BEWARE of Bank of America

[kannon]

Bank of America will STEAL your money. BEWARE!!

Due to errors in checking the identify of a customer, BoA gave thousands of dollars from our checking account to a person in a state 800 miles away. They have yet to credit our account and after 3 months still have not approved our claim. It is an a point that we need to hire a lawyer (at our expense) to prove to BoA that we were in Maryland 800 miles away and we did not rip off our own account. Complete BS!!

There are so many things about this that are ridiculous. I have to prove my innocence. The amount taken out is a fraction of our retirement savings so I really want to give up retirement for a prison cell for a fraction of my money. Did I say I have to prove I'm innocent??

BEWARE of Bank of America.

[pacergal]

Wow, sorry this happened to you
I have never had a problem with BofA, and have been with them for years. I have every alert possible on my accounts and get notified via text on my phone immediately.

[kannon]

This was a very slick operation. Before going to BoA, the thieves went to Verizon, using the same fake identity, bought a new phone (and two pair of AirPods) and ported our smartphone number to the new phone. They used the new phone with our stolen phone number as second level verification. So - we got our checking account ripped off, plus had new phone/new airpods charged to our Verizon account. Wasn't a fun day. We believe this all came about from a OPM Data Breach a few years ago.

[pb4uski]

Contact the state banking commissioner in your state and file a complaint.... BOA is more likely to pay attention to an inquiry from the banking commissioner's office than a customer.

All of that said, I'm surprised... it should be easy for them to determine that the withdrawal is not legit and fix it for you.

[Z3Dreamer]

How did they withdraw the funds? They had some ID. They must have known you were a BofA customer. Walked in, said "I am Mr. Kannon", showed the ID, said "Call the phone of record, if you don't believe me." Once they verified it was you, requested a cash withdrawal. Correct?

[Spock]

Supposedly, freezing your credit at NCTUE will "help" with preventing the phone number being hijacked. At least that was the gist of an article from (I think) Krebs.
Since thieves find new holes faster than they can be plugged, I wouldn't be surprised if there are other ways around it.

[sengsational]

This proves that SMS as a second factor is a "dumb idea". I've avoided it. I believe that there will be solutions that don't involve SMS. Even secure SMS would not have prevented this kind of hack. What would have prevented it is a solution like "SQRL" (full disclosure...I've coded on the Android version of this project). The way this works is that you load something onto your device (your SQRL identity) and that is used cryptographically to prove you are you. If someone bought a phone as if they were you, there would be no way for them to load the SQRL app with your identity because it's on a piece of paper that you've hidden away somewhere.

[Bestwifeever]

I found your previous post about this http://www.early-retirement.org/foru...do-100549.html

What a mess....

[MichaelB]

I’ve helped extended family deal with this 3 times, including BoA. We did the following:

File a theft report with the local police dept
File a theft report with the FTC

Once this was done,

File a complaint with the Office of the Comptroller of the Currency, which is the federal regulator for BoA.

Mail a request for assistance to our congressional rep, with copy of the letter to OCC.

Then, write a letter to the BoA CEO, polite but firm, with copies of all the above reports / complaints, asking for immediate reimbursement of all the funds unlawfully withdrawn. Include proof the withdrawal was reported within the 60 day window required by the EFTA.

[Chuckanut]

Quote:

Originally Posted by sengsational This proves that SMS as a second factor is a "dumb idea". I've avoided it. I believe that there will be solutions that don't involve SMS. Even secure SMS would not have prevented this kind of hack. What would have prevented it is a solution like "SQRL" (full disclosure...I've coded on the Android version of this project). The way this works is that you load something onto your device (your SQRL identity) and that is used cryptographically to prove you are you. If someone bought a phone as if they were you, there would be no way for them to load the SQRL app with your identity because it's on a piece of paper that you've hidden away somewhere.

+1 to all the above.

I am amazed at the number of financial sites that still use SMS text messages as their 2FA method. When possible I choose an alternative such as a Yubikey or an authentication app.

SQRL, you mean Steve Gibson's product? From the little I have read this is a much better method of securing our data and finances.

