A good amount of money has been stolen from my bank account bypassing the double factor authentication.

Hello to everyone.

A few days ago a good amount of money was stolen from my bank account (I have home banking, but not for much longer).

I am still trying to think about how this could have happened, by reasoning about the traces left by the thief. What I know is that:

a) At the same moment that I logged into my bank account, I got an email message telling me that someone with an "iPhone 14 Pro Max" had been able to log in. But I read this email later, when I had logged out, because when I was inside, my attention was focused... on the money spent.

b) The messages that I got at my email address say that he was able to enter using the Android app installed on my phone (that I never use), because after having logged in using the double factor authentication, I use my FreeBSD system to surf to the bank home page using Firefox.

c) Looking at the timing, the thief gained access to my bank account simultaneously with me (a man-in-the-middle attack?).

d) I got some SMS messages telling me that he also tried to activate the bank's Android app on my phone and on his phone, requesting the code, but since it was sent to my phone he didn't know it and he failed (this makes me think that my phone is not compromised).

My question is how he was able to bypass the double factor authentication. How was he able to know the user ID, the PIN code, and to validate his connection through my phone? It seems to be complicated, but probably it seems like this because I don't fully understand the method used. Probably for him it was easy. It becomes easy to do something that you know and that you have done several times already, no?

Take also into consideration that I had already requested to change my credit card codes twice recently.

Please feel free to express your thoughts.
 
My question is how he was able to bypass the double factor authentication?
Does your bank have routing/account checking access?

I can withdraw money from my bank externally through PayPal with no authentication, even with my bank account having 2FA and its own card use notifications. I connected the bank to PayPal with the routing/account number.
 
Does your bank have routing/account checking access?

I can withdraw money from my bank externally through PayPal with no authentication, even with my bank account having 2FA and its own card use notifications. I connected the bank to PayPal with the routing/account number.

To gain access to the bank account I open the web page, I enter the user ID and the PIN, and then it sends a request to a specific Android app that I have installed on my phone. What I need to do is to enter the PIN number and it will be accepted automatically, and then I will jump to the bank's web page on my PC, where I have FreeBSD + Firefox installed.
 
Using text messaging for securing accounts is ludicrous. TEXT MESSAGES ARE NOT SECURE.

Why companies would try to use them for security functions is dumb.

 
Wireless connection?
 
Using text messaging for securing accounts is ludicrous. TEXT MESSAGES ARE NOT SECURE.

Why companies would try to use them for security functions is dumb.


SMS is offered as the last chance to gain access... only if you can't insert the PIN number inside the app.
 
Can you clarify which method you used for the second factor?

To gain access to the bank account I open the web page, I enter the user ID and the PIN, and then it sends a request to a specific Android app that I have installed on my phone. What I need to do is to enter the PIN number and it will be accepted automatically, and then I will jump to the bank's web page on my PC, where I have FreeBSD + Firefox installed. If you fail to enter the PIN number 3 times because the time has expired, the app asks to send a code to the phone number via SMS.

I talked about second factor authentication because it's not only the PC involved in the authentication, but also the phone.
 
Is that Android app homemade by that bank?

yes.

And as mentioned above, falling through to SMS is stupid. Very easy to hijack.

How can this be possible if my phone and the SIM card are always in my pocket? I suspect more a man-in-the-middle attack, because my phone WAS connected via Wi-Fi. Is this kind of attack easy to do? Should the person who does this attack live within range of my Wi-Fi connection?
 
How can this be possible if my phone and the SIM card are always in my pocket? I suspect more a man-in-the-middle attack, because my phone WAS connected via Wi-Fi. Is this kind of attack easy to do? Should the person who does this attack live within range of my Wi-Fi connection?

Check out this live demo of a SIM duplication procedure.

tldr:

- the attacker's location does not have to be anywhere near you
- the attacker does not need to perform any social engineering to duplicate your SIM
- the attacker needs to pay an (illegal) low 5-digit USD monthly subscription fee to a service that would allow him to sniff and inject data as if he were a legit mobile phone company
- the attacker only needs to know your phone number as a starting point
- a bit unclear to me, but apparently the roaming service needs to be active on the target number in order for this particular attack to work, so disable it if you're not actively using it

In case your bank supports it, switch to a hardware token that generates TOTPs instead of using anything that is tied to the internet or a mobile phone service.
 
Check out this live demo of a SIM duplication procedure.

tldr:

- the attacker's location does not have to be anywhere near you - it's a global attack
- the attacker does not need to perform any social engineering to duplicate your SIM
- the attacker needs to pay an illegal low 5-digit USD monthly subscription fee to a service that would allow him to sniff and inject data as if he were a legit mobile phone company
- the attacker only needs to know your phone number as a starting point
- a bit unclear to me, but apparently the roaming service needs to be active on the target number in order for this attack to work, so disable it if you're not actively using it

In case your bank supports it, switch to a hardware token that generates TOTPs instead of using anything that is tied to the internet or a mobile phone service.

Thanks for this clarification. First of all, I never kept roaming enabled. This is what happened, one event after another:

1) The attacker tried to register the bank app to my phone. I got the code via SMS.

2) The attacker tried to register the bank app to his phone. I got the code via SMS, BUT at this point he read it in some way, because we jump to point 3.

3) The attacker was able to log in inside the app (I was warned by email). So he discovered the code sent in point 2.

What now? Is my SIM card and/or my mobile phone compromised?
 
Thanks for this clarification. First of all, I never kept roaming enabled. This is what happened, one event after another:

1) The attacker tried to register the bank app to my phone. I got the code on my mobile phone (I was warned by SMS).

2) The attacker tried to register the bank app to his phone. I got the code on my mobile phone, BUT at this point he read it in some way (I was warned by SMS), because we go to point 3).

3) The attacker activated the bank app on his phone and was able to log in (I was warned by email). So he discovered the code sent in point 2.

Sorry to hear this. Did you manage to recover the money, or at least make the bank understand they allowed a non-authorized transfer?
 
What now? Is my SIM card and/or my mobile phone compromised? Should I change SIM card? Phone? This is important for me to know.

---> In case your bank supports it, switch to a hardware token that generates TOTPs instead of using anything that is tied to the internet or a mobile phone service.

They offered it for free for some time. I used it. But at some point they stopped. From that moment they started to give it only to paying customers.

I think the time to change bank has come. They have a low level of protection. If you want more protection you should pay for it. That's NOT good.
 
There are multiple attack vectors that would allow someone to hijack your mobile phone, as you can see in this thread: either via SIM duplication or SIM swapping, or compromise via a trojan phone app.

1. Use your phone only as a phone. Uninstall all garbage; don't use it for banking.
2. Search for a bank that can provide hardware tokens.
 