Lousy Telephone Call Overrides Username and Password Protections

May 31, 2012

Hello, Mr. President, sorry to bother you but can you give me the launch code for today's nuclear missile exercise?

Can it really be so simple and easy?  Are we all deluding ourselves into believing that our online accounts are safe?  Hey - don't be so quick to wave me off.  Sit down. This one may take your breath away.

Hey, Can You Help Me Out Here?

Between February 2011 and January 2012, Khaddy Garcia, 25, of North Bergen, NJ, telephoned customer service representatives at various banks, falsely representing that he was the owner or agent of a particular business with an account at the bank. Then this fraudster unrolled his scam.  Garcia claimed to have forgotten the username and password for his business's online account.

You know about all those publicized security protections on your online accounts?  The first line of defense. The second line. The fail-safe.  Well, seems that nothing's foolproof and more than a few fools answer the phones at far too many banks.  Garcia was actually successful in convincing some service reps to help him out with his purported memory lapses.  Once in possession of the forgotten usernames and passwords, Garcia withdrew funds from the compromised account by issuing checks and wire transfers to himself and to his co-conspirators.

And just how successful was this idiotic scheme?  How about to the the tune of Garcia actually gaining on-line access to over 20 different business bank accounts from which he attempted to withdraw over $1.5 million, and ultimately succeeded in withdrawing over $200,000.  I'm less focused on that $200,000 amount than I am on the fact that such a stupid ploy managed to override online protections for some 20 different accounts.

Venturing Into Bigger And Better

In December 2011, Garcia learned that the owner of a New York City venture capital firm had wire transferred  $2 million to a bank account maintained by a clearing firm. Apparently confident from several months of scamming bank customer service reps, Garcia made numerous phone calls to the venture capital firm's owner and  his agents.  Once, he had these unsuspecting souls on the phone, Garcia pretended to be a representative from the clearing firm.

Garcia then worked the con.  He told the owner and his agents that the $2 million wound up in the wrong clearing firm account.  Oh my!  What we gotta do here is re-wire the funds from the wrong account to the right one. We're really, really, really sorry about this.  Our bad. Lemme fix this for you folks quickly.  I'm imagining that such was the patter from Garcia.

Garcia then gave routing instructions and account information to his marks, likely assuring them that the $2 million needed to be quickly rerouted to this correct location.  In fact, the routing and account information corresponded to an account controlled by Garcia.  Thankfully, before any funds were rerouted to Garcia's account, the fraud was detected.

On May 29, 2012, Garcia pled guilty in Manhattan federal court to one count of bank fraud and one count of wire fraud, in connection with both schemes discussed above . Garcia faces a maximum prison term of 50 years.

Bill Singer's Comment

Whoa, that scares the crap out of me.  Imagine, we have all those alphanumeric IDs and passwords - some even using special characters - and a simple, lousy telephone call can easily override the whole system.  I'm sure hoping that Citibank, Bank of America, Wells Fargo, and Chase are paying attention to this criminal case. Hopefully, the banks and brokerage firm will test out there own security by routinely calling their customer services numbers and trying to get over with the same sweet talk.  To some degree it's comforting to know that despite the most intricate and advanced digital security systems in place, that human beings still have the ability to screw it all up.

Hello - Barack?  Yes, is this President Obama?  Hey, you the man!  Listen, Barack you may not remember me but its General Saster - yeah, General Saster, David Saster… uh huh, General D. Saster, that's right, and I'm working at the Pentagon.  Anyway, listen, my wife's gonna kill me but I was out all night, smokin', drinkin', had a little lady thing going on the side and, damn, woke up this morning with quite the hangover.  Barack, can you do me a solid?  I wouldn't ask you if it weren't really important but I need the launch codes for our nuclear missiles.  Yeah, I know, you're right but, hey, if there were any other way or anyone else to call you know that I wouldn't be calling you directly. It's just that we've scheduled an exercise today, you know the whole fake launch thing to scare the Iranians - boy, that's gonna be riot - and I can't for the life of me remember the two-part launch code. I think the code was in my pants but I don't know where the hell that wound up after last night. Okay, thanks - I got a paper and pen ready.  The first part is Bow what?  B..O..W … what?  Oh, not bow as in bow and arrow but as in your dog's name? Okay, that BO what? BO1600, as in 1600 Pennsylvania Avenue. Got it. What about the second part of the code? Can you spell that for me?  M..I..C..H..E..L..L..E, okay, and what else. 143?  One for what? Oh, sorry, it's the numbers 1, 4 and 3. Okay, thanks.  Gotta run. Great talking to you.