Also, no out-of-network access through laptops or remote computers that are not under the direct control of the corporate security organization. And while you can find these requirements in nearly every corporate or gov't security procedure list, they almost never actually get implemented. Too expensive, too complicated, and most of all, too inconvenient. It interferes with the making money aspect of business, which is job #1.

Sadly, the PenFed network was exploited by a bad guy, resulting in the need to do all the account changing, credit freezing and monitoring, and all the rest. My guess is that 99 out of 100 times a system gets compromised, nothing really bad comes of it. But that is not the result of better security, it's the result of luck. Even in the PenFed case, there have been no reports of misuse of the information. They are just reacting to the potential worst case.

I'm not trying to convice you to stick with Penfed. I'm not involved with them at all. But if you go somewhere else, be aware that most likely all the same opportunities for bad things to happen will exist there too.