I had something similar happen to me [1]. I won 500$ Apple gift cards in a sysadmin contest but they were for the US only and I (from Austria) wasn't able to spend them so I tried to sell them for about a year and then found someone who tricked me and stole the cards.
Over a year I tracked them down and in the end got my money back by sending facebook messages to his mother and brother. Found out his real name because some school friend of him had posted a screenshot of a windowed game which facebook open in the background where you could see his friendlist. Crazy stuff. Even BBC wrote about it later [2]
Fun fact: Since that article aired (8 years ago) I'm still getting 2 to 5 messages per week from random people who ask me to track down their scammers too
Nobody stole her identity. Someone stole the bank and then the bank used the "stolen identity" scam to somehow put the burden on an uninvolved third party.
Things will get better when the customers realize they aren't the victims of the thieves. Banks are the victims of the thieves. Customers are actually the banks' victims.
I was mildly surprised when the article quoted a senior at the bank framing the situation as a feeble, lone teller vs a well-oiled theft industry - as if the teller doesn't have resources of a multi-billion-dollar corporation - perhaps they don't and it was an inadvertent confession. In that case, we don't need a "fraud czar", we need laws that make fraud the banks' problem by forcing them to make clients whole when the bank is defrauded by misrepresentation.
My wife and I had a somewhat similar thing happen, one week before our wedding. She had a debit card declined at Starbucks.
Someone had printed a business check with our account number, made out to a name that matched a dead person on the sex crimes registry, and then someone had cashed that check at a bank in New Jersey. The check was for over $11k, and left about $20 in the account.
Now, we never left that much money in the account generally but we had transferred some in to settle with the various vendors and for spending cash on the honeymoon.
The good news was that Chase saw it as fraudulent immediately and the money was back in our account in less than 48 hours, and they put a few thousand in before then so we could travel.
Security is hard, in whatever field. Customers do want to be able to get service at their bank, without jumping through crazy hoops.
That said, bank security in the US is generally awful. Checks should not exist - they are a concept out of another era. Actually, in the US, just having someone's account number enables you to withdraw money from their account. That is just nuts.
By now, all money transfers should be electronic and immediate. Where I am, we use the "Twint" service. Want to pay in a shop? Scan a QR code off the card reader, then click ok. Want to send money to a private person? Select them from your contacts, enter the amount, click ok. Transfers are completed in seconds, which also eliminates the issue of bouncing checks.
> On April 18, 2023, according to a police report, she’d gone into a Citizens Bank branch in New Rochelle in Westchester County, presented an ID with another woman’s name, and walked away with $3,500. A bank employee had become suspicious and called the account owner to confirm she’d made the withdrawal herself. She hadn’t.
What confuses me is that the bank has my photo ID already. So when someone comes in to make a large cash withdrawal using a fake ID with my name on it, doesn't the teller see my face on screen to match?
I find it hard to believe that the thiefs managed to find a mule that looks exactly like the victim.
So she walked into a bank with nothing but an ID and walked out with thousands in cash? I did not realize someone could make a withdraw like that without a debit card (or a check, or some other bank authenticated mechanism).
Charming how the bank just skates through this whole thing with a little halo over its head. They should be liable for their own failure to authenticate the customer. Immediately restore the $5k, then they chase after the thief.
Seriously. And this is the author writing her own story. You'd think that after two years she'd have done a little reflection to realize that there are two instances of fraud here. The mule deceiving the bank into giving them the cash, and the bank deceiving the author into thinking the bank owes her $5k less. Align the incentives and all the bloviating about fraud "czars" and difficulties of prosecuting non-violent crimes just falls away.
I've got to wonder how much people's broken understanding of these situations is an extension of that same old mistaken belief that banks hold your money in their safe or something. Notice how she's continually going on about "my money". Whereas actually your bank balance is merely a debt the bank owes you, which cannot have been altered by the bank being defrauded. Any more than a cursory one or two business days to fix her account ledger is unacceptable. If after 60, 90, or however many days the bank cares to spend investigating it turns out that the account owner lied when disputing the original transaction, that would be its own fraud and can be prosecuted post-facto the same as anything else.
That's almost exactly what my credit union did. After I filled out the paperwork, they sent me out the door with some walking-around money (the thief had emptied my checking account), and the rest was returned within a couple days. I did nothing further; a fraud investigator called me up a couple of months later to ask a few questions, but by that point they already knew who the culprit was.
