
When it comes to banking, random checking accounts are hacked into very rarely, to the point that in the USA the FDIC is protecting your account up to $250,000. I don't recall the last time I saw news of someone's bank account being hacked and drained; if anything, it's mostly family fraud.

Also, there are all sorts of checks when you try to wire or withdraw more than $10,000, not to mention wiring hundreds of millions. Such a transaction will manually cross the desks of at least 2 different bank managers.



> I don't recall last time seeing news on someone's bank account being hacked and drained, if anything its mostly family fraud.

Anecdote time. My wife and I have a shared checking account that got hacked and drained. First her debit card got skimmed. Then the perp called USAA a half dozen times claiming to be her and asking for account credentials. Finally they got a helpful account rep to reset the password, disable MFA, and tell them the username. Yep. You heard that right. Social engineering works even on bank tellers who should know better.

Fortunately it's just a daily use account and I'm paranoid, so there was only 5K they could access there. USAA owned up to the whole thing and restored the funds, but now they punish my wife with a 10-minute interrogation to prove her identity if she ever has to get them on the phone for a legitimate reason.


I just want to point out that this comment is exactly why social engineering is a problem. You have been a victim of what happens when a company doesn't put in enough effort to verify the identity of the person they have on the phone. Yet when that company starts putting in that effort, you object and call it a "punishment".

Convenience and security are often in direct competition with each other. Almost all of us would expect convenience in this situation. You should know better more than most the cost of choosing convenience and even you want that convenience. Is there any wonder why businesses select convenience over security?


I call it a punishment because it's over the top. It was a lot of money for an individual, not a lot of money for the bank. So the security should be proportional. Instead of putting in a 10-ton vault door in front of every customer interaction, I'd prefer they only escalated to that level when someone calls in saying things like "I lost my wallet and I'm stuck away from home, give me access to 'my' money, and oh by the way I don't even know my own login name."


This type of escalating validation is also ripe for social engineering. You said this person called 10 times. They don't need to do everything in one call. Instead the goal for earlier calls can be to gather information. You gave the example of the person trying to take over the account without knowing the login name. What information would someone need to supply to get the account name? Does that require escalation? If not, what is the value of requiring that as part of the identity validation process?

If the company is going to provide some level of support to people they haven't verified, that support will be abused as a means of passing the verification.


At the risk of being a software developer that always sees everything as a software problem, I feel like this could largely be mitigated with very simple improvements to the customer service application.

Back when this happened, that was my first question to USAA and one for which the security guy didn't have a ready answer, though probably it boils down to some version of "we are heavily regulated and continue to rely on software built for mainframes."

There are so many possible ways to mitigate the risk which should be triggered well before a half dozen attempts finally gets to a teller credulous enough to believe their excuses for ignorance.


When I was in a lot of debt, the bank's outsourced collections agency called many times from a private number and wanted me to verify myself before they would verify themselves. No. The bank denied they would do that, but that was a lie. They couldn't even admit to trying to get in contact with me. The collections agency couldn't even play the theoretical game of "maybe there's a certain someone out there, who knows who, who hasn't paid off a credit card; maybe this certain someone would want to consider going into his bank and having a chat, but that's not for me to say, ah capishe? I've got a rock, you've got a sword, how are we gonna play this out?" Good times haha


> but now they punish my wife with a 10-minute interrogation to prove her identity if she ever has to get them on the phone for a legitimate reason.

How is that punishment? If USAA knows you or your wife were a target of somewhat sophisticated attack that ultimately broke their security barriers, wouldn't you yourself actually want some extra protection? If anything, this is a positive sign for USAA, I doubt with my Bank of America anyone would care with any sort of extra layers of security if my account would ever get hacked in a sophisticated way.


I call it punishment because I don't think the attack was really sophisticated, I think USAA's internal training and software was wholly inadequate to defend against a persistent unsophisticated attacker. Why were they still routing his calls to regular bank tellers after the first couple attempts? Why wasn't the security department involved at that point as the only allowable contact point? Why did they actually hand out the login name and password for an account without doing the 10 minute deep-dive identity verification they now make my wife do?


I guess on the bright side, nobody will ever hack into your USAA account :)


Weird, USAA froze my cards and funds immediately the only time I've had suspicious transactions. I guess the social portion is where we diverge though; they definitely tried harder to get into yours. Ours was just a guy in Vancouver trying to order Thai food through a delivery app.


