Early Riser
Agreed. When I read these stories I usually use Occam's Razor. What's more plausible: a sophisticated hack by expert cryptographers or luck by the thief and/or ineptitude by the customer. In this case most likely the thieves spied her inputting her PIN over her shoulder, or she had it written down in her bag, or she had a PIN which was something common like her date and month of birth which they figured out from her ID.
An RTÉ researcher had his bank account emptied last week, see article here. The article focusses on the fraudsters calling up to get him to insert his card into the reader and provide the code. This was to transfer a five-figure sum from his current account to the fraudsters' accounts.
What is completely glossed over is that this was the final step. The fraudsters had been moving funds from his deposit account to his current account for a few days previously. For this the fraudsters didn't need the card reader but must have already had his customer number, PIN, and telephone number. Again, what is more plausible: that someone hacked into the bank's systems or the customer divulged these details accidentally?
Banks' systems are not infallible but they spend hundreds of millions on security systems that are by now close to impossible to hack by brute force or luck. Most fraud now relies on the unwitting participation of the customer. There is a lot of shame around this. I had a colleague tell me recently about how she fell victim to a really basic and obvious phishing fraud involving someone selling something on Facebook, and was four figures down. She then swore to me to keep it secret as she felt so stupid.
I've rarely read one of these stories where I don't feel that the customer is holding back something pretty obvious with regard to their own participation.
I haven't been a customer for a few years but AIB used to ask only for three random digits of a six-digit password. Asking for the full password should have aroused some suspicion.
I would expect that what happened is that the RTE guy clicked the link in the text and filled out his online banking details in the scammers' website, thinking it was AIB.
I tend to agree. This kind of scam demands a much greater law enforcement response and I don't see this as vaguely a priority for AGS.
I'm not a fan of blaming the victim, partly because we need more people to talk about this in public.
I'd forgotten about that! BoI usernames are at least somewhat random and they seem to still ask for three of the six digits as standard.
Online banking customer number is unfortunately based on date of birth.
It's nice - I'd never seen it framed as such!
A timely article: https://bam.kalzumeus.com/archive/optimal-amount-of-fraud/
But presumably the app needs some or all of password, fingerprint, or facial recognition to log in. I can't access a banking app with my screen unlocked.
If you could nick someone's phone and they don't have a lock screen, maybe it's quite possible to run some software to crack the app and view the PIN. I'm not au fait with phone cracking, but it looks like even a lock screen can be bypassed easily enough:
Would thieves have that knowledge? Perhaps, or they could be script kiddies who've bought an illicit bit of PC software that does all those steps for them. I'm taking this woman at her word that someone got the PIN from the app through no fault of hers and speculating how it was done.
Charlotte said she was told her card had been used to make about £8,000 worth of purchases from her current account, with goods bought from the Apple store at Westfield shopping centre in Shepherd's Bush, the Apple store in Regent Street, and Selfridges on Oxford Street - all within 90 minutes.
Santander apologised for initially "incorrectly declining her refund request and for the customer service she received", and it has paid her £750 in compensation. However, it said its "security logs" showed there had been "no compromise with our mobile banking app".