Patelco Credit Union Ransonware Attack

Non-investing personal finance issues including insurance, credit, real estate, taxes, employment and legal issues such as trusts and wills.
Topic Author
mrsbetsy
Posts: 508
Joined: Mon Jun 26, 2017 12:16 am

Patelco Credit Union Ransonware Attack

Post by mrsbetsy »

We have, unfortunately, been part of the Patelco Credit Union ransomware attack. We have our every day accounts there (about 40K) and the rest at Schwab (not too much liquid there though).

We have been locked out of our accounts since June 29th and the communication from Patelco has been "cut and paste" style with no real answers. It's been terrible for us. We did everything in bill pay on June 28th and to date nothing has been paid: Chase credit card bills, PGE. utilities, etc.

Do you think smaller credit unions like this have a higher likelihood of this sort of attack? Do you think larger banks have a better security system/team to handle attacks such as this?

We are ready to cut and run, but they can't even tell us our balances. It's a major headache with all the direct deposits that go in there to change banking systems and I am loathe to do it, but this is absolutely ridiculous.

Where is the safest place to bank?
User avatar
cosmos
Posts: 401
Joined: Thu Oct 16, 2008 4:11 pm
Location: Third rock from the Sun

Re: Patelco Credit Union Ransonware Attack

Post by cosmos »

I bank with Schwab now for at least 15 years. No complaints and no hacks/outages of any note.
It's 106 miles to Chicago, we've got a full tank of gas, half a pack of cigarettes, it's dark... and we're wearing sunglasses. Hit it.
User avatar
mrspock
Posts: 2177
Joined: Tue Feb 13, 2018 1:49 am
Location: Vulcan

Re: Patelco Credit Union Ransonware Attack

Post by mrspock »

Sorry to hear you've been caught up in all this, I've been following it from a far. This said, I've never understood why anyone would bother with credit unions like this for anything other than a mortgage in this day and age. Go with Schwab... hands down. No brainer. They are probably the best "all around" bank in the country, and that's saying a lot since that isn't even their core business.

They aren't perfect (see their "voice is my password" fiasco), but I just can't see this happening over there. They can afford to hire and pay for far better IT/eng folks vs. some shop like Patelco, and their brokerage business has such high stakes ($7.38 trillion dollars under management), they need to have a much better game.
sc9182
Posts: 2301
Joined: Wed Aug 17, 2016 7:43 pm

Re: Patelco Credit Union Ransonware Attack

Post by sc9182 »

Technically, one Swiss bank may be still safe to bank (not anonymous 69 US depts any longer!). However, they won’t give ATM card for UHNW accounts. But, for commoners and mere mortals - any couple of credit unions and banks would do the job - esp., if you have balances within respective limits.

Nuisance - has since become a fact of life - and we may all learn to deal with it. Hard to have a perfect plan for/against back-drop of state/non-state hackers (or Ransomware actors). Spread your accounts a little, and also spread your access.

Wish you (Patelco) well !
User avatar
anagram
Posts: 2369
Joined: Fri Aug 04, 2023 1:03 am

Re: Patelco Credit Union Ransonware Attack

Post by anagram »

Patelco is not a small credit union.

https://www.advratings.com/credit-unions

I used the have an account there but was not impressed with them. Until recently I did all my banking at Ally and have moved to Schwab Bank for the small amount of banking that I now do. I am mostly using Vanguard CP.
User avatar
anagram
Posts: 2369
Joined: Fri Aug 04, 2023 1:03 am

Re: Patelco Credit Union Ransonware Attack

Post by anagram »

mrspock wrote: Tue Jul 09, 2024 11:42 pm Sorry to hear you've been caught up in all this, I've been following it from a far. This said, I've never understood why anyone would bother with credit unions like this for anything other than a mortgage in this day and age. Go with Schwab... hands down. No brainer. They are probably the best "all around" bank in the country, and that's saying a lot since that isn't even their core business.

They aren't perfect (see their "voice is my password" fiasco), but I just can't see this happening over there. They can afford to hire and pay for far better IT/eng folks vs. some shop like Patelco, and their brokerage business has such high stakes ($7.38 trillion dollars under management), they need to have a much better game.
What was the fiasco? AI impersonation?
boogiehead
Posts: 564
Joined: Wed Sep 27, 2017 11:45 pm

Re: Patelco Credit Union Ransonware Attack

Post by boogiehead »

mrsbetsy wrote: Tue Jul 09, 2024 11:33 pm
Do you think smaller credit unions like this have a higher likelihood of this sort of attack? Do you think larger banks have a better security system/team to handle attacks such as this?

We are ready to cut and run, but they can't even tell us our balances. It's a major headache with all the direct deposits that go in there to change banking systems and I am loathe to do it, but this is absolutely ridiculous.

Where is the safest place to bank?
Smaller credit unions/banks definitely have a higher risk, they just don't have the budget to hire a full IT team (worked with a small regional bank where they only had 1 FT IT personnel) and most of their systems are legacy systems that don't have any IT security functionalities in mind when the systems were created back in the days.

I would definitely switch to JPM or BoA for a checking account/bill pay and supplement it with a brokerage account that has banking functionalities like Fidelity or Schwab as backup.
User avatar
mrspock
Posts: 2177
Joined: Tue Feb 13, 2018 1:49 am
Location: Vulcan

Re: Patelco Credit Union Ransonware Attack

Post by mrspock »

anagram wrote: Wed Jul 10, 2024 12:21 am
mrspock wrote: Tue Jul 09, 2024 11:42 pm Sorry to hear you've been caught up in all this, I've been following it from a far. This said, I've never understood why anyone would bother with credit unions like this for anything other than a mortgage in this day and age. Go with Schwab... hands down. No brainer. They are probably the best "all around" bank in the country, and that's saying a lot since that isn't even their core business.

