USAA Bank Fraud

16,633 Views | 79 Replies | Last: 7 yr ago by LOYAL AG
JMac03
Are the cops not looking at videos from the ATM withdrawals? And this sucks big time.
The Collective
Off topic, but did you go to Oshkosh?
thirty-two
16 year member here... curious how this plays out.

Fraud sucks... and I've been there. Hope it all gets worked out!
Señor Chang
Watching this topic. Already touched on, but I would reformat all my computers and restore my phone back to factory settings if I were you.
BQ78
Unfortunately cops don't have time for that, small potatoes, as I found out when my dad was being defrauded recently of several thousand dollars and I actually knew how to flush the criminal out and they still couldn't be bothered with it.
JMac03
BQ78 said:

Unfortunately cops don't have time for that, small potatoes, as I found out when my dad was being defrauded recently of several thousand dollars and I actually knew how to flush the criminal out and they still couldn't be bothered with it.
That is absurd. $10k is not small potatoes.
IrishTxAggie
BQ78 said:

Unfortunately cops don't have time for that, small potatoes, as I found out when my dad was being defrauded recently of several thousand dollars and I actually knew how to flush the criminal out and they still couldn't be bothered with it.
Vigilante justice should be acceptable means of justice when criminal acts are committed against kids and the elderly.
TX AG 88
wow. that sucks. Good luck and appreciate you informing the board as you get resolution (hoping you do!)

Am not a USAA customer, but my attitude has always been that they're the first place I'd turn if I were ever to become unsatisfied with my Credit Union.
Whens lunch
I've been a USAA member for 45 years and been happy with the service.

Last Sep I received what turned out to be a phishing email that looked identical to a USAA email except for the info in the security zone was missing (didn't notice). It said that the USAA server and website had been updated and that I needed to review my information.

The link provided took me to a window that was identical to the USAA login page. There was nothing unusual about that. I logged on and now was on another page that looked like a USAA page, but was asking me to fill in some personal details.

I closed the page and browser, went to a different computer and changed my username and password, etc.

I called USAA and they verified that it was a scam. While I am an "old", I don't consider myself an idiot, but I was fooled right up to the point that some suspicious questions were asked.

USAA has struck me as responsive and frankly careful.....Whenever I call in for assistance of any type, they identify me six ways from Sunday, starting with recognizing the telephone number I am calling from.
CapCity12thMan

Quote:

The link provided took me to a window that was identical to the USAA login page. There was nothing unusual about that.


keep your eye on what the actual URL is though...likely had nothing to do with usaa.com

Whens lunch
CapCity12thMan said:


Quote:

The link provided took me to a window that was identical to the USAA login page. There was nothing unusual about that.


keep your eye on what the actual URL is though...likely had nothing to do with usaa.com
Of course it didn't have anything to do with USAA. That's my point. I got sucked in. The link to a login was normal and the windows were amazingly believable. It wasn't obviously hinky until it actually asked for info.

That's the point that I saved myself from a potential ton of misery.
Ulrich
Obviously you know this, but for anyone else who doesn't:

Never follow a link from an email that you weren't expecting. Use a search engine to find the address yourself. Check for the "secured" icon in the address bar before entering personal information.
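
The address check CapCity12thMan and Ulrich describe, as an added example that is not part of the thread: a Python function that decides whether a link's host really belongs to usaa.com, since a pixel-perfect page and an https padlock say nothing about who runs the site. The sample URLs are constructed and use reserved `.example` names.

```python
from urllib.parse import urlsplit

def check_link(url, expected="usaa.com"):
    """Return (ok, reason): does `url` really point at `expected`?"""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme != "https":
        return False, "not https"
    # Anything before '@' is a username, not the site being visited.
    if "@" in parts.netloc:
        return False, "text before '@' hides the real host: " + host
    # Punycode or non-ASCII labels can render as lookalike letters.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return False, "internationalised lookalike host: " + host
    # Exact match, or a true subdomain (note the leading dot in the suffix).
    if host == expected or host.endswith("." + expected):
        return True, "host is within " + expected
    return False, "host is " + host + ", not " + expected

# Constructed sample links, one per trick the check has to survive.
SAMPLES = [
    "https://www.usaa.com/",                          # genuine host
    "https://usaa.com.account-review.example/login",  # brand as a subdomain
    "https://www.usaa.com@login.example/",            # brand as a username
    "https://notusaa.com/",                           # brand as a suffix
    "https://xn--usaa-constructed.example/",          # punycode label
    "http://www.usaa.com/",                           # right host, no TLS
]

if __name__ == "__main__":
    for link in SAMPLES:
        ok, reason = check_link(link)
        print("OK  " if ok else "STOP", link, "->", reason)
```

Only the first sample passes; four of the five rejected links are https and would show the "secured" icon.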
Pendragon12
Ulrich said:

Obviously you know this, but for anyone else who doesn't:

Never follow a link from an email that you weren't expecting. Use a search engine to find the address yourself. Check for the "secured" icon in the address bar before entering personal information.


Also in this vein, for unsolicited phone calls from a bank or other financial institution and they start asking questions...I always tell them that I will call them back via the main number and never had an issue.
BQ78
Not absurd, the cop I talked to said it was the 8th call he had handled that day alone for someone trying to defraud an elder person and my call was the only one where money had not actually gone out to the defrauder. He said you need to count your blessings.
JMac03
Wait, so you haven't lost the $10k? Or just lost $5k? I guess I am confused. Or was it just attempts both times?
ChemEAg08
USAA member for 20+ years, so keeping tabs on this topic...
capital markets
Another USAA customer here (home, life, and auto). Watching this topic carefully - I currently pay a premium for USAA because they have a reputation for excellent customer service. Will certainly switch if they start playing games...
John Francis Donaghy
dallasiteinsa02 said:

John Francis Donaghy said:

Too late to be helpful with this situation, but debit cards are just about the riskiest form of payment out there today. They are a direct link to your cash, and if they get compromised, your money is gone before you ever even know about it.

Not sure how much you trust your daughter's spending discipline, but if you think she can handle it, this could be a good opportunity to teach some with a low limit credit card with good fraud protection policies behind it instead of using a debit card.

Debit cards have a few weaknesses, but I wouldn't say they are the riskiest form of payment out there. One of the weaknesses is the leverage over the bank since the bank is not out the funds you are. This is short term because at some point even a credit card company is going to force you to take care of payment on a charge they deem valid. The other is that it is easier to access cash.

All that being said, I have found that my debit cards have a few protections that credit cards don't offer. I get a text every time my debit card is used. We have one credit card that we use for most transactions, but I tried to set a text up on the other cards that are rarely used and the credit card companies don't offer the technology.

The other biggest strength is there are quite a bit more laws to protect the consumer as it relates to bank fraud versus credit card fraud. You will find that once you start really pushing. The bank will have to put plans in place that a credit card company just is not required to do.


Sorry, but a text message to let me know that someone just stole a bunch of my money isn't exactly my idea of fraud protection.

And consumer liability for fraudulent credit card transactions under the FCBA is limited to a maximum of $50. And if you haven't lost your physical card, you can't be held liable for any unauthorized charges. Total protection.

Consumer liability for fraudulent debit card transaction under the EFTA can be as high as 100% of the funds that were stolen from you. In other words you can be left with zero recourse for recovering your stolen money if you don't report it within a certain time frame. It's just gone, and you're SOL.

Plus, with credit card fraud you don't have to push your credit card company to "put a plan in place." The thieves stole the credit card company's money, not yours. You get to sit back and watch the credit card company sic the hounds on the thief to recover their money, while you wait for your shiny new card to arrive in the mail. The vast majority of the time, they will identify the fraudulent use of your credit card before you do, because they don't want to be stolen from.

There is just no way that a debit card is safer than a credit card. I know this is bordering on a derail from the OP, so I won't continue this discussion further, but given the nature of the thread I wanted to put some better info out there for anyone interested.

Lots of good info on this topic on the FTC's website too if anyone wants to dig deeper: https://www.consumer.ftc.gov/articles/0213-lost-or-stolen-credit-atm-and-debit-cards
John Francis Donaghy
OP, the EFTA should be pretty heavily on your side in this scenario too. Not sure what effect the fraudulent phone authorizations from the fraudster could have on the timelines, but from the timeline you laid out in the OP, your liability should probably be limited by law to a max of either $50 or $500, maybe even $0 if the timing of the first fraudulent ATM withdrawal works out in your favor.

If your bank doesn't come through with an acceptable solution, you should definitely consider talking to an attorney with EFTA experience. The second ATM withdrawal in particular, which occurred after you reported the fraudulent activity on the account, absolutely should not be your problem.

Hopefully the bank comes through and just does the right thing by you. Hope it works out.
ATXAdvisor
UPDATE: I just got off the phone with USAA, and they have made me whole (with the assistance of Fidelity Investments). I also have the rest of the story as to how the fraud occurred.

The crooks spoofed my home telephone number and called into USAA with my wife and daughter's names and DOBs. With that small amount of info plus the spoofed number, USAA allowed them to request a debit card to be sent to an alternate address. They also allowed the limit for ATM withdrawals to be increased due to the caller indicating some urgent need. One real disturbing aspect of this was that my wife isn't authorized on my daughter's account (I'm the custodian), yet they allowed the crook impersonating my wife to request the ACH transfer from Fidelity (this account was previously linked to my daughter's account).

More concerning was that USAA allowed the same caller using the same spoofed number and limited info to close my fraud claim after I had reported it. This is also why they sent me correspondence saying the claim had been investigated and had been determined to not be fraud.

A detail I previously had not mentioned is that I had contacted Fidelity Investments the evening (Monday) the initial fraud was detected, as even though USAA had credited my account there for the ACH transaction and had already allowed ATM withdrawals, the Fidelity account had not yet been debited. I asked Fido to freeze my account. Unfortunately, the manager I spoke to failed to do that. When I called them back on Thursday to inform them of the second unauthorized transfer, not only did they close my account before it could be debited a second time, they went ahead and refunded me the original $4,750 in recognition that they should have closed the account on Monday. Kudos to them.

I will say that USAA's attitude changed dramatically when I started posting this story on their own Community Forums, their Facebook page, and Twitter. I received a call from the CEO's office on Saturday morning assuring me that they had failed and that I would be made whole. I would have preferred to not have to have done all of this so publicly, but maybe there are lessons everyone can learn from my pain.

It even inspired a blog article with some tips for everyone. Be careful out there, folks.
JMac03
Thanks for the update. I am so glad they made the situation right and everything is back to how it should have been.

Criminals are *******s.
IslandAg76
JDCAG (NOT Colin)
ATXAdvisor said:

UPDATE: I just got off the phone with USAA, and they have made me whole (with the assistance of Fidelity Investments). I also have the rest of the story as to how the fraud occurred.

The crooks spoofed my home telephone number and called into USAA with my wife and daughter's names and DOBs. With that small amount of info plus the spoofed number, USAA allowed them to request a debit card to be sent to an alternate address. They also allowed the limit for ATM withdrawals to be increased due to the caller indicating some urgent need. One real disturbing aspect of this was that my wife isn't authorized on my daughter's account (I'm the custodian), yet they allowed the crook impersonating my wife to request the ACH transfer from Fidelity (this account was previously linked to my daughter's account).

More concerning was that USAA allowed the same caller using the same spoofed number and limited info to close my fraud claim after I had reported it. This is also why they sent me correspondence saying the claim had been investigated and had been determined to not be fraud.

A detail I previously had not mentioned is that I had contacted Fidelity Investments the evening (Monday) the initial fraud was detected, as even though USAA had credited my account there for the ACH transaction and had already allowed ATM withdrawals, the Fidelity account had not yet been debited. I asked Fido to freeze my account. Unfortunately, the manager I spoke to failed to do that. When I called them back on Thursday to inform them of the second unauthorized transfer, not only did they close my account before it could be debited a second time, they went ahead and refunded me the original $4,750 in recognition that they should have closed the account on Monday. Kudos to them.

I will say that USAA's attitude changed dramatically when I started posting this story on their own Community Forums, their Facebook page, and Twitter. I received a call from the CEO's office on Saturday morning assuring me that they had failed and that I would be made whole. I would have preferred to not have to have done all of this so publicly, but maybe there are lessons everyone can learn from my pain.

It even inspired a blog article with some tips for everyone. Be careful out there, folks.


Glad they made things right.

Sounds like either their process has some MAJOR holes or (and sadly, more likely) some folks weren't requiring the proof they are probably supposed to.

Whens lunch
So, when I log in to USAA... it's a two-step process: normal logon, then they send a one-time code for the second step.

There are options of text or email and those are listed and you select which you want to do at the time.

If a bad guy has log in username and password...he now has phone numbers and email addresses.

Now, having a phone number may not be useful...I don't know if inbound calls to my cell, for example, can be stolen by someone who has my number.


Having my email address could work. If he had my USAA logon info....he may have my email logon also.

What kind of security is being used at other financial institutions?
Not when I'm done with it.
fourth deck
Inbound calls can be stolen if someone ports-out your cell number. Relying on your cell phone for two-factor authentication should be coupled with beefing up security on your cell carrier's end.

https://krebsonsecurity.com/2018/02/how-to-fight-mobile-number-port-out-scams/

For a while USAA has had me mention a phone password whenever I call in, so does Navy Federal. Other places which have you recite an address or the last 4 of your social is almost worthless at this point for security. Much of that info is already out in the open. Even many of the user-selected security questions are worthless because of leaked information.
ToddyHill
ATX...

Very pleased this worked out for you.

As an aside, I've recently thought of linking my bank account to my brokerage account. I'm now thinking it would be best to keep them separate. Care to share your thoughts given this experience? Thanks.
ATXAdvisor
ToddyHill said:

ATX...

Very pleased this worked out for you.

As an aside, I've recently thought of linking my bank account to my brokerage account. I'm now thinking it would be best to keep them separate. Care to share your thoughts given this experience? Thanks.


I always viewed the accounts linked by ACH as pretty low risk due to them being a "closed loop". Even with an ATM card on my daughter's account, I viewed the risk as minimal. What I am going to change is making sure any ACH links I use going forward are only accessible through two-factor authorization.
mhayden
It amazes me how few banks out there use true two-factor-authorization.
Whens lunch
free_mhayden said:

It amazes me how few banks out there use true two-factor-authorization.
It's only an option at USAA...you don't have to use it, unless that's changed recently.

It's very marginally inconvenient, but seriously, it's your money...
Not when I'm done with it.
The Collective
I don't understand why banks don't require an updating token + personal pin for all trx.
fourth deck
Whoops! Looks like two-factor authentication using text can also be intercepted with a SIM swap. Hopefully banks will start supporting USB hardware keys in the future.

https://krebsonsecurity.com/2018/08/reddit-breach-highlights-limits-of-sms-based-authentication/#more-44585
mhayden
2FA via sms was always lazy authentication and it came off as cheap anyways.

I'm not sure if the issue is scalability or what, but many of the bitcoin exchanges use 2FA with tokens from Google Authenticator and I think that works very well. I don't know the tech behind it so maybe it's not that secure, but seems better than nothing.

Not saying banks should require it (yet), but having to provide a token when logging into online banking, changing contact/mailing information, and when making any transactions over $5000 sure would make a lot of sense.

But I guess it doesn't make financial sense for the banks yet.
ATXAdvisor
Sounds like we better make sure our cell carrier logins are buttoned up!
DallasAggie0
free_mhayden said:

2FA via sms was always lazy authentication and it came off as cheap anyways.

I'm not sure if the issue is scalability or what, but many of the bitcoin exchanges use 2FA with tokens from Google Authenticator and I think that works very well. I don't know the tech behind it so maybe it's not that secure, but seems better than nothing.

Not saying banks should require it (yet), but having to provide a token when logging into online banking, changing contact/mailing information, and when making any transactions over $5000 sure would make a lot of sense.

But I guess it doesn't make financial sense for the banks yet.
It's much more secure as it prevents a simple phone-port from being effective, but it can be a bit complicated to set up and a nightmare for most non-tech savvy folks. Banks probably don't want to deal with the hassle.
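
The tech behind authenticator-app tokens, together with the step-up rule mhayden proposes, as an added example that is not part of the thread: RFC 6238 TOTP in Python, where the code is derived from a shared secret and the clock and so never travels over a phone number that can be ported. The action names and the `authorize` policy are hypothetical, the $5000 threshold is the one from the post, and the secret is the RFC's published test key.

```python
import hashlib
import hmac
import struct

RFC_TEST_SECRET = b"12345678901234567890"  # RFC 6238 test key, not a real secret
STEP = 30                                  # seconds each code stays valid

def totp(secret, at, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1, the scheme authenticator apps use."""
    counter = struct.pack(">Q", max(0, int(at) // STEP))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_totp(secret, code, at, window=1):
    """Accept the current step and `window` steps either side for clock drift."""
    return any(
        hmac.compare_digest(totp(secret, at + drift * STEP), code)
        for drift in range(-window, window + 1)
    )

# Hypothetical action names for the cases listed in the post above.
STEP_UP_ALWAYS = {"login", "change_contact_info", "change_mailing_address"}
STEP_UP_OVER = 5000  # dollars

def needs_token(action, amount=0):
    """True when the action must be backed by a token, whatever else is known."""
    return action in STEP_UP_ALWAYS or (
        action == "transaction" and amount > STEP_UP_OVER
    )

def authorize(action, secret, now, code=None, amount=0,
              caller_id_match=False, knows_dob=False):
    """Caller ID and a date of birth are hints; they never satisfy a step-up."""
    if needs_token(action, amount):
        return code is not None and verify_totp(secret, code, now)
    return caller_id_match and knows_dob

if __name__ == "__main__":
    now = 59  # RFC 6238 test time, so the expected code is known
    print("code at t=59:", totp(RFC_TEST_SECRET, now))
    print("address change, caller ID + DOB only:",
          authorize("change_mailing_address", RFC_TEST_SECRET, now,
                    caller_id_match=True, knows_dob=True))
    print("address change, with token:",
          authorize("change_mailing_address", RFC_TEST_SECRET, now,
                    code=totp(RFC_TEST_SECRET, now)))
```

Under this rule a $4,750 transfer like the one in the thread stays below the $5000 threshold, so it is the contact and mailing-address step-up, not the amount rule, that would cover a card being sent to an alternate address.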
exp
This is a disturbing story. I'm glad it got resolved but disturbing nonetheless.