For this and many other reasons, I will never use a commercial bank again, if I can possibly avoid it.
I had a similar situation with bank a few years ago, not identity theft but rather some checks stolen out of the mail and cashed by the third party, and didn't realize it for a few months (so it was being the easy ach reversal point). I tried to escalate within the bank, must have talked with tier 2 support a dozen times.
What worked was to file CFPB (consumer financial protection bureau) complaints against both banks involved. At that point I got to talk to executive support, who is responsible for handling such complaints, and was able to get the two banks to talk to each other. Should've done that about 6 months or so sooner.
I'm curious what the solutions are. People, including myself, feel this should legally be the bank's problem. Someone pretended to be the account owner and the bank gave them money. That seems pretty clearly the bank at fault
But, let's say the laws got fixed and it became the bank's fault. Would there be un-intended consequences or only good ones? I'd expect banks to maybe get rid of checks. Or, require every check to be approved when received. You send a check, the check gets deposited, the bank pings you (email, sms, app) .. did you write this check? Or maybe something else.
If I understand correctly, some countries (Estonia?, Singapore?) when you use a credit card, the bank requires some form of 2 factor. I've seen that once in a while with USA cards, usually only when ordering something abroad. In Japan some banks require a 2 factor calculator that generates codes. No idea if that's prevented much fraud.
> People, including myself, feel this should legally be the bank's problem. Someone pretended to be the account owner and the bank gave them money. That seems pretty clearly the bank at fault
I think it is a little more nuanced. While I think banks should shoulder more of the responsibility account owners also need to be invested in keeping their personal information secure. If I left my passport, driving license, pin, password, phone (unlocked of course) and 5 years of bank statements by the side of the road a stranger could pick those up and pretend to be me with very little effort, and the bank would be very hard pushed to distinguish the stranger from the real person. If it was purely the bank's problem what incentive would there be for people to secure their information? They'd just reclaim the loss back from the bank.
A second factor (like 3-D Secure) is required by EU directive in the whole block for online payments. For in person payments having access to the card and knowing the code already satisfies the 2 factors, and checks are extremely rare and have been for decades
First, it essentially already is the banks' problem legally. This does not stop a bank from defrauding the customer into giving the bank a loan for months while performing hundreds of hours of paralegal work, but in most cases the bank will eventually be on the hook. So we're not talking about any new risk, but rather for banks to stop giving people the runaround pretending they aren't directly responsible.
Checks would be completely unaffected, as they're already reversible like any other ACH transaction.
If there is any affect it would be on cash withdrawals and wire transfers seeing increased authentication requirements (places where the transaction "hardness" of money increases). But that's precisely what we want to happen! I do personally withdraw thousands of dollars in cash at a time. But if say I had to use my ATM card + PIN instead of merely writing my 9-digit account number on a paper withdrawal slip, I would certainly understand.
Most European cards are chip cards now. (Many of them might require a PIN too.)
American cards still have magnetic stripes that are very vulnerable to skimming. But credit card companies (/banks) can't get rid of the magnetic stripes (in a commercially viable way) until readers are upgraded to support chips. In Europe, you'd probably just have a law saying this needs to perform to that security level by this date, and make the companies upgrade -- but the US theme is "stuck in the 70s" for this kind of stuff.
I have high hopes for contactless payments to finally force reader upgrades, because the difference is something the consumer notices and might appreciate. With magnetic strip vs chip, the user experience was too similar.
(Of course, my phone fails to pay about half the time at the local grocery store, but at least the credit card tap works.)
Part of the problem is the government issued licence. The old paper / dumb card versions are easy to duplicate, and that's what happened. Now they can be a smartcard signed with a government key which can't so easily be forged. "Now" means any time in the last 30 years.
Ditto all government credentials - birth certificates, passports, other licences. All should have been changed decades ago.
But we are talking about the USA. The credit / debit card industry figured this out and published the EMV standard (aka "chip and PIN") in 1995. A few countries made EMV mandatory for credit/debit cards in 2003, most had done it by 2015. The USA waited to 2021 to force the issue using a liability shift.
Now identify fraud is approaching epidemic proportions. In Australia at least the major source of these identity document leaks is data breaches of organisations who were forced by the government to collect copies of licences by Know Your Customer regulations. The penny has finally dropped finally here, with our Feds finally moving to mandating electric ID's and licences. If the governments in haven't realised they a similar position now, they will be soon.
