A good amount of money has been stolen from my bank account bypassing the double factor authentication.

Phishfry · 2025-10-21T02:49:02+0100

My point is every hop on somebody else's network you are introducing third parties. More people seeing your packets.
American Tower Company owns tower and rack mounts shed.
Local Internet company may provide tower fiber feed.
Israeli company does all the billing.
Carlos Slim owned the MVNO.

There are just so many holes its not funny or secure.

cracauer@ · 2025-10-21T02:50:21+0100

ZioMario said:
I'm planning to buy a very inexpensive Android phone (max 50 Euros),that I will use only for the home banking. I will not install anything,nada de nada inside it. Or maybe a very old iphone ? (always no more than 50 euros),if it is more secure than an Android phone. Or ? Someone wants to suggest something ?

I don't think that is a good plan. Getting a phone put together at amateur hour? No way.

freezmi · 2025-10-21T03:21:51+0100

ZioMario said:
I'd also like to add a small detail. Once the guy accessed my bank account, he didn't withdraw the money, he made no transfers from mine to his c/c. Obviously, I'd say so. But he made purchases on several websites, one for buying video games and the other one to buy clothing. So, he used my credit card details. The point is, that to do that, you need to know the security code written to the back of the card. And no one knows that code. And I'm sure it is not listed inside any bank account.

so he also bypassed 3DSecure 2FA while paying for online goods? or is this a service not enabled by your bank?

what I recommend (not sure which of these exist in your part of the world):

- make sure you got a debit card not a credit card. this way they can't get funds from thin air
- enable 3DSecure 2FA
- set up very tight limits to daily POS and withdrawal amounts (these are set separately for each card)
- enable sms notifications for every purchase/transfer done via your current account and double check them on your phone
- do not leave lots of money in your current account - move them to deposits so they are out of the card's reach
- distribute your money to multiple banks, disable the card issued by those banks where you only have long term deposits

of course some of these can be circumvented if they are able to login into your homebanking, but it's important to try to cover as much as you can.

and regarding your browser security:
- disable password/form autocompletion (they might have got your CCV from here?)
- do not use extensions outside of uBlock, privacy badger, no script
- use strict protection
- as others have said, use a separate userid for your browser and yet another userid dedicated to only do banking with your browser. always close other browsers when a banking browser is running (x11 is very keylogger friendly, every application gets all keystroke events)
- enable the 'delete cookies and site data once the browser is closed'

also if you end up buying a second hand phone/tablet make sure you can re-install the official OS from scratch without jailbraking it.

astyle · 2025-10-21T04:00:51+0100

Just my 2 cents here, but some of those phone apps do not completely disconnect when the banking chore is over. One needs to properly log out every time, even if it's a bit of a chore. Click that 'logout' link, navigate to your profile in the app, and log out using that logout link.

Also - some phone apps do not completely close when they get dismissed. You can still switch between open apps (including the banking app) after dismissing the app from the phone's screen. It's possible to completely close a dismissed app, but it takes some effort and discipline.

But probably the most important part - keep a tight leash on the money, know ALL of what's coming in and what's coming out. Yeah, it's that important. That way, it's easier to spot a suspicious item/transaction that you did not authorize - and yes, take the bank to task on that. It might take resetting the entire mechanism a few times before you get it right.

blackbird9 · 2025-10-21T04:11:54+0100

cracauer@ said:
I am not sure the Phone bashing is justified.

IOS and Android are very much like macOS and Linux software hosting wise, but with a lot more mitigations enabled when the desktop stuff lacks behind.

Then there is the whole encrypted boot process which is pretty streamlined.

Yes, could be. Perhaps the issue is that like ms-windows, android in particular attracts a lot more hacking attempts, because they know there is a very large large group of users, so statistically the hackers have a higher chance of success. I'm regularly reading about apps loaded with malware being removed from appstores, for example.

cy@ · 2025-10-21T04:12:40+0100

cracauer@ said:
I am not sure the Phone bashing is justified.

Ok, I'll bite.

Taking this thread sideways, when her kids were still babies, to keep them quiet my daughter would give her phone to them. Invariably kids would bash the phone, using it as a hammer. No wonder her phone was always cracked and beat up.

Phone bashing isn't justified and neither is giving your phone to a baby to use as a hammer.

Sorry. I couldn't help myself.

