Usaa ach credit and debit
3/12/2024

Hackers owned my USAA accounts by knowing only my DOB – This is my story

Bottom Line First: I am a security professional and follow security best practices (mostly). On Tuesday, November 14th, none of that mattered. My USAA Bank Accounts were taken over by hackers who only had knowledge of my cell phone number and my date of birth. They bypassed the dual factor authentication that was set up within USAA and, because the bank failed to follow even the most basic anti-fraud procedures, they accessed 37 years of financial data and stole thousands of dollars from me.

I am writing this six days after the event occurred, but I have been logging everything that happened since day one. I am writing this both to help people understand what a hack looks like from the victim’s standpoint and to expose USAA’s weak (non-existent) fraud prevention and monitoring controls. This happened to a security professional who was following best practices and it can happen to you. At the end of the story I will share a few things that I have learned about security best practices that USAA. My saga is still in progress and so I will continue to update this.

I have been using USAA for Auto, Home, Credit Card and low-dollar investments for 37 years. This is my primary credit card, so the extent of information contained in my USAA account includes all information about past purchases, homes, and cars, as well as all my PII (SSN, DOB, etc.).

I have been using Gmail as my primary email service for ~20 years. I have 2FA enabled on both Gmail and on my USAA accounts. In order to log into either, it requires a password and possession of my phone to enter a code via text. I log into my accounts primarily through either a work laptop (MacBook) or via a home PC (Windows).

I was about two hours into a full day of meetings when, at approximately 10:30am, I noticed that I was getting an unusual amount of spam email to my Gmail account. My initial thought was that someone had to be playing a joke on me. Suddenly my inbox literally exploded with emails thanking me for signing up to their website. Approximately one hundred spam emails began flooding my inbox and spam folder each minute in every language and from every country imaginable. I figured that this was being done to hide a valid email from being recognized. I looked through the string of emails and found one from USAA telling me that my security credentials and email address had been updated.

I immediately called the USAA Fraud Department while I simultaneously tried to log into my USAA account. My credentials were changed and I was locked out. Meanwhile, the email bomb continued to blow up in my inbox, creating the fear that other security emails were being overlooked. I tried to keep up with the spam, looking for other indications of accounts that were under attack while I phoned USAA.

The representative that I spoke to verified my identity through my phone and accessed my account. She noticed that there was a new phone number (617 area code) that had been added to my account as well as a new email address. She removed these and sent a link to my phone to reset my USAA password. I asked her to please cancel my credit cards, put a fraud alert on my account and to file a criminal fraud charge, which we did.