Identity Theft in the Middle of the Ocean

Editor’s Note: This article previously appeared in a different format as part of The Atlantic’s Notes section, retired in 2021.

“Here I was on a ship in the Persian Gulf, with very little connection to the outside world, and someone was running wild with my money back stateside.” That reader continues his long story below—but first, here are a few short anecdotes from readers. Stephanie writes:

Have I ever been hacked? Sure, lots of times. I had my identity stolen several times when I lived in California, even before the internet was a thing. One of those thieves opened credit accounts and went bankrupt, which made for a real mess when I tried to get my first credit card. About once a year, I have to close a credit account because of fraud. Usually, I am notified by the issuing card company of suspicious activity.

My father lost his life savings in several accounts when thieves stole his debit card and checks. One of my email accounts has been hacked. My Facebook page has been hacked. So yeah, I’ve had experience with this.

So has this reader:

Who hasn’t been hacked? I’ve had my checking account compromised in a major way six times in eight years and many smaller breaches, but I’ll just tell you about nos. 2 and 3.

Someone bought $6,000 of furniture in Italy (we are in NJ) so that brought us down to $0.00 on the first of the month. Naturally we were at the bank within minutes and everything was fixed to our absolute satisfaction. This was on a Sunday.

Then on Tuesday our account was drained again, with our new debit card numbers. Within two days, how could this happen? Somewhat hysterical, I was allowed to reach the Fraud Investigation Department of our national bank. He told me they had 250 employees who investigated fraud. This was almost a decade ago. Wow, he had no idea yet how the first event happened but was quite sure the second one came from a hidden camera at an ATM machine which at that time was a fairly new method, at least to me.

Here’s the scoop now: I check my account online almost every day. I don’t know if that sets me up for vandalism or not, but I have caught untoward things before they roll out of control—recently a small charge for something on my card but using my husband’s name. This is apparently a practice to see if the account is valid before they do the big hit.

I am resigned that this is going to keep happening despite all efforts by the banks. It is a new world and realize that and watch your bank account daily.

Just a few weeks ago, I got a text alert from my bank asking if I charged 29 cents on my credit card in Georgia. I’m in D.C., and I can’t imagine ever buying something for 29 cents, let alone with a credit card, so the bank promptly cancelled my card and sent me a new one—but the mailing address was muddled and it didn’t arrive for a while, causing a bit of a headache while I was traveling to Minnesota over Thanksgiving. But this reader had it much worse:

I am a midshipman at the United States Naval Academy, and I along with many of my shipmates were a part of the OPM breach. However, my story is about a different, more common hack: getting your credit or debit card information stolen. This happened at around the same time as the OPM breach, so it may or may not be related.  

As part of the training at the Naval Academy, midshipmen after their first year are sent a ship in the fleet to shadow an enlisted sailor for a month. I was lucky to be sent to USS Rushmore while she was on deployment in the Persian Gulf. It was a great experience where I was able to see the terrific people that we have in our Navy.

I kept in touch with my family through Facebook messages over the ship’s extremely slow satellite internet connection. One day, about two weeks in, I got a message from my family that my bank, Navy Federal Credit Union, had contacted them about fraudulent charges.

Here I was in the middle of the Persian Gulf, with very little connection to the outside world, and someone was running wild with my money back stateside. I contacted the officer in charge of us midshipmen on the ship, and she was able to allow me to use the ship’s satellite phone to call Navy Federal and sort this out.  We went through the recent charges and I identified which were fraudulent.  Interestingly enough for the worker on the other end of the call, the fraudulent charges were from convenience stores in Pennsylvania, not from the Amsterdam airport or Bahrain.

Navy Federal has a very good policy for this sort of thing, and I was not liable for the charges at all.  As midshipmen, we do not get paid very much.  However, my card had to be canceled, so now I had no access to money on the other side of the world. I had no money for liberty in Dubai and no money during my travel back stateside. In our mandatory cybersecurity classes at the Academy, we would call this result an attack on the cybersecurity pillar of Availability.

I was lucky to have good midshipmen friends who helped me out during this crisis, and I eventually payed them back. However, theft of credit card information is extremely common. These days, it is not really a question of if, but when. A young enlisted sailor who is in a more precarious situation than I am could be put in a pretty bad place. That sailor might not regularly contact someone back home, and may return from deployment nine months later to see this problem become way out of hand.  

Our servicemembers are particularly vulnerable to this kind of thing, especially when they are on deployment, but it is extremely difficult to prevent this sort of hack. The best defense is probably early alert procedures and a generous policy for resolving fraudulent charges on service member’s accounts after the fact.  

Thank you for soliciting these responses, I’ll be interested to see other stories.

If you have your own story, especially one that don’t involve money theft—private emails? private texts? your online dating or porn history? sensitive work info? —please send us a note: hello@theatlantic.com (we would post it anonymously). Update from another reader:

Several years ago I had my identity stolen and apparently sold to a variety of thieves, who attempted to open about a dozen credit-card accounts with my info. I filed numerous federal and local reports, retained services of an Identity Theft consultant for a year (paid for by my insurance company), spent dozens of hours on the phone, and created voluminous files and records of the entire situation to share with law enforcement, credit bureaus (all three), bank credit card fraud prevention managers, etc..

Our local sheriff’s department detective was very sympathetic but basically told me they accepted reports but didn’t investigate these (frequent) crimes because they didn’t have resources, even though we provided the addresses of phony drop boxes in our state where the thieves were obviously picking up the mailed credit cards had they been successful open obtaining any.

The three credit bureaus are totally unhelpful in helping to resolve these crimes. They apparently see them as a chance to sell you more fraud-detection software and will only place a mandated long-term (seven-year) block on your credit records (rather than the year or less they grudgingly offer) if you can provide copies of local reports to law enforcement plus the Federal Trade Commission ID Theft report. In other words, they are more interested in converting your problem into a revenue source for themselves. Federal legislation around the credit bureaus is as full of loopholes as Swiss cheese, due no doubt to their extensive lobbying efforts to our elected representatives who are supposed to be protecting citizens’ interest.

Then, to add even more grief to the experience, one friendly bank-fraud-prevention manager was kind enough to tell me that, based on his lengthy experience with these activities, once we got the fraudulent requests stopped, we could look forward to having it all start up again in about six months—which is apparently the maximum amount of time most people are able to get the credit bureaus to flag their accounts. And sure enough, after just about six months to the day, we had more fraudulent credit-card requests start hitting again—fewer this time, probably because the crooks figured out pretty quickly we had placed the seven-year-block flags in place, rather than the usual short-term blocks most victims end up with at the bureaus.

This is a big, serious problem that is not getting the attention from our elected officials it deserves. These slime balls can reach out from anywhere in the world to ruin your life, mostly with impunity, and it’s obviously getting much worse, since we’re seeing hackers now being accused of breaking into government systems and influencing our elections. This is totally a federal issue because of the state (and national) border lines crossed in the activity. Our national security and military tech specialists probably already have the capability to catch these criminals, they just need the motivation and direction from our political leaders paying attention to the number of honest taxpayers who are being preyed upon.