Technology fail! Hackers steal $870M from Zelle users, US says

Topic

New Reply

PUBLIC DEFENDER By Brian Livingston Three of America’s largest banks — Bank of America, JPMorgan Chase, and Wells Fargo — were sued last month by the
[See the full post at: Technology fail! Hackers steal $870M from Zelle users, US says]

10 users thanked author for this post.

teuhasn2, IBM1130, fisher75, SueW, Norio, Geo, windbg, DLivesInTexas, lmacri, rc primak

Reply | Quote

Replies

Thanks for your disclosure – I now feel safer using PayPal and will keep my balance at a minimum. That was very good intel. Any tips for Venmo?

Reply | Quote

Disclosure: I myself have an account with one of the three financial institutions the CFPB is suing. But I never felt enough confidence in Zelle to even try it by signing up. By comparison, I’ve sent money electronically using PayPal for years, and I’ve never had any problems. For one thing, when I send a payment using PayPal, a crooked recipient who somehow tried to overcharge me could take no more than the balance in my PayPal account, which I deliberately keep to a bare minimum.)

I have had similar experiences. Never a problem with PayPal. My Bank wants customers to use Zelle. I wouldn’t touch Zelle with a ten-foot polecat.

My Apartment Community uses Bilt Rewards, also backed by Wells Fargo, for rent payments. Getting to the Property Ledger through Bilt is a nightmare, but it is still there. No other problems after over a year.

I’ve also used XpressPay with a medical services provider, because they insisted on it.

At least they issued a receipt when I asked them for it. Better than a certain mostly-online optical shop when I showed up in person because their web site did not accept my Medicare Advantage Flex Card for payment. No receipt there — wait for the email with a non-itemized receipt.

An aside: It should be factually noted that the incoming American Administration has vowed to gut or eliminate CFPB.

— rc primak

-- rc primak

1 user thanked author for this post.

wavy

Reply | Quote

“Three of America’s largest banks — Bank of America, JPMorgan Chase, and Wells Fargo — were sued last month by the US Consumer Finance Protection Bureau (CFPB) for fraudulent losses suffered by their Zelle online-payment customers.”

A typical do-nothing, band-aid fine…

They’ll just write it off as the just the cost of doing business and go on their merry way as if nothing ever happened at all.

If you really think puny corporate fines do much to change their behavior, I have a bridge to sell you.  What color would you like?       

 

Reply | Quote

the item in scam process, “The bank’s call center may be no help.”    is confusing. How does the scammer know the person’s phone number if they called the bank? How will the person confuse the scammer with bank if scammer wasn’t replied to?

 

Reply | Quote

The banks being sued have also automatically opted customers into to Paze which is digital wallet payment option. I was opted in about 6 months ago. I haven’t seen any vendors where I shop online accept Paze. I am concerned about the safety of being automatically opted in to a program which does not appear to have a way to opt out of. The following website explains the program a bit.    https://clark.com/personal-finance-credit/clark-ignore-paze/      I have also read and watched the videos on the Paze website.

Reply | Quote

I don’t think that I was opted into Paze.  I have not heard of Paze until now. However, I didn’t join Zelle through one of those 3 banks.

Reply | Quote

Bank of America has tried several times to get me to use Zelle, and I have always refused. Better safe than sorry.

Reply | Quote

I have been using zelle.  A few times a year.  I picked Zelle because it is immediate, and can operate out of my bank account.  I chose not to use Paypal, Venmo, etc., because I didn’t want to pay a fee to use a credit card, and don’t want money sitting in an account with them to avoid fees for the few times that I use money transfer.  And, it would likely mean transferring money to that account just to be able to send to someone.  Too complicated.

Seems that the article is mentioning money theft based on people falling prey to the usual scam artist tactics. Not money being directly accessed from accounts by thieves.  And the banks not doing as much as possible to protect against it? Probably not. Being money transfer I guess they aren’t liable for it.

However, the article did inspire me to move my Zelle access to a checking account which never has much in it, only enough to pay the imminent credit card, utility, autopays.  Which saved me recently when the only check I had written in last 3 years was stolen and check washed. It was denied because of insufficient funds.  I transfer in whatever will be needed for the next few weeks’  autopayments.

 

Reply | Quote

Hi Brian:

Thanks for another excellent article.

Further to your comments about PayPal, I don’t have a PayPal account and have some concerns about the security of credit card payments through this service.

Many websites for third-party utilities allow users to make online (non tax-deductible) donations with credit cards, and the transaction is handled via PayPal. For example, there is a link at https://www.quickinstaller.net/donate to donate to the developer of QuickInstaller, but when I proceed and choose the option to “Donate with Debit or Credit Card” (i.e., rather than “Donate with PayPal”) I’m taken to a PayPal page at https: // www. paypal.com/donate/guest?token… that requires me to enter an extensive amount of personal data beyond what is typically needed for an online credit card payment like my home address, phone number, email address, etc., even if I don’t check the “Save this information for next time” checkbox. What concerns me is that there is a warning on that page that I am implicitly agreeing to the terms of PayPal’s Privacy Statement if I click the “Donate Now” button, which seems to give PayPal very broad permissions to store and share my personal data with third-party partners and retain that personal data “for longer periods than required by law if it is in our legitimate business interests and not prohibited by law“.

