A good amount of money has been stolen from my bank account bypassing the double factor authentication.

Hello to everyone.

A few days ago a good amount of money was stolen from my bank account (I have home banking, but not for much longer).

I am still trying to think about how this could have happened, by reasoning about the traces left by the thief. What I know is that:

a) At the same moment that I logged into my bank account, I got an email message telling me that someone with an "Iphone 14 Pro Max" had been able to log in. But I read this email later, when I logged out, because when I was inside, my attention was focused... on the money spent.

b) The messages that I got at my email address say that he was able to enter using the Android app installed on my phone /that I never use/, because after having logged in using the double factor authentication, I use my FreeBSD system to surf to the bank home page using Firefox.

c) Looking at the timing, the thief gained access to my bank account simultaneously with me (a man-in-the-middle attack?)

d) I got some SMS telling me that he also tried to activate the Android app of the bank to my phone and to his phone, requesting the code, but since it was sent to my phone he didn't know it and he failed (this makes me think that my phone is not compromised).

My question is how he has been able to bypass the double factor authentication? How has he been able to know the user ID and the PIN code, and to validate his connection through my phone? It seems to be complicated, but probably it seems to be like this because I don't fully understand the method used. Probably for him it has been easy. It becomes easy to do something that you know and that you did several times already, no?

Also take into consideration that I had already requested to change my credit card codes twice recently.

Please feel free to express your thoughts.
 
My question is how he has been able to bypass the double factor authentication?
Does your bank have routing/account checking access?

I can withdraw money from my bank externally through PayPal with no authentication, even with my bank account having 2FA and its own card use notifications. I connected the bank to PayPal with routing/account number.
 
Does your bank have routing/account checking access?

I can withdraw money from my bank externally through PayPal with no authentication, even with my bank account having 2FA and its own card use notifications. I connected the bank to PayPal with routing/account number.

To gain access to the bank account I open the web page, I enter the user ID and the PIN, and then it sends a request to a specific Android app that I have installed on my phone. What I need to do is enter the PIN number and it will be accepted automatically, and then I will jump to the web page of the bank on my PC, where I have installed FreeBSD + Firefox.
 
Using text messaging for securing accounts is ludicrous. TEXT MESSAGES ARE NOT SECURE.

Why companies would try to use them for security functions is dumb.

 
Wireless connection?
 
Using text messaging for securing accounts is ludicrous. TEXT MESSAGES ARE NOT SECURE.

Why companies would try to use them for security functions is dumb.


SMS is offered as the last chance to gain access... only if you can't insert the PIN number inside the app.
 
Can you clarify which method you used for the second factor?

To gain access to the bank account I open the web page, I enter the user ID and the PIN, and then it sends a request to a specific Android app that I have installed on my phone. What I need to do is enter the PIN number and it will be accepted automatically, and then I will jump to the web page of the bank on my PC, where I have installed FreeBSD + Firefox. If you don't enter the PIN number 3 times because the time has expired, the app asks to send a code to the phone number via SMS.

I talked about second factor authentication because it's not only the PC involved in the authentication, but also the phone.
 
Is that Android app homemade by that bank?

Yes.

And as mentioned above, falling through to SMS is stupid. Very easy to hijack.

How can this be possible if my phone and the SIM card are always in my pocket? I suspect more a man-in-the-middle attack because my phone WAS connected via Wi-Fi. Is this kind of attack easy to do? Should the person who does this attack live within the range of my Wi-Fi connection?
 