How did someone manage this hacking/identity theft and what else can we do about it?

Someone was arrested after stealing my identity, and cashing 2 checks in Georgia that nearly reached $10,000. The person who did it was a Bank of America employee, who had access to all my information.
What you describe could have been anyone. A former IP person at your husbands work would easily have all that information.

It is possible there is a keylogger on your computer. This is a kind of virus that detects your keystrokes, so the perp could have gotten your information that way. If this is the case, changing your password won’t help because they’ll see that too. On many computers there is an on-screen keyboard that you can operate with the mouse for optional use. You can use this to get around a keylogger to set up a new password safely. I don’t know how to diagnose or fix a keylogger other than taking your computer to a specialist, but maybe somebody else can jump in and help with that more.

Update your anitvirus and batten down the hatches. I recommend Kaspersky http://www.kaspersky.com

If need be. complete your orders over the phone. Most customer service call centers do not store credit card information.

Proof of identity theft can give you an avenue to new SSN, if need be. Contact the Social Security, if you are worried.

Make sure you shred (I burn) any bank/CC/bills. Someone could have dug through your trash too.

A keylogger could have been used. Or even something like firesheep to grab your cookies if you used a open wifi network.

1. I would contact the police in that California town and get them involved with this, too. Someone at that address is looking for an X-Box.

2. This seems to be a juvenile thing. I can’t imagine a professional thief going to the trouble that it would have taken to arrange all of this… and then ordering an X-Box.

3. The only “credit card company” who issues AmEx cards is… American Express. They are easy to contact directly. You should do that.

And just so you know your browsers cookies/passwords/bookmarks are kept in a folder. You can just transfer that folder over to another computer and it is just like using your browser on their computer. So if someone (like your kids friend that wanted to check his email on your computer) grabs that folder they would have a lot of your info.

Subscribe to LifeLock. Its worth the $20 a month fee. They update you on any strange activity observed on your bank accounts and credit cards.

@CWOTUS My husband called AmEx and they have no record of an account in his name. They are the ones who told him the card was probably issued by another institution (kind of like how our debit cards are Mastercard but those accounts are through the bank). I’m hoping that once I hear back from Amazon’s investigation people they’ll have more information on where the payment came from so we can work on reporting it as fraudulent and getting it closed.

Contacting the police is a good idea. It will at least give us something else on record in case we have credit problems down the line because of this. In my experience (when someone stole checks and cashed them) the police are not interested in actively pursuing the person. That was right here in our own town, so I can imagine how apathetic the police on the other side of the country would be. We’ll report it just to be official, but I certainly wouldn’t expect anything to come of it.

I’m pretty sure our antivirus is effective, but I’ll check that. We have WiFi here at home, but it is secured. Not with a password, but with those really long keys. It’s not something anyone can connect to unless they know the key. I’m thinking it’s something like what @filmfann said, with someone who had access to the information because of a job or something. It would partially explain the out-of-date address used for the credit card billing address. We haven’t lived there for five years.

Let’s not overlook @CWOTUS‘s key point: Someone at that address is looking for an X-Box. In all likelihod the thief has thoughtfully provided either his own name and address or those of a confederate.

Thanks for the alert, @MissAusten. I immediately went to my address book on Amazon to see if there was anyone listed who shouldn’t be.

The X-Box was already delivered. The person who ordered it took advantage of our Amazon Prime membership and paid $3.99 for one day delivery. The game console would have been delivered two weeks ago.

One of the things I’m trying to figure out is why we didn’t get an email confirmation when that order was placed. I didn’t notice it at the time, but we also didn’t get an email confirmation for something WE ordered after this mystery person got their x-box even though Amazon definitely has our correct email address with our account.

Yes, but the point is—you have the address. You began by saying that you noticed a strange shipping address listed in your account. That seems like something solid to give to the police.

The lack of e-mail confirmation is disturbing. Maybe you can opt out of that when ordering by unchecking a box?

