LAS VEGAS (KTNV) — It's the case of the disappearing money for one local small business, to the tune of $10,000. 13 Investigates Anchor Tricia Kean shows us that sometimes your security measures just aren't enough.
"Almost $10,000 was withdrawn from the account and transferred to an unknown person," says Kyle Stokley, managing director at Desert Gymcats.
It's a nightmare scenario for any small business. It happened to Desert Gymcats back in September.
"Initially it was just okay, this is clearly a fraudulent transaction. We're going to report it to the bank and... We would get it refunded," says Kyle.
But Bank of America denied the claim.
"They said that this transaction went through via authorized methods... Didn't really make too much sense. From there we had months of meetings with workers at the bank and managers of our local branch," says Kyle.
When that didn't provide answers, Desert Gymcats reached out to 13 Investigates. We contacted Bank of America. They tell us the money was sent using a required security code.
In a statement, the bank says the transaction "...involved our sending a code to the sender's device that must be correctly entered by the sender before the transaction can proceed."
But Kyle claims that never happened. Local IT expert Curt Miller says there's a weak link that crooks can exploit.
"If someone has access to your email or the computer itself and they login to that website, they have everything they need," says Curt, Founding Partner of ANEXEON.
He says it's possible someone hacked into their email.
"We are seeing it right and left now in our industry, people's emails getting hacked. They go in, they use tools to pilfer all the private information," says Curt.
We had Kyle do some digging, and he discovered these emails from September, when Bank of America contacted his business saying "...your Online Banking Passcode was reset... If you didn't make this change, please contact us immediately..."
Now Kyle's convinced Desert Gymcats was hacked. He also worries it could happen again.
"Because unless we were to change accounts every day and change our username and password every day, this sort of transaction could go unchecked," says Kyle.
Curt says it's definitely important to use multi-factor authentication to protect yourself. Just make sure not to use your email as the second factor.
"I recommend if the website allows it, that you always send it to a device in the form of a text message. Because the code will come in, in a way that is very difficult to hack or find unless they actually have the device in their hand," says Curt.
DUO AND AUTHENTICATOR APPS
He even suggests going one step further. Additional security like Duo verifies a user's identity when logging on.
"Duo Push is the fastest and most secure method of two-factor authentication available. I open the push on my smartphone, read the contextual information on the notification to confirm and hit the green button to accept," says Duo's introductory video on YouTube.
There are also free authenticator apps.
"Instead of sending you a code to a device, they will actually tell you on the screen, open your authenticator app and it's generating numbers. They change every 30 seconds and it says enter the number that you see on your screen right now," says Curt.
Curt admits anything can be hacked and these extra security steps are just a deterrent. But it may be just enough to get a hacker to move on to someone else.
"I get that it's a second step and a little bit of a nuisance, but it's five extra seconds that could save you thousands of dollars in money transfers out of your account," says Curt.