The Money Mustache Community
Other => Off Topic => Topic started by: GuitarStv on January 24, 2019, 11:17:13 AM
-
Yesterday while at work I got a phone call from our bank, asking me if I had sent an email money transfer to Beata Halabis. I said that I didn't know anything about it and asked them to stop the transfer. I logged into my email account and saw two messages indicating that Beata Halabis had accepted 3000$ that I had sent him (her?).
I called back our banks fraud and security division (45 minute wait on hold BTW). The person I was talking with said that the 3000$ is gone, and that the fraudster must have had my password, account number, and bank card number. My wife and I share an account, but it was specifically stolen using my card information, not my wife's. They're doing an investigation, and it sounds as though I'm likely to be refunded the money stolen from me.
I've been trying to figure out how this happened.
I was using a 12 digit password that is a mix of random alphanumeric (capital and lower case) characters and digits. I have never used this password to access any other website. I don't ever click on phishing links or give personal information out over the phone and only log in to the bank website after I type their address in the title bar of my browser. I only do internet banking on my home PC (running windows 10), with up to date updates and virus protection.
Is there something else that I should be doing?
-
Maybe a card-skimmer?
This is something that they put on ATM's so that it can read your card info as well as your password.
Change your password for the card asap.
https://www.thebalance.com/how-credit-card-skimming-works-960773
-
Maybe a card-skimmer?
This is something that they put on ATM's so that it can read your card info as well as your password.
Change your password for the card asap.
https://www.thebalance.com/how-credit-card-skimming-works-960773
I've asked the bank to freeze my account while they are issuing me a new card. My password and PIN has already been reset and will be changed again when I get the new card. It sounded like the password they were using was for online banking only, not the PIN for the card though. I'm really struggling to figure out how my information got out there though.
-
Wow. Do everything right and still get ripped off. I'm interested to hear any theories (or an explanation from the bank) as to how this could have happened.
-
Wow. Do everything right and still get ripped off. I'm interested to hear any theories (or an explanation from the bank) as to how this could have happened.
It has made me wonder if the bank itself may somehow be responsible for the security breach.
I was also kinda wondering why they let irretrievable and suspicious interac email money transfers go out from my account and then contacted me about them, rather than simply hold them up for a few hours first while they check if they're legit or not first. Seems a bit bass-ackwards.
-
Have you done a recent virus scan on the device you use to access the account?
I'm leaning towards the bank as the issue. But you never know.
Here's hoping the problem is over...
-
Have you done a recent virus scan on the device you use to access the account?
I'm leaning towards the bank as the issue. But you never know.
Here's hoping the problem is over...
Yesterday after they called me I turned off Windows Defender (which I had been using) and downloaded Malware Bytes for a full system scan. Then after it found nothing, I uninstalled it and repeated with BitDefender. Again, nothing.
-
That sounds like the bank may be the source of the breach. You may want to let them know that this password has not been used on any other accounts, that the device you use to access the account is clean, and that you haven't had any weird emails/phishing links recently. It's worth it to them to make sure that their security isn't compromised, for sure.
-
It was also weird because, like I said (45 min wait), the fraud prevention guys seemed to be very busy yesterday . . . which makes me wonder if there were many customers effected by similar. Likely I'll never know.
-
I've had fraudulent charges on 2 of my credit cards in the last month. After the first time, I set up notifications for every account I own to send me an email notification when funds are leaving the account. The 2nd time it happened, I was in one city when I got an email saying my card was being used in a different city's grocery store. Was a quick call to get that card cancelled, reissued and refund made to the card. It's too easy for this stuff to happen, but at least there are protections in place to not be liable for the charges.
All but 3 of the charges were very innocuous and someone who doesn't monitor their charges closely may very well have missed them. My bank didn't alert me of any suspicious activity in either case. I've had better luck with Chase taking a proactive approach to suspicious charges in the past.
-
If you talk to an IT firm, they can do a dark web scan for your user name and see if it is on there with any of your passwords. It won't always tell you where it was stolen from but sometimes it will. I wouldn't try doing this yourself though because you don't want to look like you are trying to get that information for nefarious purposes.
