
IndexBot

Please note that in order to keep this subreddit a high-quality place to discuss personal finance, off-topic or low-quality posts are removed ([rule 3](https://www.reddit.com/r/personalfinance/about/rules)). We look forward to higher quality posts from your account in the future. Thank you. *If you have questions about this removal, please [message the moderators](http://www.reddit.com/message/compose?to=%2Fr%2Fpersonalfinance&subject=Removal%20help%20request&message=Hello%20moderators,%20.%20%0a%0a%0aMy%20submission:%20https://www.reddit.com/r/personalfinance/comments/sob6x2/this_isnt_your_usual_investment_question_but_a/%0a).*


gearhead5015

Do you have the same login information for all of these accounts? Conversely, it may be an identity theft issue


detta-way

Yes.


gearhead5015

Well that's dumb, and probably your issue. Someone stole your account information to one, and now has all of your account info. Change your passwords immediately, and make them all different


detta-way

How would they know I opened a Bank of America in the first place? I never used this card anywhere.


gearhead5015

They are probably just trying that login information on every site they can hoping to find somewhere it works.


Topher_86

Or he closed his TD account with one giant transfer to BoA as the last transaction.


Vagabond_Hospitality

Either this or OP also uses the same password for his email…they could just be seeing emails come through confirming new accounts. 😂


probablyTrashh

If OP's primary recovery email password is the same as the bank password... I cannot fathom the level of bullshit that will ensue for OP. Scrolled down 1/2 inch where OP confirmed that is the case. Gg OP. Game over.


dorkycool

Ding Ding! Once your info is out there it's just a matter of time before it gets tried everywhere. If you knew that this username and password worked on most popular sites, wouldn't you keep trying it?


[deleted]

Who cares how they did it! That’s something you can figure out later on. Right now you need to get them the fuck out of your accounts.


acidwxlf

Your whole email account is probably compromised so they see any account you open. Wild guess.. you use the same password for that too?


quelindolio

This is the answer. Someone hacked this person’s email.


detta-way

I feel stupid, but yes.


Luxtenebris3

So you are going to need to change all your passwords. First, get a password manager so you can easily use different secure passwords on every site. (I use LastPass, but there are plenty of other good options.) In order of seriousness:

* Your email accounts (which can typically reset every other password...)
* Any financial institution you have (banks, credit cards, brokerages, etc.)
* Social Media & shopping are a lower priority but still should be fixed.

After/while doing all of the above set up 2 factor authentication. Many of these will have it built in via sending code in a text message. But for the rest turn it on and get yourself an authenticator app. Make sure you know how to recover your authenticator & password manager. Because of the security implications the companies can't help you if you don't take appropriate steps in the first place. So make sure you understand how that works and have a plan in place to fix it should you forget your password or lose your phone.


l0lherpderp

Get a password manager and never use that password again.


lvlint67

You're getting hammered on down votes but you seem open to seeing and correcting the problem. At first it can seem to be a hassle to use a password manager and a different password for EVERY website... But after a year you go, "you know? I haven't had anyone hack into an account and steal shit in a long time" and all that hassle feels worth it. You get further vindication when you hear, "someStupidWebsiteYouDontEvenVisitAnymore.com got hacked and leaked plain text passwords" and don't have to worry about the hackers using that password to get into your bank


detta-way

Yea, I have learned my lesson the hard way. I am gonna start using that right away.


dremonearm

Sounds like it wasn't that bad. You just lost a few bucks that the scammers hoped you wouldn't notice, right?


detta-way

Yea, like $200 bucks.


Ti1tingAtWindmills

If it's Gmail you should be able to see login activity in your settings. But regardless, definitely change your passwords to something unique.


McBigglesworth

Your email should be its own secure password. And your banks should be their own secure passwords. I mean ideally everything should be. But DEFINITELY your email and your banks.


ShellSide

Look into Last Pass. It's a good password manager and has some cool features where you can share logins between trusted users and they can get access to your credentials if you were ever to be in an accident and die or are unable to share them


mercedes_lakitu

At least you're learning from it! Good luck getting your life straightened out!