All major CC companies have the extra layer (3-D Secure) available to merchants. Whenever I make a card transaction online that is in any way unusual the bank makes me do an app/SMS 2-factor.
As with any extra step in a purchase its a balance between security and conversion rates. It seems companies have decided it reduces conversion too much in the US hence the low uptake, whereas UK/EU seem to use it very often.
In-person banking only where the employees are long term and recognize the customers, you can see the manager, and you can close your account at any time and are handed a stack of bills. Yes, reversing 50+ years of "progress".
Shout outs to diverse value generation, by people going through a big issue,investing huge chunks of life time and then dispersing knowledge by doing write ups (which are not easy to do in general but it gets harder the nastier the topic).
I have deep empathy for how costly these experiences are, that I can then just learn from in 5-10 mins. I hope that in the future more of the bad stuff can be avoided upfront but in the meantime I think this is wonderful and something to foster (which I should remind myself of and participate in more often).
“Forget the fake IDs adolescents used to get into bars,” says Georgia State’s David Maimon, who is also head of fraud insights at SentiLink, a company that works with institutions across the United States to support and solve their fraud and risk issues. “Nowadays fraudsters are using sophisticated software and capable printers to create virtually impossible-to-detect fake IDs.” They’re able to create synthetic identities, combining legitimate personal information, such as a name and date of birth, with a nine-digit number that either looks like a Social Security number or is a real, stolen one. That ID can then be used to open financial accounts, apply for a bank or car loan, or for some other dodgy purpose that could devastate their victims’ financial lives."
Does this seem a little far-fetched? The reporter lost $5000 - a lot of money! - but if it required a high-tech impossible-to-detect fake ID, layers of shadowy criminal gangs and cash mules it seems like there won't be a huge profit left. It seems more likely that this kind of fraud is much less sophisticated, and is exactly the same technology used by adolescents to get into bars.
This feels like another argument that this is an unsolvable problem, and banks are helpless against mysterious dark web hackers. Dive bars are held reasonably accountable over verifying identity, it seems crazy that we accept that banks can't/won't do the same.
The detour into anti-bail-reform talking points was a sour note in this article.
It sucks that the criminal skipped bail, so without bail reform that would have only been allowed if she passed a certain threshold of wealth. Thats not mentioned because its clearly not a better outcome.
Bail reform is absolutely a good idea. Previous bail issues resulted in rich people with very serious charges being able to bond out, while poor people with shoplifting charges remained in custody for years awaiting trial.
Never keep more money in your checking account than you can afford to lose. Based on my reading of the news, it often gets stolen.
There is however the question of a potential negative balance. For this, do not allow overdraft protection beyond a small amount. Also, don't have a linked account such as a savings account that gets used for potential overdrafts.
The customers are not the problem. The banks are. Having worked with and for banks around the world, I can say with some confidence that US banks are soooo far behind most Western and Asian banks. Heck, even many African banks outshine US banks in terms of IT infrastructure, security, and customer features.
[+] [-] neonate|1 year ago|reply
https://web.archive.org/web/20240520073631/https://www.msn.c...
[+] [-] geek_at|1 year ago|reply
Over a year I tracked them down and in the end got my money back by sending facebook messages to his mother and brother. Found out his real name because some school friend of him had posted a screenshot of a windowed game which facebook open in the background where you could see his friendlist. Crazy stuff. Even BBC wrote about it later [2]
Fun fact: Since that article aired (8 years ago) I'm still getting 2 to 5 messages per week from random people who ask me to track down their scammers too
[1] https://blog.haschek.at/2016/how-a-scammer-stole-500-dollars...
[2] https://www.bbc.com/news/technology-37348014
[+] [-] StrauXX|1 year ago|reply
[+] [-] mrslave|1 year ago|reply
https://www.bostonglobe.com/2024/05/15/magazine/on-the-trail...
[+] [-] yumraj|1 year ago|reply
[+] [-] ghssds|1 year ago|reply
Things will get better when the customers realize they aren't the victims of the thieves. Banks are the victims of the thieves. Customers are actually the banks' victims.
[+] [-] sangnoir|1 year ago|reply
[+] [-] ghusto|1 year ago|reply
This kind of thing has been framed from day 1 very carefully by banks. Don’t fall for it.
