
Privacy and Security

What happens if your bank account is hacked? Are you liable or is your bank? We have the answer, along with some tips on how to keep your money safe online.


As society’s reliance on technology grows, especially for things like banking, we will continue to see more and more issues with account hacking. Whether on a large scale–such as the recent $10M theft from banks in the U.S. and Russia–or small, data breaches are becoming increasingly prevalent. So, what happens if your bank account is hacked?

How Big is the Problem?

According to the Identity Theft Resource Center, hacking was responsible for a whopping 59.3% of the total data breaches in 2017. This number has grown significantly each year (up from 14% in 2007 and 27% in 2012, for instance). It shows no signs of slowing.

It’s concerning enough to think about our email accounts being breached or our personal data being compromised through physical theft of personal documents. However, when we consider the impact of our checking or savings accounts being hacked–and even emptied–the fear increases exponentially.

This may even lead some to think about pulling their money out of financial institutions, opting instead for a more personal, less-likely-to-be-targeted solution. However, that might not be the best option.

While there are many reasons to reconsider doing business with large financial institutions, the threat of a cyber attack shouldn’t be one. Those who see the potential for this kind of data breach as a reason for not doing their financial business over the internet are over-reacting. Of course, that’s little comfort in the face of fear.

Let’s take a look at exactly what happens after your bank account is hacked, and why you shouldn’t be scared to bank with an online institution.


You Probably Won’t Lose Your Money

You may not know this, but the banks are actually liable for any stolen funds as a result of cyber crime. Non-business customers should not lose money, as long as they notify their banking institution of the fraudulent transaction(s) within a reasonable period of time and take steps to safeguard their account information.

This is all thanks to Regulation E, a guideline established by the Federal Reserve to protect electronic funds transfers (EFTs). According to Reg E, banking customers are only liable for up to $50 in losses if they notify their bank right away (typically, within 2 days of receiving the statement with the fraudulent charge). If they wait up to 60 days, their lost funds are still limited–losses are capped at $500–and the bank carries most of the liability.

However, if customers wait beyond 60 days to notify their bank of any fraudulent charges, they may be liable for the full amount stolen.

The takeaway here? You’re still protected as a personal banking customer, even against cyber threats, as long as you stay on top of your account activity. Of course, you should be doing this anyway, but thanks to the Federal Reserve, your losses are largely capped even if you’re the unfortunate victim of bank account hacking.

Banks Are More Prepared than Ever

Banks are hit by cyber attacks every single day. As a result, they are becoming more adept at preventing breaches of security, and are implementing cutting-edge protocols and software to prevent such attacks from being successful.

It’s important to remember that only the big attacks hit the news. Banks are bombarded by security threats all day every day, and their systems are improving exponentially for detecting and dealing with these problems.

You Can Help Protect Yourself

While some breaches happen on a much larger scale, many of them originate with an individual having his or her personal data compromised. In today’s world of WiFi hotspots and coffee shop internet, it’s even easier for hackers to gain access to our accounts.

Luckily, it’s fairly simple to ensure your account is not vulnerable to this particular attack. When using a public internet connection – whether at the airport, in a coffee shop, or even at your kids’ after school gymnastics practice – avoid logging in to important personal accounts. Browsing the web is fine, but don’t enter personal information like your bank account login or even email password while on a publicly-accessed connection.

Also, when logging into your bank account online, most banks allow you to “remember your computer.” This allows you to bypass a few added security questions the next time you log in, but makes it easier for cyber threats. Hackers can spoof your IPv4 address or even use malware to hijack your computer, so you don’t even know it’s accessing your bank account.

It’s a good idea to always disable the “remember your computer” feature. While it makes logging in a bit more of a pain, it’s much more secure in the end.

Keep an Eye Out for Spoofs

Even the most technology-savvy folks can be fooled by today’s advanced social engineering. Keep a close eye on everything you open and click on, to ensure that you’re not their next victim.

Email programs have become very adept at filtering out spam most of the time. However, they’re not foolproof. You may still see emails that look very much like they are official, coming from your bank or even Paypal, asking you to visit the website and confirm some piece of financial information.