They aren't perfect (see their "voice is my password" fiasco), but I just can't see this happening over there. They can afford to hire and pay for far better IT/eng folks vs. some shop like Patelco, and their brokerage business has such high stakes ($7.38 trillion dollars under management), they need to have a much better game.
What was the fiasco? AI impersonation?
You could use publicly accessible information to get past their security checks to set yourself a "voice password", and then call back in to use the password to initiate wire transfers, or whatever other nefarious things you want to do. They have since hardened their security procedures, but I'd highly suggest to setup a password so nobody can do it for you.
Lastrun
Posts: 1778
Joined: Wed May 03, 2017 6:46 pm

Re: Patelco Credit Union Ransonware Attack

Post by Lastrun »

boogiehead wrote: Wed Jul 10, 2024 12:42 am
mrsbetsy wrote: Tue Jul 09, 2024 11:33 pm
Do you think smaller credit unions like this have a higher likelihood of this sort of attack? Do you think larger banks have a better security system/team to handle attacks such as this?

We are ready to cut and run, but they can't even tell us our balances. It's a major headache with all the direct deposits that go in there to change banking systems and I am loathe to do it, but this is absolutely ridiculous.

Where is the safest place to bank?
Smaller credit unions/banks definitely have a higher risk, they just don't have the budget to hire a full IT team (worked with a small regional bank where they only had 1 FT IT personnel) and most of their systems are legacy systems that don't have any IT security functionalities in mind when the systems were created back in the days.

I would definitely switch to JPM or BoA for a checking account/bill pay and supplement it with a brokerage account that has banking functionalities like Fidelity or Schwab as backup.
I agree. About 5 or so years ago I had a client that was CTO at a regional credit union. I asked him how they "kept up" and he said it was very hard. When he first came on to the CU he said they found that a nation state actor had somehow accessed their system but likely discovered that they as a target were not what they thought and he thinks that is why they left them alone. Think something like (and this is not it) Fidelity Federal Credit Union of GA, v. Fidelity.

I don't bank at a credit union, but do at some local-yocal banks for business and fiduciary accounts, and I get the impression, and this is just anecdotal obviously, that their IT is not up to speed. Everything from the webpage to 2fa, etc.
lazyday
Posts: 3870
Joined: Wed Mar 14, 2007 10:27 pm

Re: Patelco Credit Union Ransonware Attack

Post by lazyday »

mrsbetsy wrote: Tue Jul 09, 2024 11:33 pmDo you think larger banks have a better security system/team to handle attacks such as this? ....

Where is the safest place to bank?
Megabanks probably have much larger IT budgets. And more experience with hacking attempts, since they’re big targets. They may also get more attention from regulators, who might notice potential problems early.

Large banks: https://en.wikipedia.org/wiki/List_of_l ... ted_States

Many of the largest such as #1 Chase tend to have very low interest rates, and you might need to be careful to avoid fees.

#11 Capital One, #16 American Express, #26 Ally, #33 Discover, and probably some others might have good enough interest rates and customer service.

Might be worth a quick google for bad behavior such as security negligence or defrauding customers. Wells Fargo is the obvious example, but there’s others such as #22 Fifth Third: https://www.consumerfinance.gov/about-u ... -accounts/

Schwab, Fidelity, or Vanguard might be reasonable choices but I feel more comfortable keeping bank and brokerage separate, and I’d like the possibility of using any of those three as a broker someday.
Topic Author
mrsbetsy
Posts: 508
Joined: Mon Jun 26, 2017 12:16 am

Re: Patelco Credit Union Ransonware Attack

Post by mrsbetsy »

Thanks for the feedback. We live in a small remote town and sometimes need to make an actual paper check deposit. I've always been leery of putting a mobile app on my phone, but we're going to think about transferring everything to Schwab. That seems like the easiest choice for moving money around anyway.

An important lesson learned. So many different things to consider these days. Patelco says everything will be worked out in the end and they will cover late fees, etc. But we are diligent with our finances and the CEO response to this has been too cavalier for me.
Dufus
Posts: 202
Joined: Mon Sep 25, 2023 8:35 pm

Re: Patelco Credit Union Ransonware Attack

Post by Dufus »

I use a couple of regional credit unions and they use 2fa. If you have any kind of problem at Wells Fargo, good luck getting it resolved. I filed over 20 executive escalations for my parents and never got anywhere. One of their branch managers that was trying to help got so mad himself that he was threatening to quit (and may have). I had to give up for my health.
Lastrun
Posts: 1778
Joined: Wed May 03, 2017 6:46 pm

Re: Patelco Credit Union Ransonware Attack

Post by Lastrun »

mrsbetsy wrote: Wed Jul 10, 2024 8:35 am Thanks for the feedback. We live in a small remote town and sometimes need to make an actual paper check deposit. I've always been leery of putting a mobile app on my phone, but we're going to think about transferring everything to Schwab. That seems like the easiest choice for moving money around anyway.

An important lesson learned. So many different things to consider these days. Patelco says everything will be worked out in the end and they will cover late fees, etc. But we are diligent with our finances and the CEO response to this has been too cavalier for me.
One thing to consider on the paper check and phone app. I have only one financial phone app on my phone and it is to my big bank burner account. I don’t keep a lot in this account so don’t care about loss of interest and I use this account for the phone app for paper check deposits, Zelle, Venmo, paper checks sent in the mail, things that I consider risky. The you can use Schwab or whoever for your serious banking. I can think of an infinitely worse number of things that could happen in my life than this burner account getting hacked.

As a side note and off-topic, I consider all paper checks risky these days. Why? Say I give a paper check to my nephew for graduation in a personal envelope. Later at home he opens the envelope and says “thanks boomer” as he laughs at the check, takes a picture on his phone app, and then what happens to the check is anyone’s guess. Point is, in the old days the order or bearer would hand the check over to a responsible party typically. Today, who knows where the app deposited check ends up, which contains my account and routing number, address, and signature. I digress.
Topic Author
mrsbetsy
Posts: 508
Joined: Mon Jun 26, 2017 12:16 am

Re: Patelco Credit Union Ransonware Attack

Post by mrsbetsy »

Lastrun wrote: Wed Jul 10, 2024 8:50 am
mrsbetsy wrote: Wed Jul 10, 2024 8:35 am Thanks for the feedback. We live in a small remote town and sometimes need to make an actual paper check deposit. I've always been leery of putting a mobile app on my phone, but we're going to think about transferring everything to Schwab. That seems like the easiest choice for moving money around anyway.

