Bank Fraud scams utilising your phone

Spocker

Marleigh Tasty Spittoon wrote: »

It's not encrypted and is therefore the data is transmitted over an unsecured connection.
The same with people sending passwords or credit card details by email. It's very easy once you know how to capture the data and see what it contains.

Actually this is not correct. The carrier may not encrypt their traffic, but I'd be very surprised if any financial service that uses mobile application does not use https or other security for their traffic.

I work for a mobile application development company, and all our traffic is using https for traffic.

wmpdd3

I though this too, I just think there is an easier less sophisticated way the money was taken.

Op, go back over every transaction over the last month and see if anything rings a bell.

The bank or the police may never give a reason the money was taken.

all we can be sure of is the thief knew their phone number and that they banked with boi. (or any bank that uses a text code to set up payees).

Where did they get the phone connection? Online?

rovoagho

Marleigh Tasty Spittoon wrote: »

It's not encrypted and is therefore the data is transmitted over an unsecured connection.

How do you know this?

In this particular case phone encryption doesn't even appear to be relevant, since it looks like the attack vector was actually a computer. We don't have the details yet, but it looks like the mobile was simply used for two-factor authentication, and the SIM was either cloned or a copy acquired from the carrier; both of which are social engineering problems.

You would know this if you had read the thread fully. And if this is actually the case then by your logic you should be advising people not to use computers for transactions. Which wouldn't be correct either.

murphaph

OP: was the phone used to access the online banking as well as receive codes for transactions?

uck51js9zml2yt

the experts seem to think mobile apps aren't secure. http://www.icttf.org/blogs/2/449/10-reasons-not-to-use-a-banking.

28064212

Marleigh Tasty Spittoon wrote: »

the experts seem to think mobile apps aren't secure. http://www.icttf.org/blogs/2/449/10-reasons-not-to-use-a-banking.

Expert. And going by this article, that's a stretch.

1. So the bank gave a perfectly legitimate explanation? Not to mention the bizarre contrast of him fully trusting them with his money, but not his smartphone pics
2. There's exactly the same amount of legislation for a smartphone as there is for laptop/PC banking
3. It's not "easy" to sniff an SSL connection, which all Irish banks use, and again, it's exactly the same for laptops
4. "Most" users? Most users I know do have a passcode. And all Irish banking apps require you to login using the same details you would use on your laptop
5. Because PCs never get infected by malware. If anything, the permissions system on smartphones is stronger than the PC one
6. See 5
7. The rare valid point. But has little to do with Online Banking.
8. [Citation needed]
9. High percentage rises don't mean much when starting from a low level. I can guarantee the percentage of PCs with infections is far, far higher than the percentage of smartphones infected
10. Again, the permissions system is stronger on smartphones than it is on PCs.

28064212

And none of it has anything to do with your assertion that smartphones are insecure because "You are sending this information over an unsecured wireless service"

Metroid diorteM

Which Irish banks do validation for adding a new payee by text instead of by code card?

If my bank does this I want to request that text validation is blocked.

Fred Swanson

This post has been deleted.

dobsdave

Fred Swanson wrote: »

This post has been deleted.

As do BOI.

GarIT

This is why you absolutely need a good security product like Norton on your phone if you are going to let it connect to the internet.

28064212

GarIT wrote: »

This is why you absolutely need a good security product like Norton on your phone if you are going to let it connect to the internet.

What part of the OP's story would having a security product on their phone have prevented?

GarIT

28064212 wrote: »

What part of the OP's story would having a security product on their phone have prevented?

If it was malware on the phone it would have stopped it.

murphaph

28064212 wrote: »

And all Irish banking apps require you to login using the same details you would use on your laptop

The BoI Android app does not require the user ID which is required any time you log in to 365online.

I still generally believe that a smartphone is every bit as secure as a phone for online banking as long as you follow common sense precautions. I'm really interested to find out how the OP was actually scammed but the fact the guards don't appear to want to even take a statement from them doesn't inspire confidence in me that it'll ever be solved.

B00MSTICK

28064212 wrote:

Expert. And going by this article, that's a stretch.

QFT - I'd question the majority of that list too.

Has your OH installed any apps recently OP?

Just in case there was some apps with shady permissions, but my bet is still on it being PC malware with dynamic web injects and then SIM swapping/cloning.

We haven't seen an explosion of true mobile banking malware because the fraudsters are having success with the online banking arm.
That and the ability to add new payees via a mobile banking app is still a rarity - but watch this space...

Rips

Well the good news is the money was refunded. We got a courtesy call from the bank on Monday to say this had been processed, and we received it today. Phew.

On the other aspect, it appears it will not be investigated by the guards :mad:
I say this because we also managed to get the details of the phone bill (eventually - the bill phone is still not working, not connected to a network, we'll be cancelling the contract and looking for a refund)
We rang the guards immediately to give them the details, there were a number of phone numbers, which are all answering. Guards didn't bother to take the details, said the case handler would be on to us, no word since.

As far as the other questions:
-No dodgy apps, we always read permissions etc
- BOI App was installed on the phone but not used.
- AIB use a code card system instead of mobile authorisation (you have a card with a load of different number sequences, and it requests two of these to authorise transfers/payments)

murphaph

Rips wrote: »

We rang the guards immediately to give them the details, there were a number of phone numbers, which are all answering. Guards didn't bother to take the details, said the case handler would be on to us, no word since.

