Many people, particularly older folks, proudly declare they avoid using the Web to manage various accounts tied to their personal and financial data — including everything from utilities and mobile phones to retirement benefits and online banking services. The reasoning behind this strategy is as simple as it is alluring: What’s not put online can’t be hacked. But increasingly, adherents to this mantra are finding out the hard way that if you don’t plant your flag online, fraudsters and identity thieves may do it for you.
The crux of the problem is that while most types of customer accounts these days can be managed online, the process of tying one’s account number to a specific email address and/or mobile device typically involves supplying personal data that can easily be found or purchased online — such as Social Security numbers, birthdays and addresses.
Some examples of how being a modern-day Luddite can backfire are well-documented, such as when scammers create online accounts in someone’s name at the Internal Revenue Service, the U.S. Postal Service or the Social Security Administration.
Other examples may be far less obvious. Consider the case of a consumer who receives their home telephone service as part of a bundle through their broadband Internet service provider (ISP). Failing to set up a corresponding online account to manage one’s telecommunications services can provide a powerful gateway for fraudsters.
Carrie Kerskie is president of Griffon Force LLC, a company in Naples, Fla. that helps identity theft victims recover from fraud incidents. Kerskie recalled a recent case in which thieves purchased pricey items from a local jewelry store in the name of an elderly client who’d previously bought items at that location as gifts for his late wife.
In that incident, the perpetrator presented a MasterCard Black Card in the victim’s name along with a fake ID created in the victim’s name (but with the thief’s photo). When the jewelry store called the number on file to verify the transactions, the call came through to the impostor’s cell phone right there in the store.
Kerskie said a follow-up investigation revealed that the client had never set up an account at his ISP (Comcast) to manage it online. Multiple calls with the ISP’s customer support people revealed that someone had recently called Comcast pretending to be the 86-year-old client and established an online account.
“The victim never set up his account online, and the bad guy called Comcast and gave the victim’s name, address and Social Security number along with an email address,” Kerskie said. “Once that was set up, the bad guy logged in to the account and forwarded the victim’s calls to another number.”
Incredibly, Kerskie said, the fraudster immediately called Comcast to ask about the reason for the sudden account changes.
“While I was on the phone with Comcast, the customer rep told me to hold on a minute, that she’d just received a communication from the victim,” Kerskie recalled. “I told the rep that the client was sitting right beside me at the time, and that the call wasn’t from him. The minute we changed the call forwarding options, the fraudster called customer service to ask why the account had been changed.”
Two to three days after Kerskie helped the client clean up fraud with the Comcast account, she got a frantic call from the client’s daughter, who said she’d been trying her dad’s mobile phone but that he hadn’t answered in days. They soon discovered that dear old dad was just fine, but that he’d also neglected to set up an online account at his mobile phone provider.
“The bad guy had called in to the mobile carrier, provided his personal details, and established an online account,” Kerskie said. “Once they did that, they were able transfer his phone service to a new device.”
OFFLINE BANKING
Many people naively believe that if they never set up their bank or retirement accounts for online access then cyber thieves can’t get access either. But Kerskie said she recently had a client who had almost a quarter of a million dollars taken from his bank account precisely because he declined to link his bank account to an online identity.
“What we found is that the attacker linked the client’s bank account to an American Express Gift card, but in order to do that the bad guy had to know the exact amount of the microdeposit that AMEX placed in his account,” Kerskie said. “So the bad guy called the 800 number for the victim’s bank, provided the client’s name, date of birth, and Social Security number, and then gave them an email address he controlled. In this case, had the client established an online account previously, he would have received a message asking to confirm the fraudulent transaction.”
After tying the victim’s bank account to a prepaid card, the fraudster began slowly withdrawing funds in $5,000 increments. All told, thieves managed to siphon almost $170,000 over a six month period. The victim’s accounts were being managed by a trusted acquaintance, but the withdrawals didn’t raise alarms because they were roughly in line with withdrawal amounts the victim had made previously.
“But because the victim didn’t notify the bank within 60 days of the fraudulent transactions as required by law, the bank only had to refund the last 60 days worth of fraudulent transactions,” Kerskie said. “We were ultimately able to help him recover most of it, but that was a whole other ordeal.”
Kerskie said many companies try to fight fraud on accounts belonging to customers who haven’t set up a corresponding online account by sending a letter via snail mail to those customers when account changes are made.
“But not everyone does that and if the thief who’s taking advantage of the situation is smart, he’ll simply set up an online account and change the billing address, so the customer never gets that notice,” Kerskie said.
MARK YOUR TERRITORY
Kerskie said it’s a good idea for people with older relatives to help those individuals ensure they have set up and manage online identities for their various accounts — even if those relatives never intend to access any of the accounts online. Helping those relatives place a security freeze on their credit files with the four major credit bureaus (and with another, little known bureau that many mobile providers rely upon for credit checks) can go a long way toward preventing new account fraud.
