I had something similar happen to me [1]. I won 500$ Apple gift cards in a sysadmin contest but they were for the US only and I (from Austria) wasn't able to spend them so I tried to sell them for about a year and then found someone who tricked me and stole the cards.
Over a year I tracked them down and in the end got my money back by sending facebook messages to his mother and brother. Found out his real name because some school friend of him had posted a screenshot of a windowed game which facebook open in the background where you could see his friendlist. Crazy stuff. Even BBC wrote about it later [2]
Fun fact: Since that article aired (8 years ago) I'm still getting 2 to 5 messages per week from random people who ask me to track down their scammers too
Nobody stole her identity. Someone stole the bank and then the bank used the "stolen identity" scam to somehow put the burden on an uninvolved third party.
Things will get better when the customers realize they aren't the victims of the thieves. Banks are the victims of the thieves. Customers are actually the banks' victims.
I was mildly surprised when the article quoted a senior at the bank framing the situation as a feeble, lone teller vs a well-oiled theft industry - as if the teller doesn't have resources of a multi-billion-dollar corporation - perhaps they don't and it was an inadvertent confession. In that case, we don't need a "fraud czar", we need laws that make fraud the banks' problem by forcing them to make clients whole when the bank is defrauded by misrepresentation.
My wife and I had a somewhat similar thing happen, one week before our wedding. She had a debit card declined at Starbucks.
Someone had printed a business check with our account number, made out to a name that matched a dead person on the sex crimes registry, and then someone had cashed that check at a bank in New Jersey. The check was for over $11k, and left about $20 in the account.
Now, we never left that much money in the account generally but we had transferred some in to settle with the various vendors and for spending cash on the honeymoon.
The good news was that Chase saw it as fraudulent immediately and the money was back in our account in less than 48 hours, and they put a few thousand in before then so we could travel.
Security is hard, in whatever field. Customers do want to be able to get service at their bank, without jumping through crazy hoops.
That said, bank security in the US is generally awful. Checks should not exist - they are a concept out of another era. Actually, in the US, just having someone's account number enables you to withdraw money from their account. That is just nuts.
By now, all money transfers should be electronic and immediate. Where I am, we use the "Twint" service. Want to pay in a shop? Scan a QR code off the card reader, then click ok. Want to send money to a private person? Select them from your contacts, enter the amount, click ok. Transfers are completed in seconds, which also eliminates the issue of bouncing checks.
> On April 18, 2023, according to a police report, she’d gone into a Citizens Bank branch in New Rochelle in Westchester County, presented an ID with another woman’s name, and walked away with $3,500. A bank employee had become suspicious and called the account owner to confirm she’d made the withdrawal herself. She hadn’t.
What confuses me is that the bank has my photo ID already. So when someone comes in to make a large cash withdrawal using a fake ID with my name on it, doesn't the teller see my face on screen to match?
I find it hard to believe that the thiefs managed to find a mule that looks exactly like the victim.
KYC? I wouldn't expect the teller to have it (if my bank even had branches) but certainly I've provided driving licence or passport as well as 'selfie' for KYC and to subsequently prove my identity.
That's changing, at least in the US. I don't know the timeline however. Also recently had to call my bank to verify some credit bureau type details they'd dug up on me.
You are saying know your customer requires the bank to keep a copy of your photo ID on file, and that it shows up on the teller's terminal when you go into a bank? That seems pretty insane to me that tellers would be able to look up any customer's photo ID, and it seems like a huge liability for the bank to keep those on file.
I've had my primary checking account since the 80s, the photo would not look anything like me. When I opened my passbook savings in the 70s I didn't even have a photo ID, just a socical security card.
No big company has faced any big liability in the US that I’m aware of. Experian comes to mind.
They originally sent a mail with that requirement, but changed it to the interview instead. I don’t know the internal policy. Presumably they thought they had enough from “public records” as they called it.
I agree with the ‘insane’ moniker… but realized a few years back we’re not in Kansas anymore.
Just went to a concert where you’re not allowed to attend w/o a internet connected terminal in your hand. ((boggle))
Banks are required to keep their KYC up to date. Regulations will obviously vary depending on where you are, but in general, banks have a fuckton of information about you, all alledgedly to prevent fraud (and terrorism).
