Way To Go, Bank Of America!
Another ID theft victim, Chris Hooley, experiences the reality of Bank of America's "multiple layers of security."
It started after he lost his wallet -- odd, since the guy doesn't exactly sound like a flake (we spoke on the phone for quite some time Thursday night), and himself finds it improbable that he dropped it.
Hooley reports on his blog that he cancelled his debit card, and figured his bank card would be "useless."
Poor dear. At Bank of America? In my case, all the thieves needed was a fake driver's license in my name with the wrong expiration date. No PIN required. No signature matched. Nope. It seems the bank's "security" amounted to just HOPING it was me.
Well, lookie here...sound familiar? Hooley writes that the cops caught the perp at Best Buy, and called him to let Hooley know the thief had his ID ("two forms of identification with (his) information on it"). Hooley writes:
At the time, I thought they got the sucker before he could do any real damage. But just to be safe, I checked with Bank of America. I was shocked to see my account was overdrawn by almost $300. Last I checked, I had almost 40k in there. A quick review turned up 5 suspicious transactions. Two were deposits, and three were withdrawals. All five transactions occurred *inside* five different Bank of America banking centers. What amazed me most is the final two transactions. A withdrawal of 26k. And later that day, another withdrawal of 12.5k. Way to spot suspicious activity Bank of America. They handed the guy almost 40k in cash in one day.
Further analysis showed the first two transactions were not just deposits. They were checks written to me, Christopher Hooley. The first one was $6200. The guy kept $5k and left $1200 in my account. The next one was a day later at a different center for $7500. Again, the guy kept $5k. I saw the debit slip online, and this guy's signature wasn't even a remote attempt to copy mine. To make matters worse, it turns out he was forging checks from another valley business, who subsequently called the police on ME!
After seeing his writing, all of a sudden it felt personal. That was MY name, written as sloppily as I had ever seen it.
Apparently, the SEVEN times B of A gave my money to thieves with only a fake driver's license in my name...no PIN required, no reciting the number of gramma's homeroom, no signature match...well, it's starting to seem quite possible that wasn't just a seven-time fluke, huh?
By the way, the transactions on this guy's account, over $10K, should've triggered Patriot Act protections. I wonder if they did, or how to find out whether they did. Anybody who has a little time on their hands might do a little Google lookie-see on that...and P.S. I can use all the help I can get on this B of A thing...anybody who's a B of A customer who wants to do a little (entirely legal!) research for me on this, please contact me via e-mail at adviceamy at a o l dot com.
Meanwhile, Bank of America continues to spend bazillions on advertising to lull me and other customers into believing our money is secure with them. And in my experience, it is -- providing nobody goes up to a teller window with a fake ID in your name and asks for large sums of your money.
Lemme tell you -- I've found out more than I'm revealing here. (Perhaps suspecting that is why they're firing me as a customer as of the end of July -- or perhaps it's just that, after almost 20 years following through on my obligations as a customer, they got a mite upset when I didn't just take my head pat and go away after my account was so easily violated...SEVEN separate times!)
Is it just me, or do they seem real confused as to who the victim is here, and who's guilty of SPECTACULAR negligence, vis a vis the perception of security they try to convey?
In Chris' words -- which is what I've found to be true as well, both in my own experience, and in the experience of three people who've run tests for me on the security there (and, P.S., the as-of-yet-untold story is especially shocking):
The moral of this story is, if you want to steal somebody's identity, you don't need to mess with all that online stuff. Just get somebody's info, make a fake license with your picture on it, and walk right into any Bank of America branch and just ask them to hand you the money in cash. It doesn't matter if you look like a doper, or even if you're on drugs at the time. Doesn't even matter if you know your victim's signature. All you need is their name, address, license number, and SSN and you can clean out any Bank of America account!
For anyone as disgusted about this as I am who wants to drop Bank of America a line, the chairman's e-mail address is:
ken.d.lewis@bankofamerica.com
Isn't it time we tell these companies they can't treat their customers with this level of apparent contempt? As for showing them this, too...again, behind the scenes, there's all sorts of stuff I'm working on that I'm not able to mention here right now.







Amy, those "protections" go way back before the PATRIOT act. They go way back to one of the drug control acts. The whole idea being that anyone transacting that much cash MUST be a drug dealer.
Which means that this guy is going to have the DEA and the IRS flying up his ass in a few weeks too.
Hopefully the police report will suffice to keep him from being charged with forgery and grand larceny for the forged checks.
The DEA and IRS might not be so... understanding.
brian at July 25, 2008 7:09 AM
In other news, it would appear that Best Buy is a better protector of financial information than BoA.
And that's frightening on multiple levels.
brian at July 25, 2008 7:10 AM
I've posted this on digg, if anyone's interested -
http://digg.com/world_news/Bank_of_America_s_multiple_layers_of_security_fail_again.
TheOtherOne at July 25, 2008 7:41 AM
You totally, totally, totally rock.
Please, everybody, help get the word out. I'm working on this on many levels, but I also have a book due (it's a month behind thanks to Bank of America) and McGraw-Hill told my agent it's going to be one of their top releases for Fall 2009.
If you're signed up with Digg, you can Digg my piece by going to the link. If you're not signed up, it's really easy to sign up and click to Digg it...meaning it gets further up the pole in what's being talked about on the web and ultimately gets more attention.
Thanks, everybody, so much.
And brian, the thief is less my concern than BofA, since they let this happen again and again and again -- letting people remove money from customers' accounts with a joke in ID. This must be exposed. And by the way, I'm sitting on a bombshell story about the way they gave out money to somebody I gave an assignment to to test their "verification" procedures. Will reveal it when I can.
Amy Alkon at July 25, 2008 8:32 AM
Be careful with that, you could find yourself on the wrong end of the law by doing that.
Not saying don't do it, just make sure you have your ass covered.
brian at July 25, 2008 9:20 AM
The reason Best Buy checked things out is they would have been responsible, assuming it was a CC transaction, for the amount. BoA doesn't seem to have the same responsibility to replace the stolen money.
Darryl at July 25, 2008 9:41 AM
Thanks, Brian, but I would not do anything illegal or ask anyone to do anything illegal for me. But, I appreciate the concern!
BofA did give me back my money, but by not verifying ID in a reasonable manner, it means the fraud is allowed to happen and all the time suck that follows, too. The burden is on the customer because of BofA's extreme negligence.
Amy Alkon at July 25, 2008 10:05 AM
I was going to comment on the $10K thing being an IRS rule that pre-dates the Patriot Act, but brian beat me to it.
Amy, out of curiosity, how long did it take to get BofA to refund the money stolen from you, and what kind of process did you have to go through to get it?
Cousin Dave at July 25, 2008 10:45 AM
I can't remember the exact number of days...maybe four days? They HAD to refund the money...but what they did is take their time giving me the letter of fraud I needed in order to make a police report. The police won't let you make the report without one. I mean, come on -- the bank manager called from Dixon City to say a black woman with missing teeth got my money. They have it on videotape. Both of these series of thefts -- in the Sacramento area and in Texas -- were done by black women. I am not even...tan. Give me the fraud letter -- because, as anybody with any experience in law enforcement or in reporting on law enforcement knows, the quicker you pursue the perp, the more likely they are to find them.
Also, regarding their tape of the women who they gave my money to, I have to be so much more motivated than their investigators -- if their investigators are at all motivated (remember, they get bazillions of these crimes) -- to find the woman who is putting me in jeopardy perhaps for decades or throughout the rest of my life, in terms of being accused of or jailed for a crime I didn't commit, etc.
Amy Alkon at July 25, 2008 11:24 AM
I also used to be a BofA customer and they gave my money to someone passing as me. The fun part of my case was that the signature not only didn't look like mine, but that it was misspelled. Now, I realize that my name is spelled a bit differently, but I do know how to spell my own name, so that should have tipped someone off.
I didn't give them time to fire me as a customer, as I pretty quickly took my business elsewhere. But I also wasn't facing a book deadline, so that helped!
Kristyle at July 25, 2008 11:41 AM
Wow...a teller did this? Did they require a PIN number? Did the person just have a fake driver's license in your name? Please tell me more (by e-mail if you'd rather -- adviceamy at a o l dot com). I'm actually doing a lot of research now on BofA, and these stories keep popping up and popping up. Please send people my way if they have a story like ours about BofA.
Amy Alkon at July 25, 2008 12:01 PM
Actually got bored and tried a few things with BOA. I tried misspelling my own name twice and getting money out. Guess what, it worked both times. Once I tried Brad which is one of the more common misspellings of my name and they missed it. Then I used my wife's full name which as you can imagine is not even close to pull 2k out of my account. They gave it to me, no ID check both times just my card and my pin.
However the reason this crap persists is partly due to bad individual decisions. I have found 2 missing wallets in the past few years and in both cases they had their pin (or a 6 digit random number) tucked into the wallet. One was stuck next to the card and said pin on it. I did not try either and just returned the purses or wallet.
We had a run in with the DEA after some jack ass (I know who it is and they got nailed) stole my card and used it to buy several hundred bucks worth of Sudafed and some auto parts. The only reason that it wasn't a whole lot worse is that they had just finished taking out a meth lab next door, SWAT and all.
vlad at July 25, 2008 12:30 PM
I tried to click on the link for the Digg post, and for some reason it wouldn't work, so I went to digg.com and did a search on BofA. There are some posts there that may help you in your fight against them. I just read the headlines, not the posts, but maybe there's enough info to help. One of them was BofA suing a victim of identity theft for $23,312.04. I had a run-in with them years ago, but mine was nowhere near as bad as yours. Makes me glad there's no BofA in my small town.
Sandy at July 25, 2008 1:16 PM
Yes, they had a fake license with my name, but the signature on the withdrawal slip was obviously misspelled and the teller didn't notice. No PIN transaction (and in response to vlad, I don't have my PIN written down anywhere, but I have no doubt a lot of clueless people do!).
They "only" got a couple of thousand dollars because I noticed pretty quickly and I got it back in a couple of days because it was so easy to prove it wasn't my signature, but like you, Amy, I was pretty unhappy that it was so easy for someone to just go in and start withdrawing my money. A mason jar in the backyard would have been safer - at least my dog wouldn't let anyone else touch it....
Kristyle at July 25, 2008 1:40 PM
Wow. Yes - exactly my point. BofA goes on and on about their security - you'd never believe it was that easy. I think it's unfair of them to give you a false sense of security - when if you knew the reality, I'd bet you'd get your money out of there in a flash.
P.S. Here's my digg link to click:
http://digg.com/world_news/Bank_of_America_s_multiple_layers_of_security_fail_again
Amy Alkon at July 25, 2008 2:30 PM
Just click that above and it should get you there. And here's another:
http://digg.com/business_finance/Way_to_spot_suspicious_activity_Bank_of_America
Hooley's digg post.
I hope you'll digg both!
Amy Alkon at July 25, 2008 2:31 PM
Amy, thanks so much for the write up on this and the support. You and your commenters are good peeps.
Chris Hooley at July 25, 2008 3:03 PM
You're most welcome. Far as I'm concerned, we're all in this together!
Amy Alkon at July 25, 2008 4:16 PM
Amex recently moved to chip & pin so I got a new pin to remember. For some reason it just would not stick in my head so I wrote it on a post-it-note stuck to the card. But of course I didn't write it plain - I encrypted it. Perhaps the ones Vlad found were encrypted too. No-one would just write it in plain text - would they?
I still don't know why these particular 4-digits would not stick in my brain, but then I found that the finger-dance over the keypad was easy to remember, so that's OK now. My fingers have memorised what my brain couldn't. I could have changed the pin to match my other card but key-sharing is risky. Who has the same password on all their online accounts? No-one here, I bet! (Actually, I wouldn't bet very much on that ...)
Norman at July 26, 2008 1:44 AM
I do. Well, I have different passwords for different classes of sites.
But the only way to get them is to either beat them out of me, or brute-force them. And good luck with the beating.
I shamelessly stole a password algorithm from my friend, who also has trouble keeping passwords straight when places (like his university) have password policies that are downright despotic (change every 30 days, must have numbers and letters, be more than 8 characters, and you can't repeat for 24 months).
Wanna know it? Here it is:
Pick a word that you know and love. Make it a long one.
Turn it around backwards.
Lop off the first and last characters.
Add a few numbers to it.
And, my modification to get around the more stringent C2 requirements (as enforced by Windows 2003 and several unix systems):
Add a random punctuation mark, and uppercase a few letters. (or do the leet-speak on it and swap numbers and punctuation for letters)
Thus: Start with Goddess
Flip it: sseddoG
Chop it: seddo
Number it: 13seddo
Punctuate: 13seddo$
Capitalize: 13sedDo$
There ya have it - a bulletproof 8 character password that will be the last to fall when l0pht attacks your domain.
Oh, and I keep my passwords in an encrypted file (blowfish 128 for the nerds), and I'm looking into full-disk encryption so if someone steals my machine all they get is brick.
brian at July 26, 2008 6:06 AM
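The recipe in the comment above, written out as code, with a count of how many distinct passwords it can produce once the recipe itself is known, next to a uniformly random string of the same length. This is an added example, not part of the comment; the 100,000-word list size, the two-digit prefix and the function names are assumptions.

```python
import math
import string

# 95 printable ASCII characters: letters, digits, punctuation and space.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation + " "


def apply_recipe(word, digits, mark, upper_at):
    """Reverse the word, drop its first and last character, prefix the
    digits, append the punctuation mark, uppercase the given positions."""
    core = word[::-1][1:-1]
    chars = list(digits + core + mark)
    for i in upper_at:
        chars[i] = chars[i].upper()
    return "".join(chars)


def recipe_space(wordlist_size, n_digits, core_len,
                 marks=len(string.punctuation)):
    """Upper bound on distinct outputs when the recipe is known:
    every word x every digit prefix x every mark x every upper/lower
    pattern over the letters that remain."""
    return wordlist_size * 10 ** n_digits * marks * 2 ** core_len


def compare(wordlist_size=100_000, n_digits=2, core_len=5):
    """Guess counts and bit strengths for the recipe and for a uniformly
    random password of the same total length (assumed sizes)."""
    length = n_digits + core_len + 1
    recipe = recipe_space(wordlist_size, n_digits, core_len)
    uniform = len(PRINTABLE) ** length
    return {
        "length": length,
        "recipe_guesses": recipe,
        "recipe_bits": math.log2(recipe),
        "uniform_guesses": uniform,
        "uniform_bits": math.log2(uniform),
    }


if __name__ == "__main__":
    # The worked example from the comment: Goddess -> 13sedDo$
    print(apply_recipe("Goddess", "13", "$", [5]))
    for key, value in compare().items():
        print(f"{key}: {value}")
```

The strength of the result comes from the size of the word list and the added characters, not from the reversal and chopping, which are fixed steps and add no choices.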
Amy, I've been reading about Bank of America's apparently complete lack of security, and I just have to add my own experience to the list. This afternoon I went into the Bank of America in Westwood with only my checkbook (that is 5 years old and displays an address that is literally 6 times outdated) and no debit or credit card, as my wallet was stolen last week. I've reported the stolen wallet to Bank of America. I simply handed the teller my checkbook and asked for $100 cash from the account, as I needed to buy groceries and run other assorted errands. The teller handed it over with not a single question -- I never presented any ID, entered in a PIN, or even told him my name. Luckily for me, the person withdrawing money from my account WAS me, but it could have just as easily been any random person who found my checkbook, or (even scarier) the thief who stole my other bank information AND HAS ALREADY BEEN REPORTED!! Completely ridiculous.
deborah at July 26, 2008 5:16 PM
Deborah-
Bank of America's policy for transactions $100 or less (at least in my market) is to not check ID. It is too time consuming and most thieves are not going to risk breaking the law for $100. Plus, as most of you have mentioned here, the bank will refund any money fraudulently withdrawn from your account in a matter of days. They assume total liability on this as a courtesy to the customer in the interest of speedy transactions and shorter lines in the banking center. There is also technology in place to monitor how many withdrawals are made per day, and alerts will pop up after what may appear to be excessive activity, whether by debit card, checks or in-person withdrawals.
Now, the 40k that was stolen is another matter entirely. The tellers will most likely be fired for failing to follow procedure by checking what is called ImageView to match the signature of the client to their signature card on file or previously written checks.
Joe at July 26, 2008 11:04 PM
Joe - read the original thread. Either BoA doesn't have the alerts you talk about, or they chose to ignore them in Amy's case.
Recap: 7 cash withdrawals from an account where such transactions don't occur, in amounts that don't occur, in places that Amy has no transactional history.
I use my American Express four states away, and they have me on the phone WHEN THE TRANSACTION HAPPENS!
Which is why, for all the badmouthing people do about Amex (mostly about them not working with the credit negotiators, or some such) I continue to keep my only general-purpose credit cards with them.
brian at July 27, 2008 9:33 AM
Thanks, Brian.
These transactions were: $1,500, $2,500...all in that neighborhood.
I don't go anywhere. I write seven days a week in Los Angeles. About four times a year, I go to conferences -- one in San Francisco in January, two in the spring in various places, and one in September. Before I go, I get $200 out of the ATM here -- either at my branch or at the bank en route to the airport (I feel safer when Gregg is driving me). The rest of the time, I get $200 out every three weeks or so, and almost always at my branch when I put in my syndication checks. Pattern, for years; Put in syndication checks, take out $200, pretty much the same ATM or maybe one a few miles away near the 3rd Street Promenade.
(*I do go to Paris a couple of times a year, but I call the bank and my credit card company before I do, and I put mostly everything on credit cards and take the same few hundred or so in euros out of pretty much the same few Bank Paribas ATMs.)
I do not go to teller windows. I don't have time, and I don't need to, as I don't need large sums of cash ever. I pay EVERYTHING humanly possible on my Visa card and transfer over money from my bank account to pay that in full every month. I pay my phone bill, cell phone bill, almost everything but the gas and electric and my car insurance on that credit card.
Yet, suddenly, a person claiming to be me is in...Garland, Texas? Auburn, California? I don't even know where these places are. And they withdraw large sums of money from teller windows? BofA sees how I pay for things -- my credit card bill every month is paid through them, and it's a large sum of money. They see that I have very few transactions otherwise: only rent, my assistant's check, an occasional check to my French teacher and maybe the woman who massages me about once every six months.
And then, of course, they didn't ask for a PIN or verify it was my signature, etc.
If your bank advertises itself as secure, or even if they don't advertise at all, don't you expect them to protect your money with a wee bit more effort than was shown here...seven times?! I mean, time one, time two, we can put that off to a dumb or negligent teller. But these are various branches all over the place. That suggests that negligence by the tellers is business as usual. I find this criminal.
I'm a libertarian. Tell me that this is your level of checking and I will whisk my money out fast. Advertise and promote your bank as secure -- well, that's false advertising first of all, and it goes beyond that. It's just reprehensible behavior.
Just wait till Monday. I will post a bombshell.
Amy Alkon at July 27, 2008 9:50 AM
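The three signals in brian's recap above (a channel the account never uses, amounts it never sees, places with no history) can be checked against an account's own past activity. This is an added example, not the bank's actual monitoring logic; the record layout, thresholds and sample data are assumptions, with the sample data constructed from details given in the thread.

```python
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Withdrawal:
    day: str      # ISO date (constructed)
    channel: str  # "atm" or "teller"
    city: str
    amount: int   # cash withdrawn, in dollars


# Constructed history: $200 from the same ATM every three weeks or so.
HISTORY = [
    Withdrawal("2008-03-03", "atm", "Los Angeles", 200),
    Withdrawal("2008-03-24", "atm", "Los Angeles", 200),
    Withdrawal("2008-04-14", "atm", "Los Angeles", 200),
    Withdrawal("2008-05-05", "atm", "Los Angeles", 200),
    Withdrawal("2008-05-27", "atm", "Los Angeles", 200),
]

# Constructed incoming activity. The cities and amounts appear in the
# thread; the dates and the pairing of amount to city are invented.
INCOMING = [
    Withdrawal("2008-06-10", "teller", "Garland", 1500),
    Withdrawal("2008-06-11", "teller", "Auburn", 2500),
    Withdrawal("2008-06-16", "atm", "Santa Monica", 200),
]


def build_baseline(history):
    """Summarise what is normal for this account."""
    return {
        "channels": {w.channel for w in history},
        "cities": {w.city for w in history},
        "typical": median(w.amount for w in history),
    }


def reasons_for(w, base, amount_factor=3):
    """List every way a withdrawal departs from the baseline."""
    reasons = []
    if w.channel not in base["channels"]:
        reasons.append("channel never used")
    if w.city not in base["cities"]:
        reasons.append("city never seen")
    if w.amount > amount_factor * base["typical"]:
        reasons.append("amount above usual")
    return reasons


def held_for_review(history, incoming, min_reasons=2):
    """Hold withdrawals that trip at least min_reasons signals, so one
    unfamiliar ATM on its own does not block a routine $200."""
    base = build_baseline(history)
    held = []
    for w in incoming:
        reasons = reasons_for(w, base)
        if len(reasons) >= min_reasons:
            held.append((w, reasons))
    return held


if __name__ == "__main__":
    for w, reasons in held_for_review(HISTORY, INCOMING):
        print(w.day, w.city, w.amount, "->", ", ".join(reasons))
```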
I'd love to see a good class action attorney represent harmed bank account holders and go after the bank - and to see the regulators take their eyes off of the mortgage mess for a few and kick BoA's butt too.
MJ at July 29, 2008 1:38 PM
You need to get over this. You sound obsessed. You tell others to get over it and get a life and yet you're obsessively posting about your injustice. Hypocritical?
ruth at July 31, 2008 3:17 PM
Ruth, I got my money back within a week. I'm not posting about this for my benefit, but for others'. I think other BofA customers should know the extent of Bank of America's "security."
Furthermore, if you think the answer to having two women out there running around with a fake ID in your name, putting you at risk for arrest and all sorts of financial damage, is something to just let roll off you, well, I feel sorry for you and hope you have a freeze on your credit bureau accounts and capable adults taking care of your business affairs.
Amy Alkon at July 31, 2008 4:16 PM
Amy,
You're doing the right thing by caring so much about the situation to blog endlessly about it. People need to be informed, and the more you talk about it the more it gets around, the more you're heard. Quite frankly you're entitled to speak on the subject until Bank of America no longer exists because of how unprofessional they have handled you as a customer. They have caused a great deal of emotional distress and people don't realize how hard it is to have only institutions to depend on in guarding your most personal information, being guaranteed that by the institution, having that trust be breached sloppily by them, then have to go through hell to give you any kind of assistance in making up for what they did.
If everyone was like the people above advising all to "get over it" then nobody will know who to trust, we will be scared to speak freely and passionately, and we will all be misinformed because of this fear. I think you're doing the right thing and people like that would make an interesting psychological study: why people put blame on the victim. To relate this into a more extreme example, this reaction reminds me of all those lectures on Group Think in sociology and how over 100 people can witness a rape and not one person notify the police or make any attempt in finding justice into a situation - then turn around and blame the victim and not the rapist. And to add to the relation, studying reactions after the event, the same people advise the victim to "get over it". It's an extreme example, I know - but it's the same mentality just on a significantly lower scale. Anyways I'm rambling on, I know as you can tell I feel strongly for the subject of never numbing yourself.
They probably all work at bank of America.
Don’t let people suppress your last tool of defense: your words.
Sera at August 14, 2008 9:34 PM