I’ve spoken to Amazon customer service on the phone. There is no way to opt in or out of order confirmation or shipping confirmation emails. The girl I spoke to tried to send me a test email, but we did not get it. She had no idea what else to try. The whole thing is very strange.

Yes, having an address is something to give the police. When a former employee stole and cashed a few of my husband’s checks, we had his name and address but because he lived in another state the police said the best they could do was issue a warrant so that if he came back to this state and if he happened to get pulled over, he might be arrested. I just don’t see cops on the other side of the country taking the time to go to the address we have from Amazon. They couldn’t do anything without a warrant, and for something so petty I highly doubt they would bother. But, because it will be an important part of the process of getting this unlinked from my husband’s name, we will file a report.

This is strange. If an AMEX card was used and AMEX didn’t issue it, who will bill you or report you to credit bureaus? Has Amazon complained about not receiving payment?

I am a student working on a BA in Criminal Justice, and through my research and studies as well as being a victim of ID theft myself, the best advise I can offer to everyone is Any time you make a purchase over the internet. Use a PRE-PAID card. This card could really be put in any name that you make up, anyways this way if anyone does access your acount # through the internet the only amount of money or information they could get is what you have added to the card yourself. Never Online bank!!

I thought you said they were in your town, @MissAusten. I guess I misread your earlier comment. You’re not in California?

No, we’re in CT and the order was shipped to CA. When a former employee stole and cashed my husband’s checks, we reported it to local police which is what you are probably thinking of.

@ratboy Amazon got paid, but I’m sure the bill for the credit card used to purchase the x-box from Amazon won’t get paid. That’s why we have to find out who issued the card so we can get it canceled. I guess it’s like having a Capital One card. It’s a Visa (or Mastercard?) but it’s issued by Capital One.

Waiting to hear from Amazon is the most frustrating part of this. I’ve called twice and am supposed to hear back before the end of the day today. The people I’ve talked to don’t even seem to understand the problem (gotta love those language barriers) so I am not feeling very optimistic about learning anything useful. :(

@MissAusten

Try writing out all of your concerns and the timeline for events in an email and addressing that to abuse@amazon.com. Most operators of large internet operations maintain an “abuse@” email address specifically for such purposes, even if it’s not well publicized. That’s more likely to get to someone in a “security” rather than “customer service” position, and the security people will jump right on it, because as well as being a hassle for you, it’s a direct loss to Amazon when they don’t get paid.

Just an update, if anyone is interested…

I finally got someone useful on the phone at Amazon, and it turned out whoever hacked our account there also managed to get into our email and filter it so we wouldn’t receive any emails from Amazon. Yes, we were the idiots who used the same password for several different things. Won’t make that mistake again.

There is no AmEx credit card in my husband’s name. Even though it should not have happened, American Express approved that transaction even though the name of the cardholder didn’t match the billing name/address (my husband’s) as given when that order was placed with Amazon. So at least we don’t have to worry about that aspect of all of this, which is such a relief. I hope the owner of whatever credit card was used notices the charge soon and throws a fit when he or she learns AmEx doesn’t require the billing info to match their records when approving transactions. Note to self: avoid doing business with AmEx in the future.

Amazon permanently closed our account just in case the person who hacked it once manages to do so again with the information they had access to before we changed the password, so we have to create a new one, but other than dealing with that minor hassle the whole thing is behind us.

Thanks, @MissAusten. I’m sure people who pull off swindles like this one know that they can get away with it to a certain extent, but I still don’t see why they risk it.

Have you yet solved the question of how they got your password in the first place?

For what it’s worth, I have one don’t-care password that I use for things like Dictionary.com and other impersonal accounts. For anything with potential to seriously compromise me or my records, I guard my various passwords so closely that not even my husband has them.

I would recommend looking into LastPass. Its a free service that lets stores your passwords for you then autofills them into the login screens. I use it and every password I have is 11 characters long, randomly generated, and unique from every other website.