In reality, the “bank’s website” is actually a hacker’s website, designed to look identical to the official site. Never enter your password or any other identifying information on a website that you’re accessing over an insecure connection.

Internet browsers now even identify the security certificate. So when you’re visiting a secure website that’s supposed to be operated by Chase, you can verify you’re safe. Click the security icon in your browser’s address bar for more information. Here is a screenshot of what that looks like with Chrome.

When dealing with suspicious emails, you can even nip spoofs in the bud. Simply click on the sender’s email address if you receive a message requesting information, to see if it truly came from your financial institution. If you have any doubts, forward the message directly to your bank’s customer service department and get their confirmation.

You can make your passwords as long and as random as you like, but the complexity of a password is irrelevant if you hand it to a criminal willfully.

Safer Alternatives Don’t Exist

I’m sorry to break the news to your sweet grandma, but stashing money under your mattress is much less safe than giving it to the bank.

When you don’t like dealing with banks because you already believe that these corporations are evil, fear-inducing stories about recent hacks or cyber theft prevalence are particularly resonant. News of major security threats seems to confirm the skeptic’s opinion that money is only safe when it’s cold, hard cash… not bits in a bank’s computer.

However, the threat of your money being physically stolen is much more serious than it being digitally stolen. Your house being robbed and criminals being able to find your hidden bills or walk away with your safe is much more likely than losing money due to cyber crime.

Plus, as we mentioned before, you have methods of recourse if your bank account is compromised. Thanks to Regulation E, your stolen personal funds are protected by and large, as long as you notice the theft and alert your bank in a timely fashion. If someone walks out of your house with a coffee can full of bills, you’re simply out of luck.

Should You Worry?

While news of past attacks and the threat of future ones is scary, the truth is that the banks will know before you do. Oftentimes, these institutions (and their advanced cyber security teams) solve the problem before the media even mentions the threat.

Federal law requires that banks are liable in the event of a security breach. There is no bank that wants to be liable for a potentially large amount, so the companies have a very strong incentive to be very proactive and protect their customers.

Banks are easy to criticize, for a number of other reasons. However, security is one area where the needs of the customers, shareholders, employees, and executives are completely aligned.

Does news of cyber attacks change the way you feel about banking online?


After a few years of testing this new security feature, Vanguard has begun rolling out voice pattern recognition technology for security. According to the representative I spoke to today, this feature will be available for Flagship customers first, and all customers will eventually follow. Voice recognition adds another layer of security to your financial accounts, and I’m impressed with it so far.

When you call a Vanguard representative to discuss your account, they ask a security question to verify your identity. They may ask your pet’s name, your high school mascot, or some other piece of information a stranger might not know. This isn’t very secure; a friend or family member could easily know the answers to many of the questions typically used for security verification. It is much more difficult to fool voice pattern recognition. Even a digital recording of your voice will not have the same acoustic properties that can be detected over the phone.

The biggest benefit of this level of security is that it eliminates the need for Medallion signature guarantees for most financial transactions for which they were previously required. Signature guarantees can be a hassle; for a financial institution that conducts its business mostly online and over the phone, you might need to visit a local bank or credit union with identification in order to secure a signature guarantee, and then it will take some time to send the signature guarantee to Vanguard.

To enable voice recognition, call a Vanguard representative today. You’ll be asked to repeat a passphrase several times: “At Vanguard, my voice is my password.” The security system will analyze your voice, which will act as a secure key. After confirming that you’re ready to begin using voice recognition as a security check, the new technology will be activated for you with your next call to Vanguard.

After entering your Social Security number via your phone’s keypad as usual, you will be prompted to speak the passphrase. It sounds like this technology could be easily fooled through recording, or be ineffective depending on the quality of your phone line, but it’s much more secure and accurate than the existing system.

If your security check through voice recognition fails when you call, you will be asked to answer a security question. This fallback can solve any issues if you’re in a noisy room, for example, but that reduces the level of security.

Would you use voice pattern recognition to verify your identity for financial transactions?

Photo: altemark


The fourth largest bank in the United States by assets, Wells Fargo, admitted last week that many of its customers received statements with other customers’ banking information included. In this security breach, those affected might have received a statement with a stranger’s account number, transaction detail, and in some cases, Social Security number. Other affected customers might have had their information compromised, with their details included on other customers’ statements, without their knowledge.

