Someone I know got robbed without ever being close to the robber. It wasn’t one of the usual scams where someone convinces you to send money to a stranger. It wasn’t obvious how it happened. It took a while to understand it well enough to know how to prevent it from happening again. The thief logged in to all of the victim’s bank accounts long enough to do an irreversible Zelle transfer of all available funds to some unknown destinations.
Now what? Both banks said that they didn’t see any problem, since the thief logged in as an authorized user and authorized the transfers. They were no help. I would name names here, but honestly, that could be any bank’s response. Zelle transactions are all “push” transactions in that they can only be initiated from the sender after authenticating with the bank. So the bank was convinced that the thief was actually the victim. More precisely, the bank’s computer system was convinced.
So how can a thief convince a bank that he or she is you? The same way you convince the bank: with your username, password, and possibly some form of two-factor authentication (2FA).
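As an added illustration (not from the original post, and not any bank’s actual logic), here is the kind of risk check a bank’s system could apply before honoring a push transfer, so that a successful login is not by itself taken as proof that the sender is the customer. The device ids, recipient names and amounts are constructed sample values.

```python
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Transfer:
    """One outgoing (push) transfer requested by an authenticated session."""
    session_device_id: str          # fingerprint of the device the session came from
    known_device_ids: Set[str]      # devices this customer has used before
    password_reset_hours_ago: Optional[float]  # None if no recent credential reset
    recipient: str
    known_recipients: Set[str]
    amount: float
    available_balance: float


def risk_flags(t: Transfer) -> List[str]:
    """Return the reasons this transfer looks like an account takeover.

    A valid login only proves that someone holds the credentials (or a stolen
    session); these signals compare the session and the transfer with the
    customer's own history instead.
    """
    flags = []
    if t.session_device_id not in t.known_device_ids:
        flags.append("new_device")
    if t.password_reset_hours_ago is not None and t.password_reset_hours_ago < 24:
        flags.append("recent_credential_reset")
    if t.recipient not in t.known_recipients:
        flags.append("new_recipient")
    if t.available_balance > 0 and t.amount >= t.available_balance:
        flags.append("drains_available_balance")
    return flags


def decision(t: Transfer) -> str:
    """Map the flags to an action: allow, hold for out-of-band confirmation, or block."""
    flags = risk_flags(t)
    if "new_device" in flags and "drains_available_balance" in flags:
        return "block"
    if len(flags) >= 2:
        return "hold"
    return "allow"


# Constructed sample events: the customer's usual rent payment, and a transfer
# like the one described, made from a never-seen device shortly after a reset.
KNOWN_DEVICES = {"phone-a1"}
KNOWN_RECIPIENTS = {"landlord"}
USUAL = Transfer("phone-a1", KNOWN_DEVICES, None, "landlord", KNOWN_RECIPIENTS, 1200.0, 5400.0)
TAKEOVER = Transfer("laptop-zz9", KNOWN_DEVICES, 2.0, "unknown-payee", KNOWN_RECIPIENTS, 5400.0, 5400.0)
```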
Security Weak Links
Before we could effectively kick the thief out, we had to guess how he or she got in. Some ideas came to mind:
- Password reset mechanisms for the banks rely on email and/or text messages being secure. Compromising either of these can result in bank account takeover.
- Passwords, even good ones, can be intercepted by malware or shoulder surfers.
- Passwords can be intercepted in transit or captured by a fake web site.
- Cookie-stealing malware can bypass 2FA and login requirements.
- Smartphone SIM cards can be duplicated or swapped.
- On iOS, taking over an Apple ID account can result in interception of all text messages, sometimes without the user noticing.
- There are others… some of which we can guess, and some of which we cannot.
Now What?
Some of the things we did to recover were in response to the above, and some were just standard recovery practices or good security practices that we were doing already. These are listed together, as part of what we did to kick the thief out and stop the losses:
- Changed passwords and PINs for bank accounts.
- Changed password for email account. Logged out all currently logged-in devices. (Found one device logged into email that didn’t belong. This may have been the initial point of entry.)
- Changed password for Apple ID account and logged out all other devices.
- Changed phone SIM and phone number, and updated accounts with the new phone number.
- Closed both empty bank accounts and opened a new one at a different bank.
- Checked devices for malware.
- Deleted apps that weren’t needed on the smartphone (to reduce attack surface).
- Made sure new passwords were long, random, and unique.
The Standard Stuff (Already Doing This)
- Use a good password manager (so you can use long, random, unique passwords). The password for this (and whatever you use to log in to what you run it on) has to be strong and something you can remember. If your password manager supports 2FA with a hardware key, that is awesome.
- Keep your software updated with security updates.
- Use good anti-malware software.
- Don’t engage with suspicious emails or texts. Beware “pig butchering” texts.
- Lock your smartphone, and don’t let others use it unless you trust them with your bank keys.
- Pray. (This should actually have been mentioned first, not last.)
The Bottom Line
We need not live in fear, even though we live in a fallen, sinful world. God is our provider. And I thank God that the theft mentioned above did not leave the victim destitute. It is still wise to take reasonable precautions to protect the assets God has put in our care to make sure they are used for His glory.