Attacker logs in to capitalone.com.

Attacker changes account username from jlamoree to josephlamoree

Attacker changes account e-mail address to dcan2009@aol.com

Attacker discovers that card had no available credit

Attacker submits payment of $1500.00 using stored checking account information.

Joseph receives e-mail alert that changes have been made to Capital One account

Joseph attempts to login to capitalone.com. Fails with invalid username.

Wells Fargo sends e-mail indicating that $1500.00 pre-authorized debit has been reversed as insufficient funds

Wells Fargo applies $39.00 fee to checking account

Joseph logs in to wellsfargo.com to see payment to Capital One and reversal

Joseph calls Capital One to assess damage done with account.

While on hold, Joseph discovers changed e-mail address and corrects it

While on hold, Joseph adds mobile phone number for SMS alerts on any account change in the future.

First Capital One representative transfers Joseph to "account specialist"

Second Capital One representative transfers Joseph to "account specialist"

Third Capital One representative cannot understand why someone would make a fraudulent payment

Joseph attempts to explain why attacker would want a stolen card to have available credit

Joseph asks representative about the attack: brute force attack? hijacked session? known credentials?

Representative informs Joseph that only option is to file a lost/stolen card report

Capital One issues new card for account

Joseph terminates 41 minute phone call without resolution

Joseph wishes he had the means to close Capital One account