They froze the card, but only after six consecutive withdrawals from an ATM in Miami. I was getting notifications on my phone about the withdrawals (did I mention I'm paranoid) but since I was driving, I didn't see them for about half an hour when I arrived at my destination. Called USAA immediately and they had already frozen the card. But the money had already been withdrawn.

I can't explain why it took many consecutive withdrawals in a short time, in a city that I've never visited, 3000 miles away from the most recent use of the card, to trigger USAA's protection algorithms.

USAA did finally take care of it. My biggest beefs with them are 1) they dragged their feet a couple days on the investigation until I called them myself (I'm the veteran, my wife is not, and they were much more responsive to me), and 2) they really do punish my wife for something not her fault. You know those questions you get which are sourced from your credit file? What street did you live on, what's your mortgage payment, things like that? That's what they ask every time, after asking for a secret password and PIN code to be used for phone calls.

I'll give them credit though, for actually sharing the gory details with me once they were done tracking down everything, and admitting that one of their own employees had broken their rules and handed over the credentials to my wife's account.


This incident reinforces the rule never to use your debit card for credit card transactions.


Ever, never, never use your debit card where a credit card can be used in its place.

The mechanisms for restoring the charge on your credit card are much stronger than on your debit card. And a credit card is a FUTURE charge, so you have time to fix the problem. Whereas a debit card is your CURRENT money, so it's just gone unless you get it back.

I do not understand why people use debit cards linked to their actual bank account out in the world. Paying bills securely through the utility is the only thing we use that for.


Agreed. I almost never use my debit card. And now, my wife doesn't either. Though her card got skimmed at an ATM, not during a debit card transaction, so this advice doesn't work. Now she just doesn't ever use ATMs. For better or worse, we now keep a few grand in the safe at home and pull from that for the occasional cash need. When I need to replenish that, I walk into the bank and take it out the old fashioned way.

It's not paranoia when they really are out to get you...


>I do not understand why people use debit cards linked to their actual bank account out in the world.

Because this advice is USA only. All of my credit cards (well... two) are linked to the bank account and I don't even think there's a way to get a credit card without bank connection.


There is, but often it costs extra, and we at least don't have the whole cashback system to cover those. Though the fees for merchants are lower, so the prices should be too.


100%. The account linked to my debit card is empty unless I want to make an immediate withdrawal at an ATM. This being 2022, I can transfer whatever funds are necessary into the account in a minute or two using an app on my phone. I also have a separate checking account for linking to external services like Cash App, Venmo, or third-party bill pay systems. Again, the account remains permanently empty except for the brief window where I'm moving money between these services or paying a bill.

Given how quick and painless it is to transfer money between accounts, leaving substantial amounts of money in accounts linked with mechanisms that can remove that money is insane to me.


I have stopped using credit cards for two reasons:

1. My debit cards allow me to directly import transactions into my personal accounting software while my credit cards don’t; and

2. when I shop online, my debit cards allow me to use them as a 2nd factor (using a USB card reader) while my credit cards require either an iOS or Android device for 2FA.

You’re right in that a credit card is a future charge and debit isn’t. But are debit cards really so much more insecure? What threat model do you have in mind?


Credit card transactions are much easier to reverse. For example, I went to a restaurant and a few days later I noticed they double charged the bill. I called the restaurant, they wouldn't fix the issue, so I called the credit card company and it was quickly reversed. That doesn't happen with a debit card.

Credit cards also come with all sorts of benefits. You can easily get 1-2% off all purchases through cash-back or gift card rewards. You can get free insurance with car rentals. Many cards also offer an extra one year warranty on most purchases, so if you paid for your laptop or phone with your credit card and it dies just outside of the manufacturer warranty, you might still be covered.


> That doesn't happen with a debit card.

Citation needed.

The scenario you described will absolutely fall under most card networks' transaction dispute rules. In day-to-day spending a debit card is just as safe as a credit card when it comes to fraud or malicious merchants.

The only time a credit card will be better is grey areas where a card network dispute doesn't succeed, in which case the law in most countries forces the credit card provider to eat the loss. In some of those cases, the reason why a credit card chargeback succeeds is not necessarily because you are right (if you were, the dispute process would've succeeded anyway) but because the amount is too low for the issuer to care so they just eat it to not have to investigate and/or litigate the issue.