An important lesson learned. So many different things to consider these days. Patelco says everything will be worked out in the end and they will cover late fees, etc. But we are diligent with our finances and the CEO response to this has been too cavalier for me.
One thing to consider on the paper check and phone app. I have only one financial phone app on my phone and it is to my big bank burner account. I don’t keep a lot in this account so don’t care about loss of interest and I use this account for the phone app for paper check deposits, Zelle, Venmo, paper checks sent in the mail, things that I consider risky. The you can use Schwab or whoever for your serious banking. I can think of an infinitely worse number of things that could happen in my life than this burner account getting hacked.

As a side note and off-topic, I consider all paper checks risky these days. Why? Say I give a paper check to my nephew for graduation in a personal envelope. Later at home he opens the envelope and says “thanks boomer” as he laughs at the check, takes a picture on his phone app, and then what happens to the check is anyone’s guess. Point is, in the old days the order or bearer would hand the check over to a responsible party typically. Today, who knows where the app deposited check ends up, which contains my account and routing number, address, and signature. I digress.
Fair point. I could open a small account in a local yocal office. I live in a very remote 55+ community and you'd likely not be surprised with how money is handled here. Friend, "I'll sign up and pay for the wine tasting for all of us and then just pay me back." Then friend, and sometimes me, ends up with 6 checks for $15. Round and round we go every single time. I do use Venmo regularly, but can't seem to convince some people to go that route.

Still learning important lessons every day.
adam1712
Posts: 571
Joined: Fri Jun 01, 2007 5:21 pm

Re: Patelco Credit Union Ransonware Attack

Post by adam1712 »

I think it's worth considering bank diversification these days. I could get money relatively quickly from my regional bank with a local branch or from my accounts at Schwab or at Vanguard (although Vanguard would be more of a challenge to use for my regular banking needs).

When you say not much is liquid at Schwab, what does that mean? Is it something like CDs? Or is it you don't want to sell stock funds? Or in retirement funds you don't want to withdraw because of taxes?
The stock market has been up lately so I don't think it's too big of a deal to sell stocks in an emergency. Based on being in a 55+ community, I would think you'd be withdrawing from retirement accounts so an additional withdrawal doesn't seem to me like too big of a deal.

This board often has threads about investments all at one place and being worried about a Bernie Madoff like situation. But I think a short-term liquidity issue like this is something to worry about much more.
User avatar
AAA
Posts: 1912
Joined: Sat Jan 12, 2008 7:56 am

Re: Patelco Credit Union Ransonware Attack

Post by AAA »

boogiehead wrote: Wed Jul 10, 2024 12:42 am Smaller credit unions/banks definitely have a higher risk, they just don't have the budget to hire a full IT team (worked with a small regional bank where they only had 1 FT IT personnel) and most of their systems are legacy systems that don't have any IT security functionalities in mind when the systems were created back in the days.
I'm finding that out about my local credit union. For a few years now I've been after it to implement two factor authentication and so far they haven't done it. Their website doesn't appear to have changed in many years. My suspicion is that no one is around any longer who knows what to do. After a current CD matures, I won't be keeping any significant sum there.
stan1
Posts: 14842
Joined: Mon Oct 08, 2007 4:35 pm

Re: Patelco Credit Union Ransonware Attack

Post by stan1 »

adam1712 wrote: Wed Jul 10, 2024 9:25 am I think it's worth considering bank diversification these days.
Agree, with ransomware attacks moving from educational institutions and medical providers to financial institutions there will be an increasing hassle factor. I see no future where this will stop, and unless there are drastic geo-political changes it is going to get much worse. I am going to take action to have 3 months worth of expenses at three different large institutions. Maybe that's overkill. I don't do business with any small financial institutions, but it is just a matter of time until Chase, Vanguard, Fidelity, Schwab, B of A etc. gets hit. Hopefully they have better ability to recover. While I would not close my local credit union account at this time (if I had one) I'd have a backup. Vanguard likely is not good enough as a first backup since they do not have cash management features. I would not rely on Cash Plus at this time as an alternative to a bank.
User avatar
simplesimon
Posts: 4720
Joined: Mon Feb 25, 2008 7:53 pm

Re: Patelco Credit Union Ransonware Attack

Post by simplesimon »

anagram wrote: Wed Jul 10, 2024 12:17 am Patelco is not a small credit union.

https://www.advratings.com/credit-unions

I used the have an account there but was not impressed with them. Until recently I did all my banking at Ally and have moved to Schwab Bank for the small amount of banking that I now do. I am mostly using Vanguard CP.
Agreed that a $9 billion bank is sizable. This is a Patelco issue not a credit union issue.

OP, sorry this happened to you, but I'm not sure that moving your money to a big bank vs another credit union of similar size guarantees more safety.
Topic Author
mrsbetsy
Posts: 508
Joined: Mon Jun 26, 2017 12:16 am

Re: Patelco Credit Union Ransonware Attack

Post by mrsbetsy »

adam1712 wrote: Wed Jul 10, 2024 9:25 am I think it's worth considering bank diversification these days. I could get money relatively quickly from my regional bank with a local branch or from my accounts at Schwab or at Vanguard (although Vanguard would be more of a challenge to use for my regular banking needs).

When you say not much is liquid at Schwab, what does that mean? Is it something like CDs? Or is it you don't want to sell stock funds? Or in retirement funds you don't want to withdraw because of taxes?
The stock market has been up lately so I don't think it's too big of a deal to sell stocks in an emergency. Based on being in a 55+ community, I would think you'd be withdrawing from retirement accounts so an additional withdrawal doesn't seem to me like too big of a deal.

This board often has threads about investments all at one place and being worried about a Bernie Madoff like situation. But I think a short-term liquidity issue like this is something to worry about much more.
Yes, CDs and funds that pay out monthly are deposited into our investor checking account at Schwab, but we don't typically keep much there but that will be changing now. We do have an ATM card for it if we need cash, which we usually don't and put everything on credit cards.

We paid off the credit card on 6/28 using bill pay, but those transactions have not been processed and the fill-in-the-blank pat answers from Patelco are disappointing.

We are selling nothing. Social Security and other direct deposits are at Patelco so those funds can't be accessed. Now we know that 40K in liquid funds (12 months of 4 wall expenses) with one institution is not a good idea!!!!