Sad to say but I'm not surprised. I don't rate AGS as a police force at all. I think they're more like Keystone Cops than real ones. This is a crime waiting to be solved and they simply aren't that bothered.

Fred Swanson

This post has been deleted.

Nonoperational

Fred Swanson wrote: »

This post has been deleted.

No you won't.

paulfosters

Rips wrote: »

Well the good news is the money was refunded. We got a courtesy call from the bank on Monday to say this had been processed, and we received it today. Phew.

On the other aspect, it appears it will not be investigated by the guards :mad:
I say this because we also managed to get the details of the phone bill (eventually - the bill phone is still not working, not connected to a network, we'll be cancelling the contract and looking for a refund)
We rang the guards immediately to give them the details, there were a number of phone numbers, which are all answering. Guards didn't bother to take the details, said the case handler would be on to us, no word since.

As far as the other questions:
-No dodgy apps, we always read permissions etc
- BOI App was installed on the phone but not used.
- AIB use a code card system instead of mobile authorisation (you have a card with a load of different number sequences, and it requests two of these to authorise transfers/payments)

great to hear it. all too often we dont hear the end of the situation. glad you got sorted must be a big relief.

murphaph

Until the next person gets scammed by the same gang the guards couldn't be bothered investigating.

wmpdd3

Not until a guards account is cleaned it would anything happen.

I knew they wouldn't investigate, if you had a video of the person taking the money, they would still have to think about it.

I still don't get why the phone is not working? were you in contact? Was it a sun change that happened?

Also what does the bank say, how can they guarantee that no more payees will be added with out you knowledge?

AIB no longer use a code card, they now have a code generator thing like a calculator that you put your card into.

I would be closing my back account asap.

monty_python

the answer to how the phone was controlled was given already

The Eurograbber banking Trojan is an all-in-one hit, researchers say. It successfully compromises desktops and mobile devices, and has gotten around commonly used two-factor authentication practices in Europe.

How can banking institut
( http://www.bankinfosecurity.com/eurograbber-smart-trojan-attack-a-5359/op-1 )

op, does this sound familiar?
The bank customer is initially and transparently infected, either when they succumb to a phishing e-mail and click on a malicious link in that e-mail, or possibly just by surfing the Internet and clicking on a malicious link. Unbeknownst to the user, once infected, the Eurograbber version of the Zeus Trojan is downloaded onto their desktop computer.

At a later point, when that bank customer accesses their bank account, the Trojan wakes up and the customer, since they've accessed their bank account, believes what appears on their screen. That Trojan ... injects into the banking session instructions for upgrading the user's online-banking system. It asks the user to follow the instructions to improve security. It starts off by asking some questions, and some of the information it asks for is information about their mobile phone, including their mobile number, saying that in order to complete the upgrade, they need to proceed to their mobile phone and follow the instructions that the bank will send.
( http://www.bankinfosecurity.com/eurograbber-smart-trojan-attack-a-5359/op-1 )

murphaph

monty_python wrote: »

the answer to how the phone was controlled was given already

The Eurograbber banking Trojan is an all-in-one hit, researchers say. It successfully compromises desktops and mobile devices, and has gotten around commonly used two-factor authentication practices in Europe.

How can banking institut
( http://www.bankinfosecurity.com/eurograbber-smart-trojan-attack-a-5359/op-1 )

op, does this sound familiar?
The bank customer is initially and transparently infected, either when they succumb to a phishing e-mail and click on a malicious link in that e-mail, or possibly just by surfing the Internet and clicking on a malicious link. Unbeknownst to the user, once infected, the Eurograbber version of the Zeus Trojan is downloaded onto their desktop computer.

At a later point, when that bank customer accesses their bank account, the Trojan wakes up and the customer, since they've accessed their bank account, believes what appears on their screen. That Trojan ... injects into the banking session instructions for upgrading the user's online-banking system. It asks the user to follow the instructions to improve security. It starts off by asking some questions, and some of the information it asks for is information about their mobile phone, including their mobile number, saying that in order to complete the upgrade, they need to proceed to their mobile phone and follow the instructions that the bank will send.
( http://www.bankinfosecurity.com/eurograbber-smart-trojan-attack-a-5359/op-1 )

To be honest that sounds rather unsophisticated to me, but I'm sure people who shouldn't be using online banking could be caught out with it. At the end of the day, if you're gullible enough you can be scammed out of your debit card and PIN.

fits

I very much doubt that's what happened in this case. Would be interesting to know how they managed it all the same.

wmpdd3

Yeah, I would like to think this wouldn't happen, anytime Ptsb ask for anything new or put up a new screen in their banking their pipelines are jammed when I call for verification.

But you never know.

Sam Mac

Glad to hear you got the money back OP.

What a useless response from the Guards - to be expected though, they are known for doing sweet fcuk all.

rovoagho

A lot of station staff simply wouldn't understand these issues, and there seems to be a problem within the Gardaí that if they don't understand it, it's not a crime. The Fraud squad do understand it though, I'd recommend talking to them if you're serious about dealing with it. They may need you to go back to a station to report it again, but with a referral. You can find their contact details here:

http://www.garda.ie/Controller.aspx?Page=29