Adding two-factor authentication (whenever it is available) and/or establishing a customer-specific personal identification number (PIN) also can help secure online access. For those who can’t be convinced to use a password manager, even writing down all of the account details and passwords on a slip of paper can be helpful, provided the document is secured in a safe place.
This process is doubly important, Kerskie said, for parents and relatives who have just lost a spouse.
“When someone passes away, there’s often an obituary in the paper that offers a great deal of information about the deceased and any surviving family members,” she said. “And the bad guys absolutely love obits.”
Eschewing accounts on popular social media platforms also can have consequences, mainly because most people have enough information about themselves online that anyone can create an account in their name and start messaging friends and family members with various fraud schemes.
“I always tell people if you don’t want to set up an online account for social media that’s fine, but make sure you tell your friends and family, ‘If you ever get a social media request from me, just ignore it because I’ll never do that,'” Kerskie advised.
In summary, plant your flag online or — as Kerskie puts it — “mark your territory” — before fraudsters do it for you. And consider helping less Internet-savvy friends and family members to do the same.
“It can save a lot of headache,” she said. “The sad reality is that criminals very often only need to answer two or three questions to commit fraud in your name, whereas victims typically need to spend hours of their time and answer dozens of questions to undo the resulting fraud.”
A lot of notifications by companies are done thru your cell phone.
So what do they do when they encounter someone like me who is on another continent for two months at a time?
Identical comment was asked 5 days ago.
https://krebsonsecurity.com/2018/06/plant-your-flag-mark-your-territory/comment-page-1/#comment-469156
I have talked with multiple people at my bank about this over the years, their only solution was for me to create an account then try to log in with bad password 5x until the account locks. At this point they said it would require a personal visit with ID to a branch to unlock it.
This is stupid. If I call them and tell them I never want to use online banking can you block it from my account they have no way to do such a basic feature. Literally one field in a database.
Them keeping my money safe is squarely on them. They should be the experts on security and scam techniques. This is not the job of Joan the seamstress and Nancy the waitress.
This is literally a core function of their job and they are being utterly incompetent in their duties.
It occurs to me that that suggestion by your bank sounds like a load of crap.
I mean, it’s possible that they require all that to unlock it after five bad password attempts…
…but I think it’s far more likely that- like most banking systems I know of- it unlocks after a pre-set period of time (a length of time which they’re not allowed to specify to you- if it were known, it could be circumvented by nasty folks) after which you can log in freely.
I think it’s that second one, and they’re fibbing to you to get you off their case- which may go to why it sounds like a silly way to secure it.
I can verify that when Chase bank locks an account, it stays locked. It doesn’t unlock itself even after months of time. My wife’s on-line account remains locked to this day. I manage the joint accounts through my on-line access.
The above poster is correct that there is no way to disable on-line access. Locking an account is the only way.
I used to pay bills online first through my bank then switched to paying on each web site for each bill. After a couple of these companies had been hacked or attempted to be hacked. I went back to paying bills through the mail. Everything has risk but every issue I have ever had even my identity theft happened through a internet hack years ago. Trusting the internet with business is risky.
John, when you get your bank account statements that are mailed to you, is the letter postmarked with a city and date?
I disagree. It is impossible for people to have on-line access to all their dealings. The practicality will be to strain security by spreading it more thinly. The battle is really already lost. The final traw will be when cash is abolished and people go without food when payments intermittently become inpossible with the exigencies of technology.
All we had to worry about in the past were physical robberies. The implications of technology are now loss of personal security and privacy and the insidious invisibility of theft from online accounts at financial institutions. The reason for it being imposed on us is bank profits and apathy by customers.
If you noticed suspicious identity-related activity, that wasn’t yet clearly criminal, who could you report it to, who’d care, if it’s still subtle?
Bunch of unknown charges after online banking password no longer worked. Recent attempt to change last name with social security they want to verify its me by the car payment i supposedly have to make now and my new house payment. Computers all appear to have something bad expect hard drives to go out! Page after page of ppl using remote settings and all my settings say that isn’t allowed in my computer. Never in almost 40 yrs have i had a problem with online. Internet company says not their problem and Will disconnect access to help but nothing further. Kept getting notice from antivirus prior to it being disabled was that it was our internet provider watching us and resetting passwords. If course they (internet co) denied this
What about all these types of companies popping up everywhere? For a few they will provide you all the info they can gather from web sites government and state office. What gives them the rights to sell people’s personal info? Or even scan courts or government sites and buy such info or take it for free? Not to mention the details they sell people are not actually ever completely verified and then they want the person to come forward and pay a few to set their own personal information right….how is there any hope for any kind of privacy any more?