5 Tips to Avoid Being Ripped Off

“Anyone that uses the same or similar password at their bank that they used at LinkedIn, for example, is at risk.”
— Chris Prosise, UT Austin, Computer Security Instructor

I was ripped off this week. 

I won’t mention any names of the financial institutions involved, as there are investigations currently ongoing and I don’t wish to unfairly blame anyone. I'm angry, worried, and even fearful that if someone can get past what I feel are pretty good security precautions (random passwords, secondary PINs, security questions, etc.), how can I ever be sure I'm completely safe? In short, I don't think any of us can ever be totally sure of anything, but perhaps my tale will offer some insight into how you can avoid becoming a victim.

This isn’t the first time that a thief has stolen from me. Twenty years ago, Cindy (my wife) and I went to a small party on a Saturday night at a friend’s house. We knew everyone there, at least casually. When we arrived, the host suggested that Cindy put her purse in a spare bedroom where other guests had already stashed theirs.

The next morning, Cindy and I went out for brunch and decided to go by Home Depot to get supplies for some household project we were working on. When she reached into her wallet to pay, there was a similarly colored but rarely used library card that normally hid in the back of her wallet placed where her debit card normally resided. She looked through her wallet and purse, but the debit card was nowhere to be found. I used mine, and we called the bank when we got home.

It turns out that the thief that took the card had already run up a couple of thousand dollars of debits at many of the same stores that we frequented. The bank cancelled the card and sent us an affidavit to sign declaring that the charges weren't ours. After a week or so, they refunded our account. Thankfully, we had enough money left to pay our bills while we waited.

Mainly due to that experience, we have primarily used credit cards that seem to offer more protection in case of loss or theft. Financial institutions, unfortunately, have increasingly made the use of debit cards mandatory. One of our brokerage companies recently terminated a relationship with American Express and forced us to convert to a Visa debit card for accessing cash in our account. Another cancelled a pre-paid debit card service for our kids and required us to get debit cards for them. This is where the most recent story begins.

My 15-year-old daughter has a checking account with one of these debit cards attached. Her checking account is linked to her savings account at the same institution. A few years ago, we linked up her savings account with an electronic link to our checking account at another institution so that we could easily add funds from time to time.

Earlier this week, I received a notice from my daughter’s bank that there had been a $5,000 transfer into her savings account from my checking account. After confirming with Cindy that she hadn’t done it, I called the bank to inquire. While I was on the phone with the bank representative, I noticed that the funds had already been transferred to my daughter’s checking account and that there had been several ATM withdrawals wiping out the account all in the same day.

When I asked how they were able to use the ATM, the bank told me they had overnighted me a new ATM card to an address in the Dallas area last week. Oh, then they offered to credit me back the $8 they had charged my daughter’s account for the “expedited shipping” of the ATM card to the thief. How thoughtful!

I eventually got a manager on the phone and had the bank freeze all money movement into or out of the account while we sorted out what happened. Or so I thought.

Then, yesterday, as I powered up my phone after an early morning flight, I had an email alert that there had been another $5,000 transfer while I had been in the air. Here’s the good part. When I called the bank, they told me that the fraudster had called in the day after I had the freeze placed on the account and convinced them that he was me and the fraud claim was a mistake. They then lifted the freeze allowing the second transfer. Even crazier, while I was on the phone with them reporting the second theft, the fraudster called in again asking to have the freeze removed so his “daughter” could use the ATM.

That the bad guy was able to provide enough information about me and my account to convince the bank they were me, even after I had reported the first fraud, raised many questions about my soon-to-be-former bank’s risk management processes and algorithms. I also wondered if I may have inadvertently done something that had given the thief access to my personal information.

So, I reached out to Chris Prosise, who teaches computer security at the University of Texas, for some tips on protecting myself.

“Targeted attacks against individuals are not new, but in the past have focused on higher value targets to the risk/reward for the attacker. This type of attack, which requires an attacker to gain valid credentials, a phone conversation with the bank, a valid mailing address for the ATM card, and physical presence at the ATM is especially troubling,” he said.

He explained that while $5,000 may seem like a lot to me, it is a relatively low payoff for all the effort required. He then offered a few suggestions to lower my risk.

  1. Avoid “Free Wi-Fi”. Airport and hotel Wi-Fi networks are generally unsecured and, in some cases, spoofed by criminals to get your login credentials. Your phone’s hotspot is preferable to public Wi-Fi.
  2. Secure your machine. This can range from safely storing your device, using a password on the computer, to regularly running security software to check for malicious content.
  3. Randomly Generated Passwords. Use randomly generated, complex passwords. Applications, such as LastPass, can generate passwords and store them securely.
  4. Two-Factor Authentication (2FA). If your financial institution offers it, add this feature to your account where you will be asked to verify a logon with a call, text, or application on your phone. You should also consider adding this feature to your email accounts. You can visit twofactorauth.org to see what the most secure 2FA option is for virtually any site that you visit.
  5. Never Re-Use Passwords. According to Chris, hackers have access to millions of valid credentials from formerly hacked websites. “Anyone that uses the same or similar password at their bank that they used at LinkedIn, for example, is at risk,” Chris said.

Even though I consider myself pretty careful, I hadn’t practiced all of Chris’s suggestions until this week. Let my loss be your lesson. If you have questions or concerns about how ATX Portfolio Advisors protects your information, the security guarantees offered by our custodians, or if there are any steps you can take to be better protected, get in touch.