ZioMario · 2025-10-21T09:01:03+0100

freezmi said:
so he also bypassed 3DSecure 2FA while paying for online goods? or is this a service not enabled by your bank?

what I recommend (not sure which of these exist in your part of the world):

- make sure you got a debit card not a credit card. this way they can't get funds from thin air
- enable 3DSecure 2FA
- set up very tight limits to daily POS and withdrawal amounts (these are set separately for each card)
- enable sms notifications for every purchase/transfer done via your current account and double check them on your phone
- do not leave lots of money in your current account - move them to deposits so they are out of the card's reach
- distribute your money to multiple banks, disable the card issued by those banks where you only have long term deposits

of course some of these can be circumvented if they are able to login into your homebanking, but it's important to try to cover as much as you can.

and regarding your browser security:
- disable password/form autocompletion (they might have got your CCV from here?)
- do not use extensions outside of uBlock, privacy badger, no script
- use strict protection
- as others have said, use a separate userid for your browser and yet another userid dedicated to only do banking with your browser. always close other browsers when a banking browser is running (x11 is very keylogger friendly, every application gets all keystroke events)
- enable the 'delete cookies and site data once the browser is closed'

also if you end up buying a second hand phone/tablet make sure you can re-install the official OS from scratch without jailbraking it.

man,make it easier : all that you say means only that the phone should not be used at all to make money transactions

blackbird9 · 2025-10-21T10:02:03+0100

ZioMario said:
When the thief has been able to disable my bank app I was using CloudFlare. As I said,mine and his connections have been established simultaneously and I don't think that this happened for a coincidence. I suspect that he needed that my connection was alive to use it,in some way,to operate. I would like to know if the fact that I was using CloudFlare helped him to accomplish his fraudolent project or not.

It does make me worry if cloudflare themselves have been hacked. The whole point of secure dns is to prevent website spoofing. But if the secure dns service provider itself has been hacked, all bets are off.

blackbird9 · 2025-10-21T10:06:31+0100

This is the kind of headline that makes me nervous about using a phone to do financial transactions. And by that I mean don't use actual bank websites on the phone. The 'phone bashing' is not completely irrational.

Like windows, it's too large a target audience for the crims not to go after it. This article was posted just a couple of months ago. Remember these are just the apps they know about.

77 malicious apps removed from Google Play Store

Researchers have found 77 malicious apps in the official Google Play Store ranging from adware to state of the art banking Trojans.

www.malwarebytes.com

Quote:-
"One of the malware families discovered by the researchers is a banking Trojan known as Anatsa or TeaBot. This banking Trojan is a highly sophisticated Android malware, which focuses on stealing banking and cryptocurrency credentials.

Anatsa is a classic case of mobile malware rapidly adapting to security research progress. Its stealth tactics, exploitation of accessibility permissions, and ability to shift between hundreds of financial targets make it an ongoing threat for Android users worldwide."

If the bank gave you a supposedly secure app to perform 2FA, then that is more acceptable, of course. But I would minimise the number of other apps I installed on the phone.

There is also the observation that no matter how often I change my SIM, they always seem to be able to send me spam texts and phone calls. People say they use random call generators, but it makes me wonder.

Espionage724 · 2025-10-21T10:35:25+0100

gjohnson5 said:
That's because YOU SPECIFICALLY authorized paypal to access your bank account via api and an MFA code was probably used to create the connection. So yes , every time you use PayPal to buy something on ebay , the MFA is bypassed because you authorized api access to your bank account

PayPal's authorization was quiet bank-side, unless I had notifications on <$1 transactions (I've seen some do $1-10 minimal notifications). A couple days of unnoticed access can probably attach PayPal easy.

ngnicholson · 2025-10-21T10:54:08+0100

No matter what you do no system is hacker proof. I am as careful online as i can. When i make purchases with my credit card i have the cookies & all data flushed from the browser, i double check the website addresses etc & have no other programs running on the system. However i have had my card hacked three times, twice on my card that has never left the property & once the wife card. My card is only used for 3 websites. These website claimed to cyber-crime department that they had not been hacked. Hacker must have accessed web browser data. My bank is closing all the local bricks & mortar banks & going online with phone apps. It is only a matter of time before i hear about a bank app been owned.

blackbird9 · 2025-10-21T10:58:58+0100

Wow... well, that just goes to show what can happen. Seems I've been lucky, so far. Yes my local bank branch has just been closed too, it's bad news. Luckily the one a few miles away is staying open, but it's still a pain.

blackbird9 · 2025-10-21T11:00:34+0100

Of course you can check your email address here https://haveibeenpwned.com/
It is supposedly legitimate, run by security researchers. Fingers crossed.

blackbird9 · 2025-10-21T11:13:57+0100

ZioMario said:
I'd also like to add a small detail. Once the guy accessed my bank account, he didn't withdraw the money, he made no transfers from mine to his c/c. Obviously, I'd say so. But he made purchases on several websites, one for buying video games and the other one to buy clothing. So, he used my credit card details. The point is, that to do that, you need to know the security code written to the back of the card. And no one knows that code. And I'm sure it is not listed inside any bank account.

The only way I can think of that he got your card's cvc code was you must have typed the cvc in at some point to make an online purchase, and he's got it from your browser. Which means either your browser has been hacked, or you unknowingly typed the cvc in on a phishing fake website. Or it was a genuine website that you bought something from, and that website itself got hacked at the vendor's end, without your knowledge. Perhaps somewhere you did a transaction with suffered a data breach and those customer details were sold on the dark web. It's a nightmare.

I can't think of any other way he could have got that code. Unless he has hacked the bank itself and got it from them, of course. Or if you handed the card to someone in a retail setting and they copied it down, but you've already said that didn't happen. That is an interesting detail. Clearly he did get the cvc from somewhere.

