A good amount of money has been stolen from my bank account bypassing the double factor authentication.

How what?

As I said, electronic mail on the internet is something entirely different to the WWW aka HTML. One has nothing to do with the other, and e-mail did exist long before and independent from the WWW.

Now if people insist that they want to use a service that provides their e-mail on a web-page, that they want to use a service that can open within their browser some spreadsheets attached to an e-mail by just clicking on them, that they want to use a service that will open any URL inserted into an e-mail (or a spreadsheet) within their browser by simply clicking on it, then that is their business that equates their business.

BTW, the same goes for viruses. By design an OS cannot get viruses. There is only one thing that is malconstructed and poses as an OS, that can get viruses, and that is called microsoft windows. I do not understand why anyone in the world would use such. I for my part did dump MS-DOS in 1990, because already then it failed to properly function.

Now I cannot solve people's problems, because I do not even understand why they have these problems (or why they are doing what they are doing), in the first place. I can only state that I do not have these problems, and can explain what I am doing - but that does typically only yield me negative reputation.
 
Differently-branded browsers (like Konqueror and Firefox) are not a bad layer. Use one to check links, the other to log in - and stick to it, be disciplined. Takes a LOT of self-discipline to resist the temptation of convenience in this scenario.
What is very scary is this.

I used to build SeaMonkey from custom ports tree. I usually use packages for everything. I need no custom ports..
One time I was having issues with something SeaMonkey and did some debugging. It was there I noticed that SeaMonkey was allowing some web thingy to access programs built into the ports tree.
I was blown away. I did not think a program could reach back into the ports tree to use some tool leftover from a build...

Scary thoughts.
Trick or Treat?
 
What is very scary is this.

I used to build SeaMonkey from custom ports tree. I usually use packages for everything. I need no custom ports..
One time I was having issues with something SeaMonkey and did some debugging. It was there I noticed that SeaMonkey was allowing some web thingy to access programs built into the ports tree.
I was blown away. I did not think a program could reach back into the ports tree to use some tool leftover from a build...

Scary thoughts.
Trick or Treat?
Don't spread FUD, buddy. SeaMonkey has dependencies for building and running, all of them in the Ports tree. That is called re-using components. And most of the time, people are simply reluctant to admit that they have been phished - this thread is a good example.
 
Don't spread FUD, buddy. SeaMonkey has dependencies for building and running, all of them in the Ports tree. That is called re-using components. And most of the time, people are simply reluctant to admit that they have been phished - this thread is a good example.

I admitted that I had been phished as soon as I saw clear evidence that it had happened. Why is this thread a good example?
 
I admitted that I had been phished as soon as I saw clear evidence that it had happened. Why is this thread a good example?
It took you 6 or 7 pages to admit to getting phished. Before that, you did try to pin the blame on software being insecure or out of date (which was not really the case).
 
Slow and steady wins the race.
:rolleyes:

You would have been better off if you took less time to admit and own up to something uncomfortable. 'Slow and steady' applies to people who were trying to help you. Yeah, off-hand, quick suggestions are not always the ones that solve the actual problem.
 
:rolleyes:

You would have been better off if you took less time to admit and own up to something uncomfortable. 'Slow and steady' applies to people who were trying to help you. Yeah, off-hand, quick suggestions are not always the ones that solve the actual problem.

Bro, I didn't realize I'd clicked on the phishing email. If someone hadn't suggested that I might have done so, I wouldn't have figured it out for a long time, maybe never. The reason I checked was because I believed in your competence and experience.
 
Bro, I didn't realize I'd clicked on the phishing email. If someone hadn't suggested that I might have done so, I wouldn't have figured it out for a long time, maybe never. The reason I checked was because I believed in your competence and experience.
Yeah, sometimes it takes a bit longer for some people to realize what the real problem is.

And in all honesty, with you specifically, I think you're probably in the normal range for the amount of time it takes.

I'm glad this thread did help diagnose the issue correctly, and to get it resolved.

Some things just don't make sense on the surface, and need to be checked out carefully, to avoid getting burned. Like Phishfry looking at SeaMonkey's compilation process and making a nonsensical correlation to the very compilation process being a security hole, using a very nonsensical basis to explain the conclusion. Now that I think back on that post, he was probably joking.

Computer security is like that. Most of the time, it's really a matter of paying attention to what you've got, and making sure it works as it's supposed to. Going back to the analogy I made about a door lock, even a simple and crappy lock that is easy to break is better than nothing, and most of the time, it's usually actually enough to deter casual, opportunistic miscreants. Well, if you find your stuff missing inside your place, then yeah, invest in a better lock. But even a better lock will not prevent theft if you leave the door open and unlocked anyway.
 
I lean towards what VladiBG said - more likely you entered your data into a phishing site by accident. Relatively easy to pull off and with surprisingly good results.

This happened to my gf's friend 2 weeks ago or so - she was busy with her kids doing homework and such; she felt like something was off but went with it anyway.
Unfortunately she never saw her money again.

Not that long ago there was a malware that was lurking around faceid/fingerprint scanner and popped just when you were trying to auth a payment. I remember ESET was informing about this - the "face stealing scams".
It is amazing how easy it is to fall for stuff when you are busy. One time I got a message that a FedEx package had been delivered. And I did, in fact, have a FedEx package on the way. Just before I clicked on the link, I said "Wait a minute, FedEx sends messages to my home address, not my work address."
 
