How Dave Greenbaum accidentally (?) stole Dave Greenbaum’s identity

Screen Shot 2014-02-02 at 12.49.50 PM

My Monday was fairly typical and uneventful until I received an email from MetLife saying first that my account password was changed and then a few minutes later my email address was changed. That certainly wasn’t me! I thought this was probably a phishing attempt, but there actually weren’t any links in the email and the email said if I didn’t make the change I should call.

Screen Shot 2014-02-02 at 12.50.06 PM

I looked at the phone number and went to Metlife’s website and they were a match so this was legit. Moreover looking at my login and password history I did have a life insurance policy in 2011 registered at that email address. I called Metlife and they asked for my account number. I didn’t have that since I cancelled the policy and cashed it out (I’m driving my policy now as it paid for the Prius!). They couldn’t look through the customer database because I wasn’t an active customer.

After being bounced around for an hour between departments that couldn’t help me I approached the question from a different angle: the password and email change request. No account existed with my email address but when they searched by user ID they found an account. Great, getting somewhere. However that email address on file wasn’t mine but rather a variation of my email address at Yahoo. Yikes. Someone did go in and change my account to their email address and locked me out. I figured someone hacked into another database (Adobe?) and guessed my username and password based on other information. Security at MetLife couldn’t help me because again I wasn’t a customer and couldn’t give an account number. More runaround. So again I approached it from a different angle.

I figured it’s my account, what if I simply try to login? I tried and of course my password didn’t work. Is that good? No because that means the hacker did get in. I then asked for a password reset. It asked my email address (I used the alleged hacker’s) and asked me the last four of my social. It confirmed it was me by asking me my security questions (father’s middle initial, first car, those type of questions). I got in. Yeah. Hacker thwarted. But wait. There is my cancelled life insurance policy and now I have the policy number – however also listed is my homeowner and car insurance policies. Nope that isn’t me.

I look and the policy is registered to David Greenbaum and his lovely wife Jane as well as his two young boys. David lives in Connecticut and apparently has a son that gets a few tickets. He’s an executive at a major investment firm (alas another David Greenbaum who isn’t a doctor which makes my Mom sad) His home is beautiful and I Googled it. He seems legit. He’s also four years older than me. I saw how much his house is work, his cars (David had a Lexus!), and the birthdays of his whole family. I panicked that indeed my identity had been stolen and called *my* insurance agent who verified I had Identity theft protection but it had a $250 deductible. Logic set in and I thought this guy is doing pretty darn well stealing my identity. No way my credit rating and income would allow anyone to buy all that stuff in my name. Then I realized when you steal someone’s identity you probably should have the same birthday and he was 5 years older than me. Something isn’t right. My ever rational insurance agent asked me if I thought about calling the guy since I had his phone number.

So I did :
Caller: “This is Dave”
Me : “David Greenbaum”
Caller: “Yes, who is this?
Me: “Well, this is David Greenbaum as well and I’m not crazy but we seem to have a problem with our MetLife account”

Then started a surreal story of how all this came to be. Apparently David Greenbaum of Connecticut called Metlife when he couldn’t login with his account name of davidgreenbaum. He said he got run around and eventually a very nice representative found the account and reset the password and username and made sure he could access the policy. Instead of finding his account, the rep found mine. All the security questions in the world can’t fix human error and incompetence as well as failure to follow established protocol. He didn’t know any of my identifying info such as security questions, social security number or email address (of course now he does!). We laughed about it a bit figure once MetLife figured out what they did wrong they could fix it.

They can’t.

While they gave him a new login with his account info, our accounts are linked in their system. They won’t say how or why but David Greenbaum lives in both Kansas and Connecticut, has two different social security numbers, as well as a cancelled life insurance and a possible active homeowners and auto insurance policy. If one of us has an accident will either of our rates go up? When I initially thought my identity was stolen, I was in the process of selling what I thought was a faux policy in my name. Since I knew all the account info, they would have allowed it leaving David of Connecticut driving without insurance.

More likely than not the greater risk is on David in Connecticut. He’s got more assets than I do and he has policies there at risk. He’s fortunate I’m not a hacker and I truly believe he is not.

So, besides the interesting tale of the two Davids, what is the takeaway from this story. Why am I as a computer repair technician in Lawrence, KS writing about this? A few reasons:

1) When you get email about a password or name change don’t assume they are spam, even though they are. I probably get at least 3 emails a day about various problems with accounts and I need to verify info. This was different because I knew in fact I had an account, it didn’t ask me to follow a link or open an attachment, mentioned me by name and most important, the phone number to call matched the number of the company. Unless all those matches I would have trashed it. I also didn’t follow any links but first called the company. That’s the key. No matter how legit don’t follow the links. However don’t ignore it if you’ve done business with the company. If no link is in the email, it’s more likely legit, but assume it’s not and be cautious

2) When you call to verify use a phone number you know and trust and give out minimal info
Fortunately I didn’t know my account number so I couldn’t give it. All I gave them was public info such as my name, my address, my phone, my email and my login name. I blogged about LINK how Citibank did something similar in the past to me and it was legit. Recently I called American Express about a potential fraudulent charge but I called the number from the website or my statement, not from an email link.

3) Remember that all systems are subject to human incompetence

A few years ago a Wired reporter was hacked because someone convinced an Apple customer service rep to reset a login that eventually led to his computer being erased. Just this week a terrible story of how a Twitter user got his account, his emails and all his websites held hostage because one customer service rep gave out info they shouldn’t. Ultimately perfect passwords, two-factor authentication, and security questions mean nothing if a company allows it to be bypassed. Procedures are there for a reason and should be followed. In this case it was an innocent error, but I’m terrified about how easy it was and how if someone had an intention of stealing my identity they could have through a bit of sweet talking and guilt trips.

The story isn’t over. Metlife is “taking it seriously” and has offered me one year of security monitoring to accommodate me for the error. Of course they won’t pay the $250 deductible for the identity theft protection my insurance company offers — ironic since they already offer such protection for David Greenbaum(s) but the policy apparently doesn’t cover problems CAUSED by Metlife. I wish David Greenbaum of Connecticut the best of luck and hope he knows I’m not trying to mess with him and I hope he isn’t doing the same. I wish all my readers be vigilant in protecting their identity but realize that some things may be out of their control and the only thing they can do is control the damage.

Please note: Subtle details about the other David Greenbaum were slightly changed to protect his identity from any further damage such as his location, his family dynamics, his employer and his automobiles.

Tags: ,

Leave a Comment

Copyright © DoctorDave Computer Repair in Lawrence Kansas |   intrepidity Theme by Top Blog Formula on WordPress |   Log In