Online security holes put your money at risk

Recently, my bank accounts were hit by an identity thief who used access to my online bank information to create fraudulent checks drawn against my account. Anyone who knows how checks work knows that they are just about the least secure method of payment after cash. Since I never really trusted checks, I set my bank accounts up so that I had one checking account to store my cash that would receive all of my deposits and a second account from which I made payments. I never ordered checks for the deposit account.

I thought this would mostly keep me safe, but identity thieves are clever and found a way around this limitation.

The first step was to gain access to my online banking information. This can be accomplished in any of a number of ways. One way is through a Trojan horse virus that captures your account credentials and sends them to the crooks. Another method is to either hack into public wi-fi or to set up fake free wi-fi hotspots and catch people using their mobile devices. The third way is probably the most common: simply hack into one website, get its usernames and passwords, and then try those combinations at the websites of major banks, email providers and other services.

If they gain access to your email account, the password reset features on many websites allow them to gain access through an email link. Some have security questions, but things like mother’s maiden name and favorite color are easily guessable.

Once they gain access to your bank account, the next step is to download images of your checks. The check has all the information a thief needs, the routing and account numbers. In my case, the thieves took a check from the nearly empty bill payment account, which happened to be a joint account, removed the account number and replaced it with the account number of the larger account. They created a fake check, and even lifted my wife’s signature to add to the realism.

You are probably thinking that no teller would cash such a check. You would be correct, except they didn’t cash it through a teller; they deposited it through a bank’s mobile app on an internet-only account at an online bank. A fake check printed out on paper looks exactly the same as a real check. All those anti-fraud features that are common in modern checks are irrelevant in an image, so the computer accepted the check for $1950, $50 less than the maximum this bank allowed for mobile deposit.

The next day, my account was hit by another check of the same amount, $1950. Luckily, I had caught this by that point and had the accounts shut down and the debits challenged. Even though they cashed a check against the wrong account name with a signature for a person that wasn’t authorized to access my individual account, the bank had us sign affidavits and is still holding our money until the investigations can be resolved. I hope and expect that we will get the nearly $4,000 back, but I also thought I could trust the bank not to let such a shady mobile deposit go through with no obvious checks.

How can you reduce your risks?

You can never be 100% safe from criminals. Even government officials and agencies get hit by hackers when they are specifically targeted, but that does not mean you cannot limit your exposure.

  1. Stop using open public wi-fi.  Public networks are like disease vectors. No matter how clean and careful you are, exposure to something used by people with corrupted systems puts you at risk. For one thing, how do you even know the wi-fi you’ve connected to isn’t a scammer’s? SSL gives you some protection, but there are ways of hacking it, especially if you ignore warnings about invalid certificates. A VPN is the only way to be secure, but few people use this more complicated technology.
  2. Limit the devices you use to access your bank accounts.  The more devices you use to log into your accounts, the more points of failure there are for security. Ideally, use one device and make sure that device stays current on security patches and is routinely scanned for viruses like Trojan horses.
  3. Use unique usernames and passwords for all accounts.  Most people hate memorizing passwords, so they often use the same username and password on as many accounts as possible. The problem is that if any of those accounts fails to use proper complex hashing of its password information, it is trivial for a hacker to crack the passwords. Once a combination is known, they will try it at every financial site they can until they gain access to something. Remember, this isn’t a live person doing this; these are distributed computer systems that have been compromised around the world, so the attempts are relentless and computers are patient. If you use a different username and password for each site, the hacking of one system cannot give crooks access to everything you have.
  4. Only use banking websites with multi-factor authentication.  A username and password combination is a single factor and can be stumbled upon by a brute force process or otherwise hacked as mentioned above. You can add a second factor by requiring another type of authorization, such as a smart card, a fingerprint, restricted IP addresses or a key fob that displays random numbers that must be entered at login. The type used doesn’t really matter, as long as there is some independent credential that prevents the accidental release of a password to the wrong person from jeopardizing your security.
  5. Change your password often.  Yes, it is a pain, but if someone gains access to your account and you change your password, they lose that access. Cyber-thieves are patient and will bide their time if necessary, because it is computers doing the waiting. If you have trouble keeping track, use a password keeper like 1Password. It does the heavy lifting of keeping your passwords straight, but you still need to make sure your systems are secure.
  6. Use longer passwords.  Complexity is not as effective as length in keeping your passwords secure. Websites should allow you to enter long passwords if they are serious about security. Longer passwords are easier to remember and harder to crack than short ones. One way to create a longer password is to take 5 random words and add a random defect. For example, compare “left onion hurriedly Spain doughnuts” to “Black#2w”. The first one is so long that a pure brute force attack would take literally forever, and a dictionary attack would take a long time as well, because even if you left off the character substitution, the Oxford English Dictionary has around 170,000 words. If the 5 words are selected randomly, there are 140 trillion-trillion combinations. An 8-character “complex” password only has around 1,700 trillion combinations, and if we use the dictionary search idea, the password in my example only has about 87 billion.
  7. Don’t use checks.  Every check you write is another potential security breach. Each check is imprinted with enough information to draw against your account, and with the advent of mobile banking apps, the problem has expanded exponentially. People no longer have to ever go into a bank; they can open accounts online and commit check fraud with no risk to themselves.
  8. Use a smaller local bank.  Macon has a number of smaller local banks like Robins. Smaller banks are less of a target since crooks want high-percentage targets. Smaller banks are also less likely to have 2-hour hold times to reach an offshore security help desk when there is a problem.
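To make the arithmetic behind item 6 concrete, here is an added example (not code from the original post) that computes the search spaces the post compares and the time an attacker would need to exhaust them; the guess rate of 1e10 per second and the 95-character printable alphabet for the short password are assumptions, and the tiny wordlist at the end is constructed for illustration.

```python
# Added example: guessing work for a 5-word passphrase versus an 8-character
# "complex" password, using the post's 170,000-word dictionary figure.
import math
import secrets

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def brute_force_space(alphabet_size: int, length: int) -> int:
    """Candidates for a password of `length` symbols drawn from `alphabet_size`."""
    return alphabet_size ** length


def passphrase_space(dictionary_size: int, word_count: int) -> int:
    """Candidates for `word_count` random words from a known dictionary.
    This is the dictionary-attack view: the attacker knows the scheme."""
    return dictionary_size ** word_count


def entropy_bits(space: int) -> float:
    """Search space expressed as bits of entropy (log2 of the candidate count)."""
    return math.log2(space)


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def generate_passphrase(words: list, word_count: int) -> str:
    """Pick words with a CSPRNG so the entropy estimate above actually holds."""
    return " ".join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    rate = 1e10  # assumed offline guess rate against a fast, unsalted hash
    # Post's figures: 170,000-word dictionary, five randomly chosen words.
    phrase = passphrase_space(170_000, 5)
    # "Black#2w": 8 symbols; 95 printable ASCII characters is our assumption.
    short = brute_force_space(95, 8)
    for label, space in (("5 random words", phrase), ("8-char complex", short)):
        print(f"{label}: {space:.2e} candidates, {entropy_bits(space):.1f} bits, "
              f"{years_to_exhaust(space, rate):.2e} years to exhaust")
    # Constructed wordlist for demonstration; a real one has ~170,000 entries.
    print(generate_passphrase(["left", "onion", "hurriedly", "Spain", "doughnuts"], 5))
```

The 5-word passphrase comes out near 87 bits and hundreds of millions of years at the assumed rate, while the 8-character password is about 53 bits and falls in days, which is the post's point that length beats complexity.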
