BEWARE of Bank of America

kannon

Bank of America will STEAL your money. BEWARE!!

Due to errors in checking the identity of a customer, BoA gave thousands of dollars from our checking account to a person in a state 800 miles away. They have yet to credit our account and after 3 months still have not approved our claim. It is at a point that we need to hire a lawyer (at our expense) to prove to BoA that we were in Maryland 800 miles away and we did not rip off our own account. Complete BS!!

There are so many things about this that are ridiculous. I have to prove my innocence. The amount taken out is a fraction of our retirement savings so I really want to give up retirement for a prison cell for a fraction of my money. Did I say I have to prove I'm innocent??

BEWARE of Bank of America.
 
Wow, sorry this happened to you
I have never had a problem with BofA, and have been with them for years. I have every alert possible on my accounts and get notified via text on my phone immediately.
 
This was a very slick operation. Before going to BoA, the thieves went to Verizon, using the same fake identity, bought a new phone (and two pairs of AirPods) and ported our smartphone number to the new phone. They used the new phone with our stolen phone number as second level verification. So - we got our checking account ripped off, plus had new phone/new AirPods charged to our Verizon account. Wasn't a fun day. We believe this all came about from an OPM data breach a few years ago.
 
Contact the state banking commissioner in your state and file a complaint.... BOA is more likely to pay attention to an inquiry from the banking commissioner's office than a customer.

All of that said, I'm surprised... it should be easy for them to determine that the withdrawal is not legit and fix it for you.
 
How did they withdraw the funds? They had some ID. They must have known you were a BofA customer. Walked in, said "I am Mr. Kannon", showed the ID, said "Call the phone of record, if you don't believe me." Once they verified it was you, requested a cash withdrawal. Correct?
 
Supposedly, freezing your credit at NCTUE will "help" with preventing the phone number being hijacked. At least that was the gist of an article from (I think) Krebs.
Since thieves find new holes faster than they can be plugged, I wouldn't be surprised if there are other ways around it.
 
This proves that SMS as a second factor is a "dumb idea". I've avoided it. I believe that there will be solutions that don't involve SMS. Even secure SMS would not have prevented this kind of hack. What would have prevented it is a solution like "SQRL" (full disclosure...I've coded on the Android version of this project). The way this works is that you load something onto your device (your SQRL identity) and that is used cryptographically to prove you are you. If someone bought a phone as if they were you, there would be no way for them to load the SQRL app with your identity because it's on a piece of paper that you've hidden away somewhere.
 
I’ve helped extended family deal with this 3 times, including BoA. We did the following:

File a theft report with the local police dept
File a theft report with the FTC

Once this was done,

File a complaint with the Office of the Comptroller of the Currency, which is the federal regulator for BoA.

Mail a request for assistance to our congressional rep, with copy of the letter to OCC.

Then, write a letter to the BoA CEO, polite but firm, with copies of all the above reports / complaints, asking for immediate reimbursement of all the funds unlawfully withdrawn. Include proof the withdrawal was reported within the 60 day window required by the EFTA.
 
This proves that SMS as a second factor is a "dumb idea". I've avoided it. I believe that there will be solutions that don't involve SMS. Even secure SMS would not have prevented this kind of hack. What would have prevented it is a solution like "SQRL" (full disclosure...I've coded on the Android version of this project). The way this works is that you load something onto your device (your SQRL identity) and that is used cryptographically to prove you are you. If someone bought a phone as if they were you, there would be no way for them to load the SQRL app with your identity because it's on a piece of paper that you've hidden away somewhere.

+1 to all the above.

I am amazed at the number of financial sites that still use SMS text messages as their 2FA method. When possible I choose an alternative such as a Yubikey or an authentication app.

SQRL, you mean Steve Gibson's product? From the little I have read this is a much better method of securing our data and finances.
 
Pretty much the same for ALL BANKS! That is why we only use credit unions. Although I am sure folks have some horror stories about those too.
 
This proves that SMS as a second factor is a "dumb idea". I've avoided it. I believe that there will be solutions that don't involve SMS. Even secure SMS would not have prevented this kind of hack. What would have prevented it is a solution like "SQRL" (full disclosure...I've coded on the Android version of this project). The way this works is that you load something onto your device (your SQRL identity) and that is used cryptographically to prove you are you. If someone bought a phone as if they were you, there would be no way for them to load the SQRL app with your identity because it's on a piece of paper that you've hidden away somewhere.

To clarify... are you saying SMS 2FA is just not as secure as other options (it's a solution, just not the best solution)?
If an institution only offers SMS/email/voice call 2FA, is it not better to enable what is available than to have no 2FA at all?

ETA: wouldn't 2FA enabled on the phone carrier account (ex. Verizon) have prevented the phone jacking? (assuming they didn't have physical ID to go into a store and do it?)
 
