TUCSON – Cybercriminals are gaining access to bank accounts and stealing money.
A victim from Oro Valley recently had tens of thousands of dollars stolen from a credit union account. They did not want to be identified.
“It really hurts,” the victim said.
Sgt. Carmen Trevizo said it may have been a consequence of data breaches at large companies over the past few years. She does not think the suspect is local.
“This was really well organized and set up and planned out,” Trevizo said.
Jason Denno knows exactly how hackers steal money. He is the Director of Cyber Operations at the University of Arizona. He runs the cyber degree program and research around it.
“Unfortunately, that threat is higher than you’d want to know,” Denno said.
Denno said hackers frequently obtain passwords online, so they don’t actually have to hack anything. They also have tools that can figure out passwords over time.
“It’s science-real,” Denno said. “It’s happening right now.”
Denno said there are several ways to get money out of a bank, but one of the easiest methods requires opening an account in the same bank as the victim. That’s what happened in the recent Oro Valley case.
“One bank is going to trust itself more than it’s going to trust another bank,” Denno said. “Once they have all that money into a separate account in that same bank, they can then move it out.”
Cybercriminals also look for personal information through public records and social media. That helps them answer security questions and refine password guessing.
Once hackers figure out user names and passwords, they are still getting past the next layer of security through a scheme called “SIM swapping.” People frequently use text message codes to confirm their identities. In a SIM swap, hackers activate a new phone with the victim’s phone number.
“They get the code on their phone to be able to log back in,” Denno said, “and they have now gotten past that second-factor authentication.”
Technology is constantly balancing convenience and security. Denno said, especially with banking, email and phone accounts, people should choose security.
“It is a little less convenient for you when you are dealing with a carrier,” Denno said. “But your security goes way up when they have to jump those hurdles because they might not have that information.”
Denno said complicated passwords are good, but long passwords are much more important. He recommends using phrases or sentences mixed with capitalization, numbers and characters. He used the example “iliketacosontuesdays” as a simple password that is almost impossible to crack.
“The length of the password makes it dramatically harder,” Denno said.
Here are some other tips Denno recommends:
Do not use your computer as the admin. If a hacker gains access, they have more privileges. Set up user accounts with fewer privileges, even if you are the only person who uses the computer.
Secure your WiFi connection, and set up different signals for different devices.
Never trust devices or have them “remember” you on the next login. Always use at least 2-factor authentication to log in to accounts.
Set up a PIN on cell phones and any other accounts that allow it.
Keep operating systems, firewalls and antivirus software up to date.
Deny privileges to programs unless they are necessary.
Put a freeze on your credit report with Experian, Equifax and Transunion.
Never use a debit card online.
Talk to your bank about security measures you can add to your account.
Never use the same password on more than one website.