mikegalbicka
Back in the saddle again
I provide the following for MOA members (military affiliated) who use USAA for banking/investing/insurance. If that ain't you then don't bother.
As a long time USAA member and a retired IT professional with 30 years experience who uses best practices for online security I was shocked to uncover what the following links discuss.
The relative ease to recover an account with only the DOB/cell number and a new phone number not on the account is very troubling. I have been disappointed that their security protocols only offer Symantec VIP tokens for 2FA (I use Yubikeys) but this report is really my last straw with them. I am in the process of moving my checking/bill pay over to my Schwab accounts because of this. Schwab does allow hardware security key 2FA but you have to jump through some hoops to avoid using the Symantic Key/App and use a Yubikey instead. I have chosen to greatly reduce my risk at USAA for the foreseeable future. I have also decided to use a Google Voice number for any financial institution contact instead of my cell number to provide some protection from spoofing. YMMV
First detailed hack post I found (be sure to read the comments)
short version - and I quote
USAA had a security breach between December 2022 and May 2023. They were very secretive about how it happened and what data was lost. I’m not sure if my data was part of this breach, they never notified me that it was, but it could explain the hacker’s ability to social engineer USAA.
It appears the hacker just called USAA and told them something like “my phone got stolen and I can’t get into my account. Here’s my new phone number. Sure, I’ll verify my SSN, DOB, the kind of car I drive, my address, …” USAA then changed the phone number on my account and the attacker reset access using his own phone. They did this multiple times, even after the account was marked for fraud. Not once did USAA send anything to my REAL phone to alert me. Nor did they wait a reasonable amount of time, attempt to verify me through my valid email, etc. Essentially they had almost no controls to prevent access to my personally identifiable information.
Follow up to that post with more details (be sure to read the comments)
short version - and I quote
It’s been just over 3 weeks since Russian hackers spoofed USAA’s very weak internal controls (3 separate times) and stole over 30 years of my financial data. Here’s an update on my situation and USAA’s attempts to fix their problems.
The original article (I linked above) describes what it is like when your bank allows Russian hackers to take over your account.
In summary, USAA did not do anything until I filed a complaint with the California and Texas Attorney General, wrote emails to their execs, and posted on LinkedIn.
After doing this, I was finally contacted by a woman who said she was from “the CEO’s Office” (Adrianna x48521) and would be my point of contact. We spoke twice and she stopped taking my calls. During the two calls that I had, she acknowledged the flaws in USAA’s Fraud controls and provided an indication of what was (and was not) being done.
The most important thing that I took away is that USAA does not have procedures to monitor for and detect fraud. They do not have procedures to investigate fraud and they do not have procedures to communicate fraud to their customers. These are basic requirements established by the FTC.
My added comments below:
The breach has been reported elsewhere and it appears there is a class action lawsuit as well.
This appears to be the letter they eventually mailed out.
Other links from a google search.
As a long time USAA member and a retired IT professional with 30 years experience who uses best practices for online security I was shocked to uncover what the following links discuss.
The relative ease to recover an account with only the DOB/cell number and a new phone number not on the account is very troubling. I have been disappointed that their security protocols only offer Symantec VIP tokens for 2FA (I use Yubikeys) but this report is really my last straw with them. I am in the process of moving my checking/bill pay over to my Schwab accounts because of this. Schwab does allow hardware security key 2FA but you have to jump through some hoops to avoid using the Symantic Key/App and use a Yubikey instead. I have chosen to greatly reduce my risk at USAA for the foreseeable future. I have also decided to use a Google Voice number for any financial institution contact instead of my cell number to provide some protection from spoofing. YMMV
First detailed hack post I found (be sure to read the comments)
short version - and I quote
USAA had a security breach between December 2022 and May 2023. They were very secretive about how it happened and what data was lost. I’m not sure if my data was part of this breach, they never notified me that it was, but it could explain the hacker’s ability to social engineer USAA.
It appears the hacker just called USAA and told them something like “my phone got stolen and I can’t get into my account. Here’s my new phone number. Sure, I’ll verify my SSN, DOB, the kind of car I drive, my address, …” USAA then changed the phone number on my account and the attacker reset access using his own phone. They did this multiple times, even after the account was marked for fraud. Not once did USAA send anything to my REAL phone to alert me. Nor did they wait a reasonable amount of time, attempt to verify me through my valid email, etc. Essentially they had almost no controls to prevent access to my personally identifiable information.
Follow up to that post with more details (be sure to read the comments)
short version - and I quote
It’s been just over 3 weeks since Russian hackers spoofed USAA’s very weak internal controls (3 separate times) and stole over 30 years of my financial data. Here’s an update on my situation and USAA’s attempts to fix their problems.
The original article (I linked above) describes what it is like when your bank allows Russian hackers to take over your account.
In summary, USAA did not do anything until I filed a complaint with the California and Texas Attorney General, wrote emails to their execs, and posted on LinkedIn.
After doing this, I was finally contacted by a woman who said she was from “the CEO’s Office” (Adrianna x48521) and would be my point of contact. We spoke twice and she stopped taking my calls. During the two calls that I had, she acknowledged the flaws in USAA’s Fraud controls and provided an indication of what was (and was not) being done.
The most important thing that I took away is that USAA does not have procedures to monitor for and detect fraud. They do not have procedures to investigate fraud and they do not have procedures to communicate fraud to their customers. These are basic requirements established by the FTC.
My added comments below:
The breach has been reported elsewhere and it appears there is a class action lawsuit as well.
This appears to be the letter they eventually mailed out.
Other links from a google search.
Last edited:
