My bank account was just hacked. The hacker opened a new account, transferred money from my line of credit into that account, then transferred the money out to his outside account. So, it appears he somehow got my client card number and my password.
My laptop is about five years old, running Windows 7, which I update every week. I have BitDefender for virus scans, with which I do a full system scan every week. My password was 15 characters long, with a mix of numbers and upper and lowercase letters. When I am not at home, I use a VPN service while on the internet. I have changed my bank passwords to 22 characters long and installed Malwarebytes Premium for real-time virus protection.
So, I have two questions: How could a hacker possibly do this with the precautions I have? And how can I protect myself further from this point?
You do have good security in place — above average, I’d say. That makes this situation a little more difficult to diagnose, as well as a tad more frustrating.
While I certainly can’t tell you exactly what happened, I can speculate on some possibilities. I also have a few ideas on how I’d protect myself if I were in your shoes.
It might not be you
Honestly, the first thing that comes to mind when I review your security precautions is that this might be completely out of your control.
It might not be you.
We often share things like our bank account number with services and institutions we trust and do business with. It’s conceivable that the account number, at least, could have been compromised in some way via one of these third parties.
This highlights an important reality: account IDs — for example, your user name or email address — are not secure. Many people think that by hiding or obscuring their IDs to various services, they’re keeping themselves more secure. It’s a false sense of security, at best. Those IDs are how we use those accounts, often in less-than-private ways. Consider your email address, for example; it’s just another type of ID we regularly share with others.
As for the password, it’s certainly possible that the bank suffered a breach of some sort. It does seem that not a week goes by without news of one. While I don’t consider this likely (unless you’ve heard from your bank that it’s happened), it’s a possibility.
That actually leads to a somewhat scarier scenario.
It might be your bank
You didn’t indicate which financial institution you use, but I assure you, none of them are perfect. While some are better than others, it’s definitely a spectrum.
Suffering a breach is just one example of what might go wrong. They could have been fooled by someone calling in and pretending to be you — so-called “social engineering”. Their technology could have had a failure of some sort. Perhaps their login process isn’t sufficiently protected against brute force attacks. Perhaps they store passwords poorly, paying attention to only the first 8 characters. Perhaps their network is less than fully secure.
And, of course, there’s always the possibility of an inside job.
All these scenarios are quite rare, so it’s difficult to point a finger with any certainty, but they’ve each happened, and could explain what happened to you.
And they’re all out of your control.
It could be something in the middle
I don’t know where you’re connecting from, who your ISP is, or what computers you use, but other things could cause your password to be stolen or your account to be hacked, including:
- Using a public computer with a hardware key logger.
- Using a friend’s computer with who-knows-what to capture or save your login credentials.
- Using a network that has been somehow compromised with a “man-in-the-middle” attack, allowing even secure connections to be intercepted. The most common case might be on a corporate network where outside access is monitored and controlled by a savvy IT department.
All these and more would be rare … but possible.
It could still be malware
Even though you were running a reputable anti-malware tool at the time, it’s critical to realize that not all anti-malware tools catch every form of malware. No tool is 100% perfect.
Which is to say, something could have slipped through.
Given your strong password, what comes to mind is a keylogger of some sort. Password strength is no protection whatsoever from software that intercepts your password as you type (or click or paste) it in. Even though you seem well protected, this seems the most likely scenario at this point.
Malware also often arrives in different guises. One that comes to mind is the rogue browser extension. Every so often, we hear of malicious actors managing to get their malware into various app stores and extension repositories. Once installed in your browser, this software has access to absolutely everything that happens within your browser, like visiting and signing in to your online banking account.
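One way to check what the extensions already in a browser are allowed to see, as an added example that is not part of the original article: this Python sketch reads Chrome-style `manifest.json` files and reports extensions that request access to every site or to sensitive browser APIs. The function names, the list of APIs treated as sensitive, and the two sample manifests are assumptions constructed for illustration.

```python
import json
from pathlib import Path

# Match patterns that give an extension access to every page you visit.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Assumed shortlist of API permissions worth a second look on a banking machine.
SENSITIVE_APIS = {"cookies", "webRequest", "clipboardRead", "nativeMessaging"}

def risky_grants(manifest):
    """Return a list describing all-site or sensitive grants in one manifest."""
    findings = []
    # Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
    for key in ("permissions", "host_permissions", "optional_permissions"):
        for perm in manifest.get(key, []):
            if not isinstance(perm, str):
                continue  # some manifests carry object-valued entries
            if perm in BROAD_HOSTS:
                findings.append(f"{key}: every site ({perm})")
            elif perm in SENSITIVE_APIS:
                findings.append(f"{key}: sensitive API ({perm})")
    for script in manifest.get("content_scripts", []):
        for pattern in script.get("matches", []):
            if pattern in BROAD_HOSTS:
                findings.append(f"content_scripts: injected into every site ({pattern})")
    return findings

def audit_profile(extensions_dir):
    """Map 'id/version' -> findings for each extension stored under a
    Chrome-style Extensions directory (<id>/<version>/manifest.json)."""
    report = {}
    for path in Path(extensions_dir).glob("*/*/manifest.json"):
        manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        findings = risky_grants(manifest)
        if findings:
            report[f"{path.parent.parent.name}/{path.parent.name}"] = findings
    return report

# Constructed sample manifests (not real extensions).
SAMPLE_NARROW = json.loads('{"name": "Recipe Clipper", "manifest_version": 3, '
    '"permissions": ["storage"], "host_permissions": ["https://recipes.example/*"]}')
SAMPLE_BROAD = json.loads('{"name": "Free Coupon Helper", "manifest_version": 2, '
    '"permissions": ["tabs", "cookies", "<all_urls>"], '
    '"content_scripts": [{"matches": ["*://*/*"], "js": ["c.js"]}]}')

if __name__ == "__main__":
    for m in (SAMPLE_NARROW, SAMPLE_BROAD):
        print(m["name"], "->", risky_grants(m) or "no all-site access")
```

A finding is a prompt to ask whether the extension needs that access, not proof that it is malicious; many legitimate extensions request all-site access. On Windows, Chrome typically keeps installed extensions under `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions`, which is the kind of directory `audit_profile` expects.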
It could even be you
No hardware or software, no anti-malware tool, no firewall, and no system protection feature can protect you from yourself.
I’m not trying to be harsh here, but it’s important to realize that while having all the tools in place to protect yourself is important, it’s only part of what we all need to do to stay safe. We still have the ability to bypass all those protections.
Whether it’s accidentally falling victim to a phishing attempt, unintentionally installing malicious software, or just sharing private information with someone we shouldn’t have, it’s not at all uncommon for it all to come back to us. We did something, somehow, somewhere, that bypassed all the security we so carefully put into place.
Sometimes without even realizing it.
Again, I’m not saying that’s the case here, but it can’t be ruled out.
What I would do
If I were in your position, having set up what I thought was sufficient security only to get compromised, I would take several additional steps.
First, I would do exactly what you did: add an additional security solution to my mix, and change the password for the affected account to something longer than before.
Next, I’d review the account recovery information. Anything that could be used to reset a forgotten password has the potential to be misused if it’s not kept current and active.
Then I’d add transaction alerts to my bank account, if that’s supported. It’s more common with credit cards; I have my cards email me every time they’re charged, and even text me for transactions over a certain amount.
Finally, I’d talk to my bank about setting up additional restrictions on what can and cannot be done online. The fact that someone who wasn’t you was able to access a line of credit without additional verification is, to me, exceptionally troubling. Many banks allow you to set restrictions on what you can and cannot do online, and may even be able to place amount thresholds to disallow transactions, or require that you proactively take additional steps offline to complete the transaction. It’s a conversation well worth having.
It’s rare, but…
I don’t want this litany of possibilities to scare people off online banking. Honestly, the majority of risks I’ve just mentioned are present whether you bank online or not.
These types of one-off bank account compromises don’t happen as often as headlines lead you to believe. Credit card compromise, for example, is much more common. Fortunately, there are many protections in place, not only to prevent fraudulent credit card use, but to limit your own liability for what happens.
That being said, it remains an important responsibility to maintain our personal security appropriately, both online and off.