-
Did you check if you've been pwned?
https://haveibeenpwned.com/Passwords (https://haveibeenpwned.com/Passwords)
-
what bank? I have a friend that works exclusively in cyber for things like finding large company vulnerabilities. He usually can't tell me what it was but he knows who we have accounts with and if he sees something before it becomes public usually hits me up with a change your password NOW. I can ask him. Also, could be a newer key logger and if you keep blue tooth on, or connect to public wifi it would be easy for someone to upload without you knowing it.
-
and totally get you not wanting to say who it is. But is it one of the big five, BoA, Citi, Chase, JP, or Wells? and I can ask that.
Wells got hit with a major breach, but that was largely mortgage related.
-
All but 3 of the charges were very innocuous and someone who doesn't monitor their charges closely may very well have missed them. My bank didn't alert me of any suspicious activity in either case. I've had better luck with Chase taking a proactive approach to suspicious charges in the past.
Sometimes there will be a small charge testing the waters before selling the stolen info to be used for a big attempt.
Did you check if you've been pwned?
https://haveibeenpwned.com/Passwords (https://haveibeenpwned.com/Passwords)
Thanks for sharing.
-
A coworker and her husband have both had this happen multiple times between the two of them, they have separate accounts. It's a small bank. My guess is debit card was how the thieves gained access. I have had charges on my credit cards but since I very rarely use my debit cards I haven't had any problems with my bank accounts. One cc was accessed right after I activated it, I never even used it before it was compromised.
-
1. The breach was probably on the bank's end.
2. They'll never own up to it unless they're publicly exposed.
3. They didn't stop your transfer because the basic authentication was there. One transaction among millions is going to get lost in the shuffle and simply paying you back is faster and less expensive than worrying about your security as an individual. If they know they were breached they'll fix it internally and not tell anyone.
-
Ping Brian Krebs at Krebsonsecurity.comvia his web site or Twitter. He’s a former wsj cybersecurity reporter and well connected. Always finds out if it’s a systemic bank issue or may have some advice on what he thinks happened.
-
Did you check if you've been pwned?
https://haveibeenpwned.com/Passwords (https://haveibeenpwned.com/Passwords)
Not saying you're a bad actor or anything BUT
I go to this legitimate(?) website which may put a cookie or whatever on my laptop, which might have other nefarious software in the cookie that looks for saved usernames in my browser, and then I type in all my passwords to check if I've been pwned (so the these guys now have a record of my passwords)??????
Seriously, criminals could not have come up with a better way of gathering login details if they tried....
-
Did you check if you've been pwned?
https://haveibeenpwned.com/Passwords (https://haveibeenpwned.com/Passwords)
Not saying you're a bad actor or anything BUT
I go to this legitimate(?) website which may put a cookie or whatever on my laptop, which might have other nefarious software in the cookie that looks for saved usernames in my browser, and then I type in all my passwords to check if I've been pwned (so the these guys now have a record of my passwords)??????
Seriously, criminals could not have come up with a better way of gathering login details if they tried....
Whoa, hey! That’s not how cookies work. And haveibeenpwned is a pretty trusted/authoritative source for checking these things. The 1Password password manager actually relies on haveibeenpwned to nag you to change your password if it’s on that list.
-
+1 on checking your email here: https://haveibeenpwned.com/
And your password here: https://haveibeenpwned.com/Passwords
If you're concerned load your browser in incognito mode. Haveibeenpwned never stores accounts and their passwords together. The just allow the list of emails to be searched, and the list of passwords to be searched. That means the password may have actually been attached to someone else's account, but if it's in the list it would still be a good idea to change it.
I've set up two factor authentication for all my accounts, is this an option with yours?
-
Did you check if you've been pwned?
https://haveibeenpwned.com/Passwords (https://haveibeenpwned.com/Passwords)
So, I figured that since the password is now disabled and will not be used again it is safe to check on that site. It says that the password which was being used is not found in their database.
and totally get you not wanting to say who it is. But is it one of the big five, BoA, Citi, Chase, JP, or Wells? and I can ask that.
