“Your checking account balance is low.” It’s an alert no one would ever want to receive—especially if you’d just been paid. But such was the message that a friend—let’s call him Ron—received recently. A hacker had gained control of his account and had started to bleed its balance toward zero.
Ron, it turns out, was lucky to have received that alert. Another friend—let’s call him Arthur—received no such alert when his account was also taken over this summer.
Both are customers of Bank of America, which was the victim of a data breach earlier this year. The reality, though, is that this could happen to any bank, so it’s worth understanding what happened and what steps consumers can take to harden their defenses against a similar attack.
For both Ron and Arthur, the thieves’ playbooks were similar. The first step was to gain control of their online accounts. In Arthur’s case, it was a two-step process. First, the crooks tricked his cell phone carrier into activating a new phone with Arthur’s number. Then, they went to the Bank of America website and requested a password reset. To authenticate the hacker, BoA sent a text message to Arthur’s phone number, which the thief had in his control. That gave the thief access to Arthur’s account, where he was able to make a note of the account number and—Arthur thinks—see copies of canceled checks with Arthur’s signature.
Next, the crook walked into a Bank of America branch in another state and requested a cash withdrawal. He had Arthur’s account number, and his signature matched the signature on file. He didn’t have any identification, though, so to authenticate him, the bank teller sent a code to Arthur’s phone number, which the bad guy had in his possession. While the details are still unclear, apparently that process is sufficient for a teller to authenticate a customer. The hacker was then able to walk out with $10,000 in cash from Arthur’s account. Later that day, the crook did the same thing at another branch and walked out with the remaining balance from Arthur’s account.
Hearing this story, you might wonder about the safeguards that should have been in place. Sadly, thieves are often a step ahead. They knew that banks typically email customers when their passwords have changed, and Bank of America did do that. But to cover their tracks, the hackers buried Arthur’s email box in spam messages. In the space of minutes, hundreds of thousands of messages came in, making it impossible for Arthur to see the all-important message from the bank.
Ron’s experience was very similar, including the flood of spam. But instead of walking into a branch, the hackers took a different tack. After gaining access to Ron’s online login, they opened a new joint account in the names of Ron’s wife and another, presumably phony, individual. They then transferred Ron’s checking account balance into this new account, and from there, wired the funds out to an account owned by the crooks.
While Bank of America has committed to restoring the stolen funds both to Arthur and to Ron, these experiences have nonetheless been a significant headache. By siphoning off nearly every available penny, the thieves triggered a financial domino effect. Scheduled transactions—from mortgage payments to electric bills—all failed, and neither had any access to cash.
Years ago, I recall attending a presentation by technology executives from J.P. Morgan. What surprised me was how they described the frequency of cyber attacks. They measured them by the number of attempted attacks per day. In other words, it’s an ongoing battle, and there’s no silver bullet, so I recommend doing everything you reasonably can. Here are steps to consider:
- Job number one is to secure the logins to all of your financial accounts. Use a password manager that will generate long passwords. Then, be sure you have two-factor authentication (2FA) enabled. If your bank offers a choice, go for the 2FA option that employs an authenticator app, such as Google Authenticator, Authy or Symantec VIP. That way, even if someone gets hold of your cell phone number, as they did in Arthur’s case, they’ll have a much harder time accessing your account. If your bank offers only text message-based two-factor authentication, I’d switch banks. It’s that important.
- Set up account alerts. If your balance falls too low, or if a withdrawal is unusually large, your bank can let you know immediately. Most banks offer a variety of flexible alert options. Fortunately, despite the flood of spam, Ron was able to catch an alert like this, and that allowed him to take action more quickly. But as noted, since hackers sometimes target email inboxes and sometimes target cell phones, be sure you have alerts set up to communicate through both channels. Your bank might also offer alerts that are sent through their mobile apps, offering a third channel.
- Secure your cell phone account. Call your carrier and ask if you can put in place an account password. That would prevent a hacker from tricking a hapless phone store employee into giving away your phone number to a crook.
- Secure your bank account with a verbal password. If a hacker tries calling your bank to initiate a transaction, a verbal password—which is different from your online password—can help thwart that line of attack.
- Because the Bank of America data breach this year included account logins, I suggest changing your user ID if you’re a BoA customer.
- Have more than one bank account. While I generally advocate consolidating accounts, Arthur was lucky to have another ATM card in his wallet. Even though BoA committed to restoring his funds, it still took time. And in Ron’s case, the bank understandably locked down all his accounts. But with all of his accounts at BoA, that put him in a difficult position, unable to pay bills for too long a period.
- Don’t use your ATM card as a debit card. If you use your ATM card only for cash withdrawals, that will prevent your card number from being swept up if there’s a data breach at a retailer where you’re a customer.
- If you have a safe in your home, hold some cash there. I don’t mean to sound extreme, but if you already have a safe, it could help in certain situations. Years ago, for example, a blackout affected New York City, knocking out large numbers of ATMs for an uncomfortably long period.
- Never respond to inbound inquiries of any kind, no matter how authentic they might look or sound. If you receive a text or an email, ignore it. Never click on any links or call any numbers they provide. And if you receive a call, hang up. If you aren’t sure whether the communication was legitimate, call your financial institution using only a phone number you find on the back of your bank card or on the bank’s website.
- Install malware protection software such as Malwarebytes on your computer.
- If you see any of the warning signs described here—whether it’s a flood of spam or a “No Service” message on your cell phone—call your financial institutions immediately.
- I sincerely hope it never happens, but if you ever do have a problem along these lines, consult the Federal Trade Commission’s website, which provides a number of useful resources and recommendations. Also, file an incident report with your local police department, and contact credit agencies to put a fraud alert in place.
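
The flood of spam described above works because the bank's password-change email is buried among thousands of junk messages. The sketch below is an added example, not part of the original article: it checks a batch of raw emails for a burst and pulls out the bank security notices that passed the receiving server's DMARC check. The domain `bank.example`, the keyword list, the burst threshold and the sample inbox are all assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

TRUSTED_DOMAINS = {"bank.example"}   # assumption: your bank's sending domain
KEYWORDS = ("password", "sign-in", "new device", "contact information")
BURST_PER_MINUTE = 50                # assumption: tune to your normal mail volume

def triage(raw_messages):
    """Return (flood_detected, subjects of authenticated bank security notices)."""
    per_minute, notices = Counter(), []
    for raw in raw_messages:
        msg = message_from_string(raw)
        when = parsedate_to_datetime(msg["Date"])
        per_minute[when.replace(second=0, microsecond=0)] += 1
        domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
        # From: is trivially spoofed, so also require a DMARC pass. Only trust an
        # Authentication-Results header that your own mail server added.
        auth = msg.get("Authentication-Results", "").lower()
        subject = msg.get("Subject", "")
        if (domain in TRUSTED_DOMAINS and "dmarc=pass" in auth
                and any(k in subject.lower() for k in KEYWORDS)):
            notices.append(subject)
    flood = max(per_minute.values(), default=0) >= BURST_PER_MINUTE
    return flood, notices

def _msg(sender, subject, when, auth="dmarc=fail"):
    return (f"From: {sender}\nDate: {when:%a, %d %b %Y %H:%M:%S +0000}\n"
            f"Authentication-Results: mx.mail.example; {auth}\n"
            f"Subject: {subject}\n\nbody\n")

def sample_inbox():
    """Constructed inbox: 300 junk sign-ups in five minutes plus three bank-looking mails."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    box = [_msg(f"news{i}@list{i % 40}.example", "Confirm your subscription",
                t0 + timedelta(seconds=i)) for i in range(300)]
    box.insert(137, _msg("alerts@bank.example", "Your password was changed",
                         t0 + timedelta(seconds=137), "dmarc=pass"))
    box.append(_msg("alerts@bank.example", "Password reset required",
                    t0 + timedelta(seconds=200)))   # spoofed From, fails DMARC
    box.append(_msg("alerts@bank.example", "Your statement is ready",
                    t0 + timedelta(seconds=250), "dmarc=pass"))
    return box

if __name__ == "__main__":
    print(triage(sample_inbox()))
```

A hit is a reason to call the bank using the number on the back of your card, not to click anything in the message itself.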