Hackers Are Breaking Into and Emptying Cash App Accounts

An anonymous reader quotes a report from Motherboard: Hackers are breaking into unsuspecting victims' Cash App accounts, a massively popular payment app, and stealing hundreds of dollars, according to victims Motherboard spoke to. In one person's case, they said, Cash App has not reimbursed them for the stolen funds. "It's scary!" Liz Shelby, who said their son was a victim of the hacking, told Motherboard in an online chat. "My son saved up some cash for a small vacation with his grandma. We put it in his Cash App before he left. He called me on Aug. 9, and told me that his money was gone." Shelby said that after she looked at the account she found that someone else had logged into it and sent themselves the money. Shelby said she's been emailing Cash App support, without success. Marvis Herring, another target, told Motherboard that hackers attempted to steal $1,400, in the form of two installments of $700. In those cases, Herring believes his bank blocked the fraudulent transactions.

Motherboard saw many other people reporting on social media that their Cash App accounts had been compromised in some way. "The main thing I thought was weird is that I went to change my account password and there really isn't a password for Cash App accounts," Herring added. When users sign up to Cash App, they can use either an email address or a phone number to open an account. After doing so, they receive a login code sent to either of those. On fraud websites, dark web marketplaces, and social media, multiple people appear to be selling login details associated with Cash App accounts. Some of these peoples' listings specify that the logs contain the email address and password for a linked email account. Some of the listings may be scams, but those on the dark web marketplaces come from fraudsters who have received positive feedback from alleged customers, according to the review system that is common on such sites. One listing for hacked Cash App accounts said the vendor has sold that specific item multiple times.

Fraudsters also appear to be offering Cash App accounts for another purpose: laundering money. Motherboard found multiple listings on a dark web marketplace offering these newly created and verified accounts. Cash App requires users to verify their identity to use some features, and this can require them providing their Social Security Number with the platform. These already verified accounts will allow fraudsters to buy Bitcoin through the Cash App without having to verify their identity, the listing suggests. [...] On its website, Cash App encourages users to make sure their linked email address has two-factor authentication enabled. The app also has an extra feature called Security Lock which means that each transfer requires the user to enter a PIN. "Preventing fraud is critically important to Cash App. We continue to invest in and bolster fraud-fighting resources by both increasing staffing and adopting new technology. We are constantly improving systems and controls to help prevent, detect, and report bad activity on the platform," a Cash App spokesperson told Motherboard in a statement. "For those who believe they have fallen victim to an identity-theft or account take-over scams, we encourage them to reach out to Cash App Support where we will review the account in question. If deemed fraudulent, we will take the necessary action starting with account closure and disablement of all applicable products."

Banks

[stabiesoft]

Who knew such an archaic industry was hard? I've had precisely zero losses from banks in decades. The one time recently a check was stolen from the mail, altered and cashed, the bank made me whole the next day.

Re:

[Anonymous Coward]

The bigger risk comes doing this stuff on your phone. I won't use a bank app either, it's all too frail

Re:

[Opportunist]

They're not, if done right. But US banks are notoriously insecure. They use outdated security methods that have well known and long exploited flaws, and given their size, they are also prime targets.

Say, do they still use those "secure tan lists" or did they at least switch to text message tans by now? How long 'til they finally find out that two factor tokens and electronic OTPs exist?

Re:

[Zeratul2k]

Do US banks still believe SSNs are mystical numbers that nobody else but the owner has access to?

Re:

[Ed Tice]

Just because you've had zero losses from banks doesn't mean they haven't occurred. In general, the protections for bank accounts are fairly good but they do have certain requirements like reporting in a timely manner. Often victims are the elderly using paper statements who may get defrauded during a long hospital stay or the like. But yes regular banking is much lower risk. Apps like Square Cash don't make you whole in the same way a real bank transaction would.