Wells got hit with a major breach, but that was largely mortgage related.
It's one of the large Canadian banks.
-
Honestly this makes no sense. How would they get your online password?
I'm a cynical guy at times and I wonder if in this case someone called the bank, social engineer their way into your account, and wired out the money. I'm betting the bank is saying it happened another way because the phone representative screwed up the authentication process allowing this to happen, and they'd rather not admit to it.
-
I've set up two factor authentication for all my accounts, is this an option with yours?
As far as I'm aware, this is not an option.
-
I've set up two factor authentication for all my accounts, is this an option with yours?
As far as I'm aware, this is not an option.
Look into this. 2FA should be available for TD, RBC, CIBC, BOM.
-
I've set up two factor authentication for all my accounts, is this an option with yours?
As far as I'm aware, this is not an option.
Look into this. 2FA should be available for TD, RBC, CIBC, BOM.
Interesting. It turns out that my bank does offer this. Strange that their security guy didn't mention it while we were talking.
-
I used to work in a bank and I helped clients with several fraud cases while I was there.
The person I was talking with said that the 3000$ is gone, and that the fraudster must have had my password, account number, and bank card number.
It's normally one or the other. A fraudster doesn't really need your online credentials and your card information. If they have the card information they can make purchases/transfers with the card. If they have the online credentials they can transfer money to another account, and if they had your online credentials they would also have your account number(that is normally visible online).
but it was specifically stolen using my card information
They had your card information. This is MUCH easier to get than your online credentials. It's rare for someone to hack into your online banking if you have a strong password and never share or reuse that password. Stealing card numbers on the other hand is very common.
Potential causes ranked in likelihood:
*Skimmer device at a gas station.
*The POS device at a retailer was hacked(like what happened at Target).
*Online retailer was hacked.
*An employee at a retailer/restaurant who swiped your card stole the numbers. Writing them down would be difficult, but oops they dropped your card behind the counter, and then snapped a photo with their phone as they picked it up.
*Someone with physical access to your card, friends/family, wrote down the numbers.
-
When I saw the title I thought this would be a story about getting robbed in the street then pulling out your semiautomatic pistol and filling up a fool with lead, then, after he’s already dead adding in a few more face shots so his mama can’t have an open casket. Instead, this is a much less gangster thread.
-
When I saw the title I thought this would be a story about getting robbed in the street then pulling out your semiautomatic pistol and filling up a fool with lead, then, after he’s already dead adding in a few more face shots so his mama can’t have an open casket. Instead, this is a much less gangster thread.
This is already pretty exciting for Canadian true crime.
-
When I saw the title I thought this would be a story about getting robbed in the street then pulling out your semiautomatic pistol and filling up a fool with lead, then, after he’s already dead adding in a few more face shots so his mama can’t have an open casket. Instead, this is a much less gangster thread.
This is already pretty exciting for Canadian true crime.
True. Very true.
-
I don't understand why the bank card information is relevant in this case where a fraudulent transfer of bank account funds is directed towards a named individual. I am not aware of any situation where a crook using only a bank card can direct funds from a bank account to a named individual.
The crook can manufacture a bogus bank card with the fraudulently obtained numbers and PIN, however they can only withdraw funds from an ATM or make fraudulent purchases. They're not going to be able to login to your online bank account with just your bank card number+PIN.
The bank card number and the bank account number are normally different, and if they were the same, that seems like a potential security problem, and I'm not aware of any bank that does this.
-
Not trying to be technical but a robbery happens by force or under threat of force. You were a victim of identity theft.
-
Not trying to be technical but a robbery happens by force or under threat of force. You were a victim of identity theft.
That's exactly what you're being :)
This was my first thought about the thread title too, but after consulting the dictionary it looks like "rob" is a synonym for "steal". It has a number of informal uses which are not precise, but would not be incorrect.
-
Not trying to be technical but a robbery happens by force or under threat of force. You were a victim of identity theft.
