USAA Gave Access to my Accounts to an Identity Thief by Ignoring their Own Procedures

Hello, I am a federal employee and retired military member who has been banking at USAA for almost 20 years. BOTTOM LINE: This past week, using pieces of my personal information and persistent social engineering, my accounts at USAA were hacked, and additional information stolen following access, due to customer service representatives not following procedure. THANKFULLY, I FIRST NOTICED IT QUICKLY--THE SAME DAY IT OCCURRED, though USAA caused this breach to occur by not following its own procedures. Last week, I noted a multi-thousand-dollar bank check withdrawal earlier that day from a savings account at USAA. Additionally, there was a charge for a check fee and expedited mail fee. I had not requested these. I opened a fraud investigation immediately with the bank, and put a fraud alert on my credit (credit was already locked). USAA said they would let me know what they find out in 1-2 days. After changing all passwords, pins, etc, the person (I was told a male with a heavy non-English accent) tried to break into my account over the phone again two days later. He was only thwarted because of MY actions to initiate a fraud alert, though USAA had AMPLE evidence to do this before it happened. Here, almost a week later, I still was not contacted by USAA with a status. So, I called and USAA revealed how the hacker got access, and how USAA failed to follow their own security protocols. The identity criminal had begun calling USAA and had my social security number, name, zip code, details of military service, wife's name, and wife's date of birth. This hacker did NOT have my nor my wife's USAA unique ID number, my required and always enabled telephone access password, online account usernames, my phone numbers, credit card numbers, nor online access pin. HOWEVER, using repeated calls to USAA in succession on August 18th, he persisted all day--calling back multiple times--and managed to find out more information about my background from USAA. He would call, give a piece or two of good info, then fail an authentication, and they would just allow him access by asking a different question. He managed to link his iPhone to my bank accounts and set his own pin--I never got notification this was done. He then used that iPhone to access our accounts with his pin and abbreviated sign-on, bypassing all our security. NOTE--he never had our phone password, our pin, my online username, our credit cards...but he was still able to convince a USAA member to ADD A DEVICE against our accounts. Our passwords and PINs were NEVER breached--we monitor our accounts daily and take strict precautions. USAA appears to discourage its service reps from enforcing security protocols if the customer gets angry enough. They also told me the male identity thief had a strong foreign accent and had multiple failed attempts in the same day to access the information, persisting until USAA failed to protect my information. They accessed via an IP and phone I never used. In fact, the person only was thwarted on the second attempt because I had already alerted USAA to the activity, and while on the phone I revealed no one should be trying to create any transactions against our account. USAA also told me the person used new unusual IPs and phones not in my profile. Even though they serve primarily military members, who had been part of multiple US Gov data breaches, USAA STILL allows and allowed account access with a social security number and addresses--even though we had multiple layers of other security in place to prevent this exact scenario. REALLY? It is moronic they have not adapted their security protocols based on the data environment of their compromised customers who were likely affected by at least one of the breaches. When you call, all that is needed are a few pieces of information--no phone password even if you enabled it. They just "give in" to the customer after a while. I AM PROOF OF THIS. The US Gov breach is one thing, but the thief would not have accessed our accounts if USAA followed BASIC protocols. WORSE YET, once the thief used their phone, they then had all my other acct data of my family at their fingertips-- which was previously secure! As I weigh legal options, and of course banking/insuring etc elsewhere, I encourage members to keep close daily watch on your accounts, because it is clear we are one weak customer service link away from compromise. They weren't this way 20 years ago. This is unforgivable.I STILL have security protocols on my account that they are not honoring. BEWARE because there is extreme incompetence.

31 REPLIES

Dear member,

 

I can imagine your frustration during this time and I would like to get someone in contact with you to help. I have sent this over to our bank for further review, someone will be in touch with you. Thank you.

 

With respect, I don't think you can imagine the frustration, but obviously I don't want to badger the messenger.

 

What USAA needs to do is simple--and should have already been done without me asking:

 

Since USAA compromised all of my accounts and personal information of me and my family by responding to phishing, they need to transfer all my investment accounts, etc to new acct numbers, issue new USAA numbers, transfer all my existing accounts to new equivalent accounts, and transfer associated scheduled ACH items to the new accounts, and put ACH blocks in the meantime except on a per-case basis as authorized by me.  

 

Further, convert existing checking accts to SecurePlus accounts, without fees including free credit monitoring ad infinitum, which is how long my personal information will be compromised. 

 

Only thing I should have to take care of are existing ACH direct deposit/payroll reauthorizations because I don't think the bank can do that on my behalf.

