ElectricRCAircraftGuy / bug_reports

Consumer bug reports you and I can report for any product or service we use. Add additional details & screenshots to an Issue here and link to it when submitting help requests through their website.
MIT License

USAA bank: fraud representatives will ask you for a code that says "USAA will never contact you for this code, don't share it" #19

Open ElectricRCAircraftGuy opened 1 year ago

ElectricRCAircraftGuy commented 1 year ago

This happened to me today and yesterday, on two separate calls, with two separate USAA representatives:

I had a $175 fraudulent transaction on my USAA bank account a few days ago. I called USAA's official number (once yesterday and once today) saved in my phone. The automated system asked for security verification. When it asked me to verify the last 4 digits of my phone number to send me a 1-time two-factor-authentication passcode, the automated voice said something like, "I'm sorry, we cannot verify your account at this time." It then routed me straight to the fraud department. A human answered and said they'd need to verify me. They said they sent me a passcode to my phone, and then they asked me to give it to them. The problem is, the text message said this (emphasis added, security code changed):

USAA FRAUD PREVENTION ALERT: USAA will never contact you for this code, don't share it: 999999. Call 800-531-8722 if you gave it to anyone. Reply HELP for help.

So, you see the major security concern, right? A human I am talking to is claiming to be with the USAA fraud department, because there is fraud on my account, and they're asking me to give them a code that literally says right on it to never give it to them! It seems to me that there should be a slightly different message when the fraud department triggers the code and expects you to give it to them.

The only consolation I had was that I called them, and I knew I used the saved number from my phone that I've been using for years, so I reluctantly gave them the code and that was that. They helped secure my account and fix the fraudulent transaction.

But, the biggest problem here is that the USAA anti-fraud department itself is conditioning callers like me to violate the warning and give away the code anyway (despite it saying to never give it away), and in particular when we already suspect fraud. This sounds like a recipe for disaster to help condition us to accidentally help more fraudsters commit fraud on us, because the more we give away a code that says never to do so, the more we feel like we should ignore those warnings when the situation is really dire, stressful, or serious. Boom. We are conditioned to give it away, just like that.

Furthermore, there was an option sometimes to wait on hold and get a call-back. This would be even more risky: imagine getting a call-back from a stranger who claims to be USAA, and then triggers this and asks you to give them the code. That's exactly what fraudsters do too.

ElectricRCAircraftGuy commented 1 year ago

Note: SoFi bank had this issue before, but may have resolved it. See here: https://github.com/ElectricRCAircraftGuy/bug_reports/issues/15#issuecomment-1666192290

ElectricRCAircraftGuy commented 1 year ago

It just happened with USAA again, a couple minutes ago. I called to talk about my rental property insurance, and they sent me the same text message as above, and then requested I give them the number, when the text message says right on it not to share it with anyone. Here it is again (emphasis added, security code changed):

USAA FRAUD PREVENTION ALERT: USAA will never contact you for this code, don't share it: 999999. Call 800-531-8722 if you gave it to anyone. Reply HELP for help.

This bothers me.