That's exactly what you're being :)
This was my first thought about the thread title too, but after consulting the dictionary it looks like "rob" is a synonym for "steal". It has a number of informal uses which are not precise, but would not be incorrect.
Or in the more formal sense, the definition is more precise (but may vary between jurisdictions).
Generally, I don't consider this identity theft. To me identity theft involves opening new lines of credit against your credit report. You don't find out about it until you see the new line on your credit report or have bill collectors after you for the debt that you didn't actually take on.
-
Not trying to be technical but a robbery happens by force or under threat of force. You were a victim of identity theft.
Yup.
-
Definitely make sure you have two-factor authentication turned on for all of your financial institutions. I would like to think something like this wouldn’t happen with that in place, but I don’t no. I hope you get your money back.
-
Not trying to be technical but a robbery happens by force or under threat of force. You were a victim of identity theft.
Yup.
The method used to perform the misdeed is as yet unclear (although it may well have been related to identity theft). As has already been pointed out you are both incorrect regarding the meaning of 'rob':
https://dictionary.cambridge.org/dictionary/english/rob (https://dictionary.cambridge.org/dictionary/english/rob)
to take money or property illegally from a place, organization, or person, often using violence
https://www.merriam-webster.com/dictionary/rob (https://www.merriam-webster.com/dictionary/rob)
to remove valuables without right from (a place)
https://www.dictionary.com/browse/rob (https://www.dictionary.com/browse/rob)
to deprive (someone) of some right or something legally due
https://en.oxforddictionaries.com/definition/rob (https://en.oxforddictionaries.com/definition/rob)
(informal, dialect) Steal.
Definitely make sure you have two-factor authentication turned on for all of your financial institutions. I would like to think something like this wouldn’t happen with that in place, but I don’t no. I hope you get your money back.
Yes, now that I know that our bank supports this I've asked to have it enabled on my account.
-
Not according to the Model Penal Code:
Under the Model Penal Code (MPC), a robbery occurs when, “in the course of committing a theft,” a person inflicts or threatens serious bodily injury on or against “another.” The victim need not have a possessory interest in the property.
Since I live in CA, this is what I looked up before I yupped:
California "Robbery" Laws. ... Penal Code 211 PC reads: “Robbery is the felonious taking of personal property in the possession of another, from his person or immediate presence, and against his will, accomplished by means of force or fear."
You don't think I would yup without doing the research, do you?
-
Not according to the Model Penal Code:
Under the Model Penal Code (MPC), a robbery occurs when, “in the course of committing a theft,” a person inflicts or threatens serious bodily injury on or against “another.” The victim need not have a possessory interest in the property.
Since I live in CA, this is what I looked up before I yupped:
California "Robbery" Laws. ... Penal Code 211 PC reads: “Robbery is the felonious taking of personal property in the possession of another, from his person or immediate presence, and against his will, accomplished by means of force or fear."
You don't think I would yup without doing the research, do you?
What gave you the impression that I was referring to the specific legal definition of robbery under Californian law, or under US specific penal code . . . rather than the common language definition of rob?
If someone says that a tomato is a fruit do you correct them by telling them that they're wrong - under US customs regulations a tomato has been defined as a vegetable? If so, why?
-
Not according to the Model Penal Code:
Under the Model Penal Code (MPC), a robbery occurs when, “in the course of committing a theft,” a person inflicts or threatens serious bodily injury on or against “another.” The victim need not have a possessory interest in the property.
Since I live in CA, this is what I looked up before I yupped:
California "Robbery" Laws. ... Penal Code 211 PC reads: “Robbery is the felonious taking of personal property in the possession of another, from his person or immediate presence, and against his will, accomplished by means of force or fear."
You don't think I would yup without doing the research, do you?
What gave you the impression that I was referring to the specific legal definition of robbery under Californian law, or under US specific penal code . . . rather than the common language definition of rob?
If someone says that a tomato is a fruit do you correct them by telling them that they're wrong - under US customs regulations a tomato has been defined as a vegetable? If so, why?
Ah, this brings back memories of studying for the Bar...
