Stop Bank Robbers

Adam M. Grossman

“YOUR CHECKING ACCOUNT balance is low.” It’s an alert none of us wants to receive, especially if we’ve just been paid. But that was the message that a friend—let’s call him Ron—got recently. A hacker had gained control of his account and started bleeding it dry.

Ron, it turns out, was lucky to have received that alert. Another friend—let’s call him Arthur—received no such alert when his account was also taken over by hackers this summer.

Both are customers of Bank of America, which was the victim of a data breach earlier this year. The reality, though, is that this could occur at any bank, so it’s worth understanding what happened and what steps consumers can take to toughen their defenses against a similar attack.

For both Ron and Arthur, the thieves’ playbooks were similar. The first step was to gain control of their online accounts. In Arthur’s case, it was a two-step process. First, the crooks tricked his cell phone carrier into activating a new phone with Arthur’s number. Then, the thieves went to Bank of America’s website and requested a password reset. To authenticate the hacker, Bank of America sent a text message to Arthur’s phone number, which the thieves had in their control. That gave them access to Arthur’s account, where they were able to make a note of Arthur’s account number and—he thinks—see copies of canceled checks with Arthur’s signature.

Next, the crooks walked into a Bank of America branch in another state and requested a cash withdrawal. They had Arthur’s account number, and the signature used matched the signature on file. The thieves didn’t have any identification, though, so for authentication purposes the bank teller sent a code to Arthur’s phone number, which the crooks had in their possession. While the details are still unclear, apparently that process is sufficient for a teller to authenticate a customer. The hackers were then able to walk out with $10,000 in cash from Arthur’s account. Later that day, the crooks did the same thing at another branch and walked out with Arthur’s remaining account balance.

Hearing this story, you might wonder about the safeguards that should have been in place. Sadly, thieves are often a step ahead. They knew that banks typically email customers when their passwords have changed, and Bank of America did do that. But to cover their tracks, the hackers buried Arthur’s email box in spam messages. In the space of minutes, hundreds of thousands of messages came in, making it impossible for Arthur to see the all-important message from the bank.

Ron’s experience was very similar, including the flood of spam. But instead of walking into a branch, the hackers took a different tack. After gaining access to Ron’s online login, they opened a new joint account in the name of Ron’s wife and another, presumably phony individual’s name. They then transferred Ron’s checking account balance into this new account and, from there, wired the funds out to an account owned by the crooks.
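Both stories follow the same bank-visible sequence: a password reset authenticated only by SMS, then a large outflow (an in-branch withdrawal with no ID, or a new joint account followed by a transfer and wire) within hours. The detection logic below is an added example, not from the article or from Bank of America; the event stream, field names, 72-hour window and dollar threshold are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample event stream (not real bank data), modelled on the two
# takeover playbooks in the article: Arthur (SMS reset, then two no-ID branch
# withdrawals) and Ron (SMS reset, new joint account, transfer, wire-out).
# Account "B" is a control with an ordinary withdrawal and no reset.
SAMPLE_EVENTS = [
    {"t": "2023-06-01T09:00", "acct": "A", "type": "password_reset", "channel": "sms"},
    {"t": "2023-06-01T14:30", "acct": "A", "type": "branch_withdrawal", "amount": 10000, "id_presented": False},
    {"t": "2023-06-01T17:10", "acct": "A", "type": "branch_withdrawal", "amount": 6500, "id_presented": False},
    {"t": "2023-06-03T08:00", "acct": "R", "type": "password_reset", "channel": "sms"},
    {"t": "2023-06-03T08:20", "acct": "R", "type": "account_opened", "joint": True},
    {"t": "2023-06-03T08:25", "acct": "R", "type": "internal_transfer", "amount": 4200},
    {"t": "2023-06-03T09:00", "acct": "R", "type": "wire_out", "amount": 4200},
    {"t": "2023-06-10T12:00", "acct": "B", "type": "branch_withdrawal", "amount": 300, "id_presented": True},
]

WINDOW = timedelta(hours=72)   # assumed correlation window after a weak-factor reset
LARGE = 2000                   # assumed review threshold in dollars
OUTFLOW = {"branch_withdrawal", "wire_out", "internal_transfer"}


def _ts(event):
    return datetime.fromisoformat(event["t"])


def flag_takeover_patterns(events, window=WINDOW, large=LARGE):
    """Return (account, reason) pairs for risky actions that follow a recent
    SMS-authenticated password reset, the common step in both cases."""
    alerts = []
    last_sms_reset = {}  # acct -> time of the most recent SMS-channel reset
    for e in sorted(events, key=_ts):
        t = _ts(e)
        if e["type"] == "password_reset" and e.get("channel") == "sms":
            last_sms_reset[e["acct"]] = t
            continue
        since = last_sms_reset.get(e["acct"])
        if since is None or t - since > window:
            continue  # no recent weak-factor reset, nothing to correlate
        if e["type"] == "account_opened" and e.get("joint"):
            alerts.append((e["acct"], "new joint account soon after SMS reset"))
        elif e["type"] in OUTFLOW and e.get("amount", 0) >= large:
            why = f"{e['type']} of {e['amount']} within {window} of SMS reset"
            if e["type"] == "branch_withdrawal" and not e.get("id_presented", True):
                why += ", no ID presented"
            alerts.append((e["acct"], why))
    return alerts
```

Run against the sample stream it flags both of Arthur's withdrawals and all three of Ron's steps while leaving the control account untouched; a real deployment would route these to step-up verification through a channel other than the phone number used for the reset.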

While Bank of America has committed to restoring the stolen funds to both Arthur and Ron, these experiences have nonetheless been a significant headache. By siphoning off nearly every available penny, the thieves triggered a financial domino effect. Scheduled transactions—from mortgage payments to electric bills—all failed, and neither had any access to cash.

Years ago, I recall attending a presentation by technology executives from J.P. Morgan. What surprised me was the frequency of cyberattacks they described. They measured them by the number of attempted attacks per day. In other words, it’s an ongoing battle, and there’s no silver bullet, so I recommend doing everything you reasonably can. Here are 12 steps to consider:

  1. Job No. 1 is to secure the logins to all your financial accounts. Use a password manager that will generate long passwords. Be sure you have two-factor authentication (2FA) enabled. If your bank offers a choice, go for the 2FA option that employs an authenticator app, such as Google Authenticator, Authy or Symantec VIP. That way, even if hackers get hold of your cell phone number, as they did in Arthur’s case, they’ll have a much harder time accessing your account. If your bank offers only text message-based two-factor authentication, I’d switch banks. It’s that important.
  2. Set up account alerts. If your balance falls too low, or if a withdrawal is unusually large, your bank can let you know immediately. Most banks offer a variety of flexible alert options. Fortunately, despite the flood of spam, Ron spotted an alert like this, and that allowed him to take action more quickly. But as noted, since hackers sometimes target email inboxes and sometimes target cell phones, be sure you have alerts set up to communicate through both channels. Your bank might also offer alerts that are sent through its mobile app, offering a third channel.
  3. Secure your cell phone account. Call your carrier and ask if you can put in place an account password. That would prevent a hacker from tricking a hapless phone store employee into giving out your phone number.
  4. Secure your bank account with a verbal password. If a hacker tries calling your bank to initiate a transaction, a verbal password—which is different from your online password—can help thwart that line of attack.
  5. Because this year’s Bank of America data breach included account logins, I suggest changing your user ID if you’re a Bank of America customer.
  6. Have more than one bank account. While I generally advocate consolidating accounts, Arthur was lucky to have another ATM card in his wallet. Even though Bank of America committed to restoring his funds, it took time. And in Ron’s case, the bank understandably locked down all his accounts. But with all of his accounts at Bank of America, that put him in a difficult position, unable to pay bills for an extended period.
  7. Don’t use your ATM card as a debit card. If you use your ATM card only for cash withdrawals, that will prevent your card number from being swept up if there’s a data breach at a retailer where you’re a customer.
  8. If you have a safe in your home, hold some cash there. I don’t mean to sound extreme, but it could help in certain situations. Years ago, for example, a blackout affected New York City, knocking out large numbers of ATMs for an uncomfortably long period.
  9. Never respond to inbound inquiries of any kind, no matter how authentic they might look or sound. If you receive a text or email, ignore it. Never click on any links or call any numbers that these messages provide. And if you receive a call, hang up. If you aren’t sure whether the communication was legitimate, call your financial institution using a phone number you find on the back of your bank card or on the bank’s website.
  10. Install malware protection software such as Malwarebytes on your computer.
  11. If you see any of the warning signs described here—whether it’s a flood of spam or a “no service” message on your cell phone—call your financial institutions immediately.
  12. If you ever have a problem along these lines, consult the Federal Trade Commission’s website, which provides useful resources and recommendations. Also, file an incident report with your local police department, and contact credit agencies to put a fraud alert in place.

Adam M. Grossman is the founder of Mayport, a fixed-fee wealth management firm. Sign up for Adam’s Daily Ideas email, follow him on Twitter @AdamMGrossman and check out his earlier articles.

15 Comments
Edwin Belen
1 year ago

One thing I do is check my Personal Capital account daily. It gives me my net worth so I can see if something looks off. I also do some of the other things noted.

Nick M
1 year ago

Google Authenticator has no online backup, so if your phone dies or is stolen, you’ve lost your 2FA codes forever. If you use a second verification method, you may be able to get back in to your accounts, but that second method is just as vulnerable as it would have been if you didn’t use an authenticator app at all. I use an authenticator with online backup, and avoid creating alternate verification methods tied to my phone (though many places still require a phone related alternate).

Chuck BV
1 year ago

The failure of the banking industry to provide security that meets current standards can only be described as malfeasance and cries out for tighter regulation of this industry. Most banks, including the household names, do not allow the customer to forgo SMS (text) as an option for 2FA. Easier for the bank that way. I had an experience with Wells Fargo similar to the Bank of America experience above, except that the thieves sent themselves a Zelle transfer (I had never before used Zelle) even as I was with customer support trying to regain control of my account. I went through two rounds of appeal with Wells Fargo and then another round through the Consumer Finance Protection Bureau and was stiffed in each case (CFPB has had its moments, but is largely ineffectual and living on borrowed time because its enemies can afford more K Street firepower than its friends.) Wells Fargo apparently stiffed me because my complaints about misuse of the Zelle system that they helped to create countered a narrative in which they are heavily invested. So consumer beware, but recognize that the problem is as much the industry as the rogues. By the way, the brokerage industry (Vanguard and ETRADE/Morgan Stanley) is way ahead of consumer banking on this.

Jon Daley
1 year ago

I’ve just submitted a ticket to RedPocket, my cell phone provider to see if they support locking porting and/or new SIM cards, and I’ll write back here when they respond.

Thanks for the information, I hadn’t thought about how easy it is to trick the cell phone company, “my phone is broken, I can’t access it” – which has happened to members of my family, and 2FA is certainly a pain in that case. I love “authy”, which is Google Auth compatible, with the added feature that it can be shared with my phones and my desktop (and my wife, so she doesn’t have to get a 2FA code from me for those sites that support Google Auth any more).

Jon Daley
1 year ago

“If your bank offers only text message-based two-factor authentication, I’d switch banks. It’s that important.”

I just checked, and only one of my banks (out of 6? that I use) has 2FA that doesn’t involve text messages.

I will have to go see about locking down my cell phones. It’s irritating that vector is open. Though I’ve long argued that spam filters are so poor in most places. (I run a web and email hosting company and people don’t realize how much spam I throw away for them – spam that doesn’t even end up in their spam folders because it is so spammy.)

AKROGER SHOPPER
1 year ago

Not only are the posts valuable, but the comments always provide additional nuggets of information. Sooner or later the banks may wake up and issue fobs to all customers which would cut their losses. Thanks Adam for helping us all out.

rgscl
1 year ago

Note that Verizon has a similar feature (to prevent number porting and SIM swapping) called “Number Lock”.

Humble Reader
1 year ago
Reply to rgscl

Thanks for the Verizon “Number Lock” tip. I thought I had fully secured my Verizon account and phones, but I missed this one.

My security tips: Whenever possible treat an account user name just like a password: Use a random sequence of characters for the user name too. Also fabricate your answers to secret questions, making stuff up that is not true and has no connection to the real you. Just remember to record what you made up.

Mike Gaynes
1 year ago

Superb, Adam. Thank you.

OldITGuy
1 year ago

In the interest of clarity, I believe in item 3 you’re referring to your phone carrier’s security method to prevent an unauthorized SIM swap. A SIM swap is the process used when your carrier moves your phone number to a new phone. With T-Mobile I’m able to turn SIM swap protection on and manage it using my online account. It let me set a PIN that I’ll have to know in order to enable my carrier to swap my SIM to a new phone. I keep the PIN in my password manager so it’ll be easy to find when I need it next time I get a new phone. Turning on your carrier’s SIM swap protection is a key step in preventing this type of hack. Of course, as with any online account, you’ll want to have a strong password, 2FA turned on and have notifications enabled so you’re notified of any changes to your account such as PIN changes.

kt2062
1 year ago
Reply to OldITGuy

Yes, thank you to both of you. I didn’t know about the “account takeover protection” before reading this. I activated this very easily. I wish more businesses would enable the option of using authenticators like the Google Authenticator or Symantec VIP. Situations like having my bank account hacked are something I am paranoid about.

OldITGuy
1 year ago
Reply to OldITGuy

Addendum: turns out on T-Mobile that while SIM swap protection keeps your phone number from being transferred to another phone, there’s a separate security feature called “Account Takeover Protection” that keeps a hacker from transferring your phone number to another carrier. You have to turn this on separately from SIM swapping protection, and it has to be turned on for each phone line in your account. Thanks Adam; I wouldn’t have seen this feature if your article didn’t spur me to take another quick look at SIM swap protection.

David Powell
1 year ago

One more useful step: create an account at Chex Systems, the company many financial companies use before opening new accounts, then request a freeze. Have your spouse/partner do it too. This should lower your odds of succumbing to a bank account hijack attack.

David Powell
1 year ago

BoA supports USB security keys like Yubikey for web logins which I highly recommend. For mobile BoA logins, you can enable Face ID and an SMS 2FA.

Vanguard now supports the latest w3c/FIDO standards with Yubikey too so you can use the same keys to secure those accounts. It looks like Fidelity is preparing to release such support soon.

Be sure to register at least two keys everywhere you use them.

Edmund Marsh
1 year ago

Wonderful, thorough treatment of this topic, Adam. You consistently present truly valuable information.
