A good amount of money has been stolen from my bank account bypassing the double factor authentication.

Sure, the phishing attack was the key event. But how did they get the CVV from the back of the card??? That question is puzzling me! Because it suggests a browser hack on freebsd, and reading the CVV from the browser history. He said he never did any bank website transactions on the phone, only on freebsd pc. So maybe the hackers have been targeting him for some time... in multiple stages... ? Well, I'm just making guesswork...
that question is a puzzle; how did they get the CVV?
 
Going back to trying to use secure DNS to protect against being directed to spoofed websites, I found this interesting forum thread on using Tor to provide DNS service, in place of cloudflare, quad9 etc (at least, I think that's what she is suggesting). Quite interesting, I haven't tried this, I don't know anything about tor, or how advisable doing this would be. Perhaps it provides an alternative to things like cloudflare though, if cloudflare is suspect.


Does anyone have any views on whether doing this would be a good or bad idea?

I worked on the TOR configuration some years ago in this forum and I used it for some time... when I realized that it does not give a stable connection, I stopped using it.
 
I mentioned it now 3 times. Not all transactions require CVV.

But yes, this is Mario-styled thread :) There are more questions than answers.

I read it. What I wanted to say is that, in my opinion, that choice does not protect the customers well, so the bank for me is responsible for this behavior. I can say that it does not act as a good family man.
 
I would ask the bank if they are prepared to provide any compensation. If they say 'no', then maybe it's easier to forget it. If you hire a lawyer to fight the bank, it can cost a lot of money, especially if you lose. Or if you go the "no-win, no fee" route, then the lawyer will take 90% of the compensation... :mad:
Of course it depends how big the stolen amount was... if he bought a brand new lamborghini with your card, then maybe it's time to fight :)
 
I can't remember a transaction where they don't ask for it.... in UK, anyway. I guess it's possible though.
I mean me too to be honest. Some don't require 2FA for sure but CVV was sent (name+card #+cvv). But I know some don't and I think I was surprised like this before.

But here only ZioMario knows what he was actually doing (hopefully) and what he approved by mistake.
 
Or if you go "no-win, no fee" route, then the lawyer will take 90% of the compensation
While the thread says "good amount of money" I have a feeling it was not that much. Enough to get angry for sure but not enough to sue a bank.
One more "beer advice" I'll give -- consult this with a lawyer. 200-300EUR for consultation would be worth it if "good amount of money" is .. well, good amount of money.

In all seriousness -- just make sure you understand where you did mistake and how to avoid it in the future.
 
When you are busy working... in a rush... family commitments... sometimes you can't keep track of every detail, and things get through. Of course that is how the scammers win... :mad:. It's easy to miss something and then they have got your money.
 
Great advice. I think fighting for a refund is wasted time.

For sure I want to fight for a refund. But at the same time I have thought about some new strategies for the future. Can I do both things? Maybe not, but people fight for cents. People kill for nothing, today.
 
I mean me too to be honest. Some don't require 2FA for sure but CVV was sent (name+card #+cvv). But I know some don't and I think I was surprised like this before.

But here only ZioMario knows what he was actually doing (hopefully) and what he approved by mistake.

I have only clicked on the damn url hidden inside a scheme that looked so similar to the web page of my bank. Nothing more than that.
 
I don't see much merit in lawyer.
You have admitted you made the error. Clicking a link in an email.

What are the police going to do for you? At least they can add you to the statistics.

I like how xpdf does not have working html links. You have to cut and paste into browser.
Just an extra hurdle but it makes you think twice about going to a random site. You have to want the abuse.
 
It's funny working in an IT environment as a consumer.
We use Office365 and its dreaded email system.
Production Department starts at 6AM and IT starts at 7:30AM.
So we get these emails at 7:30AM Monday Morning about don't open some explosive email bomb.
An hour and a half into our workday.
Great Job Skippy
 
I don't see much merit in lawyer.
You have admitted you made the error. Clicking a link in an email.

What are the police going to do for you? At least they can add you to the statistics.

I like how xpdf does not have working html links. You have to cut and paste into browser.
Just an extra hurdle but it makes you think twice about going to a random site. You have to want the abuse.

Bro. The phishing is a crime even if I have clicked on the wrong link by mistake.
 
Anyone can click on a link in a moment of not being 100% vigilant. No-one is perfect, it's an easy mistake to make. In truth, the banks know this will happen and bear some responsibility, and they likely have insurance against customer claims arising from phishing attacks. Especially if they close bank branches and force customers to use online banking, they are doing that to increase their profits, and they are fully aware of the risks to their customers. Specifically, they stand accused of off-loading the risks of online banking onto their customers, which is not a good look. When you sign up to use online banking, they don't highlight a warning saying "use it at your own risk", instead they have a smiling couple, look how convenient it is, everything is great!... etc, etc.



Personally in this situation I would talk to the bank and see if they are prepared to do anything. If they are not, you could try contacting consumer rights groups or free legal advice or perhaps the media. In the UK we have radio programs and newspapers that people can write to to make this kind of problem public, often after it becomes public knowledge the bank will pay up to make the person be quiet, they don't want to lose customers. I would be wary of starting to pay lawyers... it can be very expensive and maybe cost you more than you lost in the first place.