Re:

[stabiesoft]

Timely is longer than I expected though. I thought I was screwed because I had not been checking online and noticed it on the paper statement. On a saturday no less. The check had been processed a couple weeks before the statement came in the mail. I was very pleasantly surprised how quickly they restored the funds. Let's just say i am feeling much better about the near zero interest the bank pays on my checking account. I am getting something from the bank more valuable than a few dollars of interest. Mone

Re:

[Ed Tice]

Which I'm pretty sure was the original purpose of banks!

Re:Banks

[whoever57]

Banking in the US is retarded.

In the UK, I don't need 3rd party apps to send or receive money. I can directly send money using my normal bank website (and I assume the bank's own app). If I add a new recipient, it requires 2FA based on having my credit or debit card and the PIN for the card.

I can initiate international wire transfers just like local transfers though the bank's website, although this may not always be possible because some US banks have arcane and overly complex procedures for receiving wire transfers.

It's crazy that, if you use the bank's correct routing number and the
recipient's correct account number, them money may actually get there, but then be refused by the destination bank, because you didn't send it via some intermediary: yes I am speaking from experience, I know the numbers were correct because the destination bank received and accepted my first small test transfer, then refused the larger transfer.

Re:

[93 Escort Wagon]

In the UK, I don't need 3rd party apps to send or receive money. I can directly send money using my normal bank website (and I assume the bank's own app).

You can do that in the US too. Nowadays most US banks offer Zelle; but this was possible long before that existed - Zelle just standardized and streamlined the process.

People choose to use apps like this Cash App for the same reason they use PayPal - perceived convenience. It doesn't really offer anything that isn't available via other means.

Re:

[whoever57]

Did you not understand the part where Zelle is a third party app?

You can't use Zelle to send money to someone's bank account. You can only send money to another Zelle user.

Re:

[Anonymous Coward]

Did you not understand the part where Zelle is a third party app?

You can't use Zelle to send money to someone's bank account. You can only send money to another Zelle user.

There are third party apps where I can send money directly to a bank account even on the other side of the planet. Wise [wise.com], for example. Great for international transfers. Relatively inexpensive and the money arrives in seconds.

Re:Banks

[unimind]

Zelle isn't an app, it's a network that banks participate in. The customer signs up through the bank, but no additional login/registration is required directly with Zelle. And there's no additional app or webportal to use. It's all integrated with the bank's app/webportal. It's likely much more regulated and secure than something like "Cash App".

Re:

[OverlordQ]

It's likely much more regulated and secure

Bless your heart

Re:

[Ecuador]

The GP post's main point was:

You can't use Zelle to send money to someone's bank account. You can only send money to another Zelle user.

which is true.
I was at a tech conference in Houston in June and I had read up on current US payment methods (haven't lived in the US for 15+ years) and set up my Zelle account, but then at lunch nobody else from the 15 people around me had an account. Did not bring it up again during the trip, no idea how popular it is.

Re:

[igreaterthanu]

Zelle has ridiculously low limits. And if you try to send even a modest amount (like $1000) it will often delay the transfer for 3 business days.

Re:

[stabiesoft]

International I thought always went thru swift. I've had incoming swift payments with no issues and regularly transfer into/out of with just route number/account number for US only transactions. You may need to use the bank's swift ID, which is not the same as the US local routing number. And swift as I'm sure you know is not a cheap transfer.

Re:

[gweihir]

And swift as I'm sure you know is not a cheap transfer.

Depends. For US and other backwards banking countries, yes.

Re:

[hoofie]

Same in Australia. I can pay bills direct or transfer money to another account instantly most of the time or else it takes a day or two. I can send money to my mothers bank account in the UK with a couple of clicks and it takes 3 days max. All I pay is a small fee since it's a Swift transfer

All my cards are chip and pin and 2FA activates for all bank transfers above a limit I set and bill payments.

