
Scammers Work Around Two-Factor Authentication With Social Engineering

mask.of.sanity writes "Thieves have made off with $45k after they intercepted a victim's two-factor online banking codes used to verify large transactions. The scammers got the Australian executive's mobile number from his daughter, and workplace details from his willing secretary. Armed with this data, they bluffed Vodafone, which ported his phone number, meaning the criminals could verify the bank's two-factor verification codes generated during their spending spree and the victim never knew a thing."
  • by Fjandr ( 66656 ) on Tuesday December 06, 2011 @01:16AM (#38276534) Homepage Journal

    He received an SMS which he believed to be from Vodafone, stating that they were having network difficulties and he would experience loss of cell service for the next 24 hours.

  • The Blame Game (Score:5, Informative)

    by enoz ( 1181117 ) on Tuesday December 06, 2011 @01:38AM (#38276642)

    So the banks say it's not their problem, it's the fault of mobile operators for making numbers portable. Yet the banks were offered access to the national mobile database so they could check if a number was recently ported, but declined to use the information. Meanwhile the fraudsters are getting away with their winnings...

  • CBA Security is ok. (Score:4, Informative)

    by Whiteox ( 919863 ) on Tuesday December 06, 2011 @02:19AM (#38276816) Journal

    To operate with that bank on-line, you need an Internet acc number (which is different to a normal account number), and at least a password. Additional secret question knowledge is required for 2 answers to set up a new transfer. Then, and only then, is the SMS verification code needed. He must have been very slack to have made all that info available to the scammers.
    Congrats to the bank to have picked it up. It's not the $45000 'raising a red flag' either. Once they rang me for confirmation because I sent a donation to a German software foundation - it was only $20.

  • Re:The Blame Game (Score:5, Informative)

    by rtfa-troll ( 1340807 ) on Tuesday December 06, 2011 @02:45AM (#38276946)

    So the banks say it's not their problem,

    No, they didn't. They paid up fully and automatically. First they blocked his account:

    The team tried – unsuccessfully – to call Craig on his mobile. After several attempts to contact him, Craig’s bank account was frozen. The fraud unit eventually reached him on a landline.

    Then they sorted everything out and paid for everything automatically.

    Craig is satisfied that CommBank has done everything it can to resolve his specific matter, and he applauded the work of the bank's fraud squad.

    They had even been part of a group which had investigated the MNP security fixes available but decided not to implement them because of security problems.

    “We explored the Mobile Number Portability Database and decided not to progress the solution at the time due to limitations which we believed may have exposed our customers to undue risk," the spokesman said.

    I hate banks in general as much as the next man in the times of this crisis induced by some of them, but let's at least blame them for the evil things that they really have done. This is not one of them.
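
The recently-ported check that the comments above refer to, sketched as an added example (not from the article, the bank or any commenter): before relying on an SMS code, consult a porting record and step up or hold the transfer when the number changed carrier recently or the record is unavailable. The lookup callable, the error type, the thresholds and the phone numbers are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from enum import Enum

class Decision(Enum):
    SEND_SMS_CODE = "send_sms_code"
    STEP_UP = "step_up"                  # verify over a channel not tied to the mobile number
    HOLD_FOR_REVIEW = "hold_for_review"  # freeze until the fraud team reaches the customer

# Assumed policy values, for illustration only.
PORT_QUIET_PERIOD = timedelta(days=7)
LARGE_TRANSFER = 1_000

class PortLookupError(Exception):
    """Hypothetical error: the porting database could not be queried."""

def sms_code_decision(msisdn, amount, new_payee, last_ported_at, now=None):
    """Decide whether an SMS code is acceptable for this transfer.

    last_ported_at is a hypothetical callable returning the datetime of the
    number's most recent port, or None if it has never been ported.
    """
    now = now or datetime.now(timezone.utc)
    risky = new_payee or amount >= LARGE_TRANSFER
    try:
        ported = last_ported_at(msisdn)
    except PortLookupError:
        # No porting data: do not let a risky transfer rest on SMS alone.
        return Decision.STEP_UP if risky else Decision.SEND_SMS_CODE
    if ported is not None and now - ported < PORT_QUIET_PERIOD:
        # The number changed carrier recently, so the handset receiving the
        # code may not be the customer's.
        return Decision.HOLD_FOR_REVIEW if risky else Decision.STEP_UP
    return Decision.SEND_SMS_CODE

# Constructed sample data: numbers and dates are made up.
NOW = datetime(2011, 12, 6, tzinfo=timezone.utc)
SAMPLE_PORTS = {
    "+61400000001": NOW - timedelta(hours=20),   # ported yesterday
    "+61400000002": NOW - timedelta(days=400),   # ported long ago
}

def sample_lookup(msisdn):
    if msisdn == "+61400000009":
        raise PortLookupError("database unreachable")
    return SAMPLE_PORTS.get(msisdn)

if __name__ == "__main__":
    for number, amount, new_payee in [("+61400000001", 45_000, True),
                                      ("+61400000002", 45_000, True),
                                      ("+61400000009", 45_000, True)]:
        print(number, sms_code_decision(number, amount, new_payee, sample_lookup, NOW).value)
```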

  • Re:Account security (Score:5, Informative)

    by tsotha ( 720379 ) on Tuesday December 06, 2011 @03:29AM (#38277124)
    Bank of America offers [bankofamerica.com] something they're calling a "Safepass Card", which looks suspiciously like SecurID to me.