[Lakewood90712]

The treasurery OCC is the federal regulator for Bank of america. File an official consumer complaint and keep following up.

https://www.occ.treas.gov/topics/sup...omplaints.html


Large banks often do not do " the right thing " unless forced to.

[ShokWaveRider]

Pretty much the same for ALL BANKS! That is why we only use credit unions. Although I am sure folks have some horror stories about those too.

[Spock]

Quote:

Originally Posted by sengsational This proves that SMS as a second factor is a "dumb idea". I've avoided it. I believe that there will be solutions that don't involve SMS. Even secure SMS would not have prevented this kind of hack. What would have prevented it is a solution like "SQRL" (full disclosure...I've coded on the Android version of this project). The way this works is that you load something onto your device (your SQRL identity) and that is used cryptographically to prove you are you. If someone bought a phone as if they were you, there would be no way for them to load the SQRL app with your identity because it's on a piece of paper that you've hidden away somewhere.

To clarify... are you saying SMS 2FA is just not as secure as other options (its a solution just not the best solution)?
If an institution only offers SMS/email/voice call 2FA, is it not better to enable what is available than to have no 2FA at all?

ETA: wouldn't 2FA enabled on the phone carrier account (ex. Verizon) have prevented the phone jacking? (assuming they didn't have physical ID to go into a store and do it?)

[GreenEggs]

Phone hacking, or SIM hacking, is a concern I have about my accounts too. Sorry you're having to deal with it. Glad it wasn't a large amount.

[misshathaway]

Quote:

Originally Posted by kannon Bank of America will STEAL your money. BEWARE!! Due to errors in checking the identify of a customer, BoA gave thousands of dollars from our checking account to a person in a state 800 miles away. BEWARE of Bank of America.

Something similar happened to me with BOA in 2015. I had 2 CD's mature at other banks and had them wired into my BOA account. BOA lost both transfers and tried to blame it on the 2 other banks. If not for a customer service rep who went above and beyond, I don't know how long it would have taken to resolve. As it was, it took 10 days. Turned out BOA had just merged with an out of state bank and they tried to put the money into an account with the same account # as mine.

How that could even happen with a routing #, which was verified multiple times with the sending banks, I don't know. Maybe it's not even really what happened, but that's the excuse I was given.

I bailed immediately after that. The mistake was bad, but I must have talked to 20 people before I hit one who did anything but yawn and try to get rid of me.

[Gotadimple]

Quote:

Originally Posted by Spock To clarify... are you saying SMS 2FA is just not as secure as other options (its a solution just not the best solution)? If an institution only offers SMS/email/voice call 2FA, is it not better to enable what is available than to have no 2FA at all? ETA: wouldn't 2FA enabled on the phone carrier account (ex. Verizon) have prevented the phone jacking? (assuming they didn't have physical ID to go into a store and do it?)

SMS 2FA is not as secure as email authentication, because the text can be intercepted, while the email cannot - according to the head of security at Microsoft Corp (he led a class at a local community college).

So, when all a bank offers is an SMS, even, if it wants to verify you while to talking to CS, I decline and ask for an email. If all they have is SMS 2FA authorization - RUN!

[jkern]

A few years ago, my wife's tax refund was directed to her B of A checking account, but mistakenly went into someone else's account. The Bank refused to fix the problem. Long story short, after many weeks of frustration she eventually got her money back. We hate B of A.

[Sunset]

So it seems Verizon is certainly to blame for porting over the phone number. Maybe that should not be allowed unless along with lots of ID, a person brings in the old phone as well.
Otherwise they get a new number, and yes I know that would inconvenience people who lose their phone.

What I really want is additional 3rd factor authorization, why is it limited to 2 factor and usually SMS ??

[ncbill]

This is a huge weakness with any bank...once the matter is handed over to the fraud department it's like it disappeared into a black hole!

Fraud won't tell you anything and will often take weeks or months to resolve the issue...whether or not in your favor.

[Dtail]

Quote:

Originally Posted by pacergal Wow, sorry this happened to you I have never had a problem with BofA, and have been with them for years. I have every alert possible on my accounts and get notified via text on my phone immediately.

Same here.