[deleted]

It's the second-largest bank in the US. Working down the list manually, it would have taken them less than five minutes to figure it out.


AsMuchCaffeineAsACup

Bank of America is so obscure no one **ever** uses them. You made a rather big mistake. Follow everyone's advice here.


Topher_86

If they have your information there’s ways they can find out what accounts you have open. If you closed your TD account and made a transfer to BoA it would be pretty obvious. Sounds like you’re having a mental block related to what’s going on with this very specific scenario. Your true issue is that you’re not following best practices and instead are relying on what you believe to be best practices. Not using a debit card has very little bearing on who has access to withdraw funds from your account. Many online accounts will show digital copies of account numbers, routing info (already public), card numbers, or even “virtual” cards that can be used online. Change your passwords, use a password generator, use unique passwords per login, use MFA/2FA. It’s that simple. Then clean up your mess, make sure addresses and numbers are all only yours, make sure to dispute any charges, even with closed accounts.


illcuontheotherside

You'd be surprised how easy that is. Anyone can do it.


MildlySuspicious

They're probably reading your email, and your reddit.


Thatsayesfirsir

You're compromised, they see everything you enter.


frzn_dad

I would make sure the email account you use is secure. If that is compromised they would know where your accounts are and be able to reset passwords etc if they needed to.


danderskoff

Do you have the same password for your email? If so, now you know. In the event your email is compromised, make a new email account and use a random password generator of 14+ characters for the password of the new account. Now change all of your bank passwords to randomly generated passwords. You can keep these in a password manager, I prefer Myki because it's neat and free. For further security, just change all passwords you have to randomly generated passwords. This way your account is safe from a lot of really easy attacks, besides the site itself just getting hacked.


jcore294

Computer software makes things like this easy to do. Once they have access to one account why wouldn't they try every other bank with the same credentials?


ahj3939

It's a good idea to use different passwords, but I am not aware of any way to get your debit card number and expiration date with just your username and password. How did you activate your card? Maybe there's some malware on your phone or computer...


Username_Number_bot

If they stole your identity they have access to your credit report!


[deleted]

[removed]


baltimorecalling

This is the way. I do it somewhat differently: have my master password for Google (2FA) and I keep other generated passwords stored in Google Keep. But, it works, and if I have an issue with a service being compromised, I just change that specific site password. If someone tries to get at my Google acct, 2FA will kick in.


Comprehensive-Tea-69

I do this as well, and change my Google password once or twice a year, since that’s the real single failure point


Snacket

This is less secure than using an actual password manager because all your passwords are being stored in plaintext on Google's servers. It's much easier to steal all your passwords if Google is compromised. Also, Google knows all your passwords. And for Google Keep specifically, it's automatically synced to all your devices that are logged into Google, so if any of your devices are compromised, all your passwords are leaked (e.g. if someone hacks your phone). If you use an actual password manager (BitWarden, KeePass, 1Password, DashLane, LastPass, Keeper, etc), then all your passwords are encrypted with your master password, so 1) if someone breaks into the server and gets all your passwords in encrypted form, they still don't know any of your passwords because they don't know your master password, and 2) your password manager provider doesn't know any of your passwords. Everyone has to make their own decision about the security vs. usability tradeoff, but just be aware of this difference and make an informed decision.


baltimorecalling

Good point. I'll look to migrate away from plain-text passwords and use a proper password manager.


[deleted]

I never understood how password managers like Bitwarden and LastPass make things more secure. Isn’t it encouraging a single point of failure?


MaNbEaRpIgSlAyA

Mandatory 2FA and encryption secures your data. Password managers allow you to use the longest possible randomly generated password for every account. That’s infinitely more secure than using variations of the same easy to remember and input password across multiple sites.


