USAA Acount holders -- I just got hacked

[JimGant]

Well, it was on Nov 29th and 30th, when someone transferred $5000 (the max allowed) each day from my USAA checking account to a bank account in Florida. I didn't discover this until Dec 7th, when I logged into my online USAA account to double check bank account balances, to make sure they tallied with mine. When I noticed the transfers, I immediately called USAA's fraud line, and they froze both my and my wife's online USAA accounts (and the bogus transfer conduit). As it turned out, the crook had logged into my wife's online USAA account, set up a transfer account to this bogus account in Florida, and had labelled the owner as my wife. As such, it was allowed to be a "push/pull" account, meaning he could "pull" transfers from his bogus Florida account (USAA never verified that the bogus account's owner was my wife, which, of course, it wasn't). I still don't know if this was a push, or pull operation -- not that it matters, as the results were the same.

 

Two weeks later, I got a message from the USAA fraud department stating that: "They had discovered no fraud." Period. Huh?!. This meant it had been either me, or my wife, who had sent the $10000 to the bogus account in Florida. They did say that I could call and request a full report on how they arrived at their findings. So, of course, I called -- and was put on hold for 52 minutes. Finally a gruff voice came on, obviously pre briefed on the subject at hand, and told me that USAA doesn't give out reports on cases NOT ruled as fraud! Jeez, this was contrary to what they had said in their message. He did volunteer that, "All traffic related to the transfers was on computers recognized by USAA as mine." End of discourse.

 

A little investigation on my part, apparently a lot more than they did, discovered that the crook had put a spam filter on my gmail account (the one both me and the wife have as primary for USAA email), meaning, I could not get any correspondence from USAA. I hadn't noticed this, because recent USAA emails had only been perfunctory, i.e, not any warnings, like: "New transfer account set up -- was this you?" And, of course, with the spam filter, I wouldn't have -- and didn't -- get any such warnings! A later look in the gmail spam folder, however, showed much of the missing USAA email correspondence. Smart crook. And, how did I realize I was getting blocked from USAA email? When I went to unfreeze my USAA online account, we tried three times to get the one time six digit code sent to my primary email. No luck. But when sent to my secondary email address on file, bingo. That's when I got introduced to spam filters (and that the related folders aren't normally shown, unless requested -- which is why I was in the dark about these missing emails.)

 

But, of course, the crook didn't have a spam filter on his email reader, so he could read all correspondence from USAA, to include the one time six digit code sent when USAA asked if the crook wanted his computer to be recognized as belonging to my wife's USAA online account. Duh. So this is why the USAA fraud department concluded that I or my wife had conducted the transfers! It didn't dawn on them that, as the crook has access to the wife's USAA account, where he could read the primary email contact address --'cause it is NOT XXXXED out -- that any one time security codes sent to that address would and could be read by the crook. Are they phu****** brain dead!

 

Anyway, this has all recently been fired to the top of USAA management (unfortunately, run by all civilians -- the Generals McDermotts and Herres long gone). It will be interesting to hear their response, particularly as I included several references to nearly identical situations to mine -- one resolved when a local investigative TV channel got involved.

 

Sadly, USAA has really gone downhill. They're already paying the Feds $140M in fines, for shoddy security procedures. And the number of complaints you can find online is staggering. I've been a member for 56 years, and it used to feel like a club of officers and senior NCOs. Now, with the Gronkowski  commercials, every swinging d*** who had a dishonorably discharged relative can be a member. Sure ain't the same -- with management on par with its new members.

 

Oh, put the "[email protected]" in your address book or contact list. This should eliminate someone putting a spam filter over your USAA email contact address. And, do change that password periodically, and go to MFA sign ins. I never changed my or my wife's passwords -- my bad. And her account was dormant, as she's joint with me on all accounts, so only I needed to log into my account to check things. I certainly now check periodically her account for strange activity.

[TallGuyJohninBKK]

That's a strange and scary story, Jim... Hope you have better luck in ultimately sorting out the wrongdoing and recovering those funds.