Yes, should be a wakeup call for others as well. Diversify banking institutions as well.
stan1
Posts: 14842
Joined: Mon Oct 08, 2007 4:35 pm

Re: Patelco Credit Union Ransonware Attack

Post by stan1 »

We have to assume same will eventually happen at Fidelity, Schwab, Vanguard, Chase, B of A, etc. Assuming it will never happen is a bad assumption. No credible cybersecurity professional will say it won't happen, and will be focused on planning for quick recovery as much as defensive measures.


Hopefully not at all simultaneously but adversaries could try that when the attackers intent is disruption and psychological operations (loss of will) against the American people as much as economic gain (ransom).
User avatar
anagram
Posts: 2369
Joined: Fri Aug 04, 2023 1:03 am

Re: Patelco Credit Union Ransonware Attack

Post by anagram »

mrspock wrote: Wed Jul 10, 2024 1:04 am
anagram wrote: Wed Jul 10, 2024 12:21 am
mrspock wrote: Tue Jul 09, 2024 11:42 pm Sorry to hear you've been caught up in all this, I've been following it from a far. This said, I've never understood why anyone would bother with credit unions like this for anything other than a mortgage in this day and age. Go with Schwab... hands down. No brainer. They are probably the best "all around" bank in the country, and that's saying a lot since that isn't even their core business.

They aren't perfect (see their "voice is my password" fiasco), but I just can't see this happening over there. They can afford to hire and pay for far better IT/eng folks vs. some shop like Patelco, and their brokerage business has such high stakes ($7.38 trillion dollars under management), they need to have a much better game.
What was the fiasco? AI impersonation?
You could use publicly accessible information to get past their security checks to set yourself a "voice password", and then call back in to use the password to initiate wire transfers, or whatever other nefarious things you want to do. They have since hardened their security procedures, but I'd highly suggest to setup a password so nobody can do it for you.
Set up a voice password? The problem is with a few seconds of voice audio one can create any sentence or phrase. Congress has summoned Schwab and others to testify because Congress is rightly concerned about the security of voice authentication. I believe it should be removed immediately.
User avatar
anagram
Posts: 2369
Joined: Fri Aug 04, 2023 1:03 am

Re: Patelco Credit Union Ransonware Attack

Post by anagram »

stan1 wrote: Wed Jul 10, 2024 10:13 am
adam1712 wrote: Wed Jul 10, 2024 9:25 am I think it's worth considering bank diversification these days.
Agree, with ransomware attacks moving from educational institutions and medical providers to financial institutions there will be an increasing hassle factor. I see no future where this will stop, and unless there are drastic geo-political changes it is going to get much worse. I am going to take action to have 3 months worth of expenses at three different large institutions. Maybe that's overkill. I don't do business with any small financial institutions, but it is just a matter of time until Chase, Vanguard, Fidelity, Schwab, B of A etc. gets hit. Hopefully they have better ability to recover. While I would not close my local credit union account at this time (if I had one) I'd have a backup. Vanguard likely is not good enough as a first backup since they do not have cash management features. I would not rely on Cash Plus at this time as an alternative to a bank.
Depends what you need from a bank. All I need are direct debits and Vanguard CP does that very well indeed.
User avatar
anagram
Posts: 2369
Joined: Fri Aug 04, 2023 1:03 am

Re: Patelco Credit Union Ransonware Attack

Post by anagram »

mrsbetsy wrote: Wed Jul 10, 2024 10:36 am
adam1712 wrote: Wed Jul 10, 2024 9:25 am I think it's worth considering bank diversification these days. I could get money relatively quickly from my regional bank with a local branch or from my accounts at Schwab or at Vanguard (although Vanguard would be more of a challenge to use for my regular banking needs).

When you say not much is liquid at Schwab, what does that mean? Is it something like CDs? Or is it you don't want to sell stock funds? Or in retirement funds you don't want to withdraw because of taxes?
The stock market has been up lately so I don't think it's too big of a deal to sell stocks in an emergency. Based on being in a 55+ community, I would think you'd be withdrawing from retirement accounts so an additional withdrawal doesn't seem to me like too big of a deal.

This board often has threads about investments all at one place and being worried about a Bernie Madoff like situation. But I think a short-term liquidity issue like this is something to worry about much more.
Yes, CDs and funds that pay out monthly are deposited into our investor checking account at Schwab, but we don't typically keep much there but that will be changing now. We do have an ATM card for it if we need cash, which we usually don't and put everything on credit cards.

We paid off the credit card on 6/28 using bill pay, but those transactions have not been processed and the fill-in-the-blank pat answers from Patelco are disappointing.

We are selling nothing. Social Security and other direct deposits are at Patelco so those funds can't be accessed. Now we know that 40K in liquid funds (12 months of 4 wall expenses) with one institution is not a good idea!!!!

Yes, should be a wakeup call for others as well. Diversify banking institutions as well.
You could call Social Security and if you explain the situation I believe they are able to direct next month and subsequent months to a different financial institution e.g. Schwab. Normally it takes a couple of months to redirect but they aer able to do it in a month. But you need to call to do this , not online.

I think if Chase was hit you would also get "fill-in-the-blank pat answers". Customer service is not what it used to be.
User avatar
anagram
Posts: 2369
Joined: Fri Aug 04, 2023 1:03 am

Re: Patelco Credit Union Ransonware Attack

Post by anagram »

stan1 wrote: Wed Jul 10, 2024 10:46 am We have to assume same will eventually happen at Fidelity, Schwab, Vanguard, Chase, B of A, etc. Assuming it will never happen is a bad assumption. No credible cybersecurity professional will say it won't happen, and will be focused on planning for quick recovery as much as defensive measures.


Hopefully not at all simultaneously but adversaries could try that when the attackers intent is disruption and psychological operations (loss of will) against the American people as much as economic gain (ransom).
Well under the psy ops scenario, just wait till they attack the water systems and the electrical grid. Much easier targets than banks. Look at the situation for the folks in southern TX now.
the_wiki
Posts: 3432
Joined: Thu Jul 28, 2022 11:14 am

Re: Patelco Credit Union Ransonware Attack

Post by the_wiki »

Ask anyone who works in IT, and they will probably say it's not if but when these days. The attackers only have to succeed one time and it is considered a security failure. Find one software that had a vulnerability, one user who will open their bad email or web page, one misconfiguration. Modern IT is complex, there are dozens of applications, perhaps hundreds or thousands of computers and devices. And there are thousands of attackers in every part of the world, attempting attacks every hour of the day. Some of them even state sponsored with high resources and patience.

