
How Was My Bank Account Hacked When I Did Everything Right?

When everything isn’t enough.

Even with all the right things in place, stuff happens. I'll review the additional steps you can take to protect yourself.
Question:

My bank account was just hacked. The hacker opened a new account, transferred money from my line of credit into that account, then transferred the money out to his outside account. So it appears he somehow got my client card number and my password.

My laptop is about five years old, running Windows, which I update every week. I have BitDefender for virus scans, which I do a full system scan every week. My password was 15 characters long, with a mix of numbers and upper and lowercase letters. When I am not at home, I use a VPN service while on the internet. I have changed my bank passwords to 22 characters long and installed Malwarebytes Premium for real time virus protection.

So, I have two questions: how could a hacker possibly do this with the precautions I have? And how can I protect myself further from this point?

You have good security in place — above average, I’d say. That makes this situation more difficult to diagnose as well as more frustrating.

While I certainly can’t tell you exactly what happened, I can speculate. I also have ideas on how I’d further protect myself if I were in your shoes.


TL;DR:

My bank account was hacked!

Hacks can come from sources other than you.

  • The bank could have been compromised.
  • Man-in-the-middle-style interceptions.
  • You could have malware.
  • You could have tripped up unintentionally.

Good security hygiene is in your control. It’s always important whether you bank online or off.

It might not be you

The first thing that comes to mind is that this might be completely out of your control.

It might not be you.

You may rightfully share things like bank account numbers with services and institutions you trust and do business with. It’s one reason you have a bank account, after all.

The account number could have been compromised via one of these third parties.

This highlights an important reality: your account ID — for example, your username, email address, or possibly even your bank account number[1] — is not secure.

You may think hiding or obscuring your IDs to various services keeps you more secure. It’s a false sense of security. Those IDs are how you use those accounts, often in less-than-private ways. Consider your email address, for example; it’s just another type of ID you regularly share with others.

As for the password, it’s possible the bank suffered a breach of some sort. It seems not a week goes by when we don’t hear of one. While I don’t think this is likely (unless your bank says otherwise), it’s a possibility.

That leads to a scarier scenario.

It might be your bank


You didn’t say which bank you use, but I assure you none of them are perfect. While some are better than others, it’s definitely a spectrum.

A breach is one example of what can go wrong. Someone calling in and pretending to be you could have fooled them; this is called social engineering. Their technology could have failed. Maybe they don’t protect their login process sufficiently against brute force attacks. Perhaps they store passwords poorly, or pay attention to only the first eight characters.[2]

Perhaps their network is less than secure.

And there’s always the possibility of an inside job.

All these scenarios are quite rare these days, so it’s difficult to point a finger, but they’ve each happened and could explain what happened to you.

And they’re all out of your control.

It could be something in the middle

I don’t know where you’re connecting from, who your ISP is, or what computers you use, but other things could cause security issues.

  • Using a public computer with a hardware keylogger.
  • Using a friend’s computer with a keylogger or other malware on it.
  • Using a network compromised with a “man-in-the-middle” attack. This can allow even secure connections to be intercepted.

All these and more would be rare, but possible.

It could still be malware

Even though you were running good security, it’s critical to realize that not all tools catch every form of malware. No tool is 100% perfect.

Something could have slipped through.

Given your strong password, what comes to mind is a keylogger. Password strength is no protection from software intercepting your password as you type, click, or paste it in.

Even though you seem well protected, this seems the most likely scenario at this point.

Malware often arrives in different guises — for example, a rogue browser extension. Every so often, we hear of malicious actors getting their malware into app stores and extension repositories. Once installed in your browser, this software has access to everything happening within your browser, including visiting and signing in to your bank.
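To make the extension risk concrete, this added example (not part of the original article) lists which installed extensions request host access covering a given banking URL. It assumes Chrome-style `manifest.json` files; the extensions folder location varies by browser and operating system, so it is passed in as a parameter, and the sample manifests and `bank.example` hostname are constructed.

```python
import json
from pathlib import Path
from urllib.parse import urlsplit


def pattern_covers(pattern, url):
    """True if a match pattern (scheme://host/path) covers url's scheme and host.

    The path part is ignored on purpose: any pattern that reaches the host
    is treated as covering the page, which errs toward reporting.
    """
    target = urlsplit(url)
    if pattern == "<all_urls>":
        return target.scheme in ("http", "https")
    scheme, sep, rest = pattern.partition("://")
    if not sep:
        return False  # an API permission such as "tabs", not a host pattern
    if scheme == "*":
        if target.scheme not in ("http", "https"):
            return False
    elif scheme != target.scheme:
        return False
    host = rest.split("/", 1)[0]
    hostname = target.hostname or ""
    if host == "*":
        return True
    if host.startswith("*."):
        return hostname == host[2:] or hostname.endswith(host[1:])
    return hostname == host


def host_patterns(manifest):
    """Collect host patterns from both Manifest V2 and V3 fields."""
    found = []
    for key in ("permissions", "optional_permissions",
                "host_permissions", "optional_host_permissions"):
        found += [p for p in manifest.get(key, []) if isinstance(p, str)]
    for script in manifest.get("content_scripts", []):
        found += script.get("matches", [])
    return found


def can_read(manifest, url):
    """Patterns in this manifest that give the extension access to url."""
    return sorted({p for p in host_patterns(manifest) if pattern_covers(p, url)})


def audit(extensions_root, url):
    """Map each manifest path under extensions_root to (name, covering patterns)."""
    report = {}
    for path in Path(extensions_root).rglob("manifest.json"):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        hits = can_read(manifest, url)
        if hits:
            report[str(path)] = (manifest.get("name", "?"), hits)
    return report


# Constructed sample manifests (not real extensions).
COUPON_HELPER = {"manifest_version": 3, "name": "Coupon Helper",
                 "permissions": ["storage"], "host_permissions": ["<all_urls>"]}
NOTE_CLIPPER = {"manifest_version": 2, "name": "Note Clipper",
                "permissions": ["tabs", "https://notes.example/*"]}
PAGE_THEMER = {"manifest_version": 3, "name": "Page Themer",
               "content_scripts": [{"matches": ["*://*.bank.example/*"],
                                    "js": ["theme.js"]}]}

if __name__ == "__main__":
    bank = "https://online.bank.example/login"  # constructed URL
    for m in (COUPON_HELPER, NOTE_CLIPPER, PAGE_THEMER):
        print(m["name"], "->", can_read(m, bank) or "no access to this page")
```

An extension that shows up here is not necessarily malicious; the list is the set of extensions whose code could see the banking session, which is the set worth reviewing or removing.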

It could even be you


No hardware or software, no anti-malware tool, no firewall, and no system protection feature can protect you from yourself.

It’s important to realize that while having all the tools in place to protect yourself is important, it’s only part of what you need to do to stay safe. You can still bypass all those protections.

Whether it’s falling victim to a phishing attempt, installing malicious software, or just sharing private information with someone you shouldn’t, it’s not uncommon in these cases for it all to come back to the user. Perhaps you did something, somehow, somewhere, bypassing all the security you so carefully put into place.

Sometimes without even realizing it.

Again, I’m not saying that’s the case here, but I can’t rule it out.

What I would do

If I were in your position — having set up what I thought was sufficient security only to get compromised — I would take several additional steps, some of which you may have already done.

  1. Change the account password to something more secure.
  2. Consider adding an additional security tool.
  3. Set or update account recovery information. This can be misused if it’s not kept current and active.
  4. Add transaction alerts to the bank account, if available.

I’d also have a talk with my bank about adding restrictions to online transactions. That someone who wasn’t you could access a line of credit without additional verification is, to me, very troubling. Many banks allow you to restrict what can and cannot be done online, or to set amount thresholds above which additional verification steps are required to complete the transaction.

It’s a conversation well worth having.

Do this

Don’t give up on online banking. Most of the risks I’ve mentioned are present whether you bank online or not.

The good news here is that these types of account compromises don’t happen as often as headlines lead you to believe. Credit card compromise, for example, is much more common.[3] Fortunately, there are many protections in place, not only to prevent fraudulent card use but to limit your own liability for what happens.

What you need to do, however, is make sure you’re doing everything you can to keep your account, your transactions, and yourself, as secure as possible.


Footnotes & References

1: If you’re still writing checks, for example, you’re handing over your bank’s routing number and your account number to whomever you pay.

2: Don’t laugh. It’s happened, usually with some kind of legacy compatibility as an excuse.

3: Happens to me about once a year.

30 comments on “How Was My Bank Account Hacked When I Did Everything Right?”

  1. Phishing is also a possibility. I don’t see it as likely, in this case, as the questioner seems to be very careful, but it’s also something to watch out for. Never click on a link in an email from your bank, or any website for that matter, even the legitimate ones. It can develop into a dangerous habit. Unfortunately, my bank, Bank of America, sends links in their emails. Those are legit but a phisher might take advantage of this and some might be so used to clicking on those links that they might fall for a phishing email. When I get an email from BofA with a link, I go straight to LastPass and log in directly from there. Another reason for using LastPass or other password manager.

    • One way you can spot a phishing attempt is to look at the sender’s email address. If the email bears the logo of, say, Walmart, but the sender’s email doesn’t say “walmart.com,” that should be an immediate red flag to you that the email is fraudulent and you should delete it immediately.

      If you use a web-based email server — Microsoft’s Outlook or Hotmail, Google’s Gmail or Yahoo! Mail — you can immediately report the fraudulent email as a phishing scam (Microsoft has been especially aggressive in filtering out fraudulent emails, but no system is perfect and you must be constantly on your guard).

    • A trick I use is to hover my mouse over any link in emails. This usually presents the address to which the link will take me. If it looks legit, I may choose to click the link. If I’m not sure, I Google the addressee to learn more about them (when they seem to be a site I know – I copy/paste the first part of the URL – up to the first forward slash [/], then search for it with Google et al.). This has kept me relatively safe so far. :)

  2. I recently had over $17,000 scammed from my checking account. The scammer did this by somehow convincing the bank that I had a Sams Club MasterCard and had it included in my account for automatic payment. I checked with the bank that issues Sams Club MasterCards and they confirmed that I did NOT have any account with them, but there was an account with another person with the same name as mine. While the bank currently has a policy that notifies the account holder when a new bill pay is entered into the account, I do not recall having received such a notice regarding the Sams Club card, so this notification policy may not have been in place at the time. I am in the process of trying to convince the bank to add to the notification policy by making a return acknowledgement by the account holder a part of the process. I believe the bank was a bit at fault for not having suspicions raised in my case because, unlike me and most of those that I know, payment for credit card accounts are generally made but once a month on a specific closing date. These payments were made randomly and multiple times during the month over a period of two months. Normally, I would have caught this sooner as I frequently monitor my account; however as luck would have it, I was ill for a month and failed to do my regular inspections of my account. One thing that I cannot fault the bank for is that at the conclusion of their investigation on each of these charges, my money was restored.

    • Adding two factor makes it safer, yes. I always use two factor if offered. To be clear, it is not ABSOLUTELY safe (nothing is), but it is significantly safer.

  3. So my question is, would having a separate computer dedicated to nothing but banking/financial sites be a safer option than the computer that you use every day to do… well just anything?

    I read once, easily 5+ years ago that doing this would mean that you only go to the relevant sites and nowhere else so therefore malware won’t be an issue, nor viruses either. Would this be a fair and/or correct assumption?

    • Yes. I’ve seen this recommendation before. If you have a single computer some recommend booting from a “live CD” or DVD running Linux and doing all your banking from there. That’s extreme, and personally I don’t feel it absolutely necessary (I don’t do it myself, for example), but it does remove certain types of threats from the equation completely.

    • It would add a layer of protection, especially if the computer is running a version of Linux. But there’s no need to have a second computer. You can boot most versions of Linux from a CD, DVD or USB flash drive and get similar protection. This method isn’t perfect simply because no security method is perfect but it’s pretty good.

      • What about setting up a VM that would be used only to perform financial transactions such as managing my bank account or making online purchases? Would the VM offer the same protections as a live USB/CD/DVD session? Just wondering . . .

        Ernie

        • A VM would be similar as long as you don’t save the session when you close the VM. Saving the session would save any malware which may have gotten into the VM. Of course, if you use that VM session only to access your Bank’s website and not access any other site, your chances of getting malware are extremely low, nearly zero.
          I no longer use a Linux session to do banking. My banks use two factor authentication, and even if a hacker has my login name and password, they still couldn’t get in without my phone which has the authentication app.

  4. I’ve never had my bank account compromised, but my credit card has been compromised maybe 3 times in the last 10 years. Fortunately, my credit card provider caught the transactions on the way through the system, blocked the transactions, cancelled my card and issued me with a new one. The only price I had to pay for these account breaches was the inconvenience of 10 working days’ wait for my new card.
    My bank provides me with an additional layer of security in the form of a digital token, which produces a random 6-digit code at the press of a button. This code must be entered, along with my account ID and password, every time I log into the account, and, even though I have already logged in with the token, I have to generate a new 6-digit code every time I attempt an online transaction that involves any movement of funds, regardless of where those funds are intended to go. Furthermore, this token works not only at home on a desktop computer: it also works with my bank’s mobile app.
    I have read on some bank-related security blogs that there are ways in which even these digital tokens can be compromised, but I have been using this token ever since I opened my account about 12 years ago, and I have never had any hint of a problem, so I’m pretty confident about my level of account security.
    I would strongly recommend that anyone who does online banking should inquire of their bank about the possibility of using such a token with their account.
    I’m in Australia, and we don’t have a large number of different banks, here, but I’m fairly sure that not all Australian banks offer security tokens. I guess if you’re in the US, UK or Europe, YMMV.
    Anyway, that’s my 2¢ worth!

    • I live in Germany and all German banks have TAN (Transaction Authorization Numbers) which is a unique password sent either by a text message or a sheet of paper with onetime passwords. Some banks offer a TAN calculator which generates a TAN based on a number the bank sends you online. I believe all EU banks have a similar two factor system.

  5. I like to think I am as safe as I can be as I never use my bank debit card online! I pay with PayPal whenever I can and when that’s not possible, I use my credit card so I never input my bank details on my PC. If neither of those two is accepted I buy from another company. When shopping it’s cash or credit card, never a debit card. More than that I don’t think I can do but we can never be 100% protected from fraud.

  6. You said “The most common case might be on a corporate network where outside access is monitored and controlled by a savvy IT department.” It reminds me of a conversation I had recently with a network admin for a mid-size NGO. He runs a data center for a building with perhaps three hundred workers. As I remember, he uses an https proxy server that lets them decrypt and re-encrypt ALL https traffic and they save it ALL in clear text on their servers for months. I was not bold enough to ask if that would include bank passwords of employees who happened to do online transactions at work.

    Is that technically possible? And should we be asking about this at our workplaces?

    • Yes. As long as someone has physical or remote access to a computer, they can do anything on that machine. If they intercept the https: traffic before it is encrypted, they are also intercepting bank passwords also. They wouldn’t have the capability to decrypt the https: traffic but they can get it before it’s encrypted. The reason you should never do banking from a public or work computer.

      • Actually a savvy IT department CAN intercept https traffic. It involves installing an additional root certificate on corporate machines (easy to do in a controlled environment like that), and then serving up locally generated https certificates for any site’s https traffic. The https traffic is then encrypted from the PC to the IT’s proxy, decrypted, re-encrypted using the “real” site’s https certificate and passed along to the real site. It’s not trivial to set up, and perhaps even detectable to someone using the PC if they know what to look for. (They need to examine the certificate used on their PC for an https connection.)

        • Isn’t that, in a way, capturing it before it’s encrypted? I remember from the old PGP program that it was possible to encrypt a message to more than one recipient. But in any case, is it actually getting the traffic after it’s encrypted by SSL encryption? Wouldn’t it have to capture it before the SSL encryption to do that?

          • No. Client encrypts locally using a corporate cert. That then goes to the corporate proxy. It’s decrypted and then optionally examined. It’s then re-encrypted using the actual cert of the intended destination.

          • I’m still confused. To me, that still sounds like they are encrypting the plain text message with the corporate SSL certificate and then decrypting it and re-encrypting it with the destination certificate. That, to me, sounds like the company intercepted it before it was encrypted.

          • The message is encrypted before it leaves your computer, without “interception”. That it’s using a corporate certificate doesn’t imply any interception at all, other than that certificate being installed on your PC, possibly when the corporate IT department set up your machine for you.
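The thread above notes that TLS inspection can be spotted by examining the certificate a PC receives for an https connection. One way to do that check, as an added example that is not part of the original comments: record the issuer and fingerprint on a network you trust, then compare what another network presents. The hostnames, CA names and fingerprints below are constructed, and `fetch_leaf` is the only function that touches the network.

```python
import hashlib
import socket
import ssl


def issuer_fields(cert):
    """Flatten the nested 'issuer' tuples from SSLSocket.getpeercert() into a dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}


def fetch_leaf(host, port=443, timeout=5.0):
    """Return (parsed certificate, SHA-256 of its DER bytes) as this machine sees it."""
    ctx = ssl.create_default_context()  # default trust settings of this machine
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            return tls.getpeercert(), hashlib.sha256(der).hexdigest()


def assess(cert, fingerprint, baseline):
    """Compare an observed certificate with a baseline recorded on a trusted network.

    'issuer-changed'       a different CA signed the certificate: what a
                           re-signing proxy produces (or the site changed CAs)
    'same-issuer-new-cert' same CA, different certificate: ordinary renewal
    'match'                identical to the baseline
    """
    seen_org = issuer_fields(cert).get("organizationName", "")
    if seen_org != baseline["issuer_org"]:
        return "issuer-changed"
    if fingerprint != baseline["sha256"]:
        return "same-issuer-new-cert"
    return "match"


def constructed_fp(label):
    """Stand-in fingerprint for the constructed samples below."""
    return hashlib.sha256(label).hexdigest()


# Constructed baseline, as if recorded from home for a bank at bank.example.
BASELINE = {"issuer_org": "Example Public CA",
            "sha256": constructed_fp(b"constructed leaf A")}

# Constructed getpeercert()-shaped results for the same site.
SEEN_AT_HOME = {"issuer": ((("countryName", "US"),),
                           (("organizationName", "Example Public CA"),),
                           (("commonName", "Example Public CA R1"),))}
SEEN_AT_WORK = {"issuer": ((("organizationName", "Corp IT Inspection CA"),),
                           (("commonName", "Corp Proxy Issuing CA"),))}

if __name__ == "__main__":
    print(assess(SEEN_AT_HOME, constructed_fp(b"constructed leaf A"), BASELINE))
    print(assess(SEEN_AT_HOME, constructed_fp(b"constructed leaf B"), BASELINE))
    print(assess(SEEN_AT_WORK, constructed_fp(b"constructed leaf C"), BASELINE))
    # Live use: cert, fp = fetch_leaf("your-bank-hostname"); assess(cert, fp, baseline)
```
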

  7. Footnote #1: “Don’t laugh. It’s happened, usually with some kind of legacy compatibility as an excuse.” Isn’t legacy compatibility, in that case, a euphemism for “We’re too lazy (or cheap) to fix it?”

    • I’ve always assumed that when I encounter this the system being used is a decades old mainframe written in Cobol or something. The conversion cost isn’t about being cheap — the cost could be massive. Not that they shouldn’t do it, but it may not be as frivolous a decision as you imply.

  8. NEVER HAD PROBLEMS UNTIL I STARTED USING ‘{redacted}’

    BEWARE OF >>>> {redacted}

    This {redacted}VPN FREE SERVICE has caused me problems.

    I installed this {redacted} Chrome extension and used its Free VPN Service.

    Note: I only used the VPN when viewing my Bank Account online and responding to political websites.

    Sept. 2019 – I activated (switched on) {redacted}(Singapore Setting) to view Bank Account. Within a few hours the Bank called and said that I had been hacked from the Netherlands. I immediately went online, and sure enough I was hacked for two hundred dollars. – (I live in Arkansas – USA)

    January 3, 2020 – Went online to check local bank account using {redacted}(UK Setting). — Within 13 minutes someone had hacked my account for $450.

    I’ll never use {redacted} again. (I thought VPNs were safe)

    My question is this ….. “Are VPNs Safe?”
    Please Respond.

  9. My bank account was hacked when I was “SIM jacked” (an entire subject in itself). They transferred money out of my account. They went to Amazon.ca and saw that the most recent purchase was a 6GB hard drive and told Amazon that it was defective. So Amazon sent them a replacement. They even tried to get into my Air Canada Aeroplan account and steal my points but Aeroplan locked it for “suspicious activity.”
    My Virgin cell phone account is now locked down so hard that Virgin claims that I could not even take my SIM card to another phone.

  10. In this situation, the first thing I would have checked were the installed browser extensions. Many of them have far too many permissions and thus can read everything on every web page.

    When it comes to limiting your attack surface, the biggest hammer in the toolbox is a Chromebook running in Guest Mode. This ensures nothing malicious is running. Perhaps Google is still looking over your shoulder but still, this is the safest easy option. The downside is that you cannot run a VPN on the Chromebook in Guest Mode (as far as I know). For that, you would need to run the VPN on a router or a NAS.

  11. Leo, the E-Mail newsletter version of this article does not include the “Do This” section, as a result of which there is no footnote 3, since that is the section where that footnote is located. Therefore, the third item under “Footnote and References,” (“Happens to me about once a year”) is orphaned text — and quite mystifying — in the newsletter.

  12. Security at many US financial institutions is just to laugh at. Far too many do not even deploy the very basics, SMS-based two-factor-authentication (2FA), but only have you rely on a user ID and a password. If you bank with such a bank, DON’T! Take your money elsewhere to a bank that at least understands that security trumps ‘fear of inconveniencing the customer’.
    Here is a good database of services (banks and others) and their 2FA ‘status’ (it is appalling to see so many financial institutions not offering more than SMS based…): https://2fa.directory/us/

    That said, there are inherent flaws in online banking in the US – and it is not the banks’ fault. It is the fault that we lack a true system for verifying identities here in the US. And we do that most likely out of legacy reasons and fear of ‘government intrusion’ or ‘big brother’ snooping. Unwarranted.
    But what could we do? We could start with having a true system for identification (use the SSN on drivers licenses, passports, let it be the ‘marker’ that follows a person through life, in all types of transactions (financial, legal, health)). Once that has been established, a system for verified digital identities could be implemented (keyword ‘verified’).
    Why is that important? An example can come from Scandinavia where the system ‘BankID’ has been in use for over 10 years. It is a private system owned by the banks, but the ‘digital identity’ is widely accepted essentially everywhere, and in fact is a must in order to access your tax information, most government services, retirement information, your bank accounts, to reach healthcare services, your cellphone account, when booking appointments for certain types of services, etc. The list is endless.

    It all starts at the bank. Once duly identified and verified by means of National ID card, Passport, Drivers License – NO exceptions, the bank will issue you a digital token referred to as BankID. A (Swedish) video for how the verification process takes place at one bank is found here (note that there is a two step process, photo of the ID + a scanning of the built-in RFID chip): https://youtu.be/QAupOJWQDIc

    When this is done, you never really ever need to type in a user ID or password to access a service, and life is very simple – and very secure!
    In order to access a service, you open the BankID app (locked with code or biometrics, your choice), you go to the service provider’s web site, use the app to scan the QR code, once scanned, you verify your access via your BankID PIN. Now you do what you came here to have accomplished, transfer money as an example, but in order to confirm and effectuate that transfer and set the wheels in motion, you need to scan another QR code, the BankID app (on the phone itself) will display the amount and the designee, and you are asked (again) to verify the transaction with your PIN.

    It is a VERY simple process and using BankID could not be easier. You have your ‘factors’ (your phone and your PIN codes) and the chance of someone ever intercepting the traffic is slim to nil. No one can log in from a different location. Most institutions will allow one individual to have two to three BankIDs, so you can have one on a phone, on a pad, and maybe on a second phone (or on a PC) for redundancy if so desired. The identity verification needs to be renewed every 3 years, so it is good to have BankIDs that overlap a bit.

    As BankID also meets and exceeds the standards for ‘European Digital Identities’, it is not landlocked and can be used for so much more in addition to the more basic services it was initially devised to support, like remote authentication for Azure, signing of legal documents (goodbye VeriSign).