Phone hacking, or SIM hacking, is a concern I have about my accounts too. Sorry you're having to deal with it. Glad it wasn't a large amount.
 
Bank of America will STEAL your money. BEWARE!!

Due to errors in checking the identity of a customer, BoA gave thousands of dollars from our checking account to a person in a state 800 miles away.
BEWARE of Bank of America.


Something similar happened to me with BOA in 2015. I had 2 CDs mature at other banks and had them wired into my BOA account. BOA lost both transfers and tried to blame it on the 2 other banks. If not for a customer service rep who went above and beyond, I don't know how long it would have taken to resolve. As it was, it took 10 days. Turned out BOA had just merged with an out of state bank and they tried to put the money into an account with the same account # as mine.

How that could even happen with a routing #, which was verified multiple times with the sending banks, I don't know. Maybe it's not even really what happened, but that's the excuse I was given.

I bailed immediately after that. The mistake was bad, but I must have talked to 20 people before I hit one who did anything but yawn and try to get rid of me.
 
To clarify... are you saying SMS 2FA is just not as secure as other options (it's a solution, just not the best solution)?
If an institution only offers SMS/email/voice call 2FA, is it not better to enable what is available than to have no 2FA at all?

ETA: wouldn't 2FA enabled on the phone carrier account (ex. Verizon) have prevented the phone jacking? (assuming they didn't have physical ID to go into a store and do it?)

SMS 2FA is not as secure as email authentication, because the text can be intercepted, while the email cannot - according to the head of security at Microsoft Corp (he led a class at a local community college).

So, when all a bank offers is an SMS, even if it wants to verify you while talking to CS, I decline and ask for an email. If all they have is SMS 2FA authorization - RUN!
 
A few years ago, my wife's tax refund was directed to her B of A checking account, but mistakenly went into someone else's account. The Bank refused to fix the problem. Long story short, after many weeks of frustration she eventually got her money back. We hate B of A.
 
So it seems Verizon is certainly to blame for porting over the phone number. Maybe that should not be allowed unless along with lots of ID, a person brings in the old phone as well.
Otherwise they get a new number, and yes I know that would inconvenience people who lose their phone.

What I really want is additional 3rd factor authorization, why is it limited to 2 factor and usually SMS ??
 
This is a huge weakness with any bank...once the matter is handed over to the fraud department it's like it disappeared into a black hole!

Fraud won't tell you anything and will often take weeks or months to resolve the issue...whether or not in your favor.
 
Wow, sorry this happened to you
I have never had a problem with BofA, and have been with them for years. I have every alert possible on my accounts and get notified via text on my phone immediately.

Same here.
 
SQRL, you mean Steve Gibson's product? From the little I have read this is a much better method of securing our data and finances.

Steve is the main inventor, yes. It's more of a defined protocol / identity system. It's completely free to use (no patent encumbrances), and no third party involvement to use. Many implementations are also open source.

To clarify... are you saying SMS 2FA is just not as secure as other options (it's a solution, just not the best solution)?
If an institution only offers SMS/email/voice call 2FA, is it not better to enable what is available than to have no 2FA at all?

I don't like many of the additional factors typically offered, but I prefer email over SMS. I even prefer "secret questions" over SMS (I never answer with real answers, so research by hackers would be useless). I do like time-based one time codes, but that requires having a bit of hardware in my possession. So I am saying that having SMS turned on is less secure (IMO) because BofA apparently allowed it to become the ONLY factor (I could be wrong, but I don't think the hacker had compromised the OP's password prior to the SIM jacking, and the password would have been an additional factor).
 
A year or so back the EU passed a law requiring all banks to use 2FA with authenticator apps or physical devices. (No more SMS messages allowed). Several of our friends complained about receiving these devices and having to learn how to use them to access their accounts online.

Our bank, HSBC, switched to using an authenticator which was added to their banking app for logging on. Their US app for our HSBC USA account does not have the authenticator feature so logging on just requires password plus your birthdate. Using the app itself to do online banking, US or UK, uses Face ID as a 2FA.
 
That’s terrible! We use a small local bank.
 
Wow, sorry this happened to you
I have never had a problem with BofA, and have been with them for years. I have every alert possible on my accounts and get notified via text on my phone immediately.

If someone ports your phone number to a new phone, as in the OP's case, you will not ever see another text using that number--you would still get email alerts if you have them set up, but the person who ported your phone number will now see the text notifications.

We have both email and text alerts for our bank withdrawals and credit cards.
 
So I am saying that having SMS turned on is less secure (IMO) because BofA apparently allowed it to become the ONLY factor (I could be wrong, but I don't think the hacker had compromised the OP's password prior to the SIM jacking, and the password would have been an additional factor).

I read the other thread and saw that the other security "factors" were likely a (fake) ID and a (forged) signature. The proceeds were probably split between the teller who was on the take and the SIM jacker.
 