There's both the vernacular and the legal definitions, if we want to get deep into the weeds. Safe to say under the vernacular one can say "GuitarStv was robbed!" and most people understand that someone stole something from GuitarStv.
Under common law (which is the underpinning of law throughout Canada, the US and the UK) Robbery, Larceny, Burglary and Theft all have unique definitions. Under common law GuitarStv was not robbed because the perpetrator did not use force or the threat of force (intimidation), as the taking of assets was done without GuitarStv's knowledge. As an example, our professor gave the example that if someone grabbed your purse from off the back of your chair and ran before you could react, that would be larceny but not robbery. If the thief had to pull it off your shoulder, that would be robbery. The latter can carry a stiffer penalty even though the property taken was the same, because it involved force against an individual.
Ergo, GuitarStv was a victim of larceny under common law.
:-P
n. 1) the direct taking of property (including money) from a person (victim) through force, threat or intimidation. Robbery is a felony (crime punishable by a term in state or federal prison). "Armed robbery" involves the use of a gun or other weapon which can do bodily harm, such as a knife or club, and under most state laws carries a stiffer penalty (longer possible term) than robbery by merely taking. 2) a term improperly used to describe thefts, including burglary (breaking and entering) and shoplifting (secret theft from the stock of a store), expressed: "We've been robbed."
-
LOL. I had the same thoughts when I read the title but reminded myself that not everyone uses technical legal terms and there are times I should be less of a lawyer.
-
Now you're all robbing my pleasure from this thread.
-
Now you're all robbing my pleasure from this thread.
Well, technically...
-
I thought the same thing when I read the title, that you were held up or something. Relieved it was an online stealing of money only. I have no clue how this happened. concerning.
-
Plus "I was robbed" is a more interesting sentence with more impact than "I was stolen from". Raise a glass to the vernacular.
-
I am the common man, I contain multitudes. GuitarStv was ROBBED!!!!!!
-
As a 911 dispatcher, whenever someone stated they were robbed, one of the first followup questions was always some form of "what do you mean you were robbed?" or "tell me exactly what happened." They were almost never robbed, but it does go to show that it is a common universal statement to mean something was stolen.
-
(https://media.giphy.com/media/JsMebxgq4z4iI/giphy.gif)
-
(https://media.giphy.com/media/JsMebxgq4z4iI/giphy.gif)
LARCENY!
-
To be fair, making me watch the Leafs does feel like some sort of crime...
-
To be fair, making me watch the Leafs does feel like some sort of crime...
It's OK, if you watch closely the goalie did not make a save, the puck bounced and went into the net.
-
Sorry GS. At least it was taken care of quickly.
Worst thing about this is that once your info is out there you may find it used more often. I think I've had about one instance of fraud every year for over a decade: cabinets bought, car loans opened, Walmart charges, money directly out of my bank account.
There is really no way to know how they got your info, unless you can find them and ask them nicely whilst you rip their arms from their sockets :)
-
There has been hacking lately where the user name and passwords for other accounts have been compromised. The hackers then use the user name and password on every other possible site to see if there is a match.
The podcast 'cyberwire' discusses many of these types of hacks.
-
There has been hacking lately where the user name and passwords for other accounts have been compromised. The hackers then use the user name and password on every other possible site to see if there is a match.
The podcast 'cyberwire' discusses many of these types of hacks.
The data can also be used for spear phishing, since a lot of usernames are actually valid email addresses. An elder family member received one of these directed phishing attempts in the form of an email like this:
I know your password for site www.goingcamping.com is "FuzzyBear36".
I've stolen your identity and have been tracking your internet use. You have been very naughty!
If you don't wire me $3000, I will tell your loved one about all the porn you have been watching
and then break into your computer and delete your files, etc ...
My family member did not fall for it, but it 's reasonable to assume some people would.
-
There has been hacking lately where the user name and passwords for other accounts have been compromised. The hackers then use the user name and password on every other possible site to see if there is a match.
The podcast 'cyberwire' discusses many of these types of hacks.
