The rise of chip-based credit cards in the United States has forced con artists to change their tactics. A recent study says more than 15 million Americans had personal and financial information stolen last year. That is up 16 percent from 2015.
When thieves pose as a customer to gain access to their accounts, it’s called an “account takeover.” In 2016, those instances increased by nearly 40 percent.
Just last week, cyber criminals took over one New Jersey man’s bank accounts in minutes.
“There’s nothing I could’ve done to stop it,” Marc Alfinez told CBS News’ Dana Jacobson. “That was the bank that let him in.”
Alfinez found out that hackers had taken over his bank account last week when he got a series of email notifications that his online ID and password had been changed.
The thieves called his bank and used personal details that he believes were stolen when the Office of Personnel Management was breached in 2015.
“They had all my pedigree information: social security card, driver’s license, wife’s maiden name, all that stuff,” Alfinez said. “But they couldn’t pass the phone password. But since they had all that other information, they still let them in.”
Alfinez said hackers drained his bank accounts, and his children’s savings accounts in under 45 minutes.
His bank, USAA, told CBS News that while they can’t talk about any particular case, “we have extensive security measures in place like 24/7 fraud monitoring, security alerts, free credit monitoring and enhanced authentication options to help members protect themselves and to help us protect the information they’ve entrusted to us. We regret that we cannot prevent all fraud from occurring.” [See full statement below.]
When asked by Jacobson whether he feels violated, Alifez replied, “I do. I highly do. And it’s more by the bank. And what didn’t happen was, the bank didn’t protect my money.”
“Until we institute stronger authentication, stronger controls on accounts, and we get rid of passwords, we’re just going to have a lot of problems,” said Al Pascual, the head of fraud and security for Javelin, a research-based consulting firm.
He says chip cards may be more secure, but that they can’t protect a person’s information once it’s shared online.
Javelin’s latest report found that people who frequently shop electronically are about two times more likely to be victims of fraud than those who only shop in stores.
“Online is now the new battleground to protect consumers,” said Mastercard’s Matt Barr. He and his team are working on creating more secure technology, like tokenization, which is used in mobile wallets. It generates a unique code for each transaction, keeping a person’s credit card data secret.
The technology is currently used on Apple Pay, Samsung Pay, Android Pay and MasterPass. “What it means is that, if someone gets their hands on that scrambled card information, it’s useless,” Barr said.
He says biometrics (like thumbprints and retina scans) will eventually replace passwords and make purchases more secure.
Right now Mastercard is at work on identity check or “selfie pay” — a way to checkout using your phone’s camera.
As for Marc Alfinez, he’s changed his phone number, passwords, and put a freeze on his credit.
Jacobson asked, “How worried are you that they are going to use that personal information again?
“Extremely,” he replied. “I do have a feeling that something else is going to come up. I’m more worried that they also have my wife’s information and that hasn’t come through yet.”
Over the weekend, Alfinez’s bank allowed him to regain access to all of his accounts and funds.
To prevent fraud, experts recommend consumers use mobile or e-wallets, sign up for two-factor authentication with online accounts, monitor transactions, add account alerts, and be careful about how much you share on social media and who exactly you share it with.
USAA’s full statement from Gary McAlum, chief security officer:
The security of our members’ information is of critical importance to us. We have extensive security measures in place like 24/7 fraud monitoring, security alerts, free credit monitoring and enhanced authentication options to help members protect themselves and to help us protect the information they’ve entrusted to us.
We regret that we cannot prevent all fraud from occurring on our member’s accounts if a member’s personal information has been obtained by fraudsters elsewhere. We are constantly improving in this area, and we encourage our members to use enhanced security multifactor authentication options like one-time use codes and biometrics on our mobile app.
We understand that having an account taken over can be very stressful, and we do our best to ease the pain for our members. Members who use our Bank can be assured that we have a zero liability policy and are often able to return funds in less than 24 hours. We also have a specialized team that provides one on one advice and solutions for members that are a victim of account takeover.