 

Anything less than that is unacceptable.

Had a very similar experience recently and it was not handled well by USAA.  I had to call several times to make things happen that should have happened to begin with.  I can't imagine the issue over there.

AllenD,

 

Based on your comment, I am not sure if your situation was resolved. If not, please send us an email along with your member number and details to: [Removed Link]. Thank you for posting in the community.

I'm going to have to jump on this bandwagon, since this JUST happened to me and in the same way. First someone called pretending to be me from Nebraska, and didn't succeed. Shortly after that someone else tried (Florida this time) and they were able to provide enough information to get access via usaa.com, change my username, password, email, phone and pin. What's really scary is that this happened shortly after I requested a new card for one of my other accounts.

 

I am thankful that USAA handled this faster than expected, but it was too late to save my funds. So now there's a fraud report, will be 2-3 business days before money is redeposited, but wouldn't matter since I had to cancel my cards and wait for new ones to come in.

 

Here are the parts I don't understand. One, if someone tried to get into my account via phone and failed, why wasn't an alert done right then? Two, why did it take me (essentially the third call) calling up there trying to find out what was going on before anything was done? Shouldn't the account have been flagged right there and then? Also, it bothers me that the ONLY  reason I found out as soon as I did was because my husband (who uses my login, long story) saw a brief alert pop up with something about profile change, so he called me. The idea of alerts is great except for one problem - when someone does what happened to me, I can't see/load the messages because they've changed my login! Hard to respond when you don't know what you are responding to...

 

Between all the conversations I had today, and the pieces I've put together, I can understand exactly what the first poster was saying. During the beginning of my call to USAA I was asked for my phone pin. I had no idea what that was. So I answered some basic security questions, and the girl TOLD me what it was (adding afterwards that I could have asked for a hint). Why wasn't the fact a hint was possible done INSTEAD of giving that information out?

 

Fast response doesn't trump prevention in the first place...

Dear Ayara2001,

What a scary experience, thank you for being vigilant about the safety of your accounts. I would also like to thank you for taking the time to share your experience and thoughts.  I have made sure your comment is escalated to our bank for further review and consideration. Thank you again for commenting.

You are obviously not USSA material. Do not fret, as it is common for Simpletons such as yourself to believe you are equals to the top Thinking Cream rising Privileged few such as myself (a common delusion shared all the way back to the obvious Peasant/Servant Bloodline you surely hail from as far back as the Dark Ages....) I soil my impeccable Class, Style, Suavvayness, Charm, Charcter, Extremely Perfect Physically Physical Photogenic Physique, and Humble Modesty that matches my Stunning Chiseled Features by Aknowledging your Cringeworthy Embarrsement attempt to affiliate your see through shennanigans of thinking any USSA worthy Customers Such as my Self would be fooled at the belief you are associated with them in a capacity except possibly Head Custodian...Bad Form, I say, Bad Form indeed!!! But keeping with my charitable reputation I will forgive your offensive act and even show you a blessed act as a example of how lucky you are to have me and the greatness that makes up the me that makes me so great with some advice, i daresay, I exaggerate none when I tell you a war on a Continent I'll leave unnamed was narrowly averted when two countries in past travels of mine wanted sole claim to my Royal Advice on what it was to be me and the incredible Aura encompassing of my Marvelously Mythically Maintained Mystical Malovent Maintenance Mistaken as Mother Theresa~like in Charitable and Uncommparrablely Uncircumcised Wisdom, I will show you my Grace and guide you from USSA Banking Clearly above your Peasantry Means and Class , and u shall have my Butler instruct you in enrolling in a more fitting institution for one of your means. I'm sure you will know Honesty and Comfort there at, dare I say a perfect fit! Best wishes and success at Green Dot Banking. Toddle Doo Da Dee!
This just happened to me. Was there another attempt after?
In my case, there were multiple calls until they were finally able to change my account password, the pin to a card, and increase the ATM daily withdrawal amount. They also put a travel alert on my account that they would be in Italy for a few weeks. They managed to get a card number and used the PIN they created/changed to withdraw several thousand dollars.
Same thing happened this month. The fraudsters performed their transactions in Miami FL including multiple ATM charges,and a major retail purchase. They gained access to the online account after calling multiple times. Feel like the bank card was skimmed then they called to gain access to online information. Then changed withdrawal limits, requested balances etc. in the meantime no phone alert was sent - only alerts through email and an app. We are dealing with this and are concerned that if they had access online and could scan or do phishing with USAA what prevents them from doing it again.