My personal data and Social Insurance Number (SIN) [the Canadian equivalent of a Social Security Number (SSN) in the U.S.] was stolen in a large data breach in 2023 (see the Globe and Mail article Mackenzie Investments clients still seeking answers and support after data breach). Even though I’m currently enrolled in a credit monitoring service, that PayPal privacy statement (not to mention the numerous hits I receive when I google “PayPal data breach”) has always dissuaded me from using any PayPal online payment service.

Am I being overly paranoid about PayPal?
———–
Dell Inspiron 15 5584 * 64-bit Win 10 Pro v22H2 build 19045.5247 * Firefox v134.0.0 * Microsoft Defender v4.18.24090.11-1.1.24090.11 * Malwarebytes Premium v5.2.4.157-1.0.5116 * Macrium Reflect Free v8.0.7783

Reply | Quote

lmacri wrote:

Am I being overly paranoid about PayPal?

I don’t use PayPal or Zelle.  But after personal data has been exposed through any of the numerous data breaches that now seem to be a common occurrence I suppose an argument could be made that such concerns are akin to “locking the barn door after the horse is gone.”  On the other hand, I can empathize with your reluctance to further broaden the exposure and think it is a perfectly natural reaction and not paranoia.  As usual, its a contest between the two parties to a transaction.  If they will only accept a payment method that you eschew then its their loss.  If you don’t ordinarily use PayPal, why start now?  Just my opinion.

1 user thanked author for this post.

WSbobby-p

Reply | Quote

I totally agree 100%. I have a internationally recognized credit (NO NOT A DEBIT CARD) card, cash, and a checking account. If any of these choices are not acceptable to you then I can send you a Cashiers Check-this is the last option. I’m sorry for your loss of doing business with me if none are acceptable to you.

 

I’m not ‘jumping on the bandwagon’ of every new payment system that is introduced as the ‘latest and greatest’ for doing business with you. The ‘systems’ that I have listed are tried, true, secure, and proven to be pretty much as effective as could be reasonably expected with little to no loss for the customer-me.

 

Reply | Quote

I have never felt comfortable using Paypal (similarly with Amazon, which I use occasionally as last resort) because I don’t feel they are clear about what I am ‘buying into’ when using them, having to be extremely careful about which boxes they check for me (always to their advantage, and against mine), what the terms mean, etc. iow, Why do business with a company that I expect to be dishonest and deceptive?

eg: Amazon, returning an item through one of their drop off center. Why presume that I would rather have the refund stay in my account with Amazon, rather than refund to credit card that I paid with. So I check the box asking for refund to credit card. Later I see that I can more easily go to a different drop off site. Amazon doesn’t let me use the same return label, or simply change the drop off location. It requires me to “cancel” the return. This gives them the opportunity to switch refund back to “leave it with Amazon”. I didn’t notice this switch until their ‘immediate’ refund email happily announced that my refund resides at Amazon. One phone call (ghosted after put on hold), chat session, and another phone call all refused to move the refund back to credit card. I filed a dispute with credit card company.

Reply | Quote

astro46 wrote:

the item in scam process, “The bank’s call center may be no help.”    is confusing. How does the scammer know the person’s phone number if they called the bank? How will the person confuse the scammer with bank if scammer wasn’t replied to?

 

I agree the first sentence is a bit confusing, but for the moment ignore that first sentence and focus on the rest of the paragraph, I believe what Brian’s saying there is that some victims did not respond to the text but called their bank to verify whether $2,000 had been withdrawn. Customer service for the bank didn’t pick up and sent them to voicemail. The victim left a message asking customer service to call them back.

The scammers waited 10-15 minutes after sending the text, and when they didn’t hear back on the text, they called the victim pretending to be the bank. We know the scammers did in fact have the victim’s phone number, because the scammers used it to send the text… right? Since the victim left a message asking for a callback, they believed the scammers when they identified themselves as being customer service agents for the bank.

So the first sentence is saying some people still got scammed even though they called their bank, as they thought they were supposed to do. (The bank would have told the victim there was no withdrawal if they’d answered their customer’s call, but they didn’t.)

 

1 user thanked author for this post.

rc primak

Reply | Quote

This version of the possible events makes more sense.

-- rc primak

Reply | Quote

CFPB drops lawsuit against JPMorgan Chase, Bank of America and Wells Fargo over Zelle fraud

The Consumer Financial Protection Bureau on Tuesday dismissed its lawsuit against the operator of the Zelle payments network and the three U.S. banks that dominate transactions on it…

Since acting Director Russell Vought has taken over the CFPB, the agency has dropped at least a half dozen cases brought by his predecessor, Rohit Chopra. ..

Since the recent cases were dismissed with prejudice, the CFPB has agreed to never bring these claims again, shutting off the possibility of clawing back funds for consumer relief..

Reply | Quote