
Someone I know had a few hundred dollars stolen from a savings account. Looking at the history, she saw transactions like Uber rides and video game purchases she did not make. This account is used strictly for investing and is only accessed from her iPad. The only access card is in a drawer in her home and has never been used in a terminal. I know you can use hacked terminals to clone cards and steal PINs, but my understanding is you need to actually swipe the card somewhere for this to happen. Apart from an internal data leak at the bank, is there any other possible explanation?

ChrisB

1 Answer


In theory, you only actually need the routing number and account number to issue a transaction (note that this is most of how transactions with cheques work).

If there's a card, there's also another set of numbers you can use, namely the card number and expiration date (and usually the cardholder name and possibly the CVV, this is how most online transactions work). You may not even need the PIN for the card here either, as a lot of banks will let you make 'credit' charges on a debit card (and most ATM cards anymore are debit cards too).

This then comes down to how those numbers may have gotten out, and there are five possibilities I can think of here:

  • An attack on the investment firm the account is used with. Statistically not very likely IMO, but still theoretically possible.
  • A phishing attack on the account holder. In most cases, people will not willingly tell you if they've had this happen, so you may need to dig a bit to get them to tell you if this is the case.
  • An attack on the bank the account is with. Less likely even than an attack on the investment firm, but still a remote possibility.
  • A rogue employee at either the investment firm or bank.
  • A relative or friend who has visited the victim recently.
Austin Hemmelgarn
  • Or, a rogue mail carrier, that stole an account statement mailed to the victim by the bank, containing the account number. – mti2935 Jul 22 '20 at 22:15
  • @mti2935 Excellent point. Didn't think of that one because it's been years since I got physical account statements from anywhere. – Austin Hemmelgarn Jul 22 '20 at 22:17
  • I didn't even think about emailed statements. In that case, it could be a rogue email provider. – mti2935 Jul 22 '20 at 22:30
  • @mti2935 Technically possible also, but I'd consider it an astronomically low probability even compared to attacks on the financial institutions. It's vanishingly rare these days that there's more than one actual hop between the source and destination networks (so there are almost certainly no intermediate hops to interfere), and the likelihood of a major email provider being compromised and that being all that happened is insanely low. – Austin Hemmelgarn Jul 22 '20 at 22:34
  • I agree, if it's a large email provider. But, I was thinking more along the lines of the victim working as an employee of some company, and using their company email for personal matters, and the 'IT guy' at the company manages the company mail server. The bank statement is sent to their company email, and the rogue IT guy at the company snags the email. – mti2935 Jul 22 '20 at 22:55
  • All of which is why banks don't send statements IN email, just a notification that your statement is ready, go login to the bank website and download it. – Ben Voigt Jul 23 '20 at 14:40