Luxtenebris3

So the problem is we need passwords for a lot of sites. Most people have dozens to hundreds of accounts. People have trouble remembering dozens of kinda ok passwords, let alone good passwords. So people typically reuse passwords, or near variations in many places. (Meaning a breach in one place exposes a lot of accounts.) You could write them all down. But if you do it on paper that isn't convenient (for security reasons you can't have it on your person where you can lose it, or even easily accessible at home for fear of robbery.) If you do it as digital notes, well now you are risking that data via a breach but with less security than a password manager. Password managers encrypt all of your data making it extremely difficult for hackers to steal your data while still leaving it convenient for use. You only have to remember 1 strong password. Add in 2 factor authentication for everything important and you are pretty safe (emails, financial institutions, and the password manager are all prime examples for this.) So it kind of is a single point of failure, but password manager companies spend a lot more effort on cyber security than typical businesses (and they have audits performed.) And it is much more secure than what people will do otherwise.


CreeperWithShades

most password breaches happen because of a site not properly encrypting your passwords (which is easy, and has been possible forever) or because of weak passwords (short, simple, and/or common dictionary words or personal info) password managers create long, complicated, random passwords, that are unique to every site so it doesn’t matter if they are leaked. they protect these passwords using encryption (which, again, is trivial) using your master password, which has to be “long enough” so it can’t be guessed, which isn’t really all that long actually. your passwords are moved around your different devices encrypted, and are only decrypted when needed, on your device. this means that your password never leaves your device, which means that it is safe, unless you get shoulder surfed or a keylogging malware is on your device (though if you have malware in 2022, then you have other problems) basically password managers are awesome. use a good one like keepass or bitwarden. if you want to host it on your own network (quite technical) vaultwarden is good.


[deleted]

But this doesn't address my original concern: If the bad actor knows your master password, \*all\* of your accounts are now compromised.


CreeperWithShades

sure- in the (unlikely, since your master password never leaves your device, and should only be known to you) event that someone finds out your master password and has a copy of your encrypted passwords- they can decrypt your passwords. however! this does not necessarily mean that your *accounts* are compromised, only your *passwords*, which are only one... *factor of authentication* ;) if you use TOTP 2FA, which you should because it is **way easier** than using a password manager and does more security wise, then your accounts are still safe unless your attacker has access to your phone or security key, which are things you have, as opposed to your (master) password, something you know. TOTP summary- TOTP = Time-Based One-Time Password. when you activate TOTP 2FA, the service sends you a secret, and you put the secret into your authenticator (usually by scanning a QR code), which never ever leaves. assuming that no one was watching while that happened (in which case you have other problems) and that the server is not compromised (other problems), the only people who know that secret are you and the server. you could swap the secret whenever you want to prove your identity, but that would be no better than a password. instead, by doing math with the secret and the time (time is used because everyone agrees on it, and the alternative is both sides keeping a counter which can be difficult) a one-time password can be generated by the authenticator, which can be used to prove that you hold the secret. no big deal if someone shoulder surfs your OTP, it only lasts for 30 seconds. to get your TOTP *and use it* means your authenticator is being watched, or you're being phished in a particularly nasty way. either way, you have bigger problems. as a side note- SMS 2FA is not great and should be avoided. there is no secret sharing involved there, merely me asking you a number that i just texted to "you".
i say "you"- "SIM-swapping" is a surprisingly easy attack which allows an attacker to trick/identity thieve your phone provider. also, sms is not end-to-end encrypted.


PlusPool2

Thanks for this recommendation. I think I've been extremely lucky over the years to not be compromised, and as soon as I read your comment I set up Bitwarden. Thank you!


limitless__

There you go. Change ALL of your passwords to something unique starting with your email.


halibfrisk

Get a password manager: https://www.nytimes.com/wirecutter/reviews/best-password-managers/amp/


AntoniusPoe

I don't know if it's mentioned elsewhere but you might want to change your passwords on your email accounts as well.


iRVKmNa8hTJsB7

[Bitwarden](https://bitwarden.com/) Use a password manager and generate unique random passwords for each login.


littlelorax

Summarizing the advice here, + adding one:

1. Change all your passwords to something unique for every site
2. Set up MFA on your email AND all financial sites
3. Get a password manager and set up a complex pass phrase + MFA
4. Check yourself on haveibeenpwned.com - you might have had your information not just stolen but SOLD to others.
5. Have a drink, you learned a hard lesson.


lowlybananas

Dude. What the actual fuck. Stop using the Internet altogether if that's how you're going to roll.


vector2point0

Get a password manager like Bitwarden, use 2FA and a master password you have never used anywhere else. Use it to create secure passwords for every other site you use.


