When everything isn’t enough.
My bank account was just hacked. The hacker opened a new account, transferred money from my line of credit into that account, then transferred the money out to his outside account. So it appears he somehow got my client card number and my password.
My laptop is about five years old, running Windows, which I update every week. I have BitDefender for virus scans, which I do a full system scan every week. My password was 15 characters long, with a mix of numbers and upper and lowercase letters. When I am not at home, I use a VPN service while on the internet. I have changed my bank passwords to 22 characters long and installed Malwarebytes Premium for real time virus protection.
So, I have two questions: how could a hacker possibly do this with the precautions I have? And how can I protect myself further from this point?
You have good security in place — above average, I’d say. That makes this situation more difficult to diagnose as well as more frustrating.
While I certainly can’t tell you exactly what happened, I can speculate. I also have ideas on how I’d further protect myself if I were in your shoes.
Become a Patron of Ask Leo! and go ad-free!
My bank account was hacked!
Hacks can come from sources other than you.
- The bank could have been compromised.
- Man-in-the-middle-style interceptions.
- You could have malware.
- You could have tripped up unintentionally.
Good security hygiene is in your control. It’s always important whether you bank online or off.
It might not be you
The first thing that comes to mind is that this might be completely out of your control.
It might not be you.
You may rightfully share things like bank account numbers with services and institutions you trust and do business with. It’s one reason you have a bank account, after all.
The account number could have been compromised via one of these third parties.
This highlights an important reality: your account ID — for example, your username, email address, or possibly even your bank account number1 — are not secure.
You may think hiding or obscuring your IDs to various services keeps you more secure. It’s a false sense of security. Those IDs are how you use those accounts, often in less-than-private ways. Consider your email address, for example; it’s just another type of ID you regularly share with others.
As for the password, it’s possible the bank suffered a breach of some sort. It seems not a week goes by when we don’t hear of one. While I don’t think this is likely (unless your bank says otherwise), it’s a possibility.
That leads to a scarier scenario.
It might be your bank
You didn’t say which bank you use, but I assure you none of them are perfect. While some are better than others, it’s definitely a spectrum.
A breach is one example of what can go wrong. Someone calling in and pretending to be you could have fooled them; this is called social engineering. Their technology could have failed. Maybe they don’t protect their login process sufficiently against brute force attacks. Perhaps they store passwords poorly, or pay attention to only the first eight characters.2
Perhaps their network is less than secure.
And there’s always the possibility of an inside job.
All these scenarios are quite rare these days, so it’s difficult to point a finger, but they’ve each happened and could explain what happened to you.
And they’re all out of your control.
It could be something in the middle
I don’t know where you’re connecting from, who your ISP is, or what computers you use, but other things could cause security issues.
- Using a public computer with a hardware keylogger.
- Using a friend’s computer with a keylogger or other malware on it.
- Using a network compromised with a “man-in-the-middle” attack. This can allow even secure connections to be intercepted.
All these and more would be rare, but possible.
It could still be malware
Even though you were running good security, it’s critical to realize that not all tools catch every form of malware. No tool is 100% perfect.
Something could have slipped through.
Given your strong password, what comes to mind is a keylogger. Password strength is no protection from software intercepting your password as you type, click, or paste it in.
Even though you seem well protected, this seems the most likely scenario at this point.
Malware often arrives in different guises — for example, a rogue browser extension. Every so often, we hear of malicious actors getting their malware into app stores and extension repositories. Once installed in your browser, this software has access to everything happening within your browser, including visiting and signing in to your bank.
It could even be you
It’s important to realize that while having all the tools in place to protect yourself is important, it’s only part of what you need to do to stay safe. You can still bypass all those protections.
Whether it’s falling victim to a phishing attempt, installing malicious software, or just sharing private information with someone you shouldn’t, it’s not uncommon in these cases for it all to come back to the user. Perhaps you did something, somehow, somewhere, bypassing all the security you so carefully put into place.
Sometimes without even realizing it.
Again, I’m not saying that’s the case here, but I can’t rule it out.
What I would do
If I were in your position — having set up what I thought was sufficient security only to get compromised — I would take several additional steps, some of which you may have already done.
- Change the account password to something more secure.
- Consider adding an additional security tool.
- Set or update account recovery information. This can be misused if it’s not kept current and active.
- Add transaction alerts to the bank account, if available.
I’d also have a talk with my bank about adding restrictions to online transactions. Because someone who wasn’t you could access a line of credit without additional verification is, to me, very troubling. Many banks allow you to set restrictions on what you can and cannot do online, or place amount thresholds to require additional verification steps to complete the transaction.
It’s a conversation well worth having.
Don’t give up on online banking. Most of the risks I’ve mentioned are present whether you bank online or not.
The good news here is that these types of account compromises don’t happen as often as headlines lead you to believe. Credit card compromise, for example, is much more common.3 Fortunately, there are many protections in place, not only to prevent fraudulent card use but to limit your own liability for what happens.
What you need to do, however, is make sure you’re doing everything you can to keep your account, your transactions, and yourself, as secure as possible.
Also, subscribe to Confident Computing. My weekly newsletter will help you stay safe and secure, with less frustration and more confidence, solutions, answers, and tips in your inbox every week.