 

I had a somewhat similar, smaller, but still alarming episode lately with one of my major U.S. firm brokerage accounts. In two separate instances toward the end of last year, I had -+ $100 debits withdrawn from one of my retirement accounts via charges to its associated debit card.

 

In my case, I've never ever even used that debit card and it's never been seen or handled by anyone else in the world other than myself.

 

In the first case, the brokerage reversed the charge on their own the same day it was debited before I even became aware of it.  In the second and separate case a few weeks later, another charge occurred on the same card, I became aware of that, filed a protest with the brokerage, and eventually was reimbursed.

 

In the first case, the brokerage ultimately informed me that the debiting party had manually keyed in the wrong debit card number (my card's number) by mistake in processing a transaction. In the second instance, it was just outright fraud by some entity a foreign country that I've never had anything to do with in any way.

 

But it was alarming to discover that anyone out there in the world can just guess at my debit card number and be able to process a charge against my account with no protection. (Subsequent to all that, I "locked" my debit cards associated with that brokerage).

 

[FritsSikkink]

30 minutes ago, JimGant said:

Well, it was on Nov 29th and 30th, when someone transferred $5000 (the max allowed) each day from my USAA checking account to a bank account in Florida. I didn't discover this until Dec 7th, when I logged into my online USAA account to double check bank account balances, to make sure they tallied with mine. When I noticed the transfers, I immediately called USAA's fraud line, and they froze both my and my wife's online USAA accounts (and the bogus transfer conduit). As it turned out, the crook had logged into my wife's online USAA account, set up a transfer account to this bogus account in Florida, and had labelled the owner as my wife. As such, it was allowed to be a "push/pull" account, meaning he could "pull" transfers from his bogus Florida account (USAA never verified that the bogus account's owner was my wife, which, of course, it wasn't). I still don't know if this was a push, or pull operation -- not that it matters, as the results were the same.

 

Two weeks later, I got a message from the USAA fraud department stating that: "They had discovered no fraud." Period. Huh?!. This meant it had been either me, or my wife, who had sent the $10000 to the bogus account in Florida. They did say that I could call and request a full report on how they arrived at their findings. So, of course, I called -- and was put on hold for 52 minutes. Finally a gruff voice came on, obviously pre briefed on the subject at hand, and told me that USAA doesn't give out reports on cases NOT ruled as fraud! Jeez, this was contrary to what they had said in their message. He did volunteer that, "All traffic related to the transfers was on computers recognized by USAA as mine." End of discourse.

 

A little investigation on my part, apparently a lot more than they did, discovered that the crook had put a spam filter on my gmail account (the one both me and the wife have as primary for USAA email), meaning, I could not get any correspondence from USAA. I hadn't noticed this, because recent USAA emails had only been perfunctory, i.e, not any warnings, like: "New transfer account set up -- was this you?" And, of course, with the spam filter, I wouldn't have -- and didn't -- get any such warnings! A later look in the gmail spam folder, however, showed much of the missing USAA email correspondence. Smart crook. And, how did I realize I was getting blocked from USAA email? When I went to unfreeze my USAA online account, we tried three times to get the one time six digit code sent to my primary email. No luck. But when sent to my secondary email address on file, bingo. That's when I got introduced to spam filters (and that the related folders aren't normally shown, unless requested -- which is why I was in the dark about these missing emails.)

 

But, of course, the crook didn't have a spam filter on his email reader, so he could read all correspondence from USAA, to include the one time six digit code sent when USAA asked if the crook wanted his computer to be recognized as belonging to my wife's USAA online account. Duh. So this is why the USAA fraud department concluded that I or my wife had conducted the transfers! It didn't dawn on them that, as the crook has access to the wife's USAA account, where he could read the primary email contact address --'cause it is NOT XXXXED out -- that any one time security codes sent to that address would and could be read by the crook. Are they phu****** brain dead!

 

Anyway, this has all recently been fired to the top of USAA management (unfortunately, run by all civilians -- the Generals McDermotts and Herres long gone). It will be interesting to hear their response, particularly as I included several references to nearly identical situations to mine -- one resolved when a local investigative TV channel got involved.