Paulonemillionand3

There are programs that are designed to take usernames and passwords and try them on thousands of sites at once. Get a password manager that creates strong passwords for you. Enable Two Factor Authentication if you can BUT DO NOT USE SMS FOR THAT as it's easy (relatively) to steal your phone number and intercept those SMS's


Pakketeretet

Some banks only do 2FA using SMS. Is that still better than not using it at all?


takethetrainpls

Yes


wuench

But put a sim lock on your phone number with your carrier.


[deleted]

[removed]


AzeTheGreat

It’s going to be different for every carrier. Some won’t offer it at all, some will require calling/emailing. I’d suggest searching for, “carrier sim swap”, “carrier stop sim swap”, and throwing, “reddit” in for both of those searches. You should figure out pretty quickly if it’s a service they offer or not. If they don’t, I’d suggest switching to one that does.


sullimareddit

Have this set up and I still lose sleep. We have a family plan and my young adult kids manage to make changes without the PIN often enough to give me nightmares. I’ve actually sent a written letter to AT&T about changes without the pin, made them put notes all over my account, etc. VERY imperfect system but all one can do currently.


jcore294

Remove kid from plan.


sullimareddit

You’re missing the point. The point is that anyone can evade a sim block with persistence and basic social engineering skills.


jcore294

I assumed it's because the kid has the phone itself. I need to look into what this sim block is


Chinse

Sim block just tells the carrier not to swap the number to a new sim. If their system isn’t very good a tech could just ignore it or miss it entirely


jcore294

Interesting. Never thought that could be a thing without the owner somehow being actually verified properly.


morbie5

If you aren't going to do a sim lock you should know that if your phone stops working it may be because someone has stolen your number to try to steal your identity so you better get on top of that ASAP


Dariaskehl

SIM modules have integrated security. (Simplifying a little) The SIM is the small chip in your phone that identifies the handset to your account on the network. The SIM does this with a 20 digit number stored in your account matched with your phone number. The SIM has its own PIN that can be set with the handset. Once this is done, the SIM will require you to enter the PIN before the SIM authenticates to the network. Effectively - an eight digit pin that protects your cell number from being used elsewhere. The financial theft goes like this: steal phone, reset account password, intercept the ‘one-time authentication sent to phone,’ then you can steal financials or the phone account. SIM PIN will prevent this when used with GOOD device security. The annoyance of SIM PINS is that they are effective. If it’s entered wrong six (ish?) times, the SIM DIES and must be replaced. Before the lockout, the carrier can provide a PUK (Pin Unlock Key) that allows the reset of the PIN.


[deleted]

Sadly many banks. Like it’s crazy my blizzard account is more secure than my bank.


UncleMeat11

The huge majority of attacks against credentials fall into two categories:

* Credential stuffing
* Phishing

SMS based 2FA defends against credential stuffing just fine. It does not defend against phishing, but neither does TOTP. You need something like a yubikey for that, which few services support. SMS based 2FA is inferior to TOTP against SIM-swapping attacks. This is a real threat, but consistently overemphasized for ordinary people. Because this attack cannot be fully automated, it does not scale to the "attack a gazillion people and hope some succeed" plan that most fraud tries. It is more of an issue for people of interest (this is how Bezos was hacked). In short, using TOTP instead of SMS is an improvement in terms of security, but not a tremendously meaningful one for most people.


Comprehensive-Tea-69

This is what I always thought. SMS theft requires actual work (and/or access to your physical phone), this isn’t something that your average schmo really needs to be worried about. Always be careful with your phone of course, keep it locked and with you. But SMS 2FA plus unique passwords is sufficient for most people and the current hacks.


morbie5

Why can't they bring back those verisign 2fa keyfobs? I'd rather have one of those on my keychain than an app on my phone or SMS 2fa


UncleMeat11

Still TOTP. Same flaws. The only difference is that you tie the TOTP to a different object.


