“YOUR CHECKING ACCOUNT balance is low.” It’s an alert none of us wants to receive, especially if we’ve just been paid. But that was the message that a friend—let’s call him Ron—got recently. A hacker had gained control of his account and started bleeding it dry.
Ron, it turns out, was lucky to have received that alert. Another friend—let’s call him Arthur—received no such alert when his account was also taken over by hackers this summer.
Both are customers of Bank of America, which was the victim of a data breach earlier this year. The reality, though, is that this could occur at any bank, so it’s worth understanding what happened and what steps consumers can take to toughen their defenses against a similar attack.
For both Ron and Arthur, the thieves’ playbooks were similar. The first step was to gain control of their online accounts. In Arthur’s case, it was a two-step process. First, the crooks tricked his cell phone carrier into activating a new phone with Arthur’s number. Then, the thieves went to Bank of America’s website and requested a password reset. To authenticate the hacker, Bank of America sent a text message to Arthur’s phone number, which the thieves had in their control. That gave them access to Arthur’s account, where they were able to make a note of Arthur’s account number and—he thinks—see copies of canceled checks with Arthur’s signature.
Next, the crooks walked into a Bank of America branch in another state and requested a cash withdrawal. They had Arthur’s account number, and the signature used matched the signature on file. The thieves didn’t have any identification, though, so for authentication purposes the bank teller sent a code to Arthur’s phone number, which the crooks had in their possession. While the details are still unclear, apparently that process is sufficient for a teller to authenticate a customer. The hackers were then able to walk out with $10,000 in cash from Arthur’s account. Later that day, the crooks did the same thing at another branch and walked out with Arthur’s remaining account balance.
Hearing this story, you might wonder about the safeguards that should have been in place. Sadly, thieves are often a step ahead. They knew that banks typically email customers when their passwords have changed, and Bank of America did do that. But to cover their tracks, the hackers buried Arthur’s email box in spam messages. In the space of minutes, hundreds of thousands of messages came in, making it impossible for Arthur to see the all-important message from the bank.
Ron’s experience was very similar, including the flood of spam. But instead of walking into a branch, the hackers took a different tack. After gaining access to Ron’s online login, they opened a new joint account in the name of Ron’s wife and another, presumably phony individual’s name. They then transferred Ron’s checking account balance into this new account and, from there, wired the funds out to an account owned by the crooks.
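The spam flood that buried the bank's password-change email is a known evasion technique (often called email bombing). The following routine is an added example, not code from the original post: it runs over constructed messages, surfaces mail from an allowlisted bank domain whose subject looks like a security alert, and separately flags the burst itself, since a sudden flood is a takeover signal in its own right. The domain names, subjects and thresholds are assumptions.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Assumed allowlist of sender domains (constructed, not a real bank's domain).
# A real deployment should also require SPF/DKIM alignment, since the From
# header alone is trivially spoofed.
TRUSTED_SENDER_DOMAINS = {"alerts.examplebank.test"}
ALERT_SUBJECT = re.compile(r"(password|sign-?in|security|new device|account)\b", re.I)

def is_priority(msg):
    """Trusted sender domain AND an alert-like subject; both are required."""
    sender_domain = msg["from"].rsplit("@", 1)[-1].lower()
    return sender_domain in TRUSTED_SENDER_DOMAINS and bool(ALERT_SUBJECT.search(msg["subject"]))

def triage(messages, window=timedelta(minutes=5), burst_threshold=100):
    """Return (priority_messages, burst_detected).

    burst_detected becomes True when more than burst_threshold messages
    arrive inside any sliding time window; the flood itself deserves an alert.
    """
    priority, recent, burst = [], deque(), False
    for msg in sorted(messages, key=lambda m: m["ts"]):
        recent.append(msg["ts"])
        while recent and msg["ts"] - recent[0] > window:
            recent.popleft()          # drop arrivals older than the window
        if len(recent) > burst_threshold:
            burst = True
        if is_priority(msg):
            priority.append(msg)
    return priority, burst

def build_sample(n_spam=500):
    """Constructed inbox: one junk message per second, a decoy that mimics an
    alert from an untrusted domain, and the real bank alert buried mid-flood."""
    t0 = datetime(2024, 7, 1, 9, 0)
    msgs = [{"ts": t0 + timedelta(seconds=i), "from": f"promo{i}@junk{i % 7}.test",
             "subject": f"Newsletter #{i}"} for i in range(n_spam)]
    msgs.append({"ts": t0 + timedelta(seconds=10), "from": "help@junk-lookalike.test",
                 "subject": "Your account password needs attention"})   # decoy
    msgs.append({"ts": t0 + timedelta(seconds=n_spam // 2),
                 "from": "no-reply@alerts.examplebank.test",
                 "subject": "Your online banking password was changed"})
    return msgs
```

With the defaults, the 500-message flood trips the burst detector and exactly one message, the genuine bank alert, is surfaced; the decoy is rejected because its domain is not allowlisted.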
While Bank of America has committed to restoring the stolen funds to both Arthur and Ron, these experiences have nonetheless been a significant headache. By siphoning off nearly every available penny, the thieves triggered a financial domino effect. Scheduled transactions—from mortgage payments to electric bills—all failed, and neither had any access to cash.
Years ago, I recall attending a presentation by technology executives from J.P. Morgan. What surprised me was the frequency of cyberattacks they described. They measured them by the number of attempted attacks per day. In other words, it’s an ongoing battle, and there’s no silver bullet, so I recommend doing everything you reasonably can. Here are 12 steps to consider:
Adam M. Grossman is the founder of Mayport, a fixed-fee wealth management firm. Sign up for Adam’s Daily Ideas email, follow him on Twitter @AdamMGrossman and check out his earlier articles.
One thing I do is check my personal Capital account daily. It gives me my net worth so I can see if something looks off. I also do some of the other things noted.
Google Authenticator has no online backup, so if your phone dies or is stolen, you’ve lost your 2FA codes forever. If you use a second verification method, you may be able to get back into your accounts, but that second method is just as vulnerable as it would have been if you didn’t use an authenticator app at all. I use an authenticator with online backup, and avoid creating alternate verification methods tied to my phone (though many places still require a phone-related alternate).
The failure of the banking industry to provide security that meets current standards can only be described as malfeasance and cries out for tighter regulation of this industry. Most banks, including the household names, do not allow the customer to forgo SMS (text) as an option for 2FA. Easier for the bank that way. I had an experience with Wells Fargo similar to the Bank of America experience above, except that the thieves sent themselves a Zelle transfer (I had never before used Zelle) even as I was with customer support trying to regain control of my account. I went through two rounds of appeal with Wells Fargo and then another round through the Consumer Financial Protection Bureau and was stiffed in each case (CFPB has had its moments, but is largely ineffectual and living on borrowed time because its enemies can afford more K Street firepower than its friends). Wells Fargo apparently stiffed me because my complaints about misuse of the Zelle system that they helped to create countered a narrative in which they are heavily invested. So consumer beware, but recognize that the problem is as much the industry as the rogues. By the way, the brokerage industry (Vanguard and ETRADE/Morgan Stanley) is way ahead of consumer banking on this.
I’ve just submitted a ticket to RedPocket, my cell phone provider, to see if they support locking porting and/or new SIM cards, and I’ll write back here when they respond.
Thanks for the information, I hadn’t thought about how easy it is to trick the cell phone company, “my phone is broken, I can’t access it” – which has happened to members of my family, and 2FA is certainly a pain in that case. I love “authy”, which is Google Auth compatible, with the added feature that it can be shared with my phones and my desktop (and my wife, so she doesn’t have to get a 2FA code from me for those sites that support Google Auth any more).
“If your bank offers only text message-based two-factor authentication, I’d switch banks. It’s that important.”
I just checked, and only one of my banks (out of 6? that I use) has 2FA that doesn’t involve text messages.
I will have to go see about locking down my cell phones. It’s irritating that that vector is open. Though I’ve long argued that spam filters are so poor in most places. (I run a web and email hosting company and people don’t realize how much spam I throw away for them – spam that doesn’t even end up in their spam folders because it is so spammy.)
Not only are the posts valuable, but the comments always provide additional nuggets of information. Sooner or later the banks may wake up and issue fobs to all customers which would cut their losses. Thanks Adam for helping us all out.
Note that Verizon has a similar feature (to prevent number porting and SIM swapping) called “Number Lock”.
Thanks for the Verizon “Number Lock” tip. I thought I had fully secured my Verizon account and phones, but I missed this one.
My security tips: Whenever possible, treat an account user name just like a password: Use a random sequence of characters for the user name too. Also fabricate your answers to secret questions, making stuff up that is not true and has no connection to the real you. Just remember to record what you made up.
Superb, Adam. Thank you.
In the interest of clarity, I believe in item 3 you’re referring to your phone carrier’s security method to prevent an unauthorized SIM swap. A SIM swap is the process used when your carrier moves your phone number to a new phone. With T-Mobile I’m able to turn SIM swap protection on and manage it using my online account. It let me set a PIN that I’ll have to know in order to enable my carrier to swap my SIM to a new phone. I keep the PIN in my password manager so it’ll be easy to find when I need it next time I get a new phone. Turning on your carrier’s SIM swap protection is a key step in preventing this type of hack. Of course, as with any online account, you’ll want to have a strong password, 2FA turned on and have notifications enabled so you’re notified of any changes to your account such as PIN changes.
Yes, thank you to both of you. I didn’t know about the “account takeover protection” before reading this. I activated this very easily. I wish more businesses would enable the option of using authenticators like the Google Authenticator or Symantec VIP. Situations like having my bank account hacked are something I am paranoid about.
Addendum: turns out on T-Mobile that while SIM swap protection keeps your phone number from being transferred to another phone, there’s a separate security feature called “Account Takeover Protection” that keeps a hacker from transferring your phone number to another carrier. You have to turn this on separately from SIM swap protection, and it has to be turned on for each phone line in your account. Thanks Adam; I wouldn’t have seen this feature if your article didn’t spur me to take another quick look at SIM swap protection.
One more useful step: create an account at Chex Systems, the company many financial companies use before opening new accounts, then request a freeze. Have your spouse/partner do it too. This should lower your odds of succumbing to a bank account hijack attack.
BoA supports USB security keys like Yubikey for web logins which I highly recommend. For mobile BoA logins, you can enable Face ID and an SMS 2FA.
Vanguard now supports the latest w3c/FIDO standards with Yubikey too so you can use the same keys to secure those accounts. It looks like Fidelity is preparing to release such support soon.
Be sure to register at least two keys everywhere you use them.
Wonderful, thorough treatment of this topic, Adam. You consistently present truly valuable information.