A good amount of money has been stolen from my bank account, bypassing the two-factor authentication.

Were you actually using the Cloudflare secure DNS when this hack happened? If so, that's definitely worrying.

I kept Cloudflare enabled on the PC with FreeBSD since yesterday, basically, but on the phone it has been disabled for a long time because I forgot to activate the client... I even forgot I had it :) It's also true that my phone was always connected to the same LAN as my PC. Actually, it will not happen anymore.
 
Yes, I agree. And if you pay for the service, there is no guarantee that the security is actually any better. Just because you're paying doesn't necessarily mean you're going to get something better.
 
It's hard to imagine how they got that CVC code.

This attack, in my opinion, can be defined as multiple attacks in one shot, because it involves the security breach of every protection mechanism there is on the phone. Basically he knew everything: user ID, PIN, the code to disable the bank app and the security code located on the back of the card. That's incredible. I presume that when you know the first one (and what's the first one that you should know? maybe it's only the phone number), you can know the remaining ones, one after another. Or maybe it does not work like this at all.
 
The easy way is just to disable wifi on the phone, and use the 4G all the time. I don't use my phone for much, anyway, so it's no big deal.
 
All that you say means only that the phone should not be used at all to make money transactions :)
And it shouldn't. If you played by this rule, this thread would not exist. I'm sorry to hear what happened to you, but if this is not a lesson and wake-up call for you, I don't know what is. In these scenarios you HAVE TO assume you are fully compromised everywhere and start from scratch. That means a new phone, new bank account, new email address, and new everything. And you also need to be very careful how you approach this whole process.
 
The catch of course is that the bank wants you to use a banking app on the phone, for authentication. There isn't much you can do about that. But apart from that... nothing financial on the phone, IMHO.
 

I'm not so paranoid. The reason I started this thread is also to understand which parts COULD BE compromised.
 
And that is the problem. We don't know for certain the phone is the problem. As Cy said a while back, the entire chain is suspect. We haven't isolated the bug yet. But I agree with starting over from scratch. If in doubt, use brute force.

It will be interesting to know how the hack was done, if you ever figure it out!
 

I think that using a new phone, a new phone number with a virtual operator and a new rechargeable card is a good starting point. Not sure about changing bank. But I will look for the one (that or which?) offers the hardware tokens. I don't think FreeBSD and my email address or my PayPal account are compromised. Rationale suggests to me that if I change everything I will not understand what's broken.
 
It might be enough, I guess.

Maybe I'm a little bit masochistic, yes, but also a bastard inside. I mean that I would like this kind of attack to happen again in the future. For sure, my goal is to create some kind of bait. If and when it happens, the attacker will find less money inside the account, but he will be exposed one more time and it will be easier for the police to find him.
 
But how much is Linux capable of running Android apps? The idea would be to install them directly on Linux or emulate it with qemu-kvm... or even Android with bhyve for FreeBSD (x86/64-bit or on ARM), but that's more complicated. And then I could install the bank app inside the virtual machine. The problem here is convincing the bank employee to activate your account this way. Because if they don't activate it at the branch, you install the app but then it doesn't work. Or, even better, since Linux on the PC runs on 64-bit Intel and Android runs on ARM, it wouldn't be a good idea to use an Android x86 emulator... since it's not fully compatible... so you buy an ARM board and install Android on it. Then you show up at the bank with the board where you installed Android and tell him to validate the app for you. Hahahahaha. For example, you could use a Raspberry Pi. But there are a lot of ARM boards on the market. You should give him the impression that it's a real phone, not a homemade device made by you. But it's not impossible, since the bank employees don't understand a damn thing about it. Would there be any advantage to making all this fuss? Because you'd still be using unofficial versions of Android... This is both an advantage and a disadvantage, because maybe the attacker expects a certain phone to have a stock ROM or a modified ROM already known to the majority, but instead he finds an odd version of Android, used by a few people, that doesn't have the vulnerabilities he'd expect ;D
 
Yeah, the goal is to not spread the c/c credentials on the internet. Well, it's a good idea, but as you can see, it's not enough. There are 10000 methods to be hacked.
Nothing is perfect, but security is usually a tradeoff between safety and convenience. 2FA helps, but also never save passwords or cc credentials in a browser-managed wallet. Having to type in that stuff every time is a hassle, but that's what it takes to be on the safer side.

I do think that it's important to know how you got in trouble - this will identify the places where you do need to tighten the screws and pay attention. I personally am of the firm opinion that not paying attention to details is what gets most people into trouble. The devil is in the details, so get him out before he bites.
 
It's not going to work because those apps are checking the phone IMEI number. And that's something you can't spoof or emulate.
 

Interesting. I'm not an expert on this, but rationale is telling me that it can be done. What about if the PinePhone can run Android and/or the Android apps?
 
Not all banking apps are checking for the IMEI number, but if they don't, that's a huge security risk right there. You have to understand that banking apps are not classic Android apps. They tie to your phone IMEI, email address, and even phone number. On top of that, many of them are calculating a unique identifier number that gets tied to your phone, and they calculate that number based on phone number, IMEI... etc. As long as your PinePhone has a valid IMEI number, you can use it. Check the IMEI number by typing *#06* on the phone keypad and validate it here.
 