So she walked into a bank with nothing but an ID and walked out with thousands in cash? I did not realize someone could make a withdraw like that without a debit card (or a check, or some other bank authenticated mechanism).
I lost my wallet once and I was able to write a counter check for cash while I waited for my new ATM card to come. That was in the early 2000s, I did have my passport however. I also had the key to my safety deposit box, but they didn't check that.
I had poor credit with LloydsTSB at one time (due to an error on their behalf) and they terminated all my debit cards, credit cards and ATM access. They would only allow me to withdraw cash using my passport at a teller window for about a year.
Charming how the bank just skates through this whole thing with a little halo over its head. They should be liable for their own failure to authenticate the customer. Immediately restore the $5k, then they chase after the thief.
Seriously. And this is the author writing her own story. You'd think that after two years she'd have done a little reflection to realize that there are two instances of fraud here. The mule deceiving the bank into giving them the cash, and the bank deceiving the author into thinking the bank owes her $5k less. Align the incentives and all the bloviating about fraud "czars" and difficulties of prosecuting non-violent crimes just falls away.
I've got to wonder how much people's broken understanding of these situations is an extension of that same old mistaken belief that banks hold your money in their safe or something. Notice how she's continually going on about "my money". Whereas actually your bank balance is merely a debt the bank owes you, which cannot have been altered by the bank being defrauded. Any more than a cursory one or two business days to fix her account ledger is unacceptable. If after 60, 90, or however many days the bank cares to spend investigating it turns out that the account owner lied when disputing the original transaction, that would be its own fraud and can be prosecuted post-facto the same as anything else.
> Whereas actually your bank balance is merely a debt the bank owes you, which cannot have been altered by the bank being defrauded.
It's often amusing--and sometimes enlightening--to imagine how well the same nonsense-logic would work if it was being used to the benefit of a consumer instead of an institution:
"Hi Bank, I just sent enough money to fully pay off my mortgage! Now I fully own my house and our business is done... Wait, you didn't get it? That was some scammer who showed up randomly at my door with a fake business card? Well, that sucks.... for you, that is. I hope you manage to get your money back from them someday, ciao!"
> You'd think that after two years she'd have done a little reflection to realize that there are two instances of fraud here.
Three if you consider that New York let the criminal walk and go on the lam without posting any bail, due to a 2020 (presumably late 2020) 'law'
From the post:
> The bail reform law, which took effect in New York in 2020, eliminated the requirement for defendants to put up cash bail for most misdemeanors and nonviolent felony charges. It was meant to limit incarceration of defendants in New York who couldn’t afford to get out on bail while their cases play out, according to the New York Civil Liberties Union. The nonprofit’s website says reform has been essential to “upholding due process, advancing racial justice, and protecting public health” during the pandemic.
Making people pay for bail is an almost exclusively USA thing. Doesn't seem to be causing many problems in the rest of the world to assess bail on criteria other than "is able to afford it".
the term itself "identity theft" is part of the propaganda - instead of calling it "bank fraud" suddenly it's my problem because my identity has been stolen? no it hasn't, I'm still me. it's not my problem a bank got scammed by someone pretending to be me
Identity theft framing helps customers understand they have a responsibility in using these systems in a secure way. If you call it bank fraud, customers don’t see their part in the responsibility, and become careless, increasing the chance of bank fraud,
As a responsible consumer, how do I prevent Equifax and AT&T from distributing my information?
Actually, when someone signed up for a Bank of America checking account with my AT&T information, I notified AT&T once I was done with BofA... And AT&T ignored it, until 2 years later.
Whatever BS shreading and information hygeine I do amounts to nothing when a big company lets stuff out. Or when my employer's HR person keeps unencrypted payroll files on a USB drive in their car in SF.
And by calling it identity theft instead of bank fraud, the reverse effect is had on the common perception of who has responsibility when dealing with an incident. You can have your “””identity stolen””” at a bank without an ounce of carelessness on your end.
That doesn’t scan for me. We call it car theft and thousands of cars are stolen every day that are properly locked and parked, even in the owners driveway.