Big banks have better IT, but they also have more complex environments and more notoriety, meaning more attempts.

I would instead focus on having a backup plan wherever you bank. Temporary loss of access can happen to any account for a number of reasons.
stan1
Posts: 14842
Joined: Mon Oct 08, 2007 4:35 pm

Re: Patelco Credit Union Ransonware Attack

Post by stan1 »

anagram wrote: Wed Jul 10, 2024 11:10 am
stan1 wrote: Wed Jul 10, 2024 10:46 am We have to assume same will eventually happen at Fidelity, Schwab, Vanguard, Chase, B of A, etc. Assuming it will never happen is a bad assumption. No credible cybersecurity professional will say it won't happen, and will be focused on planning for quick recovery as much as defensive measures.


Hopefully not at all simultaneously but adversaries could try that when the attackers intent is disruption and psychological operations (loss of will) against the American people as much as economic gain (ransom).
Well under the psy ops scenario, just wait till they attack the water systems and the electrical grid. Much easier targets than banks. Look at the situation for the folks in southern TX now.
Yes, that will happen too.
User avatar
anagram
Posts: 2369
Joined: Fri Aug 04, 2023 1:03 am

Re: Patelco Credit Union Ransonware Attack

Post by anagram »

stan1 wrote: Wed Jul 10, 2024 11:22 am
anagram wrote: Wed Jul 10, 2024 11:10 am
stan1 wrote: Wed Jul 10, 2024 10:46 am We have to assume same will eventually happen at Fidelity, Schwab, Vanguard, Chase, B of A, etc. Assuming it will never happen is a bad assumption. No credible cybersecurity professional will say it won't happen, and will be focused on planning for quick recovery as much as defensive measures.


Hopefully not at all simultaneously but adversaries could try that when the attackers intent is disruption and psychological operations (loss of will) against the American people as much as economic gain (ransom).
Well under the psy ops scenario, just wait till they attack the water systems and the electrical grid. Much easier targets than banks. Look at the situation for the folks in southern TX now.
Yes, that will happen too.
Geographical diversification is also needed.
User avatar
Vulcan
Posts: 3119
Joined: Sat Apr 05, 2014 11:43 pm

Re: Patelco Credit Union Ransonware Attack

Post by Vulcan »

stan1 wrote: Wed Jul 10, 2024 10:13 am Vanguard likely is not good enough as a first backup since they do not have cash management features. I would not rely on Cash Plus at this time as an alternative to a bank.
Why not?

DW and I have all our cash flow tied into Vanguard CP since January.
Payroll direct deposits and all ACH billpays (utilities, credit cards, insurance, college, etc).
No complaints whatsoever.

We also have Fidelity CMA & Schwab for checkwriting/ATM access, as well as Ally (previous primary checking) and a couple CUs, as backup.

"One-stop shop" is all nice and well so long as you have some other shops to fall back on.

We don't have a lot of cash sitting in backup accounts because we can quickly redirect payroll if necessary and have a lot of I Bonds.

But I agree with others, I wouldn't trust any one institution with reliably providing services. Always have a plan B.
If you torture the data long enough, it will confess to anything. ~Ronald Coase
patrick
Posts: 2630
Joined: Fri Sep 04, 2009 3:39 am
Location: Mega-City One

Re: Patelco Credit Union Ransonware Attack

Post by patrick »

anagram wrote: Wed Jul 10, 2024 12:17 am Patelco is not a small credit union.

https://www.advratings.com/credit-unions

I used the have an account there but was not impressed with them. Until recently I did all my banking at Ally and have moved to Schwab Bank for the small amount of banking that I now do. I am mostly using Vanguard CP.
Small may be a matter of perspective here. According to the slightly more updated data on https://www.mx.com/blog/biggest-us-cred ... sset-size/ Patelco has grown to 9.8 billion in assets which now makes it the 27th largest credit union. But that is still rather small by bank standards -- per the list https://www.usbanklocations.com/bank-ra ... ssets.html there are 168 banks with more assets than Patelco.
User avatar
anagram
Posts: 2369
Joined: Fri Aug 04, 2023 1:03 am

Re: Patelco Credit Union Ransonware Attack

Post by anagram »

patrick wrote: Wed Jul 10, 2024 11:52 am
anagram wrote: Wed Jul 10, 2024 12:17 am Patelco is not a small credit union.

https://www.advratings.com/credit-unions

I used the have an account there but was not impressed with them. Until recently I did all my banking at Ally and have moved to Schwab Bank for the small amount of banking that I now do. I am mostly using Vanguard CP.
Small may be a matter of perspective here. According to the slightly more updated data on https://www.mx.com/blog/biggest-us-cred ... sset-size/ Patelco has grown to 9.8 billion in assets which now makes it the 27th largest credit union. But that is still rather small by bank standards -- per the list https://www.usbanklocations.com/bank-ra ... ssets.html there are 168 banks with more assets than Patelco.
And there are 5000+ banks in the USA. So Patelco is not small. Otherwise no one should bank with anyone but Chase.
lazyday
Posts: 3870
Joined: Wed Mar 14, 2007 10:27 pm

Re: Patelco Credit Union Ransonware Attack

Post by lazyday »

the_wiki wrote: Wed Jul 10, 2024 11:17 amTemporary loss of access can happen to any account for a number of reasons.
Such as an algorithm that flags you as a risky customer. There’s been multiple articles in the NY Times on frozen or closed bank accounts. Here’s one that was updated in June:

https://www.nytimes.com/2023/12/30/your ... fixes.html
The accounting professor whose bank closed his accounts — and whose audit of his own transactions found nothing remotely suspicious.

The tech executive whose entire family lost banking privileges because an estranged family member — with a single account linked to one parent’s account — committed a crime.

The former European central banker who served as a senior fellow at Harvard and abruptly lost his banking privileges with no explanation.
anoop
Posts: 4066
Joined: Tue Mar 04, 2014 12:33 am

Re: Patelco Credit Union Ransonware Attack

Post by anoop »

mrsbetsy wrote: Tue Jul 09, 2024 11:33 pm We have, unfortunately, been part of the Patelco Credit Union ransomware attack. We have our every day accounts there (about 40K) and the rest at Schwab (not too much liquid there though).

