I Was Bank-Hacked - and the System Sort of Worked
It was early on Valentine's Day, and my phone was pinging. But the texts awaiting me had nothing to do with proclamations of heartfelt adoration, although someone was treating themselves to some high-end self-love -- at my expense.
"Free Debit Card Alerts. Did you make a merchant transaction at Michael Kors Inc. for $1,000 on February 14? Reply 1 if yes, reply 2 if no. To opt out reply STOP." Considering that I was still in bed, cuddled up with my dogs, the answer was a resounding "No!" And "STOP!"
No stranger to having my credit cards compromised over the years, I calmly called my bank -- one of the Big 4 -- to suss out the situation. I've been a customer with this institution for nearly 20 years, and as a premier status client, I was quickly dispatched to a special client agent. The discussion was, frankly, alarming.
Three Strikes, and the Villain's Out
That $1,000 transaction was followed by another one -- at the same store, around the same time -- for another $2,129.60. It wasn't until the V-Day villain tried to put through a third transaction (at the same store!) that the bank finally flagged the fraudulent card use -- but not before over $3,000 had been sucked out of my checking account.
"What kind of fraud monitoring is this?!" I asked the agent, after learning that the Michael Kors fan had somehow created a fake debit card to swipe at the brick-and-mortar store. "Why did it take a third attempt to finally signal a problem?"
The agent tried her best to assuage my serious concerns about the security of my accounts -- but, this time, it was my faith that had been indelibly compromised. Crazy story, right?
Not if you talk to some of the country's top banking security experts, like Kevin F. Streff, director of the National Center for Information Security at Dakota State University and founder of Secure Banking Solutions, a consulting firm focused on helping banks shore up their security practices.
Is the Best Good Enough?
Q: How well equipped are both small and major banks to handle security breaches today? Does the size of the bank give it an advantage?
A: Banks today are really doing the best they can. Hackers are fully armed with tools and time, so bankers are fighting folks who are attacking them on a full-time basis -- and small- and medium-sized banks simply lack the time and resources to really keep these bad guys out.
But generally speaking, the larger the institution, the larger the target. If you're a hacker and you can go after a bank that has 1,000 customer records or a million records, all else held equally, where are you going to choose to invest your time?
And I use the word "invest" because that's how hackers think. It's an investment of their time, and they're gonna get paid for their investment of energy and talent. So the smaller banks aren't in the crosshairs of the cyber criminals as much -- but they're easier targets.
So do they want to take down two or three easier targets -- or go after a big target, and maybe not be able to take them down? Those are the kinds of business decisions hackers need to make.
Hackers for Hire
Q: So just how sophisticated are bank hackers nowadays?
A: We're seeing multivariate, very coordinated attacks using "distractionary tactics," as we call them. Maybe they'll flood a server with a lot of bogus transactions to get the banks to look at that server -- and then they'll attack a different part of the network.
The way it works in foreign countries like China is that they have folks do this for hire -- they have goals and objectives, and roles and responsibilities, just like at other companies. They pull into parking spots and hack for 10–12 hours a day. And when they're successful, they're promoted.
So [the operation] is not just the kid in the basement anymore -- it's sophisticated, and people are able to monetize the stolen digits.
Yet Crooks Are Working 24/7
Q: What are banks not doing enough of to keep customers' information and accounts safer?
A: Banks do a lot of "point in time" things. So somebody will do a penetration test on their network, and then do another one 12 months from now.
A penetration test simulates a hacker breaking into your network. So my business might be hired to do an authorized hack, and then write a report about how we got in, so the bank can figure out how to plug those holes. But hackers don't wait 12 months to come around -- they're there all the time.
So how do you get security with a heartbeat, so that every day we're paying attention to this cyber-security problem? How does the board set the tone for cyber-security and establish a security culture at a financial institution -- and not just rely on the IT person to protect them?
There are training programs that boards of directors and management teams at banks simply need to go through to learn Cyber-Security 101, so that they can perform their roles and responsibilities in the bank. For example, the FDIC has a directors' series of free videos. So there are definitely solutions out there in the marketplace for these folks, so they can set the tone from the top.
At Risk Again and Again
Q: If you've had your bank information hacked once, are you more at risk for a repeat episode?
A: Yeah, I'd say you are. The hackers are very good at sharing tools, techniques and information. So if a hacker spends some time on your account, and is able to compromise it and do some identity theft and fraud, they've made money on that.
And if they feel like law enforcement is gaining on them, they may just sell that account to somebody else -- who'll start messing with you from a different address, using different techniques. It's like hackers get to press the reset button and start all over with you.
So if [your information] is leaked out once, it's even more susceptible to identity theft and fraud.
What You Can Do
Q: What can you do to specifically safeguard your banking identity?
A: The first thing consumers should definitely do is check their credit reports, bank statements and credit card statements on a periodic basis, so that they can catch anomalies early -- and report them right away.
The bank has a responsibility if there's a fraudulent transaction, but you really can't report those things six months later -- you've got to get on it. As long as you're being diligent as a consumer by reviewing your statements and reporting anomalies, you're not responsible for those fraudulent charges.
Also, using the same passwords, sharing passwords and writing down passwords are all bad habits. If I crack your Facebook password, and then I figure out where you bank, about 60 percent of the time I'll know your bank password.
What Banks Watch For
Q: If your account has been hacked, what should you do in addition to monitoring your credit?
A: Banks provide credit monitoring services that will look for unusual activities -- those that fall outside your normal behavior, normal spending or normal location -- so anomalies can be brought to your attention very quickly.
There are also some advanced technologies coming soon. For example, Visa has an app it'll be introducing in April. For cardholders who sign up, the app requires the user's cell phone and credit card to be in the same location to make a purchase. So using GPS technology, you register the phone and the card, syncing them up.
Password management is also a big area. There are secure and encrypted electronic password vaults where you can store all your passwords -- and they are affordable compared with the hassle of identity theft.
These are the kinds of security issues that are coming to bear, and I would suggest consumers understand these new technologies -- and embrace them.