Banks are notorious for adopting new technology at a glacial pace, often only when forced to do so.
Witness the adoption of chip and pin in the U.S. oh wait, we still haven’t properly adopted it and a stolen card can just be tapped on the terminal of most retailers in 2024 with no additional authentication.
This is the real problem though. It's literally the money form of "password on paper" if you have such a card. Not that I have experience, but I'd assume the largest part of scams comes down to this, easily stolen and used credit card info. Like it's still 2014.
Probably because there would be a way to exploit such a policy. You’re a normal, honest person, so you think “Why wouldn’t the bank believe me? I would only claim I lost my money through fraud if it were true.”
But the bank also has to deal with dishonest people who might make fraudulent claims about being defrauded.
You're focusing on compensation to victim (and that becoming a new fraud mechanism). Instead, try focusing on what the banks could do to decrease the actual crime. Some examples:
US banking is notoriously sloppy about allowing withdrawals with just knowledge of routing number and bank account number, while every check written contains both numbers -- in Europe, the bank account number can only be used to transfer money to the account (and checks practically don't exist).
One day out of the blue, some hundreds of dollars were transferred out of my American bank account, seeming to claim purchases in a city several hours away. I didn't authorize such transactions. They were direct debits of my account, not credit card charges. A few days later, my money was returned. How was that possible? Why did the bank agree to transfer money out of my account?
All the way back in the 90s, my European bank gave me a one-time codebook, to be used in addition to username and password to authenticate online transfers. Whenever I was close to running out of codes, they gave me a new codebook. Managing to steal my password wouldn't have let an attacker easily empty my account.
My European bank in a small city, that I had been a customer of for decades, and whose employee that I was interacting with being a family friend, verified my passport before discussing a loan.
Yes, the situation in Europe is much better, even more so after the introduction of PSD2 which requires strong customer authentication and is specifically designed to avoid (or at least minimize..) identity fraud.
This doesn't justify putting all the responsibility on the innocent person whose money got stolen by fraud. The fraudster didn't get money from the innocent person. They got it from the bank. That should make it the bank's problem.
If the bank is concerned about fraudulent claims about being defrauded, that's just another case of them needing to improve their fraud detection process.
This is also why credit card companies refuse to work with porn - there are an immense number of people who charge back porn purchases almost immediately.
That's almost exactly what my credit union did. After I filled out the paperwork, they sent me out the door with some walking-around money (the thief had emptied my checking account), and the rest was returned within a couple days. I did nothing further; a fraud investigator called me up a couple of months later to ask a few questions, but by that point they already knew who the culprit was.
For this and many other reasons, I will never use a commercial bank again, if I can possibly avoid it.
Imagine you owe $15k to a hospital, and someone knocks on your door saying “hi, I’m from the hospital, can you pay us $5k?” You, in your naivety, head up to your mattress, get $5k in cash, then pay them. Turns out, they are not from the hospital. What happens if you say to the hospital, “unfortunately your identity was stolen, and now I only owe you the $10k left.” Given bank deposits are debts owed to you, this is exactly what the bank is doing to you.
I had a similar situation with bank a few years ago, not identity theft but rather some checks stolen out of the mail and cashed by the third party, and didn't realize it for a few months (so it was being the easy ach reversal point). I tried to escalate within the bank, must have talked with tier 2 support a dozen times.
What worked was to file CFPB (consumer financial protection bureau) complaints against both banks involved. At that point I got to talk to executive support, who is responsible for handling such complaints, and was able to get the two banks to talk to each other. Should've done that about 6 months or so sooner.
That sounds like an interesting practical workaround for certain support issues, yet at the same time it seems... I dunno, like some sort of tiny indictment of the ethics of modern capitalism, the idea that justice is only available to owners.
I could easily see it being worked into something satirical in the style of Snow Crash, where there's a loyalty program in silver/gold/platinum, and then an undisclosed super-tier of investor ruby, investor diamond...
