A good amount of money has been stolen from my bank account, bypassing the two-factor authentication.

To safeguard against DNS spoofing leading you to a fake phishing website, you could set up secure DNS over TLS (DoT) to try to guarantee that when you type a URL in the browser search bar you will actually get to the real website you want to get to. There are a couple of useful articles here https://blog.des.no/tag/dns on setting up DoT to both Cloudflare and Quad9 on FreeBSD. To prove it is working you can block outgoing port 53 in your firewall, guaranteeing all DNS requests are routed via local_unbound, which itself is configured to talk to the secure DNS server over TLS. That website has a nice explanation of how it all works. I've been doing that since FreeBSD 12; it seems to work fine. So perhaps Cloudflare or Quad9 log the sites I visit... well, I'd rather that than end up on a phishing fake bank site.

Recent versions of Firefox also have their own version of secure DNS called DNS over HTTPS (DoH); however, I have read some articles saying there are some security concerns with that, that it is vulnerable to other types of attack, so I have stuck with DoT. Of course this is not a 100% guarantee that you won't end up on a phishing site, but AFAIK it's about the best you can do (although I'm no security expert, so you shouldn't listen to what I say :)). There is a test page here from Cloudflare that you can run to check that your browser has encrypted DNS enabled https://www.cloudflare.com/ssl/encrypted-sni (click on "check my browser"). Of course this does mean you are putting your trust in Cloudflare, Quad9, Google or whoever's encrypted DNS server you are going to use, over the one your internet provider has given you.
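The DoT setup described above, as an added example that is not part of the original post: the unbound forward zone that sends every lookup to Cloudflare (or Quad9) over TLS on port 853, and the pf rule that blocks plain port-53 DNS so nothing on the box can bypass local_unbound. The file paths and the CA bundle location are assumptions about FreeBSD's base local_unbound; check them against your release.

```conf
# /var/unbound/forward.conf (assumed path; local-unbound-setup generates this
# file, so keep a copy before editing it)
#
# "." means the root zone, i.e. every query is forwarded. The "#hostname"
# suffix makes unbound verify the upstream certificate against that name,
# so a spoofed or intercepted resolver fails the TLS handshake instead of
# returning a forged answer.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    # Quad9 alternative (either provider, or both, works):
    # forward-addr: 9.9.9.9@853#dns.quad9.net
    # forward-addr: 149.112.112.112@853#dns.quad9.net

# /var/unbound/unbound.conf (assumed path), in the server: clause.
# Without a CA bundle unbound cannot validate the upstream certificate and
# the "#hostname" check above verifies nothing. /etc/ssl/cert.pem is the
# assumed base-system bundle; older releases used the security/ca_root_nss
# port at /usr/local/share/certs/ca-root-nss.crt instead.
server:
    tls-cert-bundle: "/etc/ssl/cert.pem"

# /etc/pf.conf: drop plain DNS leaving the host so every lookup has to go
# through local_unbound, which itself only talks to 853/tcp. "return" makes
# a misconfigured client fail immediately instead of timing out. If your
# ruleset blocks outbound traffic by default, also pass 853/tcp.
block return out quick proto { tcp, udp } from any to any port 53
```

After `service local_unbound restart` and `pfctl -f /etc/pf.conf`, a direct query like `drill @8.8.8.8 example.com` should fail while `drill example.com` still resolves, and `sockstat -4 -c` should show unbound's connections going to port 853.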

When the thief was able to disable my bank app I was using Cloudflare. As I said, my connection and his were established simultaneously and I don't think that this happened by coincidence. I suspect that he needed my connection to be alive to use it, in some way, to operate. I would like to know if the fact that I was using Cloudflare helped him to accomplish his fraudulent project or not.
 
I know iPhones are expen$ive ... ( I did NOT use that tariff word! )

Any chance you can buy an iOS 26.x-capable iPhone and turn on Lockdown Mode, turn off iCloud and other Apple junk? At least then you would be using the Apple Store and will not be wandering around in the Droid wilderness? Sure! It's proprietary, will likely be sunset into "an un-upgradable brick" by Apple in 5 years, and all those terrible, terrible things -- but it also runs a (heavily modified) version of *BSD Unix and you get a lot of patches quickly for it.

Do you trust Google? Apple? or No One? :)

* Really sorry this happened to you. As mentioned above your best bet is to assume everything is compromised and start over. Good luck !

I've thought about this today. One of my friends has a new iPhone and he uses face detection to authenticate himself. Another friend of mine uses his finger. They feel secure. But what happens if they received an attack like mine? I mean, if the hacker was able to disable their bank app and then enable it again on an OLDER phone model? I suspect that the bank app would still work even if the new phone, the hacker's phone, didn't have the ability to authenticate you with your finger or your face. In this case the app will probably propose that you enter the PIN number in the app, and it will send you an SMS if you aren't able to enter the PIN number in a reasonable amount of time, 3 times.
 
When the thief was able to disable my bank app I was using Cloudflare. As I said, my connection and his were established simultaneously and I don't think that this happened by coincidence. I suspect that he needed my connection to be alive to use it, in some way, to operate. I would like to know if the fact that I was using Cloudflare helped him to accomplish his fraudulent project or not.
It certainly doesn't sound like a coincidence. However, I don't know enough to know what happened. It sounds like he spoofed your phone, made another phone duplicate your phone. And somehow he appears to be able to log into your account at the bank?
 
So... one question is, is this a one-off attack that no-one has ever heard of before... or has it happened to other people using the same bank and the same phone app? Have there been any reports in the press or media about similar attacks? It sounds like the attacker had the sequence of events carefully planned, which would suggest they have done the same thing in the past, to other people. It seems to be very carefully thought out.

The attack seems to be centred on the phone and the app.
 
He disabled the bank app from my phone (Samsung Note) and he activated it on his phone (iPhone 14), so the phones even come from different makers.

This is now wild speculation on my side: the first thing that comes to my mind is that he got an active login to your account, i.e. he was able to manage it. He was therefore able to disable your devices and add his own. Not all banks have 2FA (mbank doesn't), so it's fully possible to add your device as a legit device linked to the account.
How did he get that? I still think you are the victim of a phishing attack. But then you mentioned here you got your FreeBSD forums account stolen .. that is suspicious. So too much speculation on that part ..

I have two banks (one being the aforementioned mbank) and for the other one I don't remember how I went about setting up 2FA. I think I was physically present in the bank when doing so (as Zare mentioned above). I can't log in to my bank without a cell. Has its downsides too..
 
So... one question is, is this a one-off attack that no-one has ever heard of before... or has it happened to other people using the same bank and the same phone app? Have there been any reports in the press or media about similar attacks? It sounds like the attacker had the sequence of events carefully planned, which would suggest they have done the same thing in the past, to other people. It seems to be very carefully thought out.

The attack seems to be centred on the phone and the app.

It's hard to say if this has happened to anyone. There are so many techniques, so many variables, so many exploits to try and... so much ignorance all around.
 
But then you mentioned here you got your FreeBSD forums account stolen .. that is suspicious. So too much speculation on that part ..

Are you able to share the post where I said that my FreeBSD forums account has been stolen?

I have two banks (one being the aforementioned mbank) and for the other one I don't remember how I went about setting up 2FA. I think I was physically present in the bank when doing so (as Zare mentioned above). I can't log in to my bank without a cell. Has its downsides too..

Here almost all bank accounts are low cost and they force you to install the bank app. Their price is 5 euros each month, more or less. But some banks also offer the classic bank account, which does not require the app but costs 20 euros. Let's think carefully about this kind of behavior. And tell me what you think at first sight.
 
I am not sure the Phone bashing is justified.

iOS and Android are very much like macOS and Linux software-hosting-wise, but with a lot more mitigations enabled where the desktop stuff lags behind.

Then there is the whole encrypted boot process which is pretty streamlined.
 
I'd also like to add a small detail. Once the guy accessed my bank account, he didn't withdraw the money; he made no transfers from my c/c to his. Obviously, I'd say so. But he made purchases on several websites, one for buying video games and the other one to buy clothing. So, he used my credit card details. The point is that to do that, you need to know the security code written on the back of the card. And no one knows that code. And I'm sure it is not listed inside any bank account.
 
Here almost all bank accounts are low cost and they force you to install the bank app. Their price is 5 euros each month, more or less. But some banks also offer the classic bank account, which does not require the app but costs 20 euros. Let's think carefully about this kind of behavior. And tell me what you think at first sight.

Upkeep (the amount you pay to have account) doesn't matter for this case.
What matters is the procedure of installation of m-banking on the cellphone. Do you have to physically go to the bank to activate the application or can it be done 'automatically'?
 
Upkeep (the amount you pay to have account) doesn't matter for this case.
What matters is the procedure of installation of m-banking on the cellphone. Do you have to physically go to the bank to activate the application or can it be done 'automatically'?

The account can be activated by me, but I can't use it if the clerk at the bank does not prepare it. I saw that he takes a grid of codes and enters them into his terminal... the app works only on the phone where it has been prepared.
 
I'd also like to add a small detail. Once the guy accessed my bank account, he didn't withdraw the money; he made no transfers from my c/c to his. Obviously, I'd say so. But he made purchases on several websites, one for buying video games and the other one to buy clothing. So, he used my credit card details. The point is that to do that, you need to know the security code written on the back of the card. And no one knows that code. And I'm sure it is not listed inside any bank account.
Hm, that suggests this was some sort of "script kiddie". Normally you'd expect stolen money to "be gone".

Not all transactions require CVV (card verification value), it could be he tried his luck.
 
Hm, that suggests this was some sort of "script kiddie". Normally you'd expect stolen money to "be gone".

Not all transactions require CVV (card verification value), it could be he tried his luck.

A guy not so smart, because he took a relatively high amount of money and he triggered the system protection for "security" reasons. Now I don't know if that sum of money will come back to me or if I will have lost it after the restriction is removed.
 
I'm planning to buy a very inexpensive Android phone (max 50 euros) that I will use only for home banking. I will not install anything, nada de nada, inside it. Or maybe a very old iPhone? (again no more than 50 euros), if it is more secure than an Android phone. Or? Does someone want to suggest something?
 
Does someone want to suggest something?
How much security do the apps need? Waydroid on Linux runs apps, but I'm not sure about integrity checks.

Otherwise I might go for a cheap iPhone (older iOS security likely better than older cheaper Androids); maybe a 6S+ or SE1 at a minimum unless apps knowingly need a newer iOS version.

I don't know how Play Store integrity works nowadays; my OnePlus 6 used to pass strong integrity, but now can't even after doing known-full stock restores (not sure if it's some deep partition/keystore thing or if Google just doesn't like old devices). Kind of tricky to recommend devices based on random Google decisions :p

I have an SE1 still that boots and logs in to iCloud no problem that I'd consider using for "secure" apps, but 16GB is a bit limited (I'd recommend 32GB+ unless you don't plan on taking pics and have very few apps; iirc more than half of the 16GB is OS-reserved too)
 
I'm planning to buy a very inexpensive Android phone
I want to avoid the hardware aspect and focus on cellular carriers. Cheap ones.

This is going to be different country to country but here in US we have MVNO operators.
They do not have towers but have carriage agreement with major carriers.
Resellers if you will.
Straight Talk and Consumer Cellular are big as is Tracfone.

I use StraightTalk but I feel as an MVNO customer Verizon/ATT sells my information more than they would a customer of theirs.
I literally have no expectation of privacy because I am always "roaming".
When spammers get notice I am moving between towers I get text messages from spammers.
They are sold the info that I am moving and use it.

I would like to think that Verizon and ATT are somewhat more discreet with their own customers. Perhaps not.

So consider this. Roaming customer or network customer. Who do you think they care more about?

 
I use StraightTalk but I feel as an MVNO customer Verizon/ATT sells my information more than they would a customer of theirs.
Tracfone probably has enough things going on to worry about selling user data (they can't tell me after years why VVM won't activate on Android aside from an IMEI check -> "device is too old" vagueness; also managed to send out a new iPhone from their store without charging a card or order details :p)

I like they kind-of make tower switching easy with SIM kits in dollar stores (I tried AT&T and T-Mo for different hotspot stuff and VoLTE); they're extra picky about trying to get on Verizon's towers though. Not sure about tower tracking, but I do Tower Collector (OpenCellID) and give that info away for free anyway :p

I'm mainly familiar with SafeLink but Tracfone's umbrella is huge; iirc there's 3 semi-secret corporate phone numbers if you need to contact support and know what you're doing. Hotspot restrictions differ between ATT and TMo
 
My point is that with every hop on somebody else's network you are introducing third parties. More people seeing your packets.
American Tower Company owns the tower and the rack-mount shed.
Local Internet company may provide tower fiber feed.
Israeli company does all the billing.
Carlos Slim owned the MVNO.

There are just so many holes it's not funny or secure.
 
I'm planning to buy a very inexpensive Android phone (max 50 euros) that I will use only for home banking. I will not install anything, nada de nada, inside it. Or maybe a very old iPhone? (again no more than 50 euros), if it is more secure than an Android phone. Or? Does someone want to suggest something?

I don't think that is a good plan. Getting a phone put together at amateur hour? No way.
 