
In this week’s MemberPass Blog, we look at two startling examples of technology-driven financial fraud and how MemberPass can help your members avoid them.


Hacked Text Messages

We’ve known for a long time that text messages aren’t an especially secure or reliable way to transmit information.

In fact, a Google search of the phrase “text messages are easy to hack” returns more than 18 million results. The first dozen or so sites listed offer how-to tips and applications bad actors can use to illicitly view another person’s text messages.

Recently, there have been reports of a significant text message vulnerability created by firms that offer commercial texting services. For businesses that routinely use text messages for marketing purposes, sending hundreds of thousands or millions of promotional text messages can be a time-consuming, labor-intensive task. They’re typically happy to outsource the task.

A number of these firms offer free or cheap trials. That’s where the weakness is. According to the author of this piece on Vice.com, “A gaping flaw in SMS lets hackers take over phone numbers in minutes by simply paying a company to reroute text messages.”

With the permission of the author of the article, a hired hacker signed up for a trial with one of the commercial texting firms. The hacker paid $16 and registered the author’s cell phone number on the firm’s website.

After the equivalent of a pinky swear that he would do nothing unlawful or inappropriate, the hacker could immediately send and receive text messages from the author’s number.

From there, it was trivial for him to log into other accounts associated with the author’s phone number. The author points out that this is much easier and requires less technical sophistication than SMS hijacking, yet it causes pretty much the same security vulnerability.

This should be a real wake-up call for the credit unions, banks, and investment firms that use text-message-based multi-factor authentication systems to grant users access to their financial information. It’s simply not as secure as it should be.

Phone-based identity fraud gets more sophisticated every day

This one is so unsettling it’s better to read the actual story from the CU Today website. It happened recently to a credit union member. We share a lightly edited version below.

Bria Williams, a credit union member, told a local TV station she always thought of herself as vigilant in protecting personal information, but a phone call has her rethinking things. Williams told the news outlet she was called by a familiar number, that of her credit union. That was followed by a text also claiming to be from the credit union.

“Pretty much saying, ‘Hey, did you attempt to use $650 at Smart Auto Loan with your card ending in this?’” Williams told the station. “Reply ‘y’ for yes or ‘n’ for no. I replied ‘n’ and it said, ‘Thank you, someone will be in contact with you shortly.’ Moments later they called me from that same exact phone number.”

The station reported that while on the call, she Googled her credit union’s number to be sure it was correct, and it was. The caller, Williams said, verified all her personal info, including her address and credit card numbers. “After he verified those things, I said, ‘OK, this is a legit call.’”

According to the station, Williams said the man on the phone told her about three charges someone made to her account in Houston, and that he would send her a one-time code so the card could be deactivated.

“He says, ‘OK, what’s your PIN? I need your pin so I can put it in and we’ll get this deactivated,’” Williams told WTVR. “I was hesitant, but I also was like I know it is the credit union man because he called from the phone number, so let me just give him this number.”

Feeling uneasy, Williams told the news outlet she checked her account a short time later, and while it showed no bogus charges made in Texas, there were two identical debits from her account made in Oklahoma City.

After getting in touch with a real representative from her credit union, Williams learned they had no record of calling her, the station reported, adding that Williams, who had been scammed, wants her story to be a cautionary tale for others.

“I’m 100% confused as to how they were able to duplicate the credit union number and impersonate them,” she said. “I contacted you all so I could bring awareness to the situation.”

Her credit union said it is investigating the incident and Williams was told they will return the money to her account.

Let’s quickly review what happened here

1. She answered the scam call because it was identified as being from her CU.

2. She heard believable information about potential bogus charges to her account.

3. The scam only fell apart when she was asked for her PIN.

4. Even then, she waffled before she ended the call.

The lesson to us all is that financial fraud is real, it’s sophisticated, and it’s getting trickier to detect by the day. Virtual high fives to the credit union team for helping Bria navigate her way through this troubling ordeal.

MemberPass can help you avoid both problems

These are two perfect examples of situations where MemberPass should be a key part of the services you offer your members. It’s the hassle-free way to give members control of their identity, verify it when they need to, and keep private personal information private.

Your members will thank you when you help them appreciate the direct and immediate security benefits of MemberPass digital ID. It’s virtually unhackable, and immune to identity theft. Members own and control every dimension of their identity and their personal information.

If you haven’t already added MemberPass to your credit union, we’d be happy to arrange a MemberPass demo. Simply email us to set one up. You can also register to attend a webinar or visit us online at www.memberpass.com to find out more.

The sooner you start, the sooner your members will have strong protection against financial fraud!

Bonifii, a credit union service organization, offers MemberPass, a simple, secure and convenient member identity verification method. MemberPass is a digital passport that provides members convenient access to their financial accounts while allowing control and privacy over their personal information. We leverage touchless technology to protect you and your members. Visit www.memberpass.com or email sales@memberpass.com.