Complex two-year scam exposes weaknesses in Bank of America's user authentication approach
Michigan authorities have charged seven people with pulling off a complex account takeover scam against Bank of America and stealing nearly $360,000.
According to the indictment, the two-year scam targeting online and telephone banking relied on individuals, referred to as runners, whose role was to open fraudulent accounts and withdraw funds at Bank of America.
The seven suspects moved funds from legitimate accounts to accounts opened under false pretenses, the indictment says. The indictment alleges that leader Xavier Hicks used new accounts opened by runners to transfer stolen funds from legitimate accounts. Hicks also allegedly opened joint accounts in the names of runners and existing BofA customers by accessing personally identifiable information about those customers through Bank of America's telephone and online banking systems.
Hicks allegedly set up joint accounts involving legitimate customers and then initiated fund transfers online or through the call center from the legitimate accounts to the fraudulent joint accounts. After funds appeared in the joint accounts, prosecutors say they were transferred to the runners' accounts, where they could be withdrawn by the runners.
The scam suggests that banks need to give more thought to how they authenticate customers who work through on-site tellers and call center operators, the indictment says.