Daniel Farber Huang
September 10, 2020
“Hello, Ms. [insert name]. This is Bank of America Fraud Protection calling. We noticed some suspicious activity on your debit card and are reaching out to you to confirm if these transactions are yours. Before we begin, to confirm that we have contacted the account holder, you’ll be receiving a text from Bank of America in just a moment. Please confirm the code in the text.”
And with that, the scammer on the phone just bypassed Bank of America’s two-factor authentication and gained access to the target’s online bank account. The scammer’s immediate steps (which would take only minutes to complete) would be to (1) change your bank account’s email and password and (2) wire all available funds to a dummy or offshore account. Before the target realizes what has just occurred, they’ll already have been robbed.
For this scam to work, the thief or thieves will need to already have your online banking username and password. In reality, that’s not too difficult for experienced scammers to obtain, either by purchasing personal information on the Dark Web or by relying on the likelihood that people are still very lax with their passwords. (Ask yourself: How many of your accounts use the same or extremely similar usernames and/or passwords?) In practice, this scam is likely run by a coordinated group of people working the operation like an efficient business, targeting hundreds or thousands of potential victims.
Two-factor authentication provides a second layer of protection that sites and apps can offer users to protect their accounts (whether it’s their bank account, medical records or even Twitter). In addition to a user providing their most basic info (their username and password), two-factor authentication asks for additional confirmation by requiring the user to either have physical proof (such as a mobile device to receive text messages or a digital key fob) or biometric proof (such as a fingerprint).
In theory, two-factor authentication, also called 2FA by the cool kids, prevents unauthorized users from simply obtaining what are often easily cracked passwords and gaining full access to an unwitting target’s account. Thieves, however, remain thieves by blowing up theories like this. It’s highly likely that Bank of America customers are not the only ones to be targeted by this scam, as 2FA (look, I’m a cool kid!) text codes are pretty standard fare. I learned about the BofA situation earliest so I am using them as an example, but this can be perpetrated across the spectrum of accounts. If there’s something to be gained, whether money, personal information or other data, there’s most certainly someone who will want to steal it for nefarious reasons.
According to Bank of America’s website, “Bank of America will never ask you to provide your Social Security number, ATM or debit card PIN or any other sensitive information in response to an email or text. If you receive an email or text from Bank of America and you’re unsure if it’s real, don’t click on any links.”
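The scam above works because the bank’s own 2FA is triggered by the attacker’s login attempt and the victim reads the resulting code back over the phone. The following is an added example, not Bank of America’s code or anything from the original article, of how a site can issue codes so that the text message itself names the action being authorized and states that staff will never ask for the code, while the code is short-lived, single-use, attempt-limited and bound to the session that requested it. Names such as OtpService, OTP_TTL and the key value are constructed for the example.

```python
import hmac
import hashlib
from dataclasses import dataclass

OTP_TTL = 120        # seconds a code stays valid (assumed value)
MAX_ATTEMPTS = 3     # wrong guesses allowed before the challenge is dead

@dataclass
class Challenge:
    session_id: str   # the login/transaction session that asked for the code
    purpose: str      # what the code authorizes, e.g. "login from a new device"
    created: float    # issue time (epoch seconds)
    attempts: int = 0
    used: bool = False

class OtpService:
    def __init__(self, server_key: bytes):
        self._key = server_key
        self._challenges: dict[str, Challenge] = {}

    def _code(self, ch: Challenge) -> str:
        # Derive the 6-digit code from server key + session + purpose + issue time,
        # so a code issued for one session or purpose is useless for any other.
        msg = f"{ch.session_id}|{ch.purpose}|{int(ch.created)}".encode()
        digest = hmac.new(self._key, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

    def issue(self, session_id: str, purpose: str, now: float) -> str:
        """Create a challenge and return the SMS text the customer would receive."""
        ch = Challenge(session_id, purpose, now)
        self._challenges[session_id] = ch
        # The message says what the code does and that nobody from the bank will ask for it.
        return (f"Code {self._code(ch)} authorizes: {purpose}. It expires in "
                f"{OTP_TTL // 60} min. We will NEVER call or text to ask for this code. "
                f"If you did not request it, call the number on the back of your card.")

    def verify(self, session_id: str, code: str, now: float) -> bool:
        ch = self._challenges.get(session_id)
        if ch is None or ch.used or now - ch.created > OTP_TTL:
            return False                       # unknown, already used, or expired
        if ch.attempts >= MAX_ATTEMPTS:
            return False                       # locked after too many wrong guesses
        ch.attempts += 1
        if not hmac.compare_digest(code, self._code(ch)):
            return False
        ch.used = True                         # single use: a replayed code fails
        return True
```

The wording in the message is the part that addresses the phone scam directly; the binding, expiry and attempt limits close off reuse of a code that has already been given away.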
What to Do if This Happens to You (Yes, YOU!)
First and foremost, hang up and call back. Politely, of course. In today’s world, when any company calls you about an issue, it’s best to say you’ll call them back. Importantly, do NOT call back the number the “helpful” representative provides you during their phone call. If they are legitimate, they should understand without hesitation. Instead, call the phone number listed on the company’s website (for customer service, fraud prevention or whatever department is appropriate). Alternatively, customer service numbers are provided in the billing statements you receive.
Other, healthy cybersecurity habits should include:
Enable Two-Factor Authentication on All Your Accounts. Even though this article is about how scammers can bypass 2FA, it’s still extremely valuable to use everywhere you can. In The Secret to Cybersecurity, former FBI special agent Scott E. Augenbaum notes that 2FA will protect you from much of the common, broad-brush onslaught of fraud that’s out there. Furthermore, it should always be highly suspicious if you get a live phone call from, say, a PayPal or eBay “representative” concerning your account, so the scam-du-jour in this article is likely more limited to “high-touch” customer services such as banks and financial institutions, perhaps healthcare providers too.
Change your existing passwords to better ones. We know every website says to create strong passwords, but in reality many people haven’t graduated beyond their pet’s name (with a 1! or 99! appended to the end) or, say, their child’s birthday (backwards), used across countless sites and apps. We’re all guilty of it. Many passwords can be brute-force cracked by programs that try thousands or millions of combinations, so the more difficult you make yours, the better. “CRONUT1234” just doesn’t cut it anymore. Granted, I did the same for years and it’s taken a huge amount of time to undo my former laxity with changed passwords.
Use a Password Manager. Going forward, there are major steps you can take that will dramatically strengthen your online defenses. Besides the tedious task of creating complex passwords, it’s simply impossible to remember what those passwords are. I’ve used LastPass for years (and by extension so does my family) to not only save all my different logins for every account I have but, importantly, their auto-generate feature creates random, ridiculously long passwords that it manages for me. My auto-generated passwords typically range from 16 characters (which is sometimes the maximum a site allows) to 48 or more characters just because I can.
Scams are constantly evolving so it’s healthy for the public to be informed and aware. The goal of these cybersecurity articles is to make the public better informed of illicit behavior targeting unwitting victims. We are all potential targets, and often the victims who get burned are the most vulnerable among us, including family and friends.
More articles are available at https://medium.com/paradigm-crunch
Be aware, feel free to share this article if it may protect someone you care about, and safe (web) surfing.