ZioMario · 2025-10-21T11:16:39+0100

blackbird9 said:
This is the kind of headline that makes me nervous about using a phone to do financial transactions. And by that I mean don't use actual bank websites on the phone. The 'phone bashing' is not completely irrational.
Like windows, it's too large a target audience for the crims not to go after it. This article was posted just a couple of months ago. Remember these are just the apps they know about.

77 malicious apps removed from Google Play Store

Researchers have found 77 malicious apps in the official Google Play Store ranging from adware to state of the art banking Trojans.

www.malwarebytes.com

Quote:-
"One of the malware families discovered by the researchers is a banking Trojan known as Anatsa or TeaBot. This banking Trojan is a highly sophisticated Android malware, which focuses on stealing banking and cryptocurrency credentials.

Anatsa is a classic case of mobile malware rapidly adapting to security research progress. Its stealth tactics, exploitation of accessibility permissions, and ability to shift between hundreds of financial targets make it an ongoing threat for Android users worldwide."

If the bank gave you a supposedly secure app to perform 2FA, then that is more acceptable, of course. But I would minimise the number of other apps I installed on the phone.

There is also the observation that no matter how often I change my SIM, they always seem to be able to send me spam texts and phone calls. People say they use random call generators, but it makes me wonder.

As I said,here a lot of banks force the customers to install an app to the phone if they want the home banking. Do they know that it's not secure at all ? I think totally yes. So why they do it ? Why they don't offer the hardware tokens anymore ?

ZioMario · 2025-10-21T11:18:59+0100

blackbird9 said:
It does make me worry if cloudflare themselves have been hacked. The whole point of secure dns is to prevent website spoofing. But if the secure dns service provider itself has been hacked, all bets are off.

I have always suspected cloudflare was insecure. But it's free. VPNs costs money.

blackbird9 · 2025-10-21T11:32:57+0100

ZioMario said:
As I said,here a lot of banks force the customers to install an app to the phone if they want the home banking. Do they know that it's not secure at all ? I think totally yes. So why they do it ? Why they don't offer the hardware tokens anymore ?

Because they save money closing bricks and mortar branches and getting the customer base online. No more wages bill for the tellers, branch managers, etc. No building rental or upkeep. More profit. If they lose some money from compensating customers for money they have lost, that's probably still less than the cost of running a branch network. It also means they don't have all the costs of handling cash, which is expensive. They don't have to pay for the security van turning up each week with the guards to take the cash away. Well, it must be profitable for them, or they would not be moving customers online. They aren't doing it for your personal convenience.

blackbird9 · 2025-10-21T11:35:14+0100

ZioMario said:
I have always suspected cloudflare was insecure. But it's free. VPNs costs money.

"If it's free, you are the product". Yes, it's a bit worrying. How do they monetise that secure dns service? Selling lists of which websites users visit, perhaps? I don't know. But it doesn't run itself for free.
So I don't know what the answer is; do you go back to unencrypted dns requests? It seems we can't win.

ZioMario · 2025-10-21T11:37:22+0100

blackbird9 said:
The only way I can think of that he got your card's cvc code was you must have typed the cvc in at some point to make an online purchase, and he's got it from your browser.

I never used my c/c credentials to buy stuff using my Android phone. I use FreeBSD or Linux and...I rarely added my c/c details even there,because I prefer to pay with paypal.

blackbird9 · 2025-10-21T11:39:23+0100

Were you actually using the cloudflare secure dns when this hack happened? If so, that's definitely worrying.

blackbird9 · 2025-10-21T11:43:35+0100

ZioMario said:
I never used my c/c credentials to buy stuff using my Android phone. I use FreeBSD or Linux and...I rarely added my c/c details even there,because I prefer to pay with paypal.

It's hard to imagine how they got that cvc code.

ZioMario · 2025-10-21T11:46:36+0100

blackbird9 said:
"If it's free, you are the product". Yes, it's a bit worrying. How do they monetise that secure dns service? Selling lists of which websites users visit, perhaps? I don't know. But it doesn't run itself for free.
So I don't know what the answer is; do you go back to unencrypted dns requests? It seems we can't win.

The winner is the one who, when asked whether he wants choose between comfort and safety, he answers safety most of the times.

blackbird9 · 2025-10-21T11:49:25+0100

If this kind of hack is happening to people here, who at least know something about computers and security, even if only a little, then what chance does the average home user have with a windows pc and an android phone with 50 apps loaded onto it.

ZioMario · 2025-10-21T11:51:17+0100

blackbird9 said:
It's hard to imagine how they got that cvc code.

Anyway,he left interesting traces from the movements that he done,everything is written on the bank statement that I've got. It won't be difficult for the police to track him down. The only difficult thing is to figure out how he did it.

ngnicholson · 2025-10-21T11:53:50+0100

Cloudflare's salesforce has been hacked in August, hackers gained access to customer support & case management. That's two breaches in as many years.