The data can also be used for spear phishing, since a lot of usernames are actually valid email addresses. An elder family member received one of these directed phishing attempts in the form of an email like this:
I know your password for site www.goingcamping.com is "FuzzyBear36".
I've stolen your identity and have been tracking your internet use. You have been very naughty!
If you don't wire me $3000, I will tell your loved one about all the porn you have been watching
and then break into your computer and delete your files, etc ...
My family member did not fall for it, but it 's reasonable to assume some people would.
I don't use the same password anywhere on the internet. My login information is my bank card number and a unique random 12 digit alpha numeric password.
I've certainly never responded to any email asking for a password or login information. My bank does not send emails with links in them.
-
I've had my credit card number stolen three times, and my debit card once. My debit card was victim to ATM skimming. The perp bought $170 worth of McDonald's and $50 at a hair salon. That one made me laugh actually. How do you spend that much at McDonald's?
I had about $6000 charged to my credit card fraudulently too. They used my last name to set up a fake business name and purchase a bunch of computer equipment from Dell. I noticed the pending charge AND the invoice was mailed to my address (???), so it was caught right away. The police called me and asked if I'd assist in the investigation and of course I was happy to help.
Every penny was refunded to me so all good. It sounds like you're doing everything you can security-wise so unfortunately this is just a common thing. Several of my friends have been victim to it too.
-
I've had my credit card number stolen three times, and my debit card once. My debit card was victim to ATM skimming. The perp bought $170 worth of McDonald's and $50 at a hair salon. That one made me laugh actually. How do you spend that much at McDonald's?
THis made me laugh, too. When I was in college I was an NCAA swimmer, and the university (thankfully) placed pretty strict rules to prevent hazing, but we still wanted our freshmen to undergo some sort of memorable initiation. One year we made up a bizarre 'race' where htey had to chase our captain - dressed up as the hamburgler - through town and ultimately 'capture' him as he swam out to a floating dock (swim team, remember?) . Along the way they had to collect all his stolen hamburgers to feed everyone. Anyway, for the event we went to the local McDonalds and order 100 x 1/4 lb ers. I remember the clerk not believing us, then calling over the manager, who made us pay before entering it into the system, and then two hispanic cooks coming out from the back and saying something impolite about our mothers in spanish. The entire bill as I recall was under $100 as there was a manager's special on 1/4 lbers. I'm bafffled at how you can spend $170 at McDonalds unless you are buying food for at least 20 people.
-
I've had my credit card number stolen three times, and my debit card once. My debit card was victim to ATM skimming. The perp bought $170 worth of McDonald's and $50 at a hair salon. That one made me laugh actually. How do you spend that much at McDonald's?
Dinner and $150 worth of gift cards.
-
I've had my credit card number stolen three times, and my debit card once. My debit card was victim to ATM skimming. The perp bought $170 worth of McDonald's and $50 at a hair salon. That one made me laugh actually. How do you spend that much at McDonald's?
Dinner and $150 worth of gift cards.
ahhh...... that might make sense. Question: IF someone buys a bunch of gift cards with a stolen credit card, can the retailer go back and void those gift cards? Seems that would be important loss-prevention security step.
-
Do you use Venmo or Zelle or some version of those services? Maybe they changed the email address associated with the account, and then just sent themselves the money from your account? I am pulling ideas out of my a$$, obviously. But maybe?
Nope.
My bank has refunded the money and sent me a new card. Still doesn't really sit well with me.
-
May not be related to what happened to you @GuitarStv but this article I came across this morning https://motherboard.vice.com/en_us/article/mbzvxv/criminals-hackers-ss7-uk-banks-metro-bank (https://motherboard.vice.com/en_us/article/mbzvxv/criminals-hackers-ss7-uk-banks-metro-bank) is about a hack that targets a messaging vulnerability being exploited to drain money from bank accounts globally. Says Europe is particularly at risk and "that American banks seem to be less impacted." Not sure where that leaves Canadian banks of it it could apply to your situation. But I figured you and the others would like to read it through as an FYI if nothing else.
-
Not me, I'm cell phone free fortunately. Thanks for the info though . . .