I'm curious what the solutions are. People, including myself, feel this should legally be the bank's problem. Someone pretended to be the account owner and the bank gave them money. That seems pretty clearly the bank at fault
But, let's say the laws got fixed and it became the bank's fault. Would there be un-intended consequences or only good ones? I'd expect banks to maybe get rid of checks. Or, require every check to be approved when received. You send a check, the check gets deposited, the bank pings you (email, sms, app) .. did you write this check? Or maybe something else.
If I understand correctly, some countries (Estonia?, Singapore?) when you use a credit card, the bank requires some form of 2 factor. I've seen that once in a while with USA cards, usually only when ordering something abroad. In Japan some banks require a 2 factor calculator that generates codes. No idea if that's prevented much fraud.
> People, including myself, feel this should legally be the bank's problem. Someone pretended to be the account owner and the bank gave them money. That seems pretty clearly the bank at fault
I think it is a little more nuanced. While I think banks should shoulder more of the responsibility account owners also need to be invested in keeping their personal information secure. If I left my passport, driving license, pin, password, phone (unlocked of course) and 5 years of bank statements by the side of the road a stranger could pick those up and pretend to be me with very little effort, and the bank would be very hard pushed to distinguish the stranger from the real person. If it was purely the bank's problem what incentive would there be for people to secure their information? They'd just reclaim the loss back from the bank.
But we didn't ask the bank for any of this. They can just check my fingerprint each time I go to an ATM and provide no card, and I'll survive. They built these systems, we can't do without them anymore, and on top of it I have to secure their identity checks?
Someone stole 2k$ from me by using my CC number recently. Well, awesome, why wasn't there even an OTP ? When I want to buy a 10$ crap on Amazon they send me 3 SMS... They leave these things a bit open to reduce friction, they have to pay for it. My bank paid me back the same day, and that was the least they could do.
You’d survive, but loose your fingers in the next robbery…
Plus, fingerprint is super unreliable. Every time I’m hand sanding a wood project, or go windsurfing or wingfoiling for a couple of hours, my fingerprints are unusable for some days.
> If I left my passport, driving license, pin, password, phone (unlocked of course) and 5 years of bank statements by the side of the road a stranger could pick those up and pretend to be me with very little effort, and the bank would be very hard pushed to distinguish the stranger from the real person.
Until you report those items as stolen, after which they should be not useful at all. Especially the 5 years of bank statements should have no power of authenticating you.
> Until you report those items as stolen, after which they should be not useful at all.
But if it's all on the bank (and to generalise, the other party trying to authenticate the request) why would you report the items stolen? You've got no incentive to do that.
Im exaggerating of course, but the point is that authentication is really difficult if the party you're trying to authenticate isn't motivated to work with you (and why would you be if there's no cost to you if a mistake is made?)
Yes, you are exaggerating. Your argument is that we should not make any improvements unless we can achieve utopia.
Imagine a world where bank fraud was only possible in that rare scenario you described, and then only for a limited amount of time since you can be required to report loss of identity documents, and then only for transactions that cannot be reverted in time, and even then financial liability might be pushed on to the bank(/'s insurance). That'd solve practically all of the current day bank fraud, without in any way solving your hypothetical.
> Your argument is that we should not make any improvements unless we can achieve utopia.
Not at all. As I said originally:
> I think it is a little more nuanced. While I think banks should shoulder more of the responsibility account owners also need to be invested in keeping their personal information secure.
Some of the comments on this article just strike me as quite idealistic about the ability of banks to bear full responsibility for authentication and authorisation. Practically, I think it works more smoothly when both parties are invested.
>Some of the comments on this article just strike me as quite idealistic about the ability of banks to bear full responsibility for authentication and authorisation. Practically, I think it works more smoothly when both parties are invested.
I agree, although I'd say it was the banks that need to be more invested, not their customers.
I take significant precautions to maintain the security of my account details and debit/credit cards. My bank is, to say the least, inconsistent about such things. If I travel more than 50 miles (~80km) from my home and attempt to use my debit card, my bank will sometimes (but not always) decline such transactions unless I call them and authenticate myself. Then again, I just had to cancel my debit card, as someone was using it in the Dominican Republic (I live in the US/Northeast) -- and my bank just approved the charges without question.