[+] [-] skipkey|1 year ago|reply
Someone had printed a business check with our account number, made out to a name that matched a dead person on the sex crimes registry, and then someone had cashed that check at a bank in New Jersey. The check was for over $11k, and left about $20 in the account.
Now, we never left that much money in the account generally but we had transferred some in to settle with the various vendors and for spending cash on the honeymoon.
The good news was that Chase saw it as fraudulent immediately and the money was back in our account in less than 48 hours, and they put a few thousand in before then so we could travel.
[+] [-] bradley13|1 year ago|reply
That said, bank security in the US is generally awful. Checks should not exist - they are a concept out of another era. Actually, in the US, just having someone's account number enables you to withdraw money from their account. That is just nuts.
By now, all money transfers should be electronic and immediate. Where I am, we use the "Twint" service. Want to pay in a shop? Scan a QR code off the card reader, then click ok. Want to send money to a private person? Select them from your contacts, enter the amount, click ok. Transfers are completed in seconds, which also eliminates the issue of bouncing checks.
[+] [-] tromp|1 year ago|reply
What confuses me is that the bank has my photo ID already. So when someone comes in to make a large cash withdrawal using a fake ID with my name on it, doesn't the teller see my face on screen to match?
I find it hard to believe that the thiefs managed to find a mule that looks exactly like the victim.
[+] [-] tingletech|1 year ago|reply
[+] [-] wildrhythms|1 year ago|reply
[+] [-] teeray|1 year ago|reply
[+] [-] mindslight|1 year ago|reply
I've got to wonder how much people's broken understanding of these situations is an extension of that same old mistaken belief that banks hold your money in their safe or something. Notice how she's continually going on about "my money". Whereas actually your bank balance is merely a debt the bank owes you, which cannot have been altered by the bank being defrauded. Any more than a cursory one or two business days to fix her account ledger is unacceptable. If after 60, 90, or however many days the bank cares to spend investigating it turns out that the account owner lied when disputing the original transaction, that would be its own fraud and can be prosecuted post-facto the same as anything else.
[+] [-] doix|1 year ago|reply
[+] [-] foresto|1 year ago|reply
https://www.youtube.com/watch?v=CS9ptA3Ya9E
[+] [-] marssaxman|1 year ago|reply
For this and many other reasons, I will never use a commercial bank again, if I can possibly avoid it.
[+] [-] RecycledEle|1 year ago|reply
Could we write laws that require banks to both reimburse the money stolen and to either catch the criminal or to pay more?
I think the banks would just deny that a crime occurred.
As tempting as it is, I have to be against it for now
[+] [-] worldwidelies|1 year ago|reply
[+] [-] dgoldstein0|1 year ago|reply
What worked was to file CFPB (consumer financial protection bureau) complaints against both banks involved. At that point I got to talk to executive support, who is responsible for handling such complaints, and was able to get the two banks to talk to each other. Should've done that about 6 months or so sooner.
[+] [-] saxonww|1 year ago|reply
https://www.bitsaboutmoney.com/archive/banking-in-very-uncer...
[+] [-] patio11|1 year ago|reply
[+] [-] nox101|1 year ago|reply
But, let's say the laws got fixed and it became the bank's fault. Would there be un-intended consequences or only good ones? I'd expect banks to maybe get rid of checks. Or, require every check to be approved when received. You send a check, the check gets deposited, the bank pings you (email, sms, app) .. did you write this check? Or maybe something else.
If I understand correctly, some countries (Estonia?, Singapore?) when you use a credit card, the bank requires some form of 2 factor. I've seen that once in a while with USA cards, usually only when ordering something abroad. In Japan some banks require a 2 factor calculator that generates codes. No idea if that's prevented much fraud.
[+] [-] remus|1 year ago|reply
I think it is a little more nuanced. While I think banks should shoulder more of the responsibility account owners also need to be invested in keeping their personal information secure. If I left my passport, driving license, pin, password, phone (unlocked of course) and 5 years of bank statements by the side of the road a stranger could pick those up and pretend to be me with very little effort, and the bank would be very hard pushed to distinguish the stranger from the real person. If it was purely the bank's problem what incentive would there be for people to secure their information? They'd just reclaim the loss back from the bank.
[+] [-] Boltgolt|1 year ago|reply
[+] [-] mindslight|1 year ago|reply
Checks would be completely unaffected, as they're already reversible like any other ACH transaction.
