Strong passwords and two-factor-authorization gave me a false sense of security … lessons learned!
===============
Cutting to the chase: a perp breached my B of A account and withdrew a statistically significant amount of money.
Here’s the story as I’ve been able to piece it together…
Somebody (in Ft Worth TX) “bought” a new phone on my Verizon account and activated it to “hijack” my cell phone number.
It’s not clear to me how he did it.
It appears that he bought the phone in a Verizon store (though some Verizon reps say it was an online purchase).
My questions…
If a store purchase, why didn’t somebody check his photo ID and notice that the account has a Maryland address … not a Texas address?
If an online purchase, he might have illicitly got his hands on my ID and password, but how did he get by the “challenge question”?
=============
My theory of the case:
The perp downloaded the Bank of America app to the hijacked phone, signed on to B of A and clicked the “forgot ID & password” button. B of A sent my 2FA code to the hijacked phone … which allowed the perp to access my B of A account … changing the password and processing transactions.
My B of A “connection log” does show transactions via the B of A app … which I have never even downloaded.
B of A did send me email alerts about “User ID lookup” and “Password changed” … but I didn’t notice them until about an hour after-the-fact … and, it took me another hour to finally get through to B of A’s fraud department.
In the 2 “open season” hours, the perp made 2 withdrawals from my B of A account: an online funds transfer and a branch bank cash withdrawal.
Again, all of this is happening in Fort Worth TX … it’s not clear to me why the branch didn’t check a photo ID and take notice of the account’s Maryland address.
Once I connected with the fraud department, they froze my account and started the process of reversing the fraudulent transactions.
I’m confident that B of A will make me whole. I’ll keep you posted on that.
Since my account is now frozen (for 6 months, deposits ok but no outflows), I had to open a new account.
That sounds simple enough, but …
Opening a new account means:
- Changing the delivery instructions for all of my direct deposits (e.g. Social Security and retirement “checks”)
- Restoring my list of “Bill Pay” accounts
- Changing instructions for a couple of recurring direct debit charges (e.g. medical insurance)
That all sounds easy enough, but trust me, it’s a frustrating and time-consuming process … and I’m sure some things will fall through the cracks.
The bad news: Getting to the “right” customer service reps is a challenge.
Many are “above my pay grade” or “not my department” people … some speak with practically unintelligible accents … some sound like they’re using fast-food drive-thru speaker technology to communicate.
The good news: While it took many calls to get to them, several of the Customer Service reps were fantastic.
They obviously knew what they were doing … they spoke clearly … they were patient with “dumb” questions … they knew how to “work” their company’s systems … and they “got it done”.
=============
My biggest takeaway
Our IT director at Georgetown frequently reminded me that cell phones are the weakest security link … and strongly advised not using them for online transactions.
I don’t use my phone for online transactions … and I never dreamt of my phone number being hijacked … and, I didn’t even consider the implications (e.g. 2FA codes going to the hijacked phone number).
=============
Some action items
Some things that I’m doing:
1. Tightening security on my cell phone account.
2. Changing (and strengthening) all financial account passwords.
3. Activating 2FA for all accounts (after being sure that #1 is done).
4. Updating accounts’ contact information (especially fraud dept. phone numbers) for all financial accounts.
Trust me, #4 is easier to do before, not during, a hack when nerves are frayed.