SUBJECT: Disavowal Case No. 01

Dear Customer MARIO ZIO,

We are referring to case no. 01 regarding the disavowal of transactions performed using the following accounts:
payment card no. 44

for the total amount of €, which has already been credited to you by the Bank pending the appropriate checks.
The checks now completed have revealed that at the time the disavowed transactions were carried out, the Bank's technological infrastructure was not showing any anomalies or malfunctions, and that they were carried out using secure electronic commerce and authorized through the Remote Service with the credentials entrusted exclusively to you (static and dynamic codes).

This circumstance highlights a failure to comply with the obligations regarding the safekeeping of the credentials entrusted to you, and therefore your request cannot be accepted. Therefore, since the checks carried out show that the disavowed transactions were correctly authorized, we will debit the amount we credited to you when opening the case, as provided for in point B of the disavowal form you signed.
 
The only way I can think of that he got your card's cvc code was you must have typed the cvc in at some point to make an online purchase, and he's got it from your browser. Which means either your browser has been hacked, or you unknowingly typed the cvc in on a phishing fake website. Or it was a genuine website that you bought something from, and that website itself got hacked at the vendor's end, without your knowledge. Perhaps somewhere you did a transaction with suffered a data breach and those customer details were sold on the dark web. It's a nightmare.

I can't think of any other way he could have got that code. Unless he has hacked the bank itself and got it from them, of course. Or if you handed the card to someone in a retail setting and they copied it down, but you've already said that didn't happen. That is an interesting detail. Clearly he did get the cvc from somewhere.
If one logs into a bank account via browser then he/she can see a list of cards. I think many platforms provide a way to see the card's details, like the card's number, owner, etc. They often expose the CVV number as well. Even the PIN of the card can be shown. However, to see the card's details an additional authorization is required.
 
If one logs into a bank account via browser then he/she can see a list of cards. I think many platforms provide a way to see the card's details, like the card's number, owner, etc. They often expose the CVV number as well. Even the PIN of the card can be shown. However, to see the card's details an additional authorization is required.

I didn't give any kind of authorization. I have only clicked on that damn email, without being aware that I did it. They say that I haven't been able to safekeep the credentials entrusted to me. This is the crucial point. That in my opinion, I acted as a normal user, certainly not an expert in the area, since I accidentally clicked on an email while already connected to the bank's website. But the point here is that users are required to take greater precautions, which implies that they must have further knowledge of the subject beyond the usual use of the tool. Something like: out of 100 people, how many occasionally check their emails while making a transaction with the bank? In my opinion, this is intended to punish ignorance, asking users to develop a certain level of knowledge in a field that isn't theirs. And who pays for the additional security knowledge they must acquire? I'd also add that since the world is now so financialized and we've been provided with so many conveniences at our fingertips, simply telling us to do without a useful tool is acting like a bastard. Because first they create easy conditions for you to make mistakes and get scammed, then once you've fallen for it, they tell you why you signed up. So, if you didn't want me to sign up, why did you tempt me in a thousand ways and make it necessary for me to use a tool that appears safe, at least from the perspective of a user who isn't well-versed in security, but it isn't?
 
Aw, bad news. But I knew this would happen.

Bank is telling lies. At the same time they aren't providing any proof. A big question is still open. Since the attacker knew every detail of the card, I simply suspect that they have some responsibility, because their level of security wasn't so great.
Now I don't know what could be the next step for me, to safeguard my rights.
 
No, I don't think it makes sense to complain about the bank there. I would talk to a lawyer then. Unfortunately, lawyers want money to talk to them.

Or consider it a learning experience and do nothing.
 
No, I don't think it makes sense to complain about the bank there. I would talk to a lawyer then. Unfortunately, lawyers want money to talk to them.

Or consider it a learning experience and do nothing.

It seems I can counter the bank's stance. That's already a lot. I'd like to ask you, highly skilled IT and security experts, to draft a brief document that raises concerns and crucial questions about how banks protect their customers. This is because they cling to the belief that their systems are super secure. They can't say any system is. However, we can remind them that the customer is never entirely responsible in these cases. I'm referring primarily to the fact that the attacker knew the security code on the back of the card. Since I'd never used my card credentials to make purchases directly with it, I never entered it online. This leaves me perplexed that that code could have been stolen from the bank's database. Not to mention that the transactions the thief made didn't require my authorization. From the dynamics of the event, I have established (and have the proofs) that the app was uninstalled from the phone and reactivated on the thief's phone. I strongly believe this level of incisiveness could call into question the security procedures they have in place, as I didn't have the codes to do so.
 
It is amazing how easy it is to fall for stuff when you are busy. One time I got a message that a FedEx package had been delivered. And I did, in fact, have a FedEx package on the way. Just before I clicked on the link, I said "Wait a minute, FedEx sends messages to my home address, not my work address."
I've had just that experience. An official looking text pops up saying "your DPD delivery is late, click this link"... and I had just recently ordered something on ebay. I stopped myself from clicking the link. The parcel was delivered later that same day. The text was phishing. Or sometimes they mention a particular delivery company, I go check where I bought the thing from and it's coming with a different carrier... :)

I guess if they send out thousands of texts saying "your parcel with big well known carrier is late" they are bound to score a few hits from people who are using the same carrier for real, by sheer chance.
 