A good amount of money has been stolen from my bank account, bypassing two-factor authentication.

That's why I never use a shoe-phone for *any* security- or privacy-critical task. I don't trust them even half the distance I could throw them - and I'm using a de-googled LineageOS on my phones (ever since I had to retire my last Blackberry...)

Use TOTP as a second factor, and for banking *only* rely on a physical TAN generator, and only the simplest version without any connectivity: the type where you have to *physically* insert your banking card and either enter an init code or scan it from a QR code.
If your bank tries to force you to use some phone-crap or even wants you to do all your banking on a toy phone, tell them to sod off. Among all those annoying and useless EU regulations, thankfully there are a few useful ones, e.g. some that forbid them from making such app-crap mandatory, as they still have to enable access for people without a smartphone (of course except for *optional* account models that are specifically tailored for such apps).
That's how it's supposed to be used. But when I suggest something like this to my friends, they say it's too much hassle, inconvenient, and not needed. I'm too paranoid and should relax. Being stupid is a choice.
 
I agree with sko and MrBSD. I have no payment apps on my phone -- I think Google Pay is on there, but I'm not signed up for it. My wife does use her Apple Pay and finds it convenient, but I use my phone almost entirely for calls, texts, and as an e-reader using the Nook and Kindle apps. My email on it is a throwaway one that is used only to give to stores and anything else where I expect spam. Being old and a bit of a Luddite, I find myself agreeing with some comedian (also an older person) who did a whole routine about someone using their phone to pay for something like a $2.00 USD cup of coffee.
 
Among all those annoying and useless EU regulations, thankfully there are a few useful ones, e.g. some that forbid them from making such app-crap mandatory, as they still have to enable access for people without a smartphone.
Many banks are forcing people to install apps to do everything on the phone, not only TAN generation, and they found a way to do it while conforming to EU law. An example is n26. I just deposit no more than 100 EUR there and top it up after spending almost all of it. I use it as a cheap prepaid Visa. For more than that, such a bank is not usable.
 
I want to comment on some interesting points you have raised:

1) search for a bank that can provide hardware tokens.

It's hard to find them. Today I talked with two bank directors. They said that there aren't banks that offer hardware tokens anymore, at least here.

2) opened a phishing page

Looking at the sequence of events, I don't think that I have opened a phishing page. Basically I never use the phone to surf the internet and I don't use the app installed on the phone to play with money. When the connection is established, I'm pushed to use Firefox installed on FreeBSD. Anyway, I don't think that a phishing page can emulate the two-factor authentication used by the bank.

How has he been able to steal my money? These are the steps that were followed:

Code:
1) The attacker tried to register the bank app to my phone. I got the code by SMS.

2) The attacker tried to register the bank app to his phone. I got the code by SMS, BUT
at this point he read it in some way, because we jump to point 3.

3) The attacker was able to log in to the app (I was warned by email).
So he discovered the code sent in point 2.

3) Access to banks, government services, etc. is only through a PC with FreeBSD. Confirmations are sent to the push-button phone, which doesn't have internet access.

Without internet access I can't use the app and I can't log in to my bank account.

4) Android is evil

I know. But every bank here forces its customers to install that particular bank's Android app. If you don't want to do it, you can't have a relationship with it.
 
What can I do for the future? I think that I will buy a new low-cost phone with a new SIM card, which I will use only for making my money transactions. No one should know what the number is, and I will never use Android on it.

From what I've heard, I'm forced to install an Android app if I want to do some home banking. So the only defence strategy that I have is that no one will know the phone number assigned.
 
Anyway, I don't think that a phishing page can emulate the two-factor authentication used by the bank.
They don't need to emulate that. You provided them your id/password. They can send that info to the actual bank (as if you were logging in to the actual bank), wait for you to send the token back to them and go from there.
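The relay described above, as an added example that is not part of the original thread: a constructed toy "bank" and "card" built on HMAC-SHA256 (the shared secret, the session id and the IBANs are assumed values, and the functions are not any real bank's protocol). It shows why a login code sent by SMS or TOTP survives a phishing relay, while a chipTAN-style code computed over the transaction data (the offline card-reader type recommended earlier in the thread) does not: the relayed login code is bound only to a session the attacker opened, whereas the TAN is bound to the IBAN and amount the card actually displayed.

```shell
#!/bin/sh
# Added example: a constructed simulation, not a real banking protocol.
# Bank and card share one secret (assumed value) and both use HMAC-SHA256.

SECRET="0123456789abcdef0123456789abcdef"   # assumed seed shared by bank and card/phone

hmac_hex() {  # hmac_hex <key> <message> -> hex digest on stdout (needs openssl)
    printf '%s' "$2" | openssl dgst -sha256 -hmac "$1" | awk '{print $NF}'
}

# --- Case A: one-time login code (SMS/TOTP style). It is bound to a login
# session, not to what is being approved, so whoever holds the code wins.
bank_send_login_code() {      # bank_send_login_code <session-id> -> 6-digit code
    hmac_hex "$SECRET" "login:$1" | cut -c1-6
}
bank_verify_login_code() {    # bank_verify_login_code <session-id> <code>
    [ "$(bank_send_login_code "$1")" = "$2" ]
}

# The relay: the attacker opens a session at the real bank with the id/password
# the victim typed into the phishing page; the bank texts the victim a code; the
# victim types that code into the same phishing page; the attacker submits it.
relay_attack_login() {
    session="attacker-opened-session"               # assumed session id
    code_on_victims_phone=$(bank_send_login_code "$session")
    code_typed_into_phishing_page="$code_on_victims_phone"
    if bank_verify_login_code "$session" "$code_typed_into_phishing_page"; then
        echo accepted
    else
        echo rejected
    fi
}

# --- Case B: chipTAN-style offline generator. The card computes the TAN over
# the transaction data it shows on its own display (read from the bank's
# QR/flicker code); the bank verifies over the transaction it actually holds.
card_compute_tan() {          # card_compute_tan <iban> <amount> -> 6-digit TAN
    hmac_hex "$SECRET" "transfer:$1:$2" | cut -c1-6
}
bank_verify_transfer() {      # bank_verify_transfer <iban> <amount> <tan>
    [ "$(card_compute_tan "$1" "$2")" = "$3" ]
}

# The phishing page shows the victim a harmless-looking transfer while the
# attacker submits a transfer to his own IBAN. The TAN the card produces covers
# the data the card displayed, so it does not verify over the attacker's IBAN.
# (If the attacker relays the bank's real challenge instead, the card displays
# the attacker's IBAN; the only way in is the victim approving that on purpose.)
relay_attack_transfer() {
    attacker_iban="XX00ATTACKER0000"               # assumed
    shown_to_victim_iban="IT00LEGITIMATE00"        # assumed
    tan=$(card_compute_tan "$shown_to_victim_iban" "10.00")
    if bank_verify_transfer "$attacker_iban" "10.00" "$tan"; then
        echo accepted
    else
        echo rejected
    fi
}

echo "relayed SMS/TOTP login code: $(relay_attack_login)"
echo "relayed transaction-bound TAN: $(relay_attack_transfer)"
```

Run it with any POSIX sh and openssl installed; the first line prints "accepted", the second "rejected". The distinction is what the code is bound to: the login code proves only "someone who can read the victim's phone is present", while the chipTAN proves "the card computed this over exactly this IBAN and amount", which is why the thread's advice to insist on an offline card reader holds up against the relay described in this reply.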
 
From what I've heard, I'm forced to install an Android app if I want to do some home banking. So the only defence strategy that I have is that no one will know the phone number assigned.

Here in Romania the banking system introduced a shared database containing a set of personal information tied to every single IBAN number - used to identify the holder of an IBAN account when wire transfers are initiated. The data set contains the IBAN #, the name of the account holder, the address and the phone number.

And my hunch is that this database has been leaked already - since I received a scam phone call from someone who knew this exact data set and tried to fool me into sending them money in order to disable a credit line that I never asked for. Watch out if this is also a thing in Italy.

They started to sunset hardware tokens here as well because of all the muppets requesting to do everything with their damn phone, but fortunately some of the banks still support them. Can't wait for the next generation of authenticators that replace phones with everyone's AI copilot.
 
Any fscking utility has your name, phone number and bank account # if you ever wired money to them,
also countless shitty state agencies which happen to wire you money for some reason,
like child allowance, scholarship money and probably others.
 
To safeguard against DNS spoofing leading you to a fake phishing website, you could set up secure DNS over TLS (DOT) to try to guarantee that when you type a URL in the browser search bar you will actually get to the real website you want. There are a couple of useful articles here https://blog.des.no/tag/dns on setting up DOT to both Cloudflare and Quad9 on FreeBSD. To prove it is working you can block outgoing port 53 in your firewall, guaranteeing all DNS requests are routed via local_unbound, which itself is configured to talk to the secure DNS server over TLS. That website has a nice explanation of how it all works. I've been doing that since FreeBSD 12; it seems to work fine. So perhaps Cloudflare or Quad9 log the sites I visit... well, I'd rather that than end up on a phishing fake bank site.

Recent versions of Firefox also have their own version of secure DNS called DNS over HTTPS (DOH); however, I have read some articles saying there are some security concerns with that, that it is vulnerable to other types of attack, so I have stuck with DOT. Of course this is not a 100% guarantee that you won't end up on a phishing site, but AFAIK it's about the best you can do (although I'm no security expert, so you shouldn't listen to what I say :)). There is a test page here from Cloudflare that you can run to check that your browser has encrypted DNS enabled: https://www.cloudflare.com/ssl/encrypted-sni (click on "check my browser"). Of course this does mean you are putting your trust in Cloudflare, Quad9, Google or whoever's encrypted DNS server you are going to use, over the one your internet provider has given you.
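The local_unbound-plus-firewall setup described in this post, as an added example that is not from the thread or from the linked blog: shell functions that emit the DoT forwarding stanza for FreeBSD's base local_unbound, the matching pf rules that refuse cleartext port-53 egress, and a drill-based check. Assumed: local_unbound keeps its forwarders in /var/unbound/forward.conf and its main config in /var/unbound/unbound.conf, the base CA bundle lives at /etc/ssl/cert.pem, and the Quad9/Cloudflare addresses and TLS names are their published ones.

```shell
#!/bin/sh
# Added example (not from the thread or blog.des.no). DNS-over-TLS forwarding for
# FreeBSD's base local_unbound plus a pf rule that blocks plain DNS leaving the host.
# Assumed paths: /var/unbound/forward.conf, /var/unbound/unbound.conf, /etc/ssl/cert.pem.

# Forwarding stanza for /var/unbound/forward.conf: every query goes to the
# upstream over TLS on port 853; the name after '#' is the certificate name
# unbound must see, so a spoofed resolver on the path fails the TLS handshake.
# Pass "cloudflare" to use 1.1.1.1/1.0.0.1 instead of Quad9.
dot_forward_conf() {
    case "${1:-quad9}" in
        cloudflare) a1="1.1.1.1@853#cloudflare-dns.com"; a2="1.0.0.1@853#cloudflare-dns.com" ;;
        *)          a1="9.9.9.9@853#dns.quad9.net";      a2="149.112.112.112@853#dns.quad9.net" ;;
    esac
    printf 'forward-zone:\n    name: "."\n    forward-tls-upstream: yes\n'
    printf '    forward-addr: %s\n    forward-addr: %s\n' "$a1" "$a2"
}

# Option that must sit in the server: section of /var/unbound/unbound.conf so
# unbound validates the upstream certificate against the system CA bundle.
dot_server_opts() {
    printf '    tls-cert-bundle: "/etc/ssl/cert.pem"\n'
}

# pf rules: let the resolver's TLS sessions out, refuse any cleartext DNS
# (TCP or UDP port 53) leaving the host so nothing can silently fall back.
dns_pf_rules() {
    printf 'pass out quick proto tcp to port 853\n'
    printf 'block return out quick proto { tcp, udp } to port 53\n'
}

# Write the forwarders file (root only). Do not re-run "service local_unbound
# setup" afterwards: it regenerates forward.conf from the DHCP-supplied resolvers.
install_dot_forwarders() {
    dot_forward_conf "${1:-quad9}" > /var/unbound/forward.conf &&
    service local_unbound restart
}

# Check after loading the pf rules: a direct port-53 query must fail, and a
# query through local_unbound on 127.0.0.1 must still resolve (drill is in base).
check_dot_only() {
    if drill example.com @9.9.9.9 >/dev/null 2>&1; then
        echo "plain DNS still leaks"; return 1
    fi
    if ! drill example.com @127.0.0.1 >/dev/null 2>&1; then
        echo "local_unbound is not answering"; return 1
    fi
    echo "ok: only DoT via local_unbound"
}

echo "--- forward.conf (quad9)"; dot_forward_conf quad9
echo "--- add to unbound.conf server: section"; dot_server_opts
echo "--- add to pf.conf"; dns_pf_rules
```

Append the pf lines to /etc/pf.conf and `pfctl -f /etc/pf.conf`, then run `check_dot_only`. The `#name` pin on each forward-addr is what turns DoT from "encrypted" into "authenticated": without it, unbound encrypts to whoever answers on 853, which is no help against a spoofed resolver. The port-53 block is what makes the setup testable, as the post says: if anything still resolves, something is bypassing the local resolver.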
 
The security of Android internet banking applications is based on X.509, at least that is the case for major European banks.

My m-banking application requires physical activation at the bank. You download the application normally from the store, at any time beforehand. But it is at that moment that you sign the activation papers, your encrypted certificate bundle is downloaded to the device, and then the clerk generates activation numbers, which decrypt the bundle, and you go on to protect it by defining a PIN.

Man in the 2FA middle doesn't work because of physical human contact.

Later on, it's like anything else: Android sucks, but you should still have nominal security. E.g. I don't believe something like a Google Pixel can be easily remotely exploited. Installing shady applications from Google Play might leak some of your personal data, but application keystores, and exploiting the system to catch PIN entry? I don't think so.

The problem is that my bank removed e-access in favour of m-access years ago. Technically people have been nagging about that for a while, because no one likes having to manage a separate device just to have a sense of mobile security, but people give in and install it on the main phone, which they tend to use with care (meaning only Google steals your data), and we still haven't got any decent case where the system was exploited without grave, capital user error.
 
I know iPhones are expen$ive ... ( I did NOT use that tariff word! )

Any chance you can buy an iOS 26.x-capable iPhone and turn on Lockdown Mode, turn off iCloud and other Apple junk? At least then you would be using the Apple Store and would not be wandering around in the Droid wilderness. Sure! It's proprietary, will likely be sunset into "an un-upgradable brick" by Apple in 5 years, and all those terrible, terrible things -- but it also runs a (heavily modified) version of *BSD Unix and you get a lot of patches quickly for it.

Do you trust Google? Apple? or No One? :)

* Really sorry this happened to you. As mentioned above your best bet is to assume everything is compromised and start over. Good luck !
 
It's been said a few times here before. Smartphones are the least secure devices that you can use. I would highly recommend separating your important data from them.
 
There is no solution that will 100% mitigate this hack. A SIM card swap attack and email spoofing are both simple tasks for anyone intent on putting in the work to steal identity. Even authenticator apps like M$'s and Google's can be spoofed.
 
c) Looking at the timing, the thief gained access to my bank account simultaneously with me (a man-in-the-middle attack?)

d) I got some SMS messages telling me that he also tried to activate the bank's Android app on my phone and on his phone, requesting the code, but since it was sent to my phone he didn't know it and he failed (this makes me think that my phone is not compromised)

The hacker compromised your browser: he had access to your cookie/session data and tried to log in to your bank account, triggering the SMS/banking app. When you logged in, you validated your browser session for login; this information was stored on the server as well as in some data that resides in your cookies. He simply took the data from your browser and hijacked your session.

The question is: how did he transfer that money? Was it via small amounts that did not need your banking app to confirm? Did you confirm transactions by error?
 
I maintain a separate unix userid that I only use for financial stuff. I strictly isolate that user from the rest of the system, and it only does financial and related work. I run a separate X11 session for it and a separate isolated instance of the browser. The next level up would be to dedicate a separate physical machine to financial. Or run a jail or VM dedicated to it. Maybe I need to think about doing something like that.
 
The hacker compromised your browser: he had access to your cookie/session data and tried to log in to your bank account, triggering the SMS/banking app. When you logged in, you validated your browser session for login; this information was stored on the server as well as in some data that resides in your cookies. He simply took the data from your browser and hijacked your session.
How was the browser compromised? How did they hack the browser?
 
It seems to me that either (a) this was a DNS spoof and phishing attack, or (b) they ran a browser exploit, for example using JavaScript, that gained control of the browser process, or (c) they actually compromised the machine itself and hacked their way in to get a login. I expect there are other possibilities I haven't thought of. Hmm, or (d) maybe the machine has picked up a rootkit from somewhere... there are lots of possibilities. Or maybe the attack originated at the server end.
 
There is no solution that will 100% mitigate this hack. A SIM card swap attack and email spoofing are both simple tasks for anyone intent on putting in the work to steal identity. Even authenticator apps like M$'s and Google's can be spoofed.
Yes, maybe Cy is right; maybe worrying about the machine being hacked is barking up the wrong tree.
 
This event surely puts more kindling on the fire of his idea of creating a FreeBSD-based phone. With blackjack and hookers.
In fact, forget the blackjack. :)

I'd doubt that any modern EU e-banking system would rely on a cookie alone to pull this off; true, though, I didn't test this myself and web pentesting is not my cup of tea; this should be /relatively/ easy to try at home.

As you started this thread/Q, ZioMario: rootbert asked a good question - how did you transfer the money? What was the action resulting in you losing it? You didn't mention by what means you lost it either (credit card, money transfer...).

Btw. since Oct 09, 2025 the EU requires SEPA transfers to match the IBAN with the account name (VoP - verification of payee). While it doesn't protect against the user mistake of "pushing through" with the payment, it helps by raising a red flag when you do send money.
 