17 February 2009

AT&T Wi-Fi just cost me five hours of my life!

I just lost five hours of my life due to a theft that occurred when I submitted my debit card number to pay for two hours of Wi-Fi service from an AT&T Wi-Fi hotspot. Here's what happened:

On 2 February 2009 I was up visiting Mom in Harford, CT. I was really itching (and needing) to get on-line, and knew that I would have to resort to finding some WiFi hotspots when I went up, as my mobile broadband was temporarily disconnected (I need money to pay the bill!). So before my trip, I prepared by printing out a list of Wi-Fi hotspots in the Hartford, CT area (both paid and free). I was using a free Wi-Fi spot (one of the few in the area that were open late) but unfortunately, the battery in my notebook had drained since I'd been using it for a while and there wasn't anyplace for me to plug in. I decided to search out some of the paid spots and came to Barnes & Noble, which had a Starbucks cafe inside of it, which provided Wi-Fi for a fee through AT&T's WiFi On The Spot service.

I got to the B&N and had to ask the cashier at their Starbucks Cafe where an outlet was so that I could plug in -- apparently, there aren't any outlets provided in the cafe itself but outside of the cafe, on a pillar, was an outlet (in the B&N store proper) that I could plug into and sit in the cafe area and use their WiFi so I could finish what I was doing on-line. In order to get the Wi-Fi service, AT&T's WiFi On The Spot service requires that you open up Microsoft's flawed (especially in terms of security) Internet Explorer browser (which I actually had to enable on my sytem, as one of the first things I do with a system is disable that beast...), which auto-logs you onto their secured web site so you can enter in payment information for the $3.95 they charge for a two-hour session. You need to keep the IE window open the entire time that you're logged in, or you lose the connection/authorization for the Wi-Fi.

Since this is something I've done before, I made certain that no one was standing over my shoulder or behind me, took out my debit card and quickly entered in the information, clicked the submit button, and within a few seconds my Wi-Fi access was enabled and off I went.

Fast-forward to today, 15 days later. I receive a response from my bank (yesterday was a bank/federal holiday) to an inquiry I had made over the weekend, regarding an overdraft fee in the amount of $33.00 that was charged to my account at the end of last week. They responded that it was due to an EFT withdrawal from PayPal that was denied. That caught my attention, as I hadn't used my PayPal account for any purchases that would cause it to dip into my bank account, and there was a little bit of money in my PayPal account anyway. So I log into my PayPal account and I see this charge of $29.95 from "GOVTFUNDEDGRANTS 8007127222 CY."

I call PayPal, and they have me fill out and fax in a form disputing the charge, which I do. I then call my bank and find out that there's no just one charge from them but for several. The $29.95 charge hadn't yet hit my bank and, in fact, the $33 overdraft fee was from a $1.01 charge that was denied a week earlier. I go back to PayPal and find that there have been numerous attempted purchases/authorizations on my debit card with them. So I'm on the phone, back and forth between PayPal and my bank for quite some time. And then I realize that I'm only viewing the past 7 days' worth of transactions in my PayPal account. I go back and find out that all of these unauthorized charges, most of which were made to or payable to the merchant name of "GOVTFUNDEDGRANTS 8007127222 CY," began on 2 February 2009, and were listed after the $3.95 fee from AT&T (for their Wi-Fi service) was posted.

Since I know how careful I was to ensure that no one was in my immediate vicinity and could therefore take down my debit card number, the only way that my account number could have been compromised was in transmission to AT&T for payment of their WiFi On The Spot service or there has been a breach in AT&T's database where my debit card number was stored. Thus, either someone sitting at the same Wi-Fi hotspot as I was using a computer (there were more than a handful of other people there on their computers) capturing the WiFi data packets, decrypting them, and found my debit card number, or (more likely) my debit card number was capture somewhere en-route from the location to AT&T's payment processing center.

The reason I think that my card number was hijacked somewhere en route to AT&T's payment processing center is that on the few occassions that the payments went through on my debit card, PayPal charged a foreign currency transaction fee, which indicates to me that these charges are originating overseas.

Once I was finished dealing with my bank (which is refunding the $33 overdraft surcharge to me in consideration of my long-standing status as a valued customer), I contacted AT&T's WiFi services via the number listed on the charge to my account, and told them what was going on. The representative that I spoke with was very pleasant and a big flabberghasted; she sounded older and wasn't certain what to do with what I was telling her. When I advised her that I work in the IT industry and I pretty much have deduced that my debit card number was hijacked at some point during my access to AT&T's WiFi network during that 2-hour period, most likely when the number was transmitted to them for payment and, as such, the reason that I was calling was to alert them of this situation in the event that there had been a security breach in their system somewhere and so that they would be able to take corrective action, she then figured that she needed to speak with a supervisor. After doing so, she took down everything I had to say, and stopped trying to reassure me that AT&T did everything that was required of them by the banks for online transactions (with respect to security and 128-bit encryption and what not) and then advised me that our conversation would be delivered to her managing supervisor as soon as the call ended. So after spending 4.5 hours trying to resolve my own difficulties, I thought I should do the good deed and at least give AT&T a heads-up

So thus, the reason that AT&T's Wi-Fi service cost me five hours of my life: five hours of research and phone calls and filling out complaint forms in order to deal with these fraudulent charges that were posted to my account when my debit card number was hijacked. I'll never get those five hours of my life back. If they can find the SOB who committed this crime against me, I have a good mind to sue them for the value of the time I've spent dealing with this so far (and I have no doubt that I'll continue to spend time in dealing with this in the future).

For the record, I totally and completely blame Microsoft for this; if it weren't for their crappy browser filled with huge security holes, none of this would ever have happened. :P