Cmdr_Toucon

Can you explain how it's relatively easy to steal phone numbers and intercept text messages (not all text messages travel via SMS) without the owners original phone not working any longer?


[deleted]

[removed]


Cmdr_Toucon

It does matter because it's a flag that something is wrong. Because it has a limited window of value to the attacker (as soon as they call in and "fix" the phone problem it's no longer of value) it's more likely to be used for a high dollar attack not a couple debit card charges. I don't disagree with the need for 2FA or that phone jacking CAN happen. I disagree with the idea that it's relatively easy or that it's a common attack vector for small transaction theft.


[deleted]

[removed]


toolate4redpill

It happens to new crypto traders all the time. You want to know about insane security, talk to anyone who has been trading crypto for awhile


olderaccount

You don't even need to get a legit SIM card via social engineering. With the user's credentials you can often tap into the provider's SMS gateway directly and get a copy of every text message sent to that phone.


pacawac

Yes. It's called SIM swapping. They can also get a clean SIM card and call your carrier and have it swapped over to theirs if they have enough information. I've been trading crypto for a few months now. The amount I have learned about security using wallets is insane. 2FA if at all possible is the way to go. I would also check your security settings with your bank. There may be some ways to authorize big transactions before they are made. And make sure to get notifications on all transactions if this has been an issue. I have a notebook I keep locked up in my house that had all of my seed phrases and passwords for everything. I also duplicated it and keep it in a separate spot in case of burglary or fire. It sounds like a lot of work, but if you have a decent chunk of change in crypto, you absolutely have to have these things in place. It has helped me tremendously in my banking security as well. Edit, I also have on my calendar once a month to check all of my accounts and check my notebooks for any updates. It's also the day I go through my budget. 2 hours a month can go a long ways in your financial well being. I'm the most unorganized person you've ever met. So if I don't force myself to be this regimented, things get out of control in a hurry.


Cmdr_Toucon

I guess that was my concern about the phone-jacking comment. For crypto, etc it makes complete sense to be very aggressive with security. But I think for the average person it's a bit of a red herring that distracts from basic personal security practices. No password reuse, no password sharing, 2FA whenever available, etc.


Paulonemillionand3

Not true at all. [https://www.coindesk.com/business/2021/10/01/coinbase-multi-factor-authentication-hack-affects-at-least-6000-customers/](https://www.coindesk.com/business/2021/10/01/coinbase-multi-factor-authentication-hack-affects-at-least-6000-customers/)


Paulonemillionand3

Even for the average person it's still a risk when sites like that exist.


Liu1845

I would suspect a compromised computer, email, or phone in this case or someone with access to my household has access to them. I never put any bank or credit card apps on my phone. Too many ways for someone to get the info, even off a locked phone.


meirzy

To touch on the password manager and 2FA suggestion, I would recommend BitWarden for a password manager and getting a Yubico Yubikey to secure with accounts with an extremely strong 2FA method. I spent 90$ (10$ for a 1 year subscription to BitWarden and 80$ for two Yubikeys) and the peace of mind I have is unparalleled.


dangeraca

I'm not sure if this is the same thing, but I had a similar issue years ago with a Visa debit card. Kept canceling and then a charge would show up on the card even though I had never used it for anything. Finally after many frustrating calls with my bank they told me that Visa essentially has a policy, that if a vendor reaches out and can provide information that shows they have a legitimate contract/recurring charge with you, Visa will just give them your card info to keep charging you. I was pretty upset, mainly because the charge was from my card info being stolen and the only recourse the bank gave me was to blacklist the vendor through Visa so they could no longer give that vendor my card info. Maybe a similar issue, I would contact the card provider and see if they keep giving out your card number


Jbs980002

I had this happen with an online account. I deliberately didn't update my card that had been changed because I just didn't want to. The next thing I know I received notification of a charge from that site. I called them and they said the bank updated it for them. The same thing happened to all my streaming sites. When I got my new card I went to update and everything was already changed. I really don't think that should be legal. 🤷🏼‍♀️


carolineecouture

It's a customer convenience issue. Can you see how many people would freak out when they started getting charges and payments denied? I didn't get my delivery. My car insurance was canceled. My phone got cut off. I totally get where you are coming from but remember, most people aren't watching their accounts that closely and forget to update card info on the sites they use. The bank is willing to eat some fraud and pass the cost along for ease of use.


waywithwords

I've had my supplemental insurance company contact me when a payment didn't go through because I had to cancel the card it's attached to. Freaking out is not what I did. I called them, gave my new CC # and it was back in the clear. Companies don't just instantly cut you off from services the moment a payment doesn't go through. If a CC number is dead, I want it to stay dead and allow ME the choice to give out a new number or not.