We have been locked out of our accounts since June 29th and the communication from Patelco has been "cut and paste" style with no real answers. It's been terrible for us. We did everything in bill pay on June 28th and to date nothing has been paid: Chase credit card bills, PGE. utilities, etc.

Do you think smaller credit unions like this have a higher likelihood of this sort of attack? Do you think larger banks have a better security system/team to handle attacks such as this?

We are ready to cut and run, but they can't even tell us our balances. It's a major headache with all the direct deposits that go in there to change banking systems and I am loathe to do it, but this is absolutely ridiculous.

Where is the safest place to bank?
I do think bigger banks have more resources to create secure infrastructure. Whether they are actually put to effective use is another matter. The problem with big banks nowadays is customer service. It's hard to get help on the phone (very long wait times > 30 min) or even in branches.
User avatar
anagram
Posts: 2369
Joined: Fri Aug 04, 2023 1:03 am

Re: Patelco Credit Union Ransonware Attack

Post by anagram »

lazyday wrote: Wed Jul 10, 2024 1:03 pm
the_wiki wrote: Wed Jul 10, 2024 11:17 amTemporary loss of access can happen to any account for a number of reasons.
Such as an algorithm that flags you as a risky customer. There’s been multiple articles in the NY Times on frozen or closed bank accounts. Here’s one that was updated in June:

https://www.nytimes.com/2023/12/30/your ... fixes.html
The accounting professor whose bank closed his accounts — and whose audit of his own transactions found nothing remotely suspicious.

The tech executive whose entire family lost banking privileges because an estranged family member — with a single account linked to one parent’s account — committed a crime.

The former European central banker who served as a senior fellow at Harvard and abruptly lost his banking privileges with no explanation.
You posted a paywalled article.

https://web.archive.org/web/20240510005 ... fixes.html

It is time Congress and the regulators took action to force banks to provide more detailed information and help customers as the article points out. For those of us who have lived outside of the USA know this is not normal in other western countries.
User avatar
mrspock
Posts: 2177
Joined: Tue Feb 13, 2018 1:49 am
Location: Vulcan

Re: Patelco Credit Union Ransonware Attack

Post by mrspock »

anagram wrote: Wed Jul 10, 2024 10:50 am
mrspock wrote: Wed Jul 10, 2024 1:04 am
anagram wrote: Wed Jul 10, 2024 12:21 am
mrspock wrote: Tue Jul 09, 2024 11:42 pm Sorry to hear you've been caught up in all this, I've been following it from a far. This said, I've never understood why anyone would bother with credit unions like this for anything other than a mortgage in this day and age. Go with Schwab... hands down. No brainer. They are probably the best "all around" bank in the country, and that's saying a lot since that isn't even their core business.

They aren't perfect (see their "voice is my password" fiasco), but I just can't see this happening over there. They can afford to hire and pay for far better IT/eng folks vs. some shop like Patelco, and their brokerage business has such high stakes ($7.38 trillion dollars under management), they need to have a much better game.
What was the fiasco? AI impersonation?
You could use publicly accessible information to get past their security checks to set yourself a "voice password", and then call back in to use the password to initiate wire transfers, or whatever other nefarious things you want to do. They have since hardened their security procedures, but I'd highly suggest to setup a password so nobody can do it for you.
Set up a voice password? The problem is with a few seconds of voice audio one can create any sentence or phrase. Congress has summoned Schwab and others to testify because Congress is rightly concerned about the security of voice authentication. I believe it should be removed immediately.
So there’s no voice recognition involved for wire transfers (the voice recognition is more to get account balances and such). For wires, you must supply the previously setup password. The problem is, how easy it is (was?) to setup a password over the phone, if a customer has previously not set one up.
User avatar
anagram
Posts: 2369
Joined: Fri Aug 04, 2023 1:03 am

Re: Patelco Credit Union Ransonware Attack

Post by anagram »

mrspock wrote: Wed Jul 10, 2024 3:26 pm
anagram wrote: Wed Jul 10, 2024 10:50 am
mrspock wrote: Wed Jul 10, 2024 1:04 am
anagram wrote: Wed Jul 10, 2024 12:21 am
mrspock wrote: Tue Jul 09, 2024 11:42 pm Sorry to hear you've been caught up in all this, I've been following it from a far. This said, I've never understood why anyone would bother with credit unions like this for anything other than a mortgage in this day and age. Go with Schwab... hands down. No brainer. They are probably the best "all around" bank in the country, and that's saying a lot since that isn't even their core business.

They aren't perfect (see their "voice is my password" fiasco), but I just can't see this happening over there. They can afford to hire and pay for far better IT/eng folks vs. some shop like Patelco, and their brokerage business has such high stakes ($7.38 trillion dollars under management), they need to have a much better game.
What was the fiasco? AI impersonation?
You could use publicly accessible information to get past their security checks to set yourself a "voice password", and then call back in to use the password to initiate wire transfers, or whatever other nefarious things you want to do. They have since hardened their security procedures, but I'd highly suggest to setup a password so nobody can do it for you.
Set up a voice password? The problem is with a few seconds of voice audio one can create any sentence or phrase. Congress has summoned Schwab and others to testify because Congress is rightly concerned about the security of voice authentication. I believe it should be removed immediately.
So there’s no voice recognition involved for wire transfers (the voice recognition is more to get account balances and such). For wires, you must supply the previously setup password. The problem is, how easy it is (was?) to setup a password over the phone, if a customer has previously not set one up.
Do you mean at Schwab you need a separate password for wires? Can one set up a password for this purpose and for it not to be a voice password? I have not seen Schwab publicize this and they should if this is a security vector.
User avatar
anagram
Posts: 2369
Joined: Fri Aug 04, 2023 1:03 am

Re: Patelco Credit Union Ransonware Attack

Post by anagram »

mrspock wrote: Wed Jul 10, 2024 3:26 pm
anagram wrote: Wed Jul 10, 2024 10:50 am
mrspock wrote: Wed Jul 10, 2024 1:04 am
anagram wrote: Wed Jul 10, 2024 12:21 am
mrspock wrote: Tue Jul 09, 2024 11:42 pm Sorry to hear you've been caught up in all this, I've been following it from a far. This said, I've never understood why anyone would bother with credit unions like this for anything other than a mortgage in this day and age. Go with Schwab... hands down. No brainer. They are probably the best "all around" bank in the country, and that's saying a lot since that isn't even their core business.