And so, because my bank doesn't enforce its anti-fraud rules consistently, I get the worst of both worlds -- declined valid charges when I travel, and approved fraudulent charges when fraud is definitely more likely. Sigh.
Edit: Clarified why the Dominican Republic wasn't likely as a valid place for my debit card to be used.
A second factor (like 3-D Secure) is required by EU directive in the whole block for online payments. For in person payments having access to the card and knowing the code already satisfies the 2 factors, and checks are extremely rare and have been for decades
So you sign up for a subscription and every month you must use a 2nd factor to secure it?
Do you have amazon or equivalent? Does every time you order you have to second factor or do you just have to do it once when you sign up for an account?
Subscriptions don't need to 3-D Secure every transaction, the initial transaction is considered identified and the auth code is re-used for subsequent charges until you revoke it.
For Amazon and other larger merchants I feel there is some rules system taking as parameters the merchant size (also as a "trustworthiness" score of sorts), recency of last identified purchase (or even some kind of re-using identified auth codes on that merchant), and amount of purchase since almost all larger purchases I make online seem to require 3-D Secure even on larger merchants.
It's not a big hassle, sometimes buying through a new checkout process requires me to authorise the transaction even for small amounts but where I live I can do it through a electronic identification app on my phone, takes some seconds.
The banks use the sort of risk factors they do for other kinds of fraud protection.
If you make a larger transaction than usual, or try to make a transaction with a merchant you've not used before, then you'll usually be prompted to authenticate.
There's also a limit to how many unauthenticated transactions you can make within a period of time.
nah you only need to do it once for subscriptions, but you can revoke access.
with other purchases it depends on the site. some ask you every time and others don't. i'd assume charges in the same range don't have to be approved again, but idk how it works exactly
First, it essentially already is the banks' problem legally. This does not stop a bank from defrauding the customer into giving the bank a loan for months while performing hundreds of hours of paralegal work, but in most cases the bank will eventually be on the hook. So we're not talking about any new risk, but rather for banks to stop giving people the runaround pretending they aren't directly responsible.
Checks would be completely unaffected, as they're already reversible like any other ACH transaction.
If there is any affect it would be on cash withdrawals and wire transfers seeing increased authentication requirements (places where the transaction "hardness" of money increases). But that's precisely what we want to happen! I do personally withdraw thousands of dollars in cash at a time. But if say I had to use my ATM card + PIN instead of merely writing my 9-digit account number on a paper withdrawal slip, I would certainly understand.
Most European cards are chip cards now. (Many of them might require a PIN too.)
American cards still have magnetic stripes that are very vulnerable to skimming. But credit card companies (/banks) can't get rid of the magnetic stripes (in a commercially viable way) until readers are upgraded to support chips. In Europe, you'd probably just have a law saying this needs to perform to that security level by this date, and make the companies upgrade -- but the US theme is "stuck in the 70s" for this kind of stuff.
I have high hopes for contactless payments to finally force reader upgrades, because the difference is something the consumer notices and might appreciate. With magnetic strip vs chip, the user experience was too similar.
(Of course, my phone fails to pay about half the time at the local grocery store, but at least the credit card tap works.)
Part of the problem is the government issued licence. The old paper / dumb card versions are easy to duplicate, and that's what happened. Now they can be a smartcard signed with a government key which can't so easily be forged. "Now" means any time in the last 30 years.
Ditto all government credentials - birth certificates, passports, other licences. All should have been changed decades ago.
But we are talking about the USA. The credit / debit card industry figured this out and published the EMV standard (aka "chip and PIN") in 1995. A few countries made EMV mandatory for credit/debit cards in 2003, most had done it by 2015. The USA waited to 2021 to force the issue using a liability shift.
Now identify fraud is approaching epidemic proportions. In Australia at least the major source of these identity document leaks is data breaches of organisations who were forced by the government to collect copies of licences by Know Your Customer regulations. The penny has finally dropped finally here, with our Feds finally moving to mandating electric ID's and licences. If the governments in haven't realised they a similar position now, they will be soon.
All major CC companies have the extra layer (3-D Secure) available to merchants. Whenever I make a card transaction online that is in any way unusual the bank makes me do an app/SMS 2-factor.