I would try to analyse what has happened some more first. Was this a one-off event, did the phishing email and the link click give them everything they needed to steal the money? Or have they been targeting Mario for a longer time... weeks or months?... to gather information, get the CVV, with the phishing email the final step? Perhaps the same criminals have been targeting lots of people with the same fraud, in which case the bank will likely know about it already. Maybe other people have already gone to the bank asking for compensation for the same phishing email. Of course the bank will keep quiet about that. But if there are more people who have been attacked, you might be able to make a combined claim against the bank.

The phishing email itself is the key piece of evidence.

It depends... is it just one lone scumbag acting alone, doing this from his bedroom... or is it an organised crime gang that has carried out this fraud on 10s or 100s of people, perhaps right across the country. Someone must know, perhaps the police, or the bank itself. Have many other people received that same email? These are the kind of questions I would be asking.

But if it was me, I would not jump straight into hiring a lawyer and suing the bank... certainly not at this stage. Try to find out more first, and be very sure of your ground. Does Italy have a national cyber crime unit? Or is there a citizens' free legal advice group you can contact? And of course you must report the crime to the police, at least, I think that is what the UK situation would be.
 
I have only clicked on the damn url hidden inside a scheme that looked so similar to the web page of my bank. Nothing more than that.
Now there are some things, that contain security issues - responsibilities - on your side that may seem not so obvious at first glance:
First, you reacted to something sent to you. When and if I do banking transactions I am the one who shoots first, by opening my bank's website etc. I do not react to things sent to me which I didn't explicitly ask for, and especially not before I'm 100% crystal clear what it's for, and who it's from.
And for sure I do not have my money transactions so automated that it could be done by simply clicking on anything at all.

There are lots of inventions today to make people's lives more comfortable - help them to spend more money even quicker, like paying with just holding your card or phone near some machine without the freaking enormous tedious effort to validate anymore. But it's up to you to accept such services, and to limit the amount of money that can be charged this way.
As an "old grey-beard from the stone ages refusing modern progress" all my money transactions always contain the need of at least one step I finally have to check and willfully agree to the transaction, e.g. by entering something only I know in my own head independently from any machine, like e.g. my pin number.
Which brings us to the second point:
If a money transaction from your account was possible by just clicking on a link, your password, pin number, or whatever else you need to identify yourself as the valid person and agree to the transaction, had to be somehow somewhere stored on your machine, accessible to the thief('s software).
That's what I would reconsider if I were you: what I feed my password manager with, and for what I use the old-fashioned way of having login data not stored on any machine, but e.g. in my head, only.
🥸

Since a few weeks ago you reported a very well made fake email looking like a FreeBSD forums login reset sent to you, I suppose you are a victim of some targeted attack. It seems somebody was/is watching you here in these forums, and maybe other places, and maybe used the fake FreeBSD-forums-looking mail (maybe you received more like that?) to get more information about your machine. Maybe.
While counterhacking was one way in theory, besides it being highly uncertain you get your money back from the actual thief this way, it brings you also into the additional danger of doing something illegal yourself.

Maybe there could be some kind of banking honeypot you can place: the thief believes she grabbed some money from your bank account, but in reality the minus sign was invisible. :-/ So instead the stolen money is transferred from his account to yours.
Would be nice if it could be combined somehow with some kind of zip-bomb, so the amount of money they tried to steal explodes a hundred thousand times... I'd like to see the thief explaining that to the police. "You see, I was just trying to steal a few hundred bucks from this guy, right? Then..." 😁
 
Bro. The phishing is a crime even if I have clicked on the wrong link by mistake.
That's right. But so are a lot of others.
How many people drive way over the speed limit? It's not allowed. And in certain situations it's a real crime, because it's really dangerous. But as long as they don't run into a radar speed trap they walk free.
It's like you forgot your backpack on the train by mistake. And when you got it back all the cash from your wallet is gone. Yes, of course it's a crime. But the police will tell you what anybody else will tell you:
There is nothing you can do but watch out for your stuff.

The point is always to catch the offender, and convict him/her, which requires first knowing who did it, then finding her/him, and proving it.
Otherwise the law is just paper, and we need to rely on the majority being fair, and see that our stuff is safe.
There is a proverb:
An open door may tempt a saint.
Which means opportunity makes the thief.
 
I wonder if they read the CVV from the browser cache, when you clicked the link and went to the phishing page; perhaps the phishing page contained some javascript that can read the stored "auto-fill" credentials? I'm just guessing. So maybe it's possible that the phishing website is the entire exploit. You said they seemed to know everything about you, all your details. But I have no knowledge of this area.. I'm just a complete beginner hahaha 😂. Maybe someone who has some real knowledge of how this kind of phishing attack works can help? I wonder if there are public cyber crime forums about this that you can ask questions on. I don't know the answer, I have been lucky, it has never happened to me, so far! But it's interesting to learn about it, so we can be warned about how it works.
 