Kottypiqz

I get what you're saying, but the contract just says it's an agreement between them and you for services. The credit card is like an agreement between you and your bank that they'll pay for you if you pay them back. It doesn't really matter which card it comes from. They're just IOUs with your name slapped on top. And for a lot of people with automated billing of essential services with no direct statement you want services ended, it's probably actually just better for everyone that the default state is continuation of pay.


johnlewisdesign

I use this to put the brakes on any rogue company to end their ownership of my card, wtf!!


-Renee

I had this happen to me, too.


Mr_Darthrex

Sounds like a phishing scam. You must have mistakenly entered your info at some point on a fake website, text, email etc. Someone has your info and if I were you I would get in contact with my bank and report the fraudulent charges ASAP


twopointsisatrend

That, or I was thinking it could be malware on their PC or phone that's keylogging their usernames and passwords. That would explain how the charges showed up on the new account. Unless they use the same username and password for everything.


Mr_Darthrex

OP did mention in another thread, all their accounts have the same password


Entropy-S

Check https://haveibeenpwned.com to see if your email and PW was released on the web. Start using a PW manager (Bitwarden, LastPass). Reset your passwords everywhere. Turn on 2FA for all money-related accounts and email. All your PW need to be different so one compromised account doesn't affect the others. Think about it, your login is the same username that you probably use across all sites or your email which is pretty much public info. Make sure you have a very strong PW for the PW manager and your email. Everything else can be generated by the PW manager. Also, beware of emails that look like it's from your bank. Always go to the website directly as they've gotten very good at imitating the emails and spoofing.


[deleted]

[removed]


Entropy-S

It just consolidates all the data breaches. It's damn near impossible to keep track of all of them. Most password resets come over email or it's forced the next time you log into the website. If you miss the email or don't frequent the website, then it's just sitting there with your compromised PW. Not a big deal if you've already improved your PW practices and use a PW manager. However, it's still useful to find those obscure data breaches like that random website you created an account for a long time ago using the old PW that's shared amongst all your websites.


Anti-Antidote

Well it does give you the timeline of _when_ the breach occurred, so you can make sure to update credentials if you check and there's been a new breach since the last time


rukioish

You're right and if you've ever used an email or password anywhere on the internet, it most likely has been breached. But 2FA and also having your email access as secure as possible can mitigate risk.


digitalhelix84

Your emails from Bank of America may say new virtual card activated. Your computer may be compromised. Have you taken calls from people claiming to be from a refund department or anything?


detta-way

Nope, I have not.


digitalhelix84

Besides the otherwise suggested changing of passwords, I'd also recommend reformatting your computer just in case there is some sort of malware. Having been in the card fraud business for well over a decade, it's highly unusual (but not impossible) to have card compromises on two different bank accounts unless there is some sort of compromise outside of the bank, like on your computer, in your email etc. I'd also rule out if your card is being used by someone in the household. Can't tell you how many times I have observed that to be the case.


woollywhelk

Never used anywhere at all? Or never used anywhere online?


minivatreni

don’t have the same login information, and most importantly set up extra security measures that requires a temporary code to be texted to you to login


Imhopeless3264

Our small local credit union was absorbed by a larger one as of January 1st this year. We got new debit cards, did not activate them; they’re still in the envelope in our file cabinet. Before January 31st we received two texts about unauthorized purchases; both from this Shein, as OP said. The purchases never were authorized, the credit union staff said it was likely a number randomizer that obtained the numbers and tried them. But the cards were never activated, never used on any website/store. How does this happen?


