Have to be honest, the Indians know how to do a good takeaway.
Indian police have arrested two men who allegedly circumvented a bank's two-factor authentication protection and looted online accounts. The pair are suspected of buying victims' personal details from other crooks and then tricking mobile phone companies into giving the duo replacement SIM cards. Anyone in possession of these …
THEFT? Or OUTSOURCING?
This isn't about stealing, this is about outsourcing.
Pay peanuts to employees (outsourcing to India) and expect some form of corruption.
I wonder how many times this has happened but the banks have kept the problem 'in house' to avoid the scandal.
This actually sounds like a very clever way of stealing. Thankfully, they weren't clever enough to get away with it
Whose 'fault' ?
Now what doesn't get mentioned is who is going to put the money back into the bank account. Is the phone company going to do anything other than 'adjust' the bill for that month's service? Is the bank going to say "hey we just used the phone number you told us to use"?
So this poor sot used the gold standard of two-factor security and gets taken anyway. And likely nobody is going to make the failure good.
That's the IT angle. What do we do now for security?
Re: Whose 'fault' ?
IANAL but from my viewpoint, it's the banks fault. They paid money to somebody who wasn't the rightful recipient. End of story. It makes no difference if the thieves cloned a phone, wore a false moustache, or just said "this is my account" while waving their hand. It's up to the BANK to verify the identity of the recipient. And it's up to the BANK to devise a system that does that.
The logical conclusion of any other way of looking at it (i.e. it's not the banks fault) means that if the banks computers were hacked, or stolen, or if their data centre when "boom", would be that all account holders would suddenly have no balance, and the bank would just say "oops".
Before issuing replacement sims, how about sending a text message saying so to the original sim. If that sim is still in use, then the recipient gets the chance to prove ownership and prevent the replacements from being activated, or, at worst, to amend any security that relies on the associated mobile number.
Longer term, banks should work with the mobile telcos and come up with a service where the IMEI and/or the sim are validated before delivering the PIN, so that a replacement sim or in a different phone does not deliver the PIN.
Any text or email message I get from somebody claiming to be a bank gets deleted.
I'd be keen for my bank to send an SMS (or email) every time my account is accessed. I'd wager a system like this (with an opt out, for those that must) would reduce fraud by a considerable amount.
"Any text or email message I get from somebody claiming to be a bank gets deleted."
Any email I get from somebody claiming to be a bank is automatically forwarded to the bank's address for reporting such emails, if they have one (which most seem to).
Is this not a wakeup call for Banks and telcos to beat the RNG/fob
Key thingy? I have a friend in China who is a foreigner, and he does all his banking via the RNG/lookup thingy. Even if his phone is cloned or the SIM card is cloned, the attackers still need a bit more to compromise him or his banking funds.
Now, for how long this remains so, I have no idea.