Wells Fargo through its spokesman Josh Dunn blamed the error on a “malfunctioning printer.”

The biggest threat is that with an account name and number, and a bank’s routing number which is public information, anyone can easily print a check. When presented, if the signature isn’t checked, that check could result in a withdrawal from the compromised customer’s account. For those whose Social Security numbers have been shared, the potential fraud could be worse.

My first reaction is to encourage customers to turn off paper statements opting instead for online statements only, but that won’t prevent every potential bank error. Online statements are much more secure than mailed statements.

If you’ve been affected, I would suggest changing your account number at Wells Fargo. This may be a significant process, particularly if you have direct deposit enabled or automated debits scheduled with outside vendors. It will be worth the effort, however, to ensure the compromised account number is no longer linked to you. If your Social Security number has been shared with a stranger, you should contact one of the credit reporting bureaus to freeze your credit. Your Social Security number can be used to open accounts in your name, using your credit history, so by working with the credit agencies you can opt to be notified if anyone tries to open a new line of credit.

Considering Wells Fargo’s error, the bank should offer to pay for credit monitoring services for affected customers.

Is this extra motivation for moving your money out of a big bank? There are many reasons to switch to a credit union, but this may not be a reason on its own. Mistakes like this one can happen at any institution, regardless of the company’s size.

I’ve used Wells Fargo for my primary banking services, ever since Wells Fargo acquired Wachovia, since Wachovia acquired First Union, since First Union acquired CoreStates, since Philadelphia National Bank merged with New Jersey National Bank forming CoreStates Financial Corporation.

If you’re a Wells Fargo customer, do you plan to close your account after this incident?

Photo: MoneyBlogNewz
BusinessWeek (AP)


The latest big business security breach affected Citigroup and about 1% of the company’s credit card customers. Hackers were able to access the customer database, finding customers’ names, credit card numbers, and email addresses free for the taking. The hackers were not able to gain access to other personal information, like Social Security numbers, card verification numbers, or birth dates. The company has started contacting affected customers.

It’s unlikely that customers whose numbers and names were accessed are significantly more susceptible to identity theft as a result of this breach, because Citi kept the more sensitive information secure. It may still be a good idea to change your password if you have online access to a Citi credit card. In cases like these, there is little that customers can do to avoid being included in a data breach short of opting out of the finance industry overall. If you never sign up for a credit card, you prevent hackers from stealing your information. Once you’re in “the system,” you have to rely on banks to protect your information appropriately.

As a result of this breach and the continual development of technology, financial institutions may soon find new regulations that require even stricter security for online access. Some financial institutions now offer options for their customers to authenticate via a SecurID — technology that uses wireless networks to provide a unique code over the air that must be verified before you can access your account. In my role at my former job, I accessed banking institutions on behalf of the company, and every bank required a different wireless device. This could be where the consumer market is heading — and if it is, it’s going to make even more sense to simplify your finances.

Additional information: According to the Wall Street Journal, Citigroup waited up to three weeks after the incident before notifying customers. The delay was due to an investigation into the issue.

Update: Of the 360,000 accounts breached, only 3,400 accounts were subject to fraudulent charges by the hackers. Customers are not responsible for fraudulent charges, though the total loss on Citi’s side due to the fraud is $2.7 million.

Yahoo Finance / AP, CNN Money


Lie to Yourself for Better Security

by Smithee

This week, TechCrunch made a big to-do by publishing internal Twitter business documents that they apparently received from an enterprising hacker. The access to multiple networks apparently began when the hacker accessed the GMail account of the wife of a co-founder. If you, like Twitter employees, store any sensitive information in your Google Docs, or […]


Livin’ it Up: Young Philly Couple Charged With Identity Theft

by Luke Landes

Jocelyn Kirsch and Edward K. Anderton live in Philadelphia but they’ve been spending their time in Paris, London, Hawaii, and Seattle thanks to their neighbors. The neighbors aren’t quite as happy, however. The two were using their expensive apartment to assist in stealing the identities of the other people living in their building as well […]