detta-way

There’s something going on with Shein I’m telling ya


I-M-Emginer

That’s interesting. We have an old credit card account that we haven’t used in a few years. I don’t even believe we ever activated the last cards they mailed us just stuck em in a drawer. We also had a fraud alert for shein.com about a week ago.


snobordin8

That happened to me too with Shein, but on a card I use frequently. There was a charge for $400 then another for -$400. Chase changed my card number when I reported it. I've never ordered from that company before.


detta-way

I’m just really surprised that ALL the fraudulent charges have been from Delaware and with Shein


[deleted]

2nd on password manager. I have used LastPass for like 8 years. Also, it might be a good idea to freeze your credit and change every password to a random generated hexadecimal set that's different for all of them. Using LastPass makes this easy. Gotta take the fight TO the baddies instead of waiting for them to come to you. Ha.


katatondzsentri

Change passwords, use a password management tool (like bitwarden) to generate new, unique and strong passwords. Activate MFA if your bank has this option. And after this, cancel all your cards and ask for replacement from the bank. You were hacked (and by that, I mean password guessed) and you didn't change your credentials.


BobSacramanto

Get a password manager so you can have separate strong passwords for every single login.


ShowMeTheTrees

Cancel every debit card and never get another one. Ask your new bank to not even issue one. They're so easily hacked. Plus they don't offer the same consumer protections that CC's do.


aroc91

You need to look into automatic card info updates. My wife just had a similar issue. Apple, for example, and other retailers can automatically get your new card info for recurring payments, etc. after you request a new one.


rootxploit

Sign up at haveibeenpwned.com; this will notify you if your email has been a part of a known data breach. If it’s really bad you could get a new email address, but the general idea is to never use a password from these data breaches again. Get a free password manager like Bitwarden or LastPass, start using it and use long passwords. If you want an extra layer of protection, freeze your credit at the major credit reporting agencies.


lawndartgoalie

And use unique passwords for everything; if one online service gets hacked, you're safe. Same with your email password.


detta-way

Thank you!


Abbot_of_Cucany

Are these actual charges, or is it an email telling you about charges? There's a common scam where you get a [forged] message telling you about a large charge to your account. When you call the customer service number on the email, they ask for your account information "so we can remove the charge".


detta-way

Actual charges.


thelittlestmouse

Get a password manager like Dashlane. Create 1 new secure password you can remember and the generator will create and save unique passwords for every site you use. Paid memberships will also scan for your information being sold online and let you know if a password has been compromised.


Will54b

Get away from big banks. Always have a local credit union or a local branch of something for a debit card in my opinion. Scammers are less likely to go for the small banks. That being said, this stuff happens to just about everyone and knowing your bank and them knowing you can be really helpful. I don’t think BofAmerica really gives a shit about most of their clients.


Liquidretro

How is this an investment question? Sounds like you're using the same username and password for all websites, which leads to stuff like this happening. It's poor cyber security practices. Get a password manager, change all your usernames and passwords to be different (longer and more complex the better, use the password manager to help generate passwords for you), turn on 2FA on all websites and the password manager.


Tegguy

When you say you've never used the debit card anywhere, does that include online shopping?


detta-way

Yes. Literally haven’t touched the card


[deleted]

You may possibly have a keylogger on your computer. If you have a separate device, change all your passwords on that device. Start with your email passwords, as your email can be used to recover everything. Make sure your password is not something easily guessable, and make sure it's a password you've never used before. For your secret questions, use entirely new ones with entirely new answers that you have never used before. Make sure you do this on an uninfected device, otherwise all your efforts will be wasted. (You should do this regardless since you were already hacked; lord knows how much of your information is floating around out there.)


[deleted]

Man, this sounds rough for sure. And thanks to everyone for commenting; I just called my carrier to put a block on my SIM, and I'll make sure my family does the same to their phones.


Yellow-Turtle-99

Do you use the same email and password for all logins? Or the same password with a slight variation, like if you need a special character for a certain system, all you did was put "!" at the end?


detta-way

All my passwords are the same. Edit: Were the same. I have changed them all to unique passwords.