Warning Bank Fraud

Thanks for posting this Craig. These guys are bastards. I just went over this with my wife too. Will talk to my mom and dad as they’re retired and living in Florida. I have heard Florida is #1 for scam targeting due to elderly people with money. Some identity thieves put my parents through a bunch of bullshit a few years ago but got nothing.
 
Sorry this happened to you.

Just a reminder to everyone: please use strong passwords and please please please use two-factor authentication for log-in purposes, especially for email, banks and PayPal. Not just a password, but a 6-digit code that changes every minute or so, using an RSA token, Google Authenticator or some other secure two-factor system. It is by no means 100% bulletproof, but it makes it almost impossible for someone to hack your log-in, since your password is not enough to get in.

And never ever talk to the “bank” or anyone else that calls you. Always always always call back, using the phone number you trust.
 
What's the process like for getting your funds back??
Not entirely sure at this point. I filed the claim - they closed that account and opened a new one. They initiated a reverse wire to the destination bank. The woman I talked to was not privy to the actual details of when (or if) I would get my funds back. I am expected to receive a return phone call from the claims investigation team in 24 hours. Thank goodness it was just my Wells Fargo account and not the high yield savings account as I do not check that account frequently enough. I've done some research online and it isn't 100% clear - but it looks like on a personal account I *might* be protected. Fingers crossed.
 
I’ve had two fraud claims and both times the bank had a 10 day investigation period before refunding the money. The second claim took longer because of the requirement that the old account be closed and it received direct deposits and couldn’t be closed until the dd hit.
 
I'm paranoid now. I just called my bank to ask about the wire I sent today because it looks like it was going to be sent twice. They sent a code to my cell to verify it was me calling them and I told him about this story and didn't give him the code even though I called them. :cautious: Ended up verifying another way.
 
I second @gopherblue with the suggestions of using two-factor authentication on everything that is money related; however, please note that text messages (SMS) are no longer considered a secure method of communication. If you have an opportunity to move to another product, do it.

2 years ago I participated in a project in a private bank in Geneva to introduce strong authentication and we narrowed down the choices to dual authentication based on smartphones, smart cards and token OTP (the last 2 are good but you have to handle an extra device).
 
This is scarily sophisticated fraud. Thanks for the heads up; with the setup you described, I think I might have read the code back also.

And best of luck getting those funds back
 
Use a unique, complex password on all sites. Never reuse a password.

So in this instance, it’s very possible a completely separate site had a data breach of account emails and passwords. Then the scammers take those emails and passwords, then run against bank sites until they find some that work.

Every account should use a distinct password.

And run your passwords against the hacked known password lists too. If they’re known, don’t use them.

Use lastpass or other password management tools to create and store the passwords for you.
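The "run breached emails and passwords against bank sites until some work" pattern is credential stuffing, and it has a recognisable shape in a bank's login logs: one source address trying many different accounts in a short time. As an added example (not from the poster or any particular bank), here is the detection logic a defender would run over such logs, with a constructed sample log embedded inline; the IP addresses, user names and format are invented for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of login events: timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2024-03-01T09:00:01 203.0.113.7 alice FAIL
2024-03-01T09:00:02 203.0.113.7 bob FAIL
2024-03-01T09:00:02 203.0.113.7 carol FAIL
2024-03-01T09:00:03 203.0.113.7 dave OK
2024-03-01T09:00:04 203.0.113.7 erin FAIL
2024-03-01T09:00:05 203.0.113.7 frank FAIL
2024-03-01T09:05:00 198.51.100.20 alice FAIL
2024-03-01T09:05:09 198.51.100.20 alice FAIL
2024-03-01T09:05:30 198.51.100.20 alice OK
"""


def parse(line):
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user, outcome


def stuffing_sources(log_text, window=timedelta(minutes=5), min_users=5):
    """Flag source IPs that attempt logins for at least `min_users` distinct
    accounts inside any `window`: a user mistyping their own password hits one
    account repeatedly, a stuffing run walks through many accounts once each."""
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    by_ip = defaultdict(list)
    for ts, ip, user, _ in events:
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end, (ts, _) in enumerate(attempts):
            while ts - attempts[start][0] > window:  # slide the window forward
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = max(len(users), flagged.get(ip, 0))
    return flagged


def compromised_accounts(log_text, flagged):
    """Accounts that logged in successfully from a flagged IP: these are the
    reused passwords the thread warns about, and the ones to reset and notify."""
    hits = set()
    for line in log_text.splitlines():
        if line.strip():
            _, ip, user, outcome = parse(line)
            if ip in flagged and outcome == "OK":
                hits.add(user)
    return sorted(hits)
```

In the sample, the first address tries six different accounts in five seconds and gets into one of them, while the second address is just one user getting their own password wrong twice.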
 

I’m a huge fan of LastPass. I don’t have to remember any passwords anymore and everything is way more secure. I also love its two-factor authentication.
 
Use a unique, complex password on all sites. Never reuse a password.

So in this instance, it’s very possible a completely separate site had a data breach of account emails and passwords. Then the scammers take those emails and passwords, then run against bank sites until they find some that work.

Every account should use a distinct password.

And run your passwords against the hacked known password lists too. If they’re known, don’t use them.

Use lastpass or other password management tools to create and store the passwords for you.
I do use unique and random 32 character passwords for every site. So how the access into my account happened in the first place is the unknown.
 
Use a unique, complex password on all sites. Never reuse a password.
Technically correct but practically impossible and a horrible user experience.
I strongly believe that "passwords are dead".

Can you imagine senior citizens trying to write down a 16-character-long password that looks like T*73Hr"p5.g5;>&j ?
If they do not lock their account at the 3rd error, they will have a session expired at the 2nd attempt :)
 
Technically correct but practically impossible and a horrible user experience.
I strongly believe that "passwords are dead".

Can you imagine senior citizens trying to write down a 16-character-long password that looks like T*73Hr"p5.g5;>&j ?
If they do not lock their account at the 3rd error, they will have a session expired at the 2nd attempt :)

No in fact that’s even worse. That’s why you have password management do it for you.
 
So how the access into my account happened in the first place is the unknown.
Some examples (list not exhaustive):

- I can have your passwords if you use an open Wifi (i.e. Airport, Starbucks, etc.)
- I can have your passwords if I have access to your network (i.e. at your office, at work, etc.)
- You can give away your password if you were targeted with phishing
- You can give away your password if you were targeted with malware
- And anyone can subscribe to HaaS (hack as a service)
 
I like the use of FIDO keys for the second factor. They would have stopped this hack.

The key needs to be plugged into the machine trying to authenticate, or connected via Bluetooth. A person on the phone can’t bypass this.
 
I think you did well to catch this the same day. If you had only found out when balancing the statement or when checks started bouncing, it likely would have been too late. Wire transfer technology is way behind the technology curve. Slow, hard to initiate, subject to all sorts of communication faults and little safeguards to protect against fraud / mistakes. Wires are one of the few transactions where the customer has little or no way to recover from fraud - once the money is gone, it is available for withdrawal and can be essentially impossible to recover.

There is a lot to be said for doing business with small banks / investment firms. The effort to crack a three branch bank is not likely much less than cracking a major financial institution and thus hardly worth the effort. My relationship is personal and very close by. I do not bank commercially via the internet - in this matter I find old school is best.

As for strong passwords, @1A25R is right on the money. Sixteen characters of unique gibberish is a PITA, especially for us old folks. God help me if I need a password for something I use once every couple of years.

No one has mentioned "Wells Fargo" as part of the problem, but I think this merits discussion. Wells Fargo has been a unique problem in the banking world. It does not surprise me at all to hear that bank linked to internal security problems leading to bank fraud. You could hardly do worse . . . Just saying.

Good luck getting your funds restored. Let's hope for the best -=- DrStrange
 
That’s why you have password management do it for you.

Today we use more than one device and we are mobile.
Storing passwords is not the problem (as such, seniors write them down on paper).
The bad user experience comes from logging into an application by retyping a complex password from the source that stores your password into the application that you want to use.

A password management in the cloud? Hum.. that's not safe either :)
 
My bank will actually include the transaction amount and target bank account number along with the verification code in the texts they send.
Might want to suggest that to your bank...

- I can have your passwords if you use an open Wifi (i.e. Airport, Starbucks, etc.)
Way to counter this: use a VPN tunnel to a trusted endpoint whenever using public Wifi.
I have a NAS and another tiny server at my home and am lucky to have a relatively static IP address. The transfer rate isn't great, forget about streaming videos or shit, but at least I know that my traffic is completely unreadable by eavesdroppers until it has been routed to "safe grounds".
 
Complexity of a password isn’t as important as a lengthy but arbitrary password. If they’re going to brute force their way into your account, it won’t matter how many symbols or capitalized letters you use, so many experts now just say if you’re not using a PW management system, pick a phrase that you’ll remember instead of a complex string of randomness you won’t remember.
 
Complexity of a password isn’t as important as a lengthy but arbitrary password. If they’re going to brute force their way into your account, it won’t matter how many symbols or capitalized letters you use, so many experts now just say if you’re not using a PW management system, pick a phrase that you’ll remember instead of a complex string of randomness you won’t remember.


https://xkcd.com/936/

I have however noticed that banks often arbitrarily limit the length of passwords you can set.
 
So sorry to hear man. I work in banking and this is a new trend. Fraudsters spoof numbers and have intricate measures in place to make you believe they are legit. As Mongoose said folks, ALWAYS hang up and call the number on the back of your bank card.
 
Some examples (list not exhaustive):
- I can have your passwords if you use an open Wifi (i.e. Airport, Starbucks, etc.)

What does this mean? I store passwords in a password app. You gain access to my apps? If so, how do you get the passwords from the app? Or anywhere else they are stored?
 