They aren't perfect (see their "voice is my password" fiasco), but I just can't see this happening over there. They can afford to hire and pay for far better IT/eng folks vs. some shop like Patelco, and their brokerage business has such high stakes ($7.38 trillion dollars under management), they need to have a much better game.
What was the fiasco? AI impersonation?
You could use publicly accessible information to get past their security checks to set yourself a "voice password", and then call back in to use the password to initiate wire transfers, or whatever other nefarious things you want to do. They have since hardened their security procedures, but I'd highly suggest to setup a password so nobody can do it for you.
Set up a voice password? The problem is with a few seconds of voice audio one can create any sentence or phrase. Congress has summoned Schwab and others to testify because Congress is rightly concerned about the security of voice authentication. I believe it should be removed immediately.
So there’s no voice recognition involved for wire transfers (the voice recognition is more to get account balances and such). For wires, you must supply the previously setup password. The problem is, how easy it is (was?) to setup a password over the phone, if a customer has previously not set one up.
Thank you. I understand now. I will set up a wire password to close off this vector.
moneyflowin
Posts: 314
Joined: Sat Oct 16, 2021 6:14 am

Re: Patelco Credit Union Ransonware Attack

Post by moneyflowin »

Banks and CUs are heavily regulated, but mainly to fight money laundering, crime, tax evasion, and to protect the banking system from bank runs or financial crises. Those are their priorities. IT security is secondary. The people who work at and run the banks have backgrounds in banking and finance, not IT. They probably do insecure things like sending sensitive information by email without thinking about it. They click on insecure links. With WFH being more common, I'd bet all sorts of appalling stuff is being behind the scenes with customer data that we're not aware of.

It makes sense to spread your money across 2-3 financial institutions. Having more accounts would reduce the chances of all your money being tied up at once by hackers, but it increases the chances that one account is someday affected.
User avatar
nisiprius
Advisory Board
Posts: 53131
Joined: Thu Jul 26, 2007 9:33 am
Location: The terrestrial, globular, planetary hunk of matter, flattened at the poles, is my abode.--O. Henry

Re: Patelco Credit Union Ransonware Attack

Post by nisiprius »

I am ashamed to say that until I read this thread, I had assumed that you didn't need to worry about government-insured deposits in a credit union or bank. According to their web page--well, I even checked at the NCUA website--Patelco is NCUA-insured, and it doesn't help.

NCUA and FDIC insure against losing your deposits if the institution fails, but apparently do nothing at all to insure your ability to withdraw your funds in a timely manner. Someone in another thread was warning about this--the majority of FDIC rescues are done over a weekend with very little inconvenience to depositors, but not 100% of the time.
Annual income twenty pounds, annual expenditure nineteen nineteen and six, result happiness; Annual income twenty pounds, annual expenditure twenty pounds ought and six, result misery.
User avatar
anagram
Posts: 2369
Joined: Fri Aug 04, 2023 1:03 am

Re: Patelco Credit Union Ransonware Attack

Post by anagram »

nisiprius wrote: Wed Jul 10, 2024 7:31 pm I am ashamed to say that until I read this thread, I had assumed that you didn't need to worry about government-insured deposits in a credit union or bank. According to their web page--well, I even checked at the NCUA website--Patelco is NCUA-insured, and it doesn't help.

NCUA and FDIC insure against losing your deposits if the institution fails, but apparently do nothing at all to insure your ability to withdraw your funds in a timely manner. Someone in another thread was warning about this--the majority of FDIC rescues are done over a weekend with very little inconvenience to depositors, but not 100% of the time.
Exactly so. The CFPB might be able to help in cases where you cannot withdraw your funds in a timely manner. The banks and CUs can close you account at any time, not tell you the reasons why and not help you at all. The article link earlier in the thread says it all.
User avatar
anagram
Posts: 2369
Joined: Fri Aug 04, 2023 1:03 am

Re: Patelco Credit Union Ransonware Attack

Post by anagram »

moneyflowin wrote: Wed Jul 10, 2024 7:18 pm Banks and CUs are heavily regulated, but mainly to fight money laundering, crime, tax evasion, and to protect the banking system from bank runs or financial crises. Those are their priorities. IT security is secondary. The people who work at and run the banks have backgrounds in banking and finance, not IT. They probably do insecure things like sending sensitive information by email without thinking about it. They click on insecure links. With WFH being more common, I'd bet all sorts of appalling stuff is being behind the scenes with customer data that we're not aware of.

It makes sense to spread your money across 2-3 financial institutions. Having more accounts would reduce the chances of all your money being tied up at once by hackers, but it increases the chances that one account is someday affected.
Well priorities are going to have to change. Bad actors are not going away and we are going to have more cases like this if something is not done.
User avatar
Chv396
Posts: 1043
Joined: Fri Jun 30, 2023 8:44 pm
Location: Tee #6, Par 3, 195 Yards

Re: Patelco Credit Union Ransonware Attack

Post by Chv396 »

We live in Northern California and have been following the Patelco cybersecurity attack. Simply flabbergasted that their systems are still unavailable, without a definitive update on a recovery time. We diversify banks, just in case.
“Stay the Course” - My Portfolio (BND, VOO, VT, VXUS) Spouse’s Portfolio (VEA, VGSH, VOO)
User avatar
Sandi_k
Posts: 2414
Joined: Sat May 16, 2015 11:55 am
Location: SF Bay Area

Re: Patelco Credit Union Ransonware Attack

Post by Sandi_k »

Yes, we were hit too. The account to which my paycheck is deposited was frozen before receipt was logged; so those funds have essentially disappeared.

Luckily we kept some funds in the savings account as "backup" to regular billpaying; I've been able to get cash on three different occasions, and use the cash for groceries, Costco, etc. I used a credit card to pay utilities.

Happily, we have our emergency funds at Fidelity; I've now moved funds from Fidelity to my DH's Wells Fargo account; we will push the mortgage payment from there.

I also changed my direct deposit for the next paycheck, and will send it directly to Fidelity instead of Patelco.

