I Got Hacked. Security Lessons Learned the Hard Way.
Being a victim of theft is not only financially annoying and painful but it will leave you feeling violated and vulnerable. I was hacked and this is what I learned from the experience.
I was just wrapping up a relaxing weekend trip to the mountains when I walked back into my house. My cell phone started binging like crazy with new emails and they were all from USAA. Thank you for changing your password. Your ATM daily limits have been updated. Thank you for changing your username. Thank you for changing your mobile banking pin. Oh sh*t, I thought, this can’t be good.
I immediately called USAA customer service. However, to my surprise, my cell phone would not work, “no network service” it said. I grabbed my laptop and logged onto my T-Mobile account. The next thing I saw was the hacker’s phone number in place of mine. Whaaaaat?
Hackers “Ported” their Phone Number Onto My SIM Card.
I found out that some evil villain had “ported” their cell phone number to my SIM card. They simply called T-Mobile and pretended to be me and provided the last four of my SSN. That explained why I didn’t have any cellular service, but when I got back inside my house, the wi-fi kicked in and I received the e-mail alerts.
I immediately grabbed my office landline phone and called USAA. Since it was Sunday, all they could do was tell me to call back on Monday. They had already frozen all of my accounts before I even called them. The worst part was I had no idea how much the hacker had stolen or what they were doing with my accounts. USAA said they didn’t have access to see it either because it wasn’t during normal business hours.
Next I called T-Mobile and convinced them that it wasn’t actually me that called two hours prior and swapped phone numbers on my account. “Ma’am, you just called us and removed this number, now you want to add it back?” Uuuuuuuuugh, I thought.
The Hackers Stole $10k
On Monday I found out that the hackers had drained both of my savings accounts into my checking account. Then they made 6 withdrawals totaling about $10,000 at various Walgreens. They also tried to use my credit card, but luckily, USAA was able to block those transactions before they went through. Mind you, they did all of this without ever having physical custody of my cell phone, credit card or debit cards!
USAA was excellent about unfreezing my accounts, changing my login information, and refunding the stolen money. By Wednesday morning, I was back in business, like nothing had ever happened. When I took to Twitter to complain about my misfortune, USAA actually read my tweet (I didn’t even tag them) and followed up with a real phone call.
Are Mobile Banking Apps too Risky to Use?
Although I had a hunch, I found out that the hackers accessed my USAA account via the mobile banking app on my phone. I don’t save my passwords in the app, so they must have used a password generator to crack it.
Before I was hacked, I had just deleted all of my credit card and investment apps off my phone because my phone is about 500 years old and I needed to free up some space. Interestingly enough, the only account that was hacked was my USAA account, the only account I still had an app for on my phone.
This experience scared me enough that I deleted the mobile banking app from my phone. After a few months of being annoyed that I was living without my mobile banking app, I did download it again. This time I opted in for the 2-factor security authentication. I’m using biometric data to log in and my PIN is a random number, not my birth year!
What I Learned From Getting Hacked
Step 1: Put a passcode on your phone.
Why: Make it more difficult for hackers to physically or virtually get into your phone.
Step 2: Be choosy about the apps you download to your phone or tablet.
Why: Many apps ask for insane levels of permission when you download them. Sometimes the permissions requested are legit. However, you may want to think twice if an app asks for read/write permissions to e-mail accounts, messaging, or phone storage. I’ve done a thorough re-checking of all my downloaded apps.
Step 3: Always use the most secure method of log-in.
Why: I was being totally lazy by using a 4 digit pin as a quick login for my mobile banking app. Instead, I should have used a more secure method like photo recognition or a password. When the hackers got to my mobile app, all they had to do was break/guess a 4 digit pin.
Step 4: Don’t use the same pin or password for every account.
Why: Guess what? I used to have the same pin for basically everything. I made it pretty easy for the hackers to access my account and take out cash from the ATM. 0000, 1234, and your birth year are all horribly easy pins to crack BTW.
Step 5: Limit your use of free public wi-fi.
Why: The person who hacked me was local to my area. I can tell because the phone number they ported to my account was a local number! They probably found their way to me when I logged into “free wi-fi” at a café or bar in my area.
Step 6: Link a current and accessible e-mail address to your accounts.
Why: When I got hacked, USAA notified me via my personal email account. As soon as I saw the e-mail about my password update, I knew something was up. On the other hand, my husband received the same e-mails as me but they all went to his work e-mail account, which wasn’t any help to us on a Sunday.
Step 7: Add a “phone password” with your bank and cell phone providers.
Why: The hacker simply called up my mobile service provider and told them A phone password is a word or phrase you have to relay to the representative you are speaking to over the phone. Choose something that you can remember easily, but only you would know.