If your credit card is compromised, you make a phone call and maybe can't use it for a few days.

If your debit card gets compromised, your rent check bounces.

Plus, frankly, banks are generally more protective of THEIR money than YOUR money.


> If your debit card gets compromised, your rent check bounces.

I guess that depends on the bank and the country you live in.


There’s no reason to want your credit card to have 2FA. It’s not your money, so the only point is to annoy you when you’re spending someone else’s money.

Well, or to use it with sites that require 3D Secure, but that’s still something to help the merchant not you.


As if it was my choice.

EU-wide regulation requires all banks to force 2FA onto their customers for logging into their accounts.


Absolutely do not use your debit card ... well, anywhere if you can help it.

(Apologies, saw the wrong parent comment) How many utilities and credit card companies require a checking account for autopay? How many times have you thrown out an old checkbook that contains routing and account numbers on carbon copy pages?

Bank accounts are not especially secure, we mostly hope to limit the risk/reward calculation for hacking them and basic security controls.


> How many utilities, credit card companies require a checking account for autopay?

In my experience, this is getting better! I now have all but one of my bills being paid by my credit card. Used to be that the utility companies made you pay extra and use a third party service if you wanted to use your credit card.

Not all, though. Verizon, for example, will let you pay with a credit card, but they give a substantial discount if you use a debit card instead. For obvious reasons. I hope that does not become normal. I'm used to Verizon being scummy, I hope it doesn't become the default behavior for the other utilities I pay for.


The US needs an automatic bill payment system with strong guarantees.

In Britain, most people¹ pay bills (electricity, water, phone, internet, insurance, car loan, credit card etc) by "Direct Debit"². (Most European countries have a similar system with similar guarantees, but this one is described in English.)

If anything should go wrong, the bank must fix it. There's a list of direct debits in the bank's interface, and they can be cancelled/suspended with one click (or by phoning or going to the bank).

It isn't perfect (see ³ from two weeks ago), but that sort of problem is rare enough that it was reported in newspapers.

¹ "Direct Debits are used by nine in ten UK consumers to pay some or all of their regular bills".

² https://www.directdebit.co.uk/DirectDebitExplained/Pages/Dir...

³ https://www.moneysavingexpert.com/news/2022/03/tsb-customers...


This is one reason to keep at least some accounts with a large national bank or credit union. If you need to prove your identity or deal with a lost card while traveling you can at least walk into a physical branch and talk to a manager.


FDIC protects against bank failures (like the bank going bankrupt and losing all the deposited money). It has nothing to do with unauthorized transactions as far as I know.


Depends on the transaction type. Checks and debit cards are pretty well protected. Wire transfers aren't protected at all.


Story time: I also once had my bank account hacked - in a manner of speaking.

I tell you this story in the hopes that it helps you recognize if you have similar flaws in your own security.

I used to run a VNC server on my home PC (flaw 1). Chinese hackers discovered it and spent three weeks brute-forcing the password (flaw 2). Once in, they installed TeamViewer to allow themselves future access. Then, they logged in at 3am and used my browser-saved PayPal credentials (flaw 3) to paypal themselves $5k from my linked chequing account (flaw 4).

I discovered this several days afterwards when I saw the withdrawals hit my bank account. I then found a few further pending Paypal transactions, and pieced the rest together from VNC and router logs.

Thankfully my credit union believed me that I didn't authorize the transactions and reversed them, making me whole again.

But damn, it's a scary feeling having someone break into your computer, not knowing what they might have looked at or accessed. Very similar to having your home broken into.


Wire fraud results in billions of dollars in losses per year from checking accounts. Here's one article from 2019:

https://www.cnbc.com/2019/09/11/email-wire-fraud-cost-26-bil...

We talk about eth/btc as if they're just covering the function of the checking account, but it's also covering the function of the checks, wire transfers, ACH transfers, etc. So for a real comparison you'd have to count up all the related fraud from legacy checking accounts and their various mechanisms to move money between them.


This article is about people being fooled into wiring money to fraudulent actors, not about hacking.


FDIC does not protect against account hacks. The bank's assets and laws do. FDIC protects accounts against losses caused by bank failures.



