Something was very wrong. I sensed it as soon as I scanned my email late that morning, about two weeks ago.
Long before my conscious brain could process the data on my computer screen, my subconscious was screaming “EMERGENCY.”
What was I seeing? Sitting in my inbox were notifications about three withdrawals from a large savings account. An account that I rarely touch.
Clicking on one of the withdrawals, my worst fears were quickly realized: An “Official Check,” for more than $43,000, had been drafted on the account, less than an hour before.
But, I had not requested any check! With frantic fingers I dialed my bank….
Genesis of a Crime
I had spent that morning planning a summer road trip, making reservations on the west coast. Some of those reservations required reading my credit card number to individuals on the other side of the call. They all seemed legitimate. But, there is always the possibility you are dealing with somebody crooked, or that somebody with shady intentions could be listening in….
About an hour before I checked my email that day, a text message from the bank had popped up on my phone. Something about a “Temporary Pass Code.” I hadn’t seen this before, so I Googled the term. Seems this would be generated when somebody tried logging into my account from a strange computer.
Ok, as a retired software engineer, I knew that this happens all the time on the web as fraudsters attempt to hack into online accounts. I was confident of my online security measures, so didn’t fret much about it. Just to be sure though, I logged into my credit card account and checked: There weren’t any suspicious transactions.
So I went back to my travel planning until just before noon, when I checked my email and found the spurious withdrawals from my savings account….
The first-line agent at the bank was courteous and helpful. Maybe a little glib given that I’d just lost over $40K, but they undoubtedly see this much more than I do. She asked politely: “So, you didn’t request a $43,000 check to buy a boat in Florida this morning?” “NO, I don’t do boats,” I replied. She reversed the two small transaction charges, and put me on hold for a few minutes while she ran to try and recall the big check.
When she came back on the line, I began to get some sketchy details on what had transpired. Somebody had phoned in, posing as me. I was told they had “just enough” personal information to get past the security measures. Once in, they apparently had free rein to withdraw from my accounts.
At the agent’s suggestion, we flagged my account for fraud risk, meaning a higher level of security verification would be applied to any future callers. Then she transferred me to the fraud department.
That department assured me the incident would be investigated and I’d be reimbursed for any fraudulent activity. But it could take as long as 3-5 days. Meanwhile, we were out a lot of cash. Suggestions were made that we change our online credentials, that we might have to get a new savings account, maybe even a new phone number. What a headache!
My wife and I spent a good chunk of the afternoon changing our online credentials. That evening, we went to bed uneasy. It seemed we’d done all we could do, but we had no idea where else we might be at risk, or how it would all turn out….
I slept fitfully. Waking up early, I glanced at my cell phone on the table beside the bed. The little green light was blinking. There was a new text message: “Temporary Pass Code.”
While I had been asleep, the perpetrator had tried breaking into my accounts again. I rubbed the sleep from my eyes and logged in to spot-check my account balances. No changes, thank heavens. The new security measures appeared to be holding.
I called the bank to be sure. “Yep,” the agent said, “looks like they have your phone number and just enough personal information.” But this time, thanks to the additional security measures on my account, they were required to supply my phone password.
They didn’t know it. And the intrusion was stopped in its tracks….
That afternoon I received a call from the investigator in the bank’s fraud department. He had access to all their internal logs and could tell me exactly what had happened the day before.
The fraudster knew my phone number and had used widely-available black market tools to “spoof” it on the call-in. So, to the bank’s systems, his phone appeared to be mine. But the miscreant failed to answer my correct phone password, and then failed to supply another piece of identifying information. Finally, they provided my date of birth, and a credit card number, and were allowed in.
I can only imagine the audacity required to pull this charade off. But the bank was not blameless. They could have done better in this instance. Names and phone numbers are public information. Birth dates — one of the first pieces of personal security information ever put to use — have been compromised in large data breaches in recent years. And credit card numbers are routinely stolen. (Despite taking a number of precautions, it happens to us about once a year.)
So, for the bank to give an intruder unfettered access to my cash based on that collection of easily-assembled data seems like a screw-up. And I told them so. I was assured they were evaluating their verbal authentication procedures. But they are also risking customer frustration if they present too many security hurdles. It’s an ongoing tension.
Who hasn’t been exasperated by the need to remember passwords or PINs, or answer elaborate security questions? It can seem burdensome and paranoid. Until you see thousands of your own dollars disappear in an instant. So, I’ll cast my vote for more security, not less, when it comes to financial accounts….
The call closed with the investigator assuring me that the enhanced authentication on my account would be adequate. And, so far, it has. Meanwhile, he submitted our claim for reimbursement, saying we’d see the credit in 1-2 business days. And, the bank was ahead of schedule on that commitment. So we are financially whole again. And a little wiser….
There is plenty of advice on the web about how to protect your identity online. Unfortunately, a lot of it recommends a paranoid, shotgun approach which will cost you a lot of time. Or worse, it’s about selling you products and services that will cost you money and time, and may not make you much more secure.
I want to focus instead on exactly what went wrong, and right, in this instance, so we can all take precise steps to be safer with our financial lives….
First, I long ago signed up for notifications of all transactions on my accounts greater than $1,000. This was critical to my catching and reversing the fraudulent withdrawal quickly. The law says you have up to 60 days to report fraud, but the quicker you do so the stronger your case and faster you’ll get your money back. So, if you haven’t done it, sign up for notifications of large withdrawals on your accounts today!
Next, replace vague fear about identity theft with accurate knowledge. You are not at risk simply because you do bank transactions online. If you use strong, random passwords, those are essentially unbreakable with today’s technology. Financial institutions limit login attempts, which means brute force guessing techniques won’t work over the web. So, with a minimum of effort on your part, nobody will be able to guess your password.
However, as recent politically-motivated hacks in the US and France attest: Even smart people sometimes fail to use strong passwords, and even those who do can be tricked, or have their staff tricked, into giving them away. So, your password could still be compromised or stolen. Fortunately, in many such cases, your institution will detect the intrusion and notify you.
The real problem in my mind is people: employees, not computer systems. Phone access, not online access. The best online security in the world is no good if a criminal can talk their way into your accounts through a front-line agent. The weak link I see in the financial system is due to telephone access and personal interaction.
In my case, the bank apparently gives front-line agents a fair amount of discretion or options for validating callers. If one technique doesn’t work, they’ll try others, in an attempt to avoid frustrating legitimate customers. The motivation is good. And only the bank knows if the costs are worth the benefits. But in the case of my account, there were too many degrees of freedom, and the front-line agent was duped.
Best Security Measures
I dealt with two other companies recently that have much more rigid, and possibly foolproof systems: One requires a PIN. If you don’t know it, they’ll simply generate another one to your registered phone number. Without controlling that physical phone, it will be impossible to access your account.
The other company allows adding a phone password to your account. If a caller doesn’t know it, they are shut out of all account access. If the legitimate owner has forgotten the password, they’ll have to visit a local branch of the company and display two forms of identification to reset the password.
These are very substantial hurdles for a fraudster to overcome.
Common themes here are phone passwords (or PINs) and two-factor authentication (texting a code to your smartphone). These two mechanisms, if strongly enforced by your financial institution, will stop most of today’s fraudulent attacks in their tracks. Fortunately, while a spoofed phone can appear to be your phone for outgoing calls, it cannot receive your messages.
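As an added illustration (my own model, not the bank’s code or the author’s), here is a small Python simulation of the two verification styles contrasted above: the lenient fallback that let the impostor through, and a strict policy where a failed phone password or missing one-time code ends the call. The factor strength scores and the “other_identifier” placeholder are assumptions.

```python
from dataclasses import dataclass, field

# Verification factors a phone agent might accept, scored by how hard they are
# for an impostor to obtain. The scores are this example's assumption.
STRENGTH = {
    "caller_id": 0,        # spoofable, so it proves nothing on its own
    "date_of_birth": 1,    # exposed in large data breaches
    "card_number": 1,      # routinely stolen
    "other_identifier": 1, # the unspecified extra item from the post
    "phone_password": 3,   # secret shared only with the account owner
    "sms_code": 3,         # proves possession of the registered handset
}

@dataclass
class Decision:
    granted: bool
    reason: str
    failed_strong: list = field(default_factory=list)

def lenient_policy(attempts):
    """Agent keeps offering factors until enough of them succeed; failures
    are simply skipped. Models the 'too many degrees of freedom' behaviour."""
    score = sum(STRENGTH[factor] for factor, ok in attempts if ok)
    if score >= 2:
        return Decision(True, f"score {score} >= 2")
    return Decision(False, f"score {score} < 2")

def strict_policy(attempts):
    """One strong factor (phone password or SMS code) is mandatory, and a
    failed strong factor ends the call no matter what else is offered."""
    failed_strong = [f for f, ok in attempts if not ok and STRENGTH[f] >= 3]
    if failed_strong:
        return Decision(False, "strong factor failed; reset requires branch visit",
                        failed_strong)
    if any(ok and STRENGTH[f] >= 3 for f, ok in attempts):
        return Decision(True, "strong factor verified")
    return Decision(False, "no strong factor presented")

# Constructed call transcript following the sequence described in the post:
# spoofed caller ID, wrong phone password, a second failed item, then date of
# birth and a card number.
INCIDENT_CALL = [
    ("caller_id", True),
    ("phone_password", False),
    ("other_identifier", False),
    ("date_of_birth", True),
    ("card_number", True),
]

if __name__ == "__main__":
    print("lenient:", lenient_policy(INCIDENT_CALL))
    print("strict: ", strict_policy(INCIDENT_CALL))
```

Under the lenient policy the incident call is granted; under the strict policy the failed phone password alone is enough to deny it, which is the behaviour the author saw once the fraud flag was on the account.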
I’d strongly recommend setting up one or both of these mechanisms at all your institutions that hold ready cash accounts. (Investment accounts are less of a concern because of the built-in delays with clearing securities transactions. A fraudster would need to sell securities, wait three days for the transaction to clear, then attempt to transfer money. That gives you much more time to spot criminal activity.)
The final, inviolable line of defense for your financial life is to freeze your credit reports. Though this won’t prevent anybody from accessing your current accounts, it will prevent them from creating new ones, or taking out loans, in your name. I froze our credit reports about a decade ago and I can largely ignore them these days. When I checked our reports after this incident using AnnualCreditReport.com, the results were reassuringly boring. Other than routine credit card transactions, there have been no new entries on our credit reports in years.
If and when you must face identity theft and a resulting financial attack, try to think clearly and avoid panic. I know it’s not easy when a sizable chunk of your money disappears into the ether, but staying calm will save you time and money.
Contact your financial institution quickly, talk to their fraud department, and demand to know exactly what information was compromised. Then proceed to address only that weak link. If the fraudulent access was online, change those credentials. If it was done over the phone, increase the security on your account using a phone password or PIN. In either case, add two-factor authentication, if your institution supports it.
Don’t rush to change all of your credentials, account numbers, phone numbers, etc. You will cost yourself days of work, and you still may not solve the problem.
In my case, a stolen credit card number was the linchpin. Once the mechanism was clear, I promptly cancelled that card. When I have another credit card stolen in the future, as will surely happen, the increased security measures on my account will stop the kind of attack I just saw from happening again….
* * *