If there is any affect it would be on cash withdrawals and wire transfers seeing increased authentication requirements (places where the transaction "hardness" of money increases). But that's precisely what we want to happen! I do personally withdraw thousands of dollars in cash at a time. But if say I had to use my ATM card + PIN instead of merely writing my 9-digit account number on a paper withdrawal slip, I would certainly understand.
[+] [-] yencabulator|1 year ago|reply
I have high hopes for contactless payments to finally force reader upgrades, because the difference is something the consumer notices and might appreciate. With magnetic strip vs chip, the user experience was too similar.
(Of course, my phone fails to pay about half the time at the local grocery store, but at least the credit card tap works.)
[+] [-] rstuart4133|1 year ago|reply
Ditto all government credentials - birth certificates, passports, other licences. All should have been changed decades ago.
But we are talking about the USA. The credit / debit card industry figured this out and published the EMV standard (aka "chip and PIN") in 1995. A few countries made EMV mandatory for credit/debit cards in 2003, most had done it by 2015. The USA waited to 2021 to force the issue using a liability shift.
Now identify fraud is approaching epidemic proportions. In Australia at least the major source of these identity document leaks is data breaches of organisations who were forced by the government to collect copies of licences by Know Your Customer regulations. The penny has finally dropped finally here, with our Feds finally moving to mandating electric ID's and licences. If the governments in haven't realised they a similar position now, they will be soon.
[+] [-] joelccr|1 year ago|reply
As with any extra step in a purchase its a balance between security and conversion rates. It seems companies have decided it reduces conversion too much in the US hence the low uptake, whereas UK/EU seem to use it very often.
[+] [-] unknown|1 year ago|reply
[deleted]
[+] [-] Am4TIfIsER0ppos|1 year ago|reply
[+] [-] surfingdino|1 year ago|reply
[+] [-] jstummbillig|1 year ago|reply
I have deep empathy for how costly these experiences are, that I can then just learn from in 5-10 mins. I hope that in the future more of the bad stuff can be avoided upfront but in the meantime I think this is wonderful and something to foster (which I should remind myself of and participate in more often).
[+] [-] 1vuio0pswjnm7|1 year ago|reply
[+] [-] datpiff|1 year ago|reply
Does this seem a little far-fetched? The reporter lost $5000 - a lot of money! - but if it required a high-tech impossible-to-detect fake ID, layers of shadowy criminal gangs and cash mules it seems like there won't be a huge profit left. It seems more likely that this kind of fraud is much less sophisticated, and is exactly the same technology used by adolescents to get into bars.
This feels like another argument that this is an unsolvable problem, and banks are helpless against mysterious dark web hackers. Dive bars are held reasonably accountable over verifying identity, it seems crazy that we accept that banks can't/won't do the same.
[+] [-] droopyEyelids|1 year ago|reply
It sucks that the criminal skipped bail, so without bail reform that would have only been allowed if she passed a certain threshold of wealth. Thats not mentioned because its clearly not a better outcome.
[+] [-] criddell|1 year ago|reply
[+] [-] jdkee|1 year ago|reply
[+] [-] hiddencost|1 year ago|reply
But this was secretly an article about bail reform, trying to paint a sympathetic picture and then redirect your anger at bail reform.
I hate that. Bail reform is a good, wise policy that works, and no amount of dishonest articles like this will change that.
[+] [-] qingcharles|1 year ago|reply
[+] [-] ggm|1 year ago|reply
[+] [-] OutOfHere|1 year ago|reply
There is however the question of a potential negative balance. For this, do not allow overdraft protection beyond a small amount. Also, don't have a linked account such as a savings account that gets used for potential overdrafts.
[+] [-] adriancr|1 year ago|reply
If a victim of fraud, file a police report, go to the bank with it and get your money back. Then change banks as they are incompetent.
It's the banks problem now.
It's always the banks problem to keep your money safe and authenticate things.
It's insane this kind of theft is possible.
Also, OP got the money back:
"two and a half months after the theft — the stolen $5,000 was back in my account."
[+] [-] elric|1 year ago|reply
[+] [-] rPlayer6554|1 year ago|reply
[+] [-] djoldman|1 year ago|reply
[+] [-] criddell|1 year ago|reply
https://abcnews.go.com/Business/bank-america-florida-foreclo...
[+] [-] SV_BubbleTime|1 year ago|reply
Sees the issue with bail reform right away, then wishes we had more regulations like the UK.
[+] [-] noja|1 year ago|reply