As with any extra step in a purchase its a balance between security and conversion rates. It seems companies have decided it reduces conversion too much in the US hence the low uptake, whereas UK/EU seem to use it very often.
In-person banking only where the employees are long term and recognize the customers, you can see the manager, and you can close your account at any time and are handed a stack of bills. Yes, reversing 50+ years of "progress".
Shout outs to diverse value generation, by people going through a big issue,investing huge chunks of life time and then dispersing knowledge by doing write ups (which are not easy to do in general but it gets harder the nastier the topic).
I have deep empathy for how costly these experiences are, that I can then just learn from in 5-10 mins. I hope that in the future more of the bad stuff can be avoided upfront but in the meantime I think this is wonderful and something to foster (which I should remind myself of and participate in more often).
“Forget the fake IDs adolescents used to get into bars,” says Georgia State’s David Maimon, who is also head of fraud insights at SentiLink, a company that works with institutions across the United States to support and solve their fraud and risk issues. “Nowadays fraudsters are using sophisticated software and capable printers to create virtually impossible-to-detect fake IDs.” They’re able to create synthetic identities, combining legitimate personal information, such as a name and date of birth, with a nine-digit number that either looks like a Social Security number or is a real, stolen one. That ID can then be used to open financial accounts, apply for a bank or car loan, or for some other dodgy purpose that could devastate their victims’ financial lives."
Does this seem a little far-fetched? The reporter lost $5000 - a lot of money! - but if it required a high-tech impossible-to-detect fake ID, layers of shadowy criminal gangs and cash mules it seems like there won't be a huge profit left. It seems more likely that this kind of fraud is much less sophisticated, and is exactly the same technology used by adolescents to get into bars.
This feels like another argument that this is an unsolvable problem, and banks are helpless against mysterious dark web hackers. Dive bars are held reasonably accountable over verifying identity, it seems crazy that we accept that banks can't/won't do the same.
The detour into anti-bail-reform talking points was a sour note in this article.
It sucks that the criminal skipped bail, so without bail reform that would have only been allowed if she passed a certain threshold of wealth. Thats not mentioned because its clearly not a better outcome.
Bail reform is absolutely a good idea. Previous bail issues resulted in rich people with very serious charges being able to bond out, while poor people with shoplifting charges remained in custody for years awaiting trial.
Never keep more money in your checking account than you can afford to lose. Based on my reading of the news, it often gets stolen.
There is however the question of a potential negative balance. For this, do not allow overdraft protection beyond a small amount. Also, don't have a linked account such as a savings account that gets used for potential overdrafts.
I wont, in europe its pretty much impossible to do that identity theft scam.
Someone taking cash off my debit card would need to do it via 3d secure and me approving it via phone.
Someone doing this via check in a bank would get them laughed off... I'm not sure people even know what those are still.
Someone trying to use my identity to withdraw money at a bank agency... they'd need an inside man and police would catch that idiot on complaint... plus since corona going to bank agency is via appointment...
I can also complain to government entities if banks wont help, that would lodge official complaint from consumer protection agency and they need to do due diligence to not get fined...
The customers are not the problem. The banks are. Having worked with and for banks around the world, I can say with some confidence that US banks are soooo far behind most Western and Asian banks. Heck, even many African banks outshine US banks in terms of IT infrastructure, security, and customer features.
With regard to a separate account, I would consider having one of these, in order of most preferred to least preferred:
1. An investment account to move money into, even if it's not invested.
2. A savings account at a second bank from which transactions or even withdrawals cannot be done, only transfers to your checking account at the first bank can be done.
3. A CD (Certificate of Deposit) at a bank, although this locks up your funds for the designated time.
My non-blockchain bank already puts such a limit (amount electronically transferred per day). If you need to move more than that you've got to do more than just use the website.
That does not protect you from incompetence or malice of the bank.
Your bank is still a single point of failure.
In the article, the bank claims:
Someone had actually come into the bank and spoken
to a teller, presented a driver’s license, and then
correctly answered some authentication questions to
validate the account.
The bank does not claim that someone just "used the website".
https://web.archive.org/web/20240520073631/https://www.msn.c...