
How Could My Bank Account Have Been Hacked if I Have Good Security?


My bank account was just hacked. The hacker opened a new account, transferred money from my line of credit into that account, then transferred the money out to his outside account. So, it appears he somehow got my client card number and my password.

My laptop is about five years old, running Windows 7, which I update every week. I have BitDefender for virus scans, with which I do a full system scan every week. My password was 15 characters long, with a mix of numbers and upper and lowercase letters. When I am not at home, I use a VPN service while on the internet. I have changed my bank passwords to 22 characters long and installed Malwarebytes Premium for real-time virus protection.

So, I have two questions: how could a hacker possibly do this with the precautions I have, and how can I protect myself further from this point?

You do have good security in place — above average, I’d say. That makes this situation a little more difficult to diagnose, as well as a tad more frustrating.

While I certainly can’t tell you exactly what happened, I can speculate on some possibilities. I also have a few ideas on how I’d protect myself if I were in your shoes.


It might not be you

Honestly, the first thing that comes to mind when I review your security precautions is that this might be completely out of your control.

It might not be you.

We often share things like our bank account number with services and institutions we trust and do business with. It’s conceivable that the account number, at least, could have been compromised in some way via one of these third parties.

This highlights an important reality: account IDs — for example, your user name or email address — are not secure. Many people think that by hiding or obscuring their IDs to various services, they’re keeping themselves more secure. It’s a false sense of security, at best. Those IDs are how we use those accounts, often in less-than-private ways. Consider your email address, for example; it’s just another type of ID we regularly share with others.

As for the password, it’s certainly possible that the bank suffered a breach of some sort. It does seem not a week goes by when we don’t hear of one. While I don’t consider this likely (unless you’ve heard from your bank that it’s happened), it’s a possibility.

That actually leads to a somewhat scarier scenario.

It might be your bank

You didn’t indicate which financial institution you use, but I assure you, none of them are perfect. While some are better than others, it’s definitely a spectrum.

Suffering a breach is just one example of what might go wrong. They could have been fooled by someone calling in and pretending to be you — so-called “social engineering”. Their technology could have had a failure of some sort. Perhaps their login process isn’t sufficiently protected against brute force attacks. Perhaps they store passwords poorly, paying attention to only the first 8 characters.[1] Perhaps their network is less than fully secure.
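An added illustration of the "first 8 characters" problem mentioned above (example code, not from this article or any bank): a constructed legacy password store that, like the old Unix crypt() habit, silently ignores everything after the eighth character, beside a store that hashes the whole password. The salt, the demo password and the SHA-256/PBKDF2 choices are assumptions for illustration.

```python
import hashlib
import hmac
import math

# Constructed demonstration, not any real bank's code. The "legacy" store
# mimics the old Unix DES crypt() habit of using only the first 8 characters;
# the "modern" store hashes the whole password with a slow KDF.

LEGACY_TRUNCATE_AT = 8
PBKDF2_ROUNDS = 100_000   # kept low for a quick demo; use more in production


def legacy_hash(password: str, salt: bytes) -> bytes:
    # Defect under study: everything past character 8 is silently dropped.
    return hashlib.sha256(salt + password[:LEGACY_TRUNCATE_AT].encode()).digest()


def modern_hash(password: str, salt: bytes) -> bytes:
    # Whole password, salted, iterated (PBKDF2-HMAC-SHA256 from the stdlib).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify(stored: bytes, candidate: str, salt: bytes, hasher) -> bool:
    # Constant-time comparison so the check itself leaks nothing by timing.
    return hmac.compare_digest(stored, hasher(candidate, salt))


def effective_length(password: str, salt: bytes, hasher) -> int:
    """Smallest prefix of `password` that verifies as the full password,
    i.e. how many characters the store actually distinguishes."""
    full = hasher(password, salt)
    for n in range(1, len(password) + 1):
        if hmac.compare_digest(full, hasher(password[:n], salt)):
            return n
    return len(password)


def keyspace_bits(effective_len: int, alphabet_size: int = 62) -> float:
    """Brute-force work, in bits, for a mixed-case alphanumeric password
    of which only `effective_len` characters count."""
    return effective_len * math.log2(alphabet_size)


if __name__ == "__main__":
    salt = b"constructed-salt"            # assumption: fixed demo salt
    password = "Correct1Horse2Battery3"   # constructed 22-character password
    for name, hasher in (("legacy", legacy_hash), ("modern", modern_hash)):
        n = effective_length(password, salt, hasher)
        print(f"{name}: {n} of {len(password)} characters matter, "
              f"~{keyspace_bits(n):.0f} bits to brute-force")
```

With the legacy store, the questioner's new 22-character password is worth exactly as much as an 8-character one, which is why a breach at the bank's end can defeat a strong password.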

And, of course, there’s always the possibility of an inside job.

All these scenarios are quite rare, so it’s difficult to point a finger with any certainty, but they’ve each happened, and could explain what happened to you.

And they’re all out of your control.

It could be something in the middle

I don’t know where you’re connecting from, who your ISP is, or what computers you use, but other things could cause your password to be stolen or your account to be hacked, including:

  • Using a public computer with a hardware key logger.
  • Using a friend’s computer with who-knows-what to capture or save your login credentials.
  • Using a network that has been somehow compromised with a “man-in-the-middle” attack, allowing even secure connections to be intercepted. The most common case might be on a corporate network where outside access is monitored and controlled by a savvy IT department.

All these and more would be rare … but possible.

It could still be malware

Even though you were running a reputable anti-malware tool at the time, it’s critical to realize that not all anti-malware tools catch every form of malware. No tool is 100% perfect.

Which is to say, something could have slipped through.

Given your strong password, what comes to mind is a keylogger of some sort. Password strength is no protection whatsoever from software that intercepts your password as you type (or click or paste) it in. Even though you seem well protected, this seems the most likely scenario at this point.

Malware also often arrives in different guises. One that comes to mind is the rogue browser extension. Every so often, we hear of malicious actors managing to get their malware into various app stores and extension repositories. Once installed in your browser, this software has access to absolutely everything that happens within your browser, like visiting and signing in to your online banking account.

It could even be you

No hardware or software, no anti-malware tool, no firewall, and no system protection feature can protect you from yourself.

I’m not trying to be harsh here, but it’s important to realize that while having all the tools in place to protect yourself is important, it’s only part of what we all need to do to stay safe. We still have the ability to bypass all those protections.

Whether it’s accidentally falling victim to a phishing attempt, unintentionally installing malicious software, or just sharing private information with someone we shouldn’t have, it’s not at all uncommon for it all to come back to us. We did something, somehow, somewhere, that bypassed all the security we so carefully put into place.

Sometimes without even realizing it.

Again, I’m not saying that’s the case here, but it can’t be ruled out.

What I would do

If I were in your position, having set up what I thought was sufficient security only to get compromised, I would take several additional steps.

First, I would do exactly what you did: add an additional security solution to my mix, and change the password to the affected account to something longer than in the past.

Next, I’d review the account recovery information. Anything that could be used to reset a forgotten password has the potential to be misused if it’s not kept current and active.

Then I’d add transaction alerts to my bank account, if that’s supported. It’s more common with credit cards; I have my cards email me every time they’re charged, and even text me for transactions over a certain amount.

Finally, I’d talk to my bank about setting up additional restrictions on what can and cannot be done online. The fact that someone who wasn’t you was able to access a line of credit without additional verification is, to me, exceptionally troubling. Many banks allow you to set restrictions on what you can and cannot do online, and may even be able to place amount thresholds to disallow transactions, or require that you proactively take additional steps offline to complete the transaction. It’s a conversation well worth having.
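An added example (not any bank's real code, nor code from this article) of the alert and online-restriction rules suggested in the last three paragraphs, applied to the sequence of actions the questioner describes. Amounts, thresholds and action names are constructed for illustration.

```python
from dataclasses import dataclass

# Added example, not any bank's real code: the alerting and online-restriction
# rules the article suggests asking your bank for, applied to the sequence of
# actions the questioner describes (amounts and rule values are constructed).


@dataclass(frozen=True)
class Action:
    channel: str                    # "online", "branch" or "card"
    kind: str                       # e.g. "card_charge", "credit_draw",
                                    # "transfer_external", "open_account"
    amount: float
    step_up_verified: bool = False  # confirmed out-of-band (call-back, branch)


@dataclass(frozen=True)
class Policy:
    sms_threshold: float = 500.0    # email on every action, text above this
    online_limit: float = 2000.0    # largest movement of funds allowed online
    step_up_kinds: tuple = ("credit_draw", "transfer_external", "open_account")


def evaluate(action: Action, policy: Policy) -> dict:
    """Decide whether one action is allowed and which alerts to send."""
    alerts = {"email"}
    if action.amount > policy.sms_threshold:
        alerts.add("sms")
    allowed, reason = True, ""
    if action.channel == "online":
        if action.kind in policy.step_up_kinds and not action.step_up_verified:
            allowed, reason = False, f"{action.kind} needs out-of-band confirmation"
        elif action.amount > policy.online_limit:
            allowed, reason = False, f"amount exceeds online limit of {policy.online_limit:.0f}"
    if not allowed:
        alerts.add("sms")           # a blocked attempt is worth a text of its own
    return {"allowed": allowed, "reason": reason, "alerts": sorted(alerts)}


def first_blocked(actions: list, policy: Policy) -> int:
    """Index of the first action the policy blocks, or -1 if all go through."""
    for i, action in enumerate(actions):
        if not evaluate(action, policy)["allowed"]:
            return i
    return -1


# The three steps from the question, carried out online with only the password.
QUESTIONER_SEQUENCE = [
    Action("online", "open_account", 0.0),
    Action("online", "credit_draw", 4000.0),
    Action("online", "transfer_external", 4000.0),
]

if __name__ == "__main__":
    stopped_at = first_blocked(QUESTIONER_SEQUENCE, Policy())
    print("the policy would stop the sequence at step", stopped_at + 1)
```

The point is that the password is not the only control: with a step-up requirement on high-risk action types, the first step in the questioner's story would have been blocked and texted about, whoever held the password.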

It’s rare, but…

I don’t want this litany of possibilities to scare people off online banking. Honestly, the majority of risks I’ve just mentioned are present whether you bank online or not.

These types of one-off bank account compromises don’t happen as often as headlines lead you to believe. Credit card compromise, for example, is much more common.[2] Fortunately, there are many protections in place, not only to prevent fraudulent credit card use, but to limit your own liability for what happens.

That being said, it remains an important responsibility to maintain our personal security appropriately, both online and off.


Footnotes & references

[1]: Don’t laugh. It’s happened, usually with some kind of legacy compatibility as an excuse.

[2]: Happens to me about once a year.

21 comments on “How Could My Bank Account Have Been Hacked if I Have Good Security?”

  1. Phishing is also a possibility. I don’t see it as likely, in this case, as the questioner seems to be very careful, but it’s also something to watch out for. Never click on a link in an email from your bank, or any website for that matter, even the legitimate ones. It can develop into a dangerous habit. Unfortunately, my bank, Bank of America, sends links in their emails. Those are legit, but a phisher might take advantage of this, and some might get so used to clicking on those links that they might fall for a phishing email. When I get an email from BofA with a link, I go straight to LastPass and log in directly from there. Another reason for using LastPass or another password manager.

    Reply
    • One way you can spot a phishing attempt is to look at the sender’s email address. If the email bears the logo of, say, Walmart, but the sender’s email doesn’t say “walmart.com,” that should be an immediate red flag to you that the email is fraudulent and you should delete it immediately.

      If you use a web-based email server — Microsoft’s Outlook or Hotmail, Google’s Gmail or Yahoo! Mail — you can immediately report the fraudulent email as a phishing scam (Microsoft has been especially aggressive in filtering out fraudulent emails, but no system is perfect and you must be constantly on your guard).

      Reply
  2. I recently had over $17,000 scammed from my checking account. The scammer did this by somehow convincing the bank that I had a Sams Club MasterCard and had it included in my account for automatic payment. I checked with the bank that issues Sams Club MasterCards and they confirmed that I did NOT have any account with them, but there was an account with another person with the same name as mine. While the bank currently has a policy that notifies the account holder when a new bill pay is entered into the account, I do not recall having received such a notice regarding the Sams Club card, so this notification policy may not have been in place at the time. I am in the process of trying to convince the bank to add to the notification policy by making a return acknowledgement by the account holder a part of the process. I believe the bank was a bit at fault for not having suspicions raised in my case because, unlike me and most of those that I know, payments for credit card accounts are generally made but once a month on a specific closing date. These payments were made randomly and multiple times during the month over a period of two months. Normally, I would have caught this sooner as I frequently monitor my account; however, as luck would have it, I was ill for a month and failed to do my regular inspections of my account. One thing that I cannot fault the bank for is that at the conclusion of their investigation on each of these charges, my money was restored.

    Reply
    • Adding two factor makes it safer, yes. I always use two factor if offered. To be clear, it is not ABSOLUTELY safe (nothing is), but it is significantly safer.

      Reply
  3. So my question is, would having a separate computer dedicated to nothing but banking/financial sites be a safer option than the computer that you use every day to do… well, just anything?

    I read once, easily 5+ years ago that doing this would mean that you only go to the relevant sites and nowhere else so therefore malware won’t be an issue, nor viruses either. Would this be a fair and/or correct assumption?

    Reply
    • Yes. I’ve seen this recommendation before. If you have a single computer some recommend booting from a “live CD” or DVD running Linux and doing all your banking from there. That’s extreme, and personally I don’t feel it absolutely necessary (I don’t do it myself, for example), but it does remove certain types of threats from the equation completely.

      Reply
    • It would add a layer of protection, especially if the computer is running a version of Linux. But there’s no need to have a second computer. You can boot most versions of Linux from a CD, DVD or USB flash drive and get similar protection. This method isn’t perfect simply because no security method is perfect but it’s pretty good.

      Reply
  4. I’ve never had my bank account compromised, but my credit card has been compromised maybe 3 times in the last 10 years. Fortunately, my credit card provider caught the transactions on the way through the system, blocked the transactions, cancelled my card and issued me with a new one. The only price I had to pay for these account breaches was the inconvenience of 10 working days’ wait for my new card.
    My bank provides me with an additional layer of security in the form of a digital token, which produces a random 6-digit code at the press of a button. This code must be entered, along with my account ID and password, every time I log into the account, and, even though I have already logged in with the token, I have to generate a new 6-digit code every time I attempt an online transaction that involves any movement of funds, regardless of where those funds are intended to go. Furthermore, this token works not only at home on a desktop computer: it also works with my bank’s mobile app.
    I have read on some bank-related security blogs that there are ways in which even these digital tokens can be compromised, but I have been using this token ever since I opened my account about 12 years ago, and I have never had any hint of a problem, so I’m pretty confident about my level of account security.
    I would strongly recommend that anyone who does online banking should inquire of their bank about the possibility of using such a token with their account.
    I’m in Australia, and we don’t have a large number of different banks, here, but I’m fairly sure that not all Australian banks offer security tokens. I guess if you’re in the US, UK or Europe, YMMV.
    Anyway, that’s my 2¢ worth!

    Reply
    • I live in Germany and all German banks have TAN (Transaction Authorization Numbers) which is a unique password sent either by a text message or a sheet of paper with onetime passwords. Some banks offer a TAN calculator which generates a TAN based on a number the bank sends you online. I believe all EU banks have a similar two factor system.

      Reply
  5. I like to think I am as safe as I can be, as I never use my bank debit card online! I pay with PayPal whenever I can and when that’s not possible, I use my credit card, so I never input my bank details on my PC. If neither of those two is accepted, I buy from another company. When shopping it’s cash or credit card, never a debit card. More than that I don’t think I can do, but we can never be 100% protected from fraud.

    Reply
  6. You said “The most common case might be on a corporate network where outside access is monitored and controlled by a savvy IT department.” It reminds me of a conversation I had recently with a network admin for a mid-size NGO. He runs a data center for a building with perhaps three hundred workers. As I remember, he uses an https proxy server that lets them decrypt and re-encrypt ALL https traffic and they save it ALL in clear text on their servers for months. I was not bold enough to ask if that would include bank passwords of employees who happened to do online transactions at work.

    Is that technically possible? And should we be asking about this at our workplaces?

    Reply
    • Yes. As long as someone has physical or remote access to a computer, they can do anything on that machine. If they intercept the https: traffic before it is encrypted, they are also intercepting bank passwords. They wouldn’t have the capability to decrypt the https: traffic, but they can get it before it’s encrypted. That’s the reason you should never do banking from a public or work computer.

      Reply
      • Actually a savvy IT department CAN intercept https traffic. It involves installing an additional root certificate on corporate machines (easy to do in a controlled environment like that), and then serving up locally generated https certificates for any site’s https traffic. The https traffic is then encrypted from the PC to the IT’s proxy, decrypted, re-encrypted using the “real” site’s https certificate and passed along to the real site. It’s not trivial to set up, and perhaps even detectable to someone using the PC if they know what to look for. (They need to examine the certificate used on their PC for an https connection.)

        Reply
        • Isn’t that, in a way, capturing it before it’s encrypted? I remember from the old PGP program that it was possible to encrypt a message to more than one recipient. But in any case, is it actually getting the traffic after it’s encrypted by SSL encryption? Wouldn’t it have to capture it before the SSL encryption to do that?

          Reply
          • No. Client encrypts locally using a corporate cert. That then goes to the corporate proxy. It’s decrypted and then optionally examined. It’s then re-encrypted using the actual cert of the intended destination.

          • I’m still confused. To me, that still sounds like they are encrypting the plain text message with the corporate SSL certificate and then decrypting it and re-encrypting it with the destination certificate. That, to me, sounds like the company intercepted it before it was encrypted.

          • The message is encrypted before it leaves your computer, without “interception”. That it’s using a corporate certificate doesn’t imply any interception at all, other than that certificate being installed on your PC, possibly when the corporate IT department set up your machine for you.

  7. Footnote #1: “Don’t laugh. It’s happened, usually with some kind of legacy compatibility as an excuse.” Isn’t legacy compatibility, in that case, a euphemism for “We’re too lazy (or cheap) to fix it”?

    Reply
    • I’ve always assumed that when I encounter this the system being used is a decades old mainframe written in Cobol or something. The conversion cost isn’t about being cheap — the cost could be massive. Not that they shouldn’t do it, but it may not be as frivolous a decision as you imply.

      Reply
