I Got Hacked. Security Lessons Learned the Hard Way.

I Got Hacked.  Security Lessons Learned the Hard Way.

Being a victim of theft is not only a financially annoying and painful. It will leave you feeling violate and vulnerable.  Read about how I was hacked and what I learned from the experience.

I was just wrapping up a relaxing weekend trip to the mountains when I walked back into my house. My cell phone started binging like crazy with new emails and they were all from USAA.  Thank you for changing your password. Your ATM daily limits have been updated Thank you for changing your username. Thank you for changing your mobile banking pin. Oh shit, I thought, this can’t be good.

I immediately called USAA customer service.  However, to my surprise, my cell phone would not work, “no network service” it said. I grabbed my laptop and logged onto my T-Mobile account. The next thing I saw was the  hacker’s phone number in place of mine.

Image of my hacked T-Mobile account
Screenshot showing the hacker’s phone number on my T-Mobile account

Hackers “Ported” their Phone Number Onto My SIM Card.

I found out that some evil villain had “ported” their cell phone number to my SIM card.  They simply called T-Mobile and pretended to be me and provided the last four of my SSN.  That explained why I didn’t have any cellular service, but when I got back inside my house, the wi-fi kicked in and I received the e-mail alerts.

I immediately grabbed my office landline phone and called USAA.  Since it was Sunday, all they could do was tell me to call back on Monday, they had already frozen all of my accounts.  The worst part was I had no idea how much the hacker had stolen of what they were doing with my accounts and USAA said they didn’t have access to see it either because it wasn’t during normal business hours.

Next I called T-Mobile and convinced them that it wasn’t actually me that called two hours prior and swapped phone numbers on my account. “Ma’am, you just called us and removed this number, now you want to add it back?” Uuuuuuuuugh.

The Hackers Stole $10k

On Monday I found out that the hackers had drained both of my savings accounts into my checking account.  Then they make 6 withdrawals totaling about $10,000 at various Walgreens. They also tried to use my credit card, but luckily, USAA was able to block those transactions before they went through.  Mind you, they did all of this without ever having physical custody of my cell phone, credit card or debit cards!

USAA was excellent about unfreezing my accounts, changing my login information, and refunding the stolen money.  By Wednesday morning, I was back in business, like nothing had ever happened.  When I took to Twitter to complain about my misfortune, USAA actually read my tweet (I didn’t even tag them) and followed up with a real phone call.

So I Asked Myself, Are Mobile Banking Apps Too Risky to Use?

Although I had a hunch, I found out that the hackers accessed my USAA account via the mobile banking app on my phone.  I don’t save my passwords in the app, so they must have used a password generator to crack it.

Before I was hacked, I had just deleted all of my credit card and investment apps off my phone because my phone is about 500 years old and I needed to free up some space.  Interestingly enough, the only account that was hacked was my USAA account, the only account I still had an app for on my phone.

This experience scared me enough that I deleted the mobile banking app from my phone.  If I ever get in a jam and I need to use it, I’ll just re-download it, use it, and delete it.  At the time this story was published, USAA had not returned my e-mail regarding the security of their mobile banking application.

I’m no IT Security Specialist, but this is what I learned from getting hacked…I was lazy about my smartphone security.

Step 1:  Put a passcode on your phone.

Why:  Make it more difficult for hackers to physical or virtually get into your phone.

Step 2: Be choosy about the apps you download to your phone or tablet.

Why: Many apps ask for insane levels of permission when you download them. Sometimes the permissions requested are legit.  However, you may want to think twice if an apps asks for read/write permissions to e-mail accounts, messaging, or phone storage.  I’ve done a thorough re-checking of all my downloaded apps.

Step 3: Always use the most secure method of log-in

Why: I was being totally lazy by using a 4 digit pin as a quick login for my mobile banking app.  Instead, I should have used a more secure method like photo recognition or a password.  When the hackers got to my mobile app, all they had to do was break/guess a 4 digit pin.

Step 4: Don’t use the same pin or password for every account

Why:  Guess what?  I used to have the same pin for basically everything.  I made it pretty easy for the hackers to access my account and take out cash from the ATM.

Step 5: Limit your use of free public wi-fi

Why:  The person who hacked me was local to my area.  I can tell because the phone number they ported to my account was a local number! They probably found their way to me when I logged into “free wi-fi” at a café or bar in my area.

Step 6: Link a current and accessible e-mail address to your accounts.

Why:  When I got hacked, USAA notified me via my personal email account. As soon as I saw the e-mail about my password update, I knew something was up.  On the other hand, my husband received the same e-mails as me but they all went to his work e-mail account, which wasn’t any help to us on a Sunday.

Step 7: Add a “phone password” with your bank and cell phone providers.

Why:  The hacker simply called up my mobile service provider and told them A phone password is a word or phrase you have to relay to the representative you are speaking to over the phone.  Choose something that you can remember easily, but only you would know.

 



11 thoughts on “I Got Hacked. Security Lessons Learned the Hard Way.”

    • Kyle,
      I don’t know about limits to liability and the normal safeguards I had in place like ATM limits were changes by the hackers! Luckily USAA is great and they returned my money right away, basically without questions. They said they can tell who was making the fraudulent transactions by the IP addresses. No questions asked and I had my money back in about 2 business days. Thanks for reading!

  • Wow I’m so sorry to hear this! I would always get emails that looked like they were from USAA saying that my account was locked for suspicious activity and that I needed to fill out security questions. Then, when I’d call USAA they would verify that my account was not locked and that they dot send emails like that! It’s so scary to know that this can happen.. I’m so glad you were able to get a refund. Thanks for sharing these tips, hopefully this will prevent someone else from being victimized

    • I hope so too. I also get those spammy e-mails, and not just from USAA, from other companies too. A good rule of thumb I’ve learned is to call the company like you did or log onto your account directly, never from a hyperlink! These hackers get sneakier everyday!

  • That’s so scary, but I’m so glad USAA was able to resolve the problem quickly. I already do most of the steps you’ve listed to increase security, but I definitely need to look into steps 2 and 7.

    Thanks for writing this up and sharing what you learned!

    • Good! I hope you found some helpful info from this. I’m glad I had recently deleted my other financial apps from my phone (because my phone is like 100 years old and I needed space). It could have been a very messy situation if my AMEX or investment accounts had been involved.

  • so sorry this happened to you. that’s crazy how they hacked your info . changing all my passcodes (and making sure they don’t match). free wifi spots always worry me, but at the same time it’s so convenient. argh. but yay, to usaa for making everything okay. hope they catch the culprits.

    • Piggy-good this makes me happy! Out of all this suck, at least I hope I can warn others to phone-password protect a lot of their accounts! Thank you- Her $ Moves

Leave a Reply

Your email address will not be published. Required fields are marked *