Staying Safe in the Financial Wilderness

I was hacked the other day.

It started innocently enough with an email notification from PayPal that I had received a deposit in my account. Awesome…except I wasn’t expecting any incoming transfers.

Right after that email came a flood of other notifications for more incoming transfers and outgoing transfers. Ruh roh!

I quickly logged into my account to see what was going on. Arrayed neatly on my transaction list were a dozen transfers in and out of PayPal, plus my two connected bank accounts – for over $2,000 and counting.

At first I considered that perhaps someone had sent me funds by mistake. A simple typo. The matched dollar amounts of funds going in and out early could be PayPal support reversing the wayward Washingtons, right?

Nothing a quick call to their customer support line couldn’t resolve!

Over two hours later, I was still on hold. Not light adult contemporary muzak either. Oh, if only my eardrums were so fortunate. In their brilliance, PayPal’s customer service team chose to repeat the same voiceover clips, over and over and over.

Out of an abundance of caution while on hold, I changed my password. I also noticed a two factor authentication (TFA) option for a code to be sent by text for future logins. Done and done.

Finally, I was connected with a rep who was unable to give me any help except to confirm that my account was compromised and they would be returning the funds to my account in three to five business days.

All set? Wrong! The ACH connection with the banks was a big problem. Normally, if a PayPal balance is not sufficient to cover a pending transaction, they will tap into your linked accounts to cover the difference. In this case, the fraudsters were able to withdraw from my checking account, which is set up as the central hub for all my monthly payments. Zoinks!

Luckily, there was enough to cover the upcoming bills (illustrating the importance of an emergency fund), but a bad situation could quickly have escalated into a dire cascading series of missed payments, overdraft charges, and customer service headaches.

Lessons:

  • Create a different password for each location where you have wealth. One reused password means one leaked database exposes every account that shares it; a password manager makes unique passwords painless.
  • Use two factor authentication – always
    • That annoying speed bump of entering a code each time is enough to stop most opportunistic attackers, even if they already have your password. They’ll just move on to someone without TFA set up.
    • If you have significant wealth or are a larger target, consider an authenticator app or a token based system rather than SMS codes. There are cases of hackers convincing phone companies to send out new SIM cards or porting numbers over to the hackers (known as SIM swapping or port-out fraud), making it trivial for them to receive your text codes and access your account.
    • The best level of security is a hardware token like these from Yubico and Google, which cannot be intercepted by a SIM swap or phished by a lookalike login page. Support is limited to a handful of services for now, but expect adoption to grow.
  • Consider which banking account you link to online payment services. You can limit the potential damage by using a small ancillary account with a modest balance rather than your main account: if a fraudster drains it, the loss is capped at that balance and your bill payments keep clearing.

Was this preventable? Yes. I should have enabled two factor authentication as soon as it was available. Over 90% of Gmail users don’t have TFA set up. I had it on some accounts, but not PayPal.

Give yourself a basic security audit: document your various accounts, confirm each one has a different password, and confirm two factor authentication is turned on for each. If your financial service doesn’t offer TFA, move your money somewhere that does.
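The audit described above, and the four lessons it checks, turned into a short script. This is an added example, not code from the original post or from PayPal: it runs the checks over a constructed account inventory (the account names, passwords, and TFA settings are made up to resemble the situation before the breach), stores only SHA-256 fingerprints of passwords so reuse can be spotted without writing plaintext down, and reports which accounts fail each lesson.

```python
"""Account security self-audit over a constructed inventory (added example)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List

# TFA methods the post discusses, ranked weakest to strongest. "sms" is the
# method exposed to SIM swapping; "hardware" means a security key such as a YubiKey.
TFA_RANK = {"none": 0, "sms": 1, "totp": 2, "hardware": 3}


@dataclass
class Account:
    name: str
    password_fingerprint: str   # SHA-256 of the password; the plaintext is never stored
    tfa: str                    # one of the keys in TFA_RANK
    holds_wealth: bool = False  # bank, brokerage, payment service
    linked_bank: str = ""       # bank account this service is allowed to pull funds from


def fingerprint(password: str) -> str:
    """Hash a password so reuse can be detected without keeping the plaintext around."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def audit(accounts: List[Account], primary_bank: str) -> Dict[str, List[str]]:
    """Apply the post's four lessons to an inventory; return offending account names per check."""
    for a in accounts:
        if a.tfa not in TFA_RANK:
            raise ValueError(f"{a.name}: unknown TFA method {a.tfa!r}")

    # Lesson 1: a different password everywhere. Group accounts by password fingerprint.
    by_fp: Dict[str, List[str]] = {}
    for a in accounts:
        by_fp.setdefault(a.password_fingerprint, []).append(a.name)
    reused = sorted(n for names in by_fp.values() if len(names) > 1 for n in names)

    # Lesson 2: two factor authentication on everything.
    no_tfa = sorted(a.name for a in accounts if a.tfa == "none")

    # Lesson 3: where money sits, SMS codes alone leave you open to SIM swapping.
    sms_wealth = sorted(a.name for a in accounts if a.holds_wealth and a.tfa == "sms")

    # Lesson 4: payment services should not be able to drain the account that pays the bills.
    linked_primary = sorted(a.name for a in accounts if a.linked_bank == primary_bank)

    return {
        "reused_password": reused,
        "no_tfa": no_tfa,
        "sms_only_wealth": sms_wealth,
        "linked_to_primary": linked_primary,
    }


def sample_inventory() -> List[Account]:
    """Constructed inventory (made-up names and passwords) resembling the pre-breach setup."""
    return [
        Account("PayPal", fingerprint("Tr0ub4dor&3"), "none", holds_wealth=True,
                linked_bank="Main Checking"),
        Account("Main Checking", fingerprint("Tr0ub4dor&3"), "sms", holds_wealth=True),
        Account("Brokerage", fingerprint("x9!Lk$2pQ7vW"), "hardware", holds_wealth=True),
        Account("Gmail", fingerprint("correct horse battery staple"), "totp"),
        Account("Forum", fingerprint("hunter2"), "none"),
    ]


def run_sample() -> Dict[str, List[str]]:
    """Run the audit over the constructed inventory with Main Checking as the bill-paying hub."""
    return audit(sample_inventory(), primary_bank="Main Checking")


if __name__ == "__main__":
    for check, names in run_sample().items():
        print(f"{check:18} {', '.join(names) or 'ok'}")
```

On the constructed inventory the script flags PayPal and Main Checking for sharing a password, PayPal and the forum for having no TFA, Main Checking for protecting money with SMS codes only, and PayPal for being linked to the primary checking account. Fixing the last two findings is what would have kept the fraud from reaching the bill-paying account.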

Readers, have you been hacked or defrauded before?