Date: 2023-12-21

HARRISBURG, Pa. (WHTM) — He said he wanted to help other people, even if he never got his own money back.

In the end, Scott Zeiders achieved both goals: More people know about the importance of setting up multi-factor authentication (sometimes called “two-step verification”) on all their accounts, and the companies involved (although they didn’t provide specifics) are perhaps redoubling their security efforts — and Zeiders got his $12,000 back.

Someone had stolen the money via wire transfer from his Wells Fargo bank account. The bank texted a code to Zeiders’ cell phone — that’s a second factor of authentication. But the code went to the bad guy, who had previously hijacked Zeiders’ Xfinity Mobile cell phone number by logging into that account — which didn’t have multi-factor authentication — and changing the SIM card number, which associates a phone with a phone number.

Both companies told Zeiders there was nothing more they could do.

A cybersecurity expert said both could have done more to prevent the theft: Xfinity should have required a second factor of authentication to change a SIM card number, and Wells Fargo should have called Zeiders, a retired truck driver, to verify what was — for him — a highly unusual transaction before releasing the money, said Jonathan S. Weissman, a principal lecturer at the Rochester Institute of Technology Department of Cybersecurity.

Contacted by abc27 News, Wells Fargo said it continued investigating. Last week, someone from Wells Fargo called Zeiders. His first clue that she might have good news: “Her voice sounded a little bit more positive,” Zeiders recalled.

His hunch was correct: The bank had finished its investigation and decided to put $12,000 back in Zeiders’ account ($11,975 in stolen funds plus a $25 wire transfer fee).

“I want to thank [abc]27 News because I don’t think I would have gotten it back if it wouldn’t have been for the media coverage,” Zeiders said.

But remember, that was only half of what he wanted. His message for everyone else? “If you don’t have two-step verification, put it on there. Because once they get your passwords, you’re done.”

If you don’t know how to do that, call the companies you do business with at a number you’re sure is theirs, such as one that appears on your bill. Don’t provide information to people who call, email, or text you claiming to be from a company. If you ever feel unsure about an interaction you’re having, hang up and call the company directly or visit a company office, if a local one exists.