We had been discussing consolidating bank accounts; that discussion has now been tabled. :twisted:
Topic Author
mrsbetsy
Posts: 508
Joined: Mon Jun 26, 2017 12:16 am

Re: Patelco Credit Union Ransonware Attack

Post by mrsbetsy »

A second full week has come to an end and we are still locked out of our accounts. CEO hasn't updated in 2 days.

Husband went to to the "local" office. It takes 3 bridges (subject to delays due to boat traffic) and a $7 toll to get there and they told him they cannot see our account either. It's not just online banking that is out. He could withdraw a maximum of $500 in cash. No check that we could upload to Schwab checking. (We moved last year and never switched banks to something more local - our bad.)

This is so unacceptable. Bogleheads beware and make sure you diversify your banking. We thought we'd keep it simple with Patelco and Schwab - not realizing that if one fails, we have a huge headache on our hands.

Lesson learned.
Last edited by mrsbetsy on Fri Jul 12, 2024 10:08 pm, edited 1 time in total.
RetiredAL
Posts: 3819
Joined: Tue Jun 06, 2017 12:09 am
Location: SF Bay Area

Re: Patelco Credit Union Ransonware Attack

Post by RetiredAL »

mrsbetsy wrote: Fri Jul 12, 2024 9:28 pm
Sorry for your misfortune.

You have gotten me to think about having backup plans in place for DW and myself in case our accounts at our Mega-bank get locked for whatever reason. I have a mostly dormant local credit union account I was thinking of closing, now I'm considering revitalizing it.
User avatar
anagram
Posts: 2369
Joined: Fri Aug 04, 2023 1:03 am

Re: Patelco Credit Union Ransonware Attack

Post by anagram »

mrsbetsy wrote: Fri Jul 12, 2024 9:28 pm A second full week has come to an end and we are still locked out of our accounts. CEO hasn't updated in 2 days.

Husband went to to the "local" office. It takes 3 bridges (subject to delays due to boat traffic) and a $7 toll to get there and they told him they cannot see our account either. It's not just online banking that is out. He could withdraw a maximum of $500 in cash. No check that we could upload to Schwab checking. (We moved last year and never switched banks to something more local - our bad.)

This is so unacceptable. Bogleheads beware and make sure you diversify you banking. We thought we'd keep it simple with Patelco and Schwab - not realizing that if one fails, we have a huge headache on our hands.

Lesson learned.
I'm sorry this has happened to you.

After this I think everyone will withdraw all their funds and Patelco will cease to exist.
User avatar
anagram
Posts: 2369
Joined: Fri Aug 04, 2023 1:03 am

Re: Patelco Credit Union Ransonware Attack

Post by anagram »

RetiredAL wrote: Fri Jul 12, 2024 9:58 pm
mrsbetsy wrote: Fri Jul 12, 2024 9:28 pm
Sorry for your misfortune.

You have gotten me to think about having backup plans in place for DW and myself in case our accounts at our Mega-bank get locked for whatever reason. I have a mostly dormant local credit union account I was thinking of closing, now I'm considering revitalizing it.
It might be better to pick another large bank or Schwab Bank. I have a feeling a lot of credit unions could easily be in the Patelco situation.
RetiredAL
Posts: 3819
Joined: Tue Jun 06, 2017 12:09 am
Location: SF Bay Area

Re: Patelco Credit Union Ransonware Attack

Post by RetiredAL »

anagram wrote: Fri Jul 12, 2024 10:10 pm
RetiredAL wrote: Fri Jul 12, 2024 9:58 pm
mrsbetsy wrote: Fri Jul 12, 2024 9:28 pm
Sorry for your misfortune.

You have gotten me to think about having backup plans in place for DW and myself in case our accounts at our Mega-bank get locked for whatever reason. I have a mostly dormant local credit union account I was thinking of closing, now I'm considering revitalizing it.
It might be better to pick another large bank or Schwab Bank. I have a feeling a lot of credit unions could easily be in the Patelco situation.
I said "backup", not daily use. Something I could fully activate in a handful of days in necessary. I'm not of a chicken-little mindset worrier so I'm not spending a lot of effort ahead of time beyond having a skeleton process in place.

I already have a large sum at Schwab. Adding them as banking would adding more eggs to that one basket.

I also have check writing on one Fidelity brokerage account
IfIOnlyKnew
Posts: 67
Joined: Thu Sep 24, 2020 11:05 pm

Re: Patelco Credit Union Ransonware Attack

Post by IfIOnlyKnew »

mrsbetsy wrote: Fri Jul 12, 2024 9:28 pm A second full week has come to an end and we are still locked out of our accounts. CEO hasn't updated in 2 days.

Husband went to to the "local" office. It takes 3 bridges (subject to delays due to boat traffic) and a $7 toll to get there and they told him they cannot see our account either. It's not just online banking that is out. He could withdraw a maximum of $500 in cash. No check that we could upload to Schwab checking. (We moved last year and never switched banks to something more local - our bad.)

This is so unacceptable. Bogleheads beware and make sure you diversify your banking. We thought we'd keep it simple with Patelco and Schwab - not realizing that if one fails, we have a huge headache on our hands.

Lesson learned.
You have my sympathy. I’m sure the situation must be stressful. My son has a small account at Patelco so I’ve been following it. Their lack of regular updates seems totally unacceptable to me. For example, it’s Friday night and the last update posted on the Patelco website is from Tuesday. Maybe they don’t want to admit they have no clue and it could still be weeks before things are mostly functional…?
User avatar
8foot7
Posts: 4510
Joined: Mon Jan 05, 2015 6:29 pm

Re: Patelco Credit Union Ransonware Attack

Post by 8foot7 »

As far as I am concerned, this institution has failed. Two weeks without access to valance information. Limited withdrawals. Ignored payment instructions. No transfers. What else does one need to classify this as a de facto bank failure?
ScubaHogg
Posts: 4034
Joined: Sun Nov 06, 2011 2:02 pm

Re: Patelco Credit Union Ransonware Attack

Post by ScubaHogg »

OP, I’m sorry this has happened to you

This is exactly the sort of weird thing that can happen that has had me saying for awhile now have at least two institutions from which you can pay your bills and/or get cash. At least for a month or two.
“Anyone may arrange his affairs so that his taxes shall be as low as possible; he is not bound to choose that pattern which best pays the treasury.” | ― Judge Learned Hand
Locked