I very, very, very rarely carry any cash now and don't even carry change in my pocket as you just don't need i

Re:

[dryeo]

One of our ISP's which also is a mobile company, here in Canada went down for a day. What a mess, half of the cell phones in the country no longer working as well as most money machines, card readers etc. Lot of people learned the problem with having no cash on hand that day.

Re:

[Richard_at_work]

Yes, high street banking in the UK is better than the US.

But high street banking in the UK is also going away as more and more banks realise theres little to no money in it, but considerable risk.

High street banks are, since 2011, heavily restricted on what they can do with your deposit (deposits are now ringfenced and cannot be used for investment purposes), but over the past decade have been made to take more and more liability with regard to fraud suffered by their customers. First it was obvious things

Re:

[NewID_of_Ami.One]

Second that. Its so bad they don't even understand what's being done in advanced systems ! Like the post above about zella or paypal
Some can't even understand that there can be a govt regulator running an open API for registered /legal banks and all sorts of small finance cos or fintech startups and anyone just sends X amount to an ID thats like email (name@bank ), the regulatory (for lack of a better word - its called NPCI in India and small % of equity is held by each bank amd some % by Govt) sends a ping

Re:

[VeryFluffyBunny]

My bank's here in the EU. I can transfer any amount of € to any bank in any country in the EU & it's instant & usually free. It's also impossible to make purchases online without their secure verification app & security certificate, backed up with SMS OTPs & SMS notifications of withdrawals. EU banks are now required to make their services secure & to report breaches to the govt.

The problem now is that some banks haven't adapted well to the new security requirements. My previous ba

Re:

[VeryFluffyBunny]

P.S. The only time I've ever used a 3rd party app for transactions was for exchanging currency overseas & I'd never leave any money with one of those services. I want to keep my money where it's insured & regulated, they can be held legally accountable (under banking & consumer protection laws), & they have at least some form of established, functioning customer service.

Re:

[gweihir]

Banking in the US is retarded.

Yeah, pretty much. I hear they still use things called "cheques"? When somebody from the US sent me one about 15 years back, my bank needed to find their expert to find out what to do with it.

Re:

[hoofie]

I haven't seen a cheque in a few years and haven't written a cheque in 16 years. They are very, very rare in Australia now - pretty well every non-cash payment is via debit/credit card or instant bank transfer.

Re:

[stabiesoft]

Ironically my check was to the police dept for payment of my alarm permit. The only payment method they accept was check. Rare, but I have to use checks occasionally.

Re:

[sdinfoserv]

Lots of posted responses are confusing or wrong about several points. There is difference between "hacking" and "Fraud" in banks. When someone cons you to pull money out of an account, you made the withdrawal, it 's your fault – even when it happens to old people. There may be some remedies, but that’s not the banks position to cover. If someone breaks in and steals from a bank- like hacking - that’s not your loss, it’s insured up to $250K per account.
Being FDIC insured is the p

Re:

[gweihir]

I have actually seen how fraud detection works in a bank. They are very careful to separate fraud by customer, misadventure and fraud by somebody else. And they have a _lot_ of experience with this because that is what you need. Generally, stealing from banks is exceptionally hard.

Now people get "some app", put their money in it and wonder when it is gone.

Re:

[Opportunist]

Right? I bet the next thing they want to tell us Western Union is used to launder money.

"Massively Popular" Cash App

[93 Escort Wagon]

I guess I'm old, because I don't recall ever hearing about this massively popular app.

Re:

[93 Escort Wagon]

Looks like it's a rebrand of "Square Cash", which I have heard of.

Re:

[Aighearach]

Hilariously, they even chose a completely generic name, presumably to make sure that nobody remembers them... hmm...

Us should update its banking systems..

[bumblebees]

Us needs to update its banking system to the level of the rest of the world and make these third party apps redundant. But im sure thats to late now when they make so much money and can hire a lobbyist army to "protect the children"

Can't break into my wallet

[Rick Schumann]

Go back to carrying cash in your wallet and problems like this cease to exist.