Complex two-year scam exposes weaknesses in Bank of America's user authentication approach

Dark Reading Staff, Dark Reading

August 18, 2012


Michigan authorities have charged seven people with pulling off a complex account takeover scam against Bank of America and stealing nearly $360,000.

According to the indictment, the two-year scam, carried out through online and telephone banking, involved individuals whose role was to open fraudulent accounts and withdraw funds at Bank of America.

The seven suspects moved funds from legitimate accounts to accounts opened under false pretenses, the indictment says. The indictment alleges that leader Xavier Hicks used new accounts opened by runners to transfer stolen funds from legitimate accounts. Hicks also allegedly opened joint accounts in the names of runners and existing BofA customers by accessing personally identifiable information about those customers through Bank of America's telephone and online banking systems.

Hicks allegedly set up joint accounts involving legitimate customers and then initiated fund transfers online or through the call center from the legitimate accounts to the fraudulent joint accounts. After funds appeared in the joint accounts, prosecutors say they were transferred to the runners' accounts, where they could be withdrawn by the runners.

The scam suggests that banks need to give more thought to how they authenticate customers who work through on-site tellers and call center operators, the indictment says.
