I-Team gets money back for salon owner whose Square account was hacked; how to protect yourself

WETHERSFIELD, CT. (WFSB) - If you’re a business owner, there’s a good chance you use a credit card.

A credit card processing machine that makes it easier for customers without cash to pay.

But what happens if your business account is hacked?

$8,000 MISSING:

When Kelly Mesen isn’t at home with her children, she’s working hard at her hair salon in Wethersfield.

“My husband is in school so I’m the only income and I have three little kids,” said Mesen.

As the only income source right now, every penny earned counts more.

Since September 2, Mesen has been missing around $8,000.

Mesen said, “I just want the money back that I worked for.”

For 7 years, Mesen had been using Square credit card processing company.

Here’s how it works: Mesen plugs a small machine into her phone. Customers then swipe their cards. The money goes into a Square account linked to Mesen’s bank account.

But a few months ago, Mesen noticed something was wrong.

“One day I came in and was logged off my account,” said Mesen.

Trying to reset her password didn’t work, so she called Square Customer Service.

“I was able to change my password, she was able to give me a two step verification process, she was able to change my email back and make sure all of the information was correct,” said Mesen.

Mesen was told to wait 3-5 days for everything to clear up.

At the end of September, Mesen looked at her accounts, and saw none of her customer’s payments had been deposited into her account.

Payments totaling more than $8,000.

“I went on to the information where it was going to be transferred and it was a different bank account than my bank account,” said Mesen.

Mesen had been hacked.

Not only had the bank account information been changed on her Square account, but the phone number as well.

The hackers had also gotten into her email.

“They had hacked into my email and filtered anything from square to automatically be deleted so I wouldn’t receive any notifications,” said Mesen.

Mesen said none of her customers reported any problems.

Mesen said all Square could tell her, was to let their security team handle it. It’s been 3 and a half months.

“It’s frustrating and I’m trying to just pay the bills here and pay the bills at home,” says Mesen.

SQUARE RESPONDS:

The I-Team reached out to Square.

A spokesperson said there was NO data breach on their end, but they would work to put the money back into Mesen’s account.

“Unfortunately, millions of individuals in the US have their personal information compromised annually through data breaches that occur on various platforms outside of Square. In some instances, fraudsters are able to use this compromised information to access legitimate sellers’ accounts. We actively monitor for these situations and have policies and processes in place to protect our sellers’ funds and assist them with regaining control of their accounts. Additionally, to better protect their accounts, we strongly encourage all sellers to enable security features such as two-factor authentication.”

HOW TO PROTECT YOURSELF ONLINE:

Cybersecurity Expert Tim Weber, of Cyber74 in Rocky Hill, says Square, and other companies like them, are cloud based. So if a hacker gets personal information off a different site, it won’t be hard for them to guess a username and password.

“Unfortunately, those are things that individuals set that can make it the weak link in the process,” said Weber. “there’s a couple of things that we look at when we’re providing guidance for clients on cloud based systems.”

Whether you’re a business owner, or just the average person, Cybersecurity Expert Tim Weber says two step authentication, also known as multi factor authentication, is the best way to protect yourself with any online accounts you have.

“That’s where in addition to typing in a username and password, you either get a code texted to your phone that you’ve registered or maybe you’ve got an app on your phone that gets a push notification,” says Weber.

Weber also said to make sure you’re using a strong password, but never use the same password twice, because “we’ll see attacks where some system gets compromised, the attackers get a list of email addresses and passwords. Now they go trying to use those emails and passwords in all sorts of other places as well.”

“The longer the password, the better. 8 characters should be an absolute minimum. Mixing uppercase, lowercase, numbers and letters,” says Weber. “There’s a concept called using a passphrase. So that’s maybe something where it’s a movie quote, a lyric to a song.”

Having trouble remembering all of your passwords?

“Password managers are a fantastic tool. There are a lot of different ways you can manage passwords. Having a book where you physically write things down is incredibly safe because it’s not online, an attacker can get to it,” says Weber. “Obviously there’s some usability issues associated with that. If you’re not with the book, you’re not going to be able to get access to those passwords. “There are tools such as dash lane and last pass and other platforms that are basically online password vaults that you can then put all your passwords in and put one really strong password with multi factor verification on it and you’ve got a level of protection.”

Now Square does offer multi factor authentication, but it’s just an option. Weber says companies should make it a requirement, to better protect their customers.

“The more we can see these platforms going to something where MFA is just right there as a requirement to start, that’s going to save everybody some heartbreak,” says Weber.

HAPPY ENDING:

As for Mesen, her heartbreak has been fixed.

“A couple days after you contacted them, I got a call from them saying everything was resolved and the money was being unfrozen,” said Mesen. “I really appreciate it.”

For more tips on how to protect yourself online, head to our website wfsb.com.

Copyright 2022 WFSB. All rights reserved.