I got a call from a panicked relative last week. It was one of those 12 o’clock at night calls that you just dread getting.
We’ll call her “Grace.” She was in tears.
Grace had just got off the phone with her bank for the second time in two days. Both her checking and savings accounts were gone, emptied by a hacker armed with her personal information.
All her hard work, her savings, nearly $20,000 in cash, vanished. It’s a chilling feeling. A profound violation of privacy.
The bank, for its part, called her the day prior to warn her of suspicious activity. Upon confirmation that Grace, who lives in Wisconsin, had not completely emptied her accounts at an ATM in South Florida, the bank promised to lock her accounts and refund most of her money.
The rest would be returned following a fraud investigation.
All good, right? The system worked as it should have, and Grace got her money back after a minor scare. But that wasn’t why she was calling me at midnight.
It happened twice!
Within a span of less than 36 hours, Grace’s accounts were emptied again. The roughly $15,000 her bank had refunded to her account was gone. This time it was Grace who caught the error, not her bank.
After another frantic and quite terse call with the bank, Grace was told that she authorized the withdrawal!
The call came from the phone number on her account — again from a location in South Florida and again with verified personal information that only Grace should have had access to. Armed with this information, the hacker was able to override the bank’s account lock and steal the refunded cash.
That’s $35,000 now gone into the humid South Florida air.
How did this happen, especially after the bank locked her accounts?
The answer is surprisingly simple. It lies with social media firm Facebook.
Making the World More Open and Connected?
For 2018, Facebook changed its motto to: “Making the world more open and connected.” Thanks to the company’s lax protection of your personal data, that motto has taken on a more ominous meaning.
On October 12, Facebook announced that it had been hacked. More than 30 million user accounts were affected, leaking their private data to hackers across the globe. Grace’s account was among those affected.
While the investigation is still ongoing, the bank believes that the hacker used data gleaned from Grace’s hacked Facebook account to impersonate her online and on the phone. The hacker had access to Grace’s email address, mailing address, phone number and numerous other personal details.
Using these, the hacker initially gained access to Grace’s account and changed the phone number on record and the personal identification questions that are used as a backup for access.
When Grace’s bank locked the accounts, the hacker called from the new “official” number armed with the new identification information and rescinded the lock.
It was that simple.
Arguably, the bank’s fraud department should have seen something wrong with this second hack. It’s something that Grace will have to settle up with the bank later.
But the whole incident could have been solved by a few easy steps.
2 Steps for Avoiding Facebook Hacks
The first step is going to hurt for a lot of us: Stop using Facebook.
If you’re like me, you waste way too much time there in internet arguments. Stop. Stop sharing articles. Stop liking things. Stop altogether.
But there is a convenience to Facebook when connecting with friends and family. For some of my family, it’s the only way we stay connected. In this case, there are some critical things you need to do:
- Create an email address specifically for Facebook — don’t use it anywhere else.
- Don’t share any personal information — at all. No phone number. No mailing address. This means in your postings as well as in your profile.
- Change your privacy settings to “Friends” and not “Public.” It will further limit the amount of personal data you share, but you are still subject to your friends’ privacy policies.
- Don’t, under any circumstances, use “Connect with Facebook.”
That last point needs some further explaining. “Connect with Facebook” is one of the world’s worst password managers. It allows you to log into websites by using your Facebook information, thereby alleviating the need to remember a password for that site.
It sounds like a simple solution, especially when you have unique passwords and usernames for practically every website you visit these days. But this simple solution makes it extremely easy for a Facebook hack to occur, as access to personal information you share with these other websites is granted.
It also allows those other websites access to data you share with Facebook. Therefore, if the other website gets hacked, the hacker also potentially has access to identifying information you shared with Facebook.
This is in addition to your personal information being shared across the internet with various third parties — you don’t think those tailored ads are just a coincidence, do you?
The second overall step is to beef up your own personal security. That means ditching that free email address you got from Gmail or Yahoo and getting a password manager — a real service like LastPass, not that fake one Facebook offers. Never reuse passwords and user names for multiple websites.
Ultimately, it’s going to cost you a little bit of money out of pocket. LastPass’s main service is free, but its paid service is about $48 per year. For secure email, there’s CounterMail for about $20 every three months. But how much is your personal information, your bank account, and your life savings worth it to you to prevent a Facebook hack?
I’ve only skimmed the surface when it comes to applications like these. For a considerably more in-depth dive and the best recommendations on what you can do to protect your digital privacy, you must read this month’s edition of The Bauman Letter and Ted Bauman’s special report, Privacy Code 2.0.
Both would have saved Grace thousands of dollars … and a tear-streaked call to family at midnight.
Until next time, good trading!
Assistant Managing Editor, Banyan Hill Publishing