Privacy & Security

Are Hackers Planning to Bleed Your Bank Account?

While it wasn’t widely publicized on this side of the pond, a hacker breach last month into Britain’s Tesco Bank sent shockwaves throughout Europe, with the thieves managing to steal £2.5 million (US$3.1 million).

That’s a relatively small loss compared to other hacker attacks, such as the staggering $81 million theft earlier this year from the Bangladesh central bank’s accounts in New York. What is more distressing though is the fact that nearly 7% of Tesco’s customers were affected – as well as the techniques the hackers may have used to penetrate the bank’s databases.

Early reports on the attack, which took place in early November, indicated that hackers might have guessed a customer’s debit card number, expiration date, and security code through a “distributed guessing” attack. That is, for each compromised account, the attackers made multiple attempts to access it from numerous websites until they finally got it right. The tools used for this type of attack are now so sophisticated that, according to one researcher, a hacker can acquire these three data points in a matter of seconds.

More recent reports point to a more obvious vulnerability: Tesco may have issued debit cards numbered sequentially. That would mean that by knowing just one card number, a hacker would have a much easier time working out the remaining two data points – the expiration date and security code. In addition, most online payment systems aren’t set up to detect multiple invalid requests from different websites.
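The gap described above, invalid requests for one card spread across many websites, can be closed only where all attempts for that card are visible together. The following sketch is an added example, not code from the bank or from this article: it assumes a central log of authorization attempts keyed by a card token, and the thresholds, field names, and sample events are constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 600   # assumed look-back window
MAX_FAILURES = 5       # assumed: failed attempts per card within the window
MIN_MERCHANTS = 3      # assumed: distinct merchants those failures came from

# Constructed sample events: (unix_time, card_token, merchant_id, failed_field)
# failed_field is None when the authorization succeeded.
SAMPLE_EVENTS = [
    (1000, "tok_A", "shop1", "expiry"),
    (1005, "tok_A", "shop2", "expiry"),
    (1010, "tok_B", "shop1", "cvv"),    # one typo by a genuine customer
    (1012, "tok_A", "shop3", "expiry"),
    (1020, "tok_A", "shop4", "cvv"),
    (1021, "tok_A", "shop5", "cvv"),
    (1030, "tok_B", "shop1", None),     # genuine customer succeeds on retry
    (1031, "tok_A", "shop6", "cvv"),
    (2000, "tok_C", "shop1", "cvv"),    # repeated failures at ONE merchant:
    (2005, "tok_C", "shop1", "cvv"),    # that merchant's own limit covers this
    (2010, "tok_C", "shop1", "cvv"),
]

def detect_distributed_guessing(events, window=WINDOW_SECONDS,
                                max_failures=MAX_FAILURES,
                                min_merchants=MIN_MERCHANTS):
    """Return {card_token: time_first_flagged} for cards whose declined
    attempts are spread across many merchants inside the time window."""
    recent = defaultdict(deque)   # card_token -> deque of (time, merchant)
    alerts = {}
    for ts, card, merchant, failed_field in sorted(events, key=lambda e: e[0]):
        if failed_field is None:
            continue              # only declined attempts are counted
        q = recent[card]
        q.append((ts, merchant))
        while q and q[0][0] < ts - window:
            q.popleft()           # drop attempts older than the window
        merchants = {m for _, m in q}
        if len(q) >= max_failures and len(merchants) >= min_merchants:
            alerts.setdefault(card, ts)   # keep the first time it tripped
    return alerts

if __name__ == "__main__":
    for card, ts in detect_distributed_guessing(SAMPLE_EVENTS).items():
        print(f"ALERT card={card} first flagged at t={ts}")
```

Each merchant in the sample sees at most one failure for `tok_A`, so no per-site limit would trip; only the per-card count across merchants flags it.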

As would be the case in most countries, Tesco has now reimbursed the 9,000 customers whose accounts were affected by the hack. But don’t assume that if hackers steal money out of your account, you’re not liable for the loss.

In the US, protection against unauthorized electronic transfers is almost absolute for personal accounts. Regulation E of the Electronic Fund Transfer Act requires banks to bear the burden in most circumstances. Your liability for a loss is capped at $50 if you report the unauthorized transfer within two days. The limit is $500 if you wait longer than that. Even your personal negligence – such as writing your PIN on the back of your debit card – doesn’t let the bank off the hook for your loss if the card is stolen. But if you don’t report the loss for 60 days, you’re responsible for all of it.

Business accounts tend to be larger and are therefore increasingly in hackers’ crosshairs. However, for business accounts, Regulation E no longer applies. Instead, transactions are governed by the Uniform Commercial Code (UCC). That means much weaker legal protection.

The UCC requires that banks provide business customers with “commercially reasonable” security conditions. As long as the bank follows its own protocol, it need not reimburse businesses whose accounts are hijacked by hackers. Moreover, buried in the fine print of business banking agreements, you’ll often find the bank disclaims all responsibility for security breaches.

Stuart Rolfe, a Seattle businessman, found this out the hard way. Hackers managed to hijack his company’s email account, allowing them to impersonate Rolfe and authorize fraudulent transfers. When he finally discovered what was happening, more than $1 million was missing. And since all of the transfers appeared to originate from Wright Hotels, JP Morgan, the company’s bank, had no obligation to make good on the loss.

The most recent FBI data show a huge growth in this kind of fraud. More than 8,000 companies have been victimized over the past two years. Their losses total nearly $800 million.

The safest strategy to protect yourself is to avoid online banking completely, cut up your debit cards, and close all your bank accounts. Unfortunately, that’s not practical for most of us. But there are several ways you can protect yourself and your business from this type of fraud.

  • Avoid posting information on social media that a hacker could use to answer security questions. What I do is intentionally give the wrong answers to security questions. For instance, I might list my best childhood friend as “Uriah Heep,” the fictional character in Charles Dickens’ masterpiece, David Copperfield. Just make sure to keep a record so you don’t lock yourself out.
  • Subscribe to fraud alerts from your bank notifying you of suspicious activity in your account.
  • Use a virtual private network (VPN) for all online communications. This prevents hackers from monitoring your data stream to siphon off passwords and other credentials that could be used to impersonate you. Here at The Nestmann Group, we use Cryptohippie for this purpose.
  • Monitor your account activity carefully. Individuals should review monthly statements for any unauthorized activity. Business users should monitor account activity daily or even more often, to ensure there have been no fraudulent withdrawals.
  • Impose daily transaction limits on your account. For instance, if you never transfer more than $10,000 out of your account daily, this would be an appropriate limit.
  • Set up accounts with banks that give you a printed list of disposable authorization codes. Whenever you want to log on to the bank’s website, you’ll need to match a challenge-response screen to a series of letters and numbers on the list. An equally effective precaution is to have your bank give you a “dongle,” a small device plugged into your PC or smartphone. Without the dongle, you can’t get access to the account.

One thing is certain: Hackers have your financial accounts in their sights, especially if you operate a business and keep large balances in them. Don’t wait to be the next victim before you take the appropriate precautions.
