Posted on 01/24/2024 8:02:10 PM PST by 11th_VA
WASHINGTON (7News) — 7News is asking a security question that deals with your cell phone. How did a Maryland woman lose $17,000 even though she had two-factor authentication on all her accounts?
It all started when Hussey got an email thanking her for the purchase of a new phone at Verizon. Minutes later her contact information at Bank of America had changed.
The problem? She didn't do either transaction and had two-factor authentication on her accounts.
"And the bottom just kind of dropped out,” added Hussey.
She called Bank of America, but her cell phone was no longer active. An online attempt required a verification code her phone couldn't receive.
Within minutes, her $17,000 was gone.
"Initially, I didn't realize how big of a deal it was. I thought I had handled it on the first day by calling the bank, calling Verizon. Figuring things out,” said Hussey.
Hussey told 7News that Verizon said someone in California walked into one of its stores and purchased a new phone along with a new SIM card and used Hussey's current phone number to activate the new phone.
When the new phone was turned on Hussey's phone went dead.
Hussey used a landline to contact Bank of America, but it was too late. Her $17,000 was gone.
"And I have two-factor identification which ended up biting me in the face when it all came down to it. That was the thing that completely hijacked everything. They had complete control of my phone and there was nothing I could do about it,” said Hussey.
SIM card swapping has been around for the past four years, but security experts told 7News that the scale of this type of scam has recently skyrocketed...
(Excerpt) Read more at wjla.com ...
Good to know - Thanks for the lengthy explanation
me too.
and i don’t carry an apple or google (app based) smart phone either. i still carry a flip or use the good ol’ land line when i need one. yes they keep taking my network away, now they’ve got me up to 4G, and it’s a bother to get them to go around all their tech at whatever financial company i’m dealing with (using an ol’ laptop with out 2fa, a secure email, or snail mail and paper applications for instance), but thieves can’t use their damn insecure apps to steal my money like they did to this lady. much safer to stay as old fashioned as possible when doing financial stuff.
>> despite two-factor authentication
Total BS premise
So the only solution will be to embed a chip into everyone.
What could possibly go wrong with that?
Never use my phone for any money things. I have a hard enough time trusting my WiFi desktop for finance.
how? with inside help.
I make no payments over my phone ever, and never use the phone network unless I am our of town. And no auto payments
Which is a major reason we NEVER use our cell phones for banking. Mine is a dumb phone anyways, just a flip phone. All I want is something for calls and texts if necessary.
I’m also delaying the SS until 70, but signing up for a Medicare Supplement was the easiest thing in the world and takes care of the Part B premium.
The scammers didn’t get access to her existing cell phone...they just got her phone number put on a new cell phone (”SIM swapping” doesn’t require a physical SIM card anymore with the advent of “eSIM”). We are not getting the full story here...how did the scammers have her BofA login credentials? (Username & PW). Verizon either very lax/incompetent or we aren’t getting all the facts from the lady victim.
Actually, the phone security is extremely sophisticated and works! This topic is about dishonest or corrupted carrier employees, who reassign the phone number. Dishonest or corrupted workers could mess up your accounts even if you don’t own a phone at all, nothing new there.
What could possibly go wrong with that?
Do you suppose they will be required to worship some image of some sort?
Have never done any banking online for this very reason. The bank will be totally liable for any such fraud.
Please do not think that a password is safe. Ever. Passwords are the easiest way to compromise an account. There's nothing simpler, because you, people, are the weakest link in EVERY cybersecurity practice.
93% of compromises start with phishing. If you respond to a strange email, click on a link, take a phone call from some entity claiming that you have a virus, they WILL take everything. I've seen advanced persistent threats (APTs) literally shut down food banks and not give a care in the world about people who they serve. I've seen APTs shut down a children's hospital and not blink once when implored to allow them to keep network connected vitals monitors online. It all started because someone wasn't careful.
This article is complete trash. It leaves out that the woman was using SMS (text messaging) for multifactor authentication (MFA). SMS and phone calls were deemed unsafe by NIST back in 2015. They're not allowed for any federal agency to use for MFA, and you shouldn't be trusting them either. If your bank uses text messaging, call or email them daily demanding them implement stronger authentication. Your phone can be taken over by anyone with SIM swapping, and it happens far more often than you think. Also, if you think that the underpaid grunts running a Verizon store wouldn't crumble like cheap suits when a bad actor offers them thousands of dollars to help compromise a phone, then you're living in ignorance. It happens more often than you think.
The strongest MFA available right now is FIDO2 leveraging a security key like a YubiKey device. It requires physical control of the device and a physical touch of the device to execute the security chip. A strong second is an authenticator app such as what Microsoft or Google provide. Push notifications are more secure than on-time-passcode (OTP) which is the rolling random number. Again, do not trust that SMS, phone, or email codes are secure. They aren't. All three methods can be compromised with ease.
Please do not dismiss MFA. You do so to your online safety detriment. Please, I implore you, take the steps necessary to guard your identities. It is easier than ever to compromise them.
ussey told 7News that Verizon said someone in California walked into one of its stores and purchased a new phone along with a new SIM card and used Hussey’s current phone number to activate the new phone
THIS HAPPENED TO ME LAST MONTH EXACTLY.
Luckily I dont do banking on my phone I believe they have a piss poor screening hire at the verizon stores. No way they would have gained access to my account and passwords without help from within, beware!
LTR
I never use my phone for banking. I use my stationary computer at home. I have no added apps on my phone -—Samsung A51
I think and hope I am better protected using my boring computer instead of a smartphone for banking
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.