 

Sadly, USAA has really gone downhill. They're already paying the Feds $140M in fines, for shoddy security procedures. And the number of complaints you can find online is staggering. I've been a member for 56 years, and it used to feel like a club of officers and senior NCOs. Now, with the Gronkowski  commercials, every swinging d*** who had a dishonorably discharged relative can be a member. Sure ain't the same -- with management on par with its new members.

 

Oh, put the "[email protected]" in your address book or contact list. This should eliminate someone putting a spam filter over your USAA email contact address. And, do change that password periodically, and go to MFA sign ins. I never changed my or my wife's passwords -- my bad. And her account was dormant, as she's joint with me on all accounts, so only I needed to log into my account to check things. I certainly now check periodically her account for strange activity.

Your computer / gmail getting hacked is not USAA's fault.

[Khyron]

Did you have two factor authentication? When I log into my accounts, it sends a code to my cell via text.

 

Thinking about it now, it also allows you to send it to an email on record, but that is blanked out mostly. But if the email was hacked, then the security would be moot.

 

I'm with Schwab and Wells.

 

Would you get a text from the states?

 

That is a real stinker that USAA isn't copping to anything.

[NanLaew]

19 minutes ago, FritsSikkink said:

Your computer / gmail getting hacked is not USAA's fault.

 

Sounds like the sort of sloping-shoulders, pass-the-buck disclaimer a Thai bank would issue when a customer's funds magically vanish.

 

You been here in Thailand long then Frits?

[sqwakvfr]

Been with USAA since 1988.  The downward spiral of USAA began with the hiring of Wayne Peacock as CEO. Peacock has no military experience or association. I have not been hacked (at least not yet) but getting simple things done with USAA credit cards has been difficult.  Their entire fraud detection alert system. is a catastrophic failure.  I tried to book a domestic fight on Thai Airways with my USAA Visa credit card.  I got a fraud alert on the USAA app and a text message asking "did you make this purchase?".  I replied Yes both time and it still got declined.  I am not surprised at JimGant is going through.  

[FritsSikkink]

53 minutes ago, NanLaew said:

 

Sounds like the sort of sloping-shoulders, pass-the-buck disclaimer a Thai bank would issue when a customer's funds magically vanish.

 

You been here in Thailand long then Frits?

I have been here long and I have knowledge about IT Security and Compliance.

You are responsible for the security of your own computer or phone, that isn't a problem for an external party.

They need to keep their Application secure but can't help you if your login data is available for outsiders.

Edited February 9 by FritsSikkink

[JimGant]

1 hour ago, FritsSikkink said:

They need to keep their Application secure but can't help you if your login data is available for outsiders.

 

The password certainly wasn't available to outsiders -- it's only written down in the sanctity of my office. That our two IRA accounts that USAA sold to Schwab three years ago had a recent hack attempt on Jan 26 -- but failed, as I had changed the passwords after the USAA transfer caper -- leads me to believe there's mischief about in the inner workings of USAA.

[FritsSikkink]

20 minutes ago, JimGant said:

 

The password certainly wasn't available to outsiders -- it's only written down in the sanctity of my office. That our two IRA accounts that USAA sold to Schwab three years ago had a recent hack attempt on Jan 26 -- but failed, as I had changed the passwords after the USAA transfer caper -- leads me to believe there's mischief about in the inner workings of USAA.

How can the inner workings of USAA change your gmail preferences?

Best to run a virus scanner on your computer and phone.

Edited February 9 by FritsSikkink

[sqwakvfr]

Just got a call from an 877 number.  The caller sounded very professional and knew my name and was a USAA Member.  I knew right away it was a scam and told him Fxxx Oxx.  I then called USAA Fraud and got this reply.  Go to the USAA website and send us an email with the details of this fraud call.  What a relief.  USAA Fraud now can go back to denying my legitimate charges whenever I use a foreign merchant.  In the past my attempt to pay for a Visa on the E-Visa site was always declined to due fraud.  ????? I had to switch to debit card in order to pay for the visa.