How to Protect your Privacy -- Personal, Financial, Digital

Here’s the direct link, since The Hill article doesn’t make it clear and doesn’t provide the relevant quotes:

3 Likes

Just an FYI regarding login.gov. Nobody mentioned this before and I did not know, since I did not need to use that service until now. What’s very interesting and very cool about it, is that it does not require any of your personally identifying information. You may provide a phone number if you select SMS as your second factor, but it’s not required. It does not care who you are, it simply allows you to login (ha!) with an email address, password, and at least one of multiple available 2FA methods. After you create the account, you can associate it with the actual government service that requires it. That service is the one that collects all your personal info.

The big idea behind this service is to make it simple for the average person to “use one account and password for secure, private access to participating government agencies.” But what’s even better, and I would highly recommend in the context of this thread, is to create a separate login.gov account for each and every government service that uses login.gov, just like you would if they didn’t all rely on login.gov.

This way if someone else gains access to one account, they won’t necessarily gain access to all of them. It’s in the same line of thinking as not reusing your login/email address and password across multiple services.

4 Likes

Lots of bad information in the first article. Unauthorized transactions are unauthorized and carry legal protections, even if the bank tries to claim they’re authorized. They also straight up imply that Zelle is an app. It’s not – it’s a service that also happens to have an app. The second article is not of much better quality, but it’s more concerning, because it implies that the victim’s phone was hacked. One easy solution is to not install any banking apps on your phone.

That’s good advice for the Zelle app, but it won’t help if they use a bank’s app and have multiple accounts at that bank – you can select another source for transfers.

Banks implement various transaction limits for Zelle, and I think $5K/day is the max. Some start with lower limits at first and increase with use. They should send 2FA codes when you’re adding a new contact or sending more than usual. Losing $40K like the first article claims is no easy task without a full-on phone hack.

1 Like

I think the issue is that many people are authorizing the transactions TO scammers while many other people are mistakenly giving scammers ACCESS and the scammers are authorizing the transactions. The bank has to decide how much they are going to fight to say it was the customer’s fault. Then these articles come along and the reporter makes no distinction between the two scams.

My understanding is that, if a scammer figures out your bank login and password and they want to add a recipient (themselves) to Zelle, they are going to have to do some social engineering. Because bank websites don’t just let you add a recipient to Zelle and pay them with only an email address and password. That is where the argument over “authorized transactions” comes in. The customer has to “authorize” the addition of the recipient or the payment usually via text message authentication, but in order for the scammer to get away with it, they had to have the account hacked in the first place. So the question then becomes, did the customer really “authorize” the “transaction” or did they get hacked. I would argue they got hacked because nowhere along the way of the customer giving that text message code did they realize the scammer had access to their account. The fact the scammer was in their account without them having permission makes all the transactions “UNauthorized.” But, I’m sure there are sometimes where the customer not only gives out the text message code, but gave out the login/password too. I think in those cases, the bank can argue everything was authorized. If the customer is adamant they didn’t give out the login/password, only the text message authentication code, the transaction should still be considered unauthorized. But I don’t know how an arbitrator or judge would view it. Probably 50/50.

The old lady, on the other hand, tricked into Zelleing money to her “grandson” for bail - that was an authorized transaction and she shouldn’t expect the bank to cover her for that.

1 Like

One big difference between Zelle and most other money payment and transfers that regular people use regularly is that they’re not instant and are reversible. Even wire transfers are reversible, I think. Given Zelle’s origins, there really must be more protections against fraudulent transfers – transactions must be reversible.

Are you suggesting they change their process to something where the money “shows up” instantly like it does now, but it is left “pending” or otherwise unable to be withdrawn by the receiving party for 2-3 business days? I think that makes sense and would instill more confidence in users. As long as the receiving bank that leaves it pending doesn’t overdraw people’s accounts in the meantime before the transaction fully posts.

It’d be no better than Venmo if they did that. I’m thinking they should just be smarter about sending money to new recipients. They must ensure that the link is legitimate and authorized – send verification requests to both parties, don’t allow large initial transfers, place a long hold on the first transaction (or the first few), etc. Once the link has been established for a while, instant transfers should not be an issue.

1 Like

I agree. Transferring immediately, but putting a 48 hour hold on just the first transaction for a new recipient makes a ton of sense.

2 Likes

Isn’t that - placing a hold on a deposit - based on the receiving bank’s policy, not Zelle? I’m pretty sure that most banks do not place holds on any electronic deposits (ACH, Wire, etc) that are pushed from other banks.

Regardless if it’s done on the front end or the back end, a longer transfer period, and therefore a longer period in which the banks/zelle have the ability to stop the transaction from getting to the scammer, seems to make sense for newly added recipients.

My point was, Zelle cannot do it on the back end. The only option they have is to delay sending the money, in which case it cannot be posted to the receiving account ‘immediately’. 8,000 individual bank policies would need to be tweaked to hold the payment after it’s posted to the recipient.

Even ADP/payroll processors have ‘early’ direct deposit prior to official payday, but it’s still on each individual bank receiving the money as to when they actually make it available to their customer.

1 Like


I don’t see why not. The receiving bank knows the money is coming from Zelle. Make the receiving bank responsible for fraud and they’ll put a hold on the money just like they put a hold on big check deposits.

I think this would only work if everyone who accepted Zelle payments would agree to a new rule from Zelle. This could easily be forced, but …

Also, it would require IT sign-off (as in, review if it’s doable), legal review, legal amendment to user agreement, some code work to identify new recipients, code changes to communicate who is a new recipient (and subject to the new rule) to the receiving institution. You’re easily looking at a $20,000,000 expenditure.

Although banks make tons of money, they’re almost as frugal as we are. They’re not going to approve that expenditure until forced to do so, or more than likely, to get gubment funds to “protect” the public.

2 Likes

From the Washington Post:

Direct link: https://www.washingtonpost.com/technology/2022/06/24/delete-yourself-online/

Scrubbing public information from the internet is a silly, never-ending exercise. It’s too easy and too cheap to obtain public records without a reasonable permissible purpose, and then to sell it. IMO such aggregation and sale by unrelated entities should be illegal.

As the article says: “You can’t fully scrub yourself from the internet.” Unless you’re rich and own nothing in your name and are not a public figure.

ETA: I guess also if you’re broke and own nothing in your name :smile:

1 Like

As Reason has previously reported, there are substantial constitutional issues raised by the FBI’s raid of U.S. Private Vaults that ought to worry any American concerned about privacy.

Importantly, the warrant authorizing the raid explicitly forbade the FBI from seizing the safe deposit boxes or their contents.

But agents seized hundreds of safe deposit boxes anyway, then opened many of them and rifled through their contents under the guise of cataloging the items. That effort seems to have been a little more than a fishing expedition in search of additional criminality, and attorneys for the victims of the FBI’s warrantless search are now asking that all records created by that effort be destroyed.

From the Bill of Rights:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

Modest request:

Will somebody please tell the FBI!

5 Likes