back to article Fraud cops collar two blokes accused of dodging bank's 2-factor auth

Indian police have arrested two men who allegedly circumvented a bank's two-factor authentication protection and looted online accounts. The pair are suspected of buying victims' personal details from other crooks and then tricking mobile phone companies into giving the duo replacement SIM cards. Anyone in possession of these …

COMMENTS

This topic is closed for new posts.

Have to be honest, the Indians know how to do a good takeaway.

1
0
Silver badge
Meh

THEFT? Or OUTSOURCING?

This isn't about stealing, this is about outsourcing.

Pay peanuts to employees (outsourcing to India) and expect some form of corruption.

I wonder how many times this has happened but the banks have kept the problem 'in house' to avoid the scandal.

2
0

This actually sounds like a very clever way of stealing. Thankfully, they weren't clever enough to get away with it

0
1
Facepalm

Whose 'fault' ?

Now what doesn't get mentioned is who is going to put the money back into the bank account. Is the phone company going to do anything other than 'adjust' the bill for that month's service? Is the bank going to say "hey we just used the phone number you told us to use"?

So this poor sot used the gold standard of two-factor security and gets taken anyway. And likely nobody is going to make the failure good.

That's the IT angle. What do we do now for security?

1
0
Silver badge

Re: Whose 'fault' ?

IANAL but from my viewpoint, it's the banks fault. They paid money to somebody who wasn't the rightful recipient. End of story. It makes no difference if the thieves cloned a phone, wore a false moustache, or just said "this is my account" while waving their hand. It's up to the BANK to verify the identity of the recipient. And it's up to the BANK to devise a system that does that.

The logical conclusion of any other way of looking at it (i.e. it's not the banks fault) means that if the banks computers were hacked, or stolen, or if their data centre when "boom", would be that all account holders would suddenly have no balance, and the bank would just say "oops".

3
1
Silver badge
Coat

Lackeys?

Dacoits, surely?

0
0

Suggestion

Before issuing replacement sims, how about sending a text message saying so to the original sim. If that sim is still in use, then the recipient gets the chance to prove ownership and prevent the replacements from being activated, or, at worst, to amend any security that relies on the associated mobile number.

Longer term, banks should work with the mobile telcos and come up with a service where the IMEI and/or the sim are validated before delivering the PIN, so that a replacement sim or in a different phone does not deliver the PIN.

1
0
Anonymous Coward

Re: Suggestion

Any text or email message I get from somebody claiming to be a bank gets deleted.

2
0
Silver badge
Unhappy

Re: Suggestion

I'd be keen for my bank to send an SMS (or email) every time my account is accessed. I'd wager a system like this (with an opt out, for those that must) would reduce fraud by a considerable amount.

0
0
Silver badge

Re: Suggestion

"Any text or email message I get from somebody claiming to be a bank gets deleted."

Any email I get from somebody claiming to be a bank is automatically forwarded to the bank's address for reporting such emails, if they have one (which most seem to).

0
0
Bronze badge

Is this not a wakeup call for Banks and telcos to beat the RNG/fob

Key thingy? I have a friend in China who is a foreigner, and he does all his banking via the RNG/lookup thingy. Even if his phone is cloned or the SIM card is cloned, the attackers still need a bit more to compromise him or his banking funds.

Now, for how long this remains so, I have no idea.

0
0
This topic is closed for new posts.

Forums