Analyzing Another Banking Fiasco

-

The news about the "mysterious" loss of 1 million pesos from someone's bank account is making the rounds of social media right now (see video below).

  https://fb.watch/hmCZUoZpiQ/?mibextid=v7YzmG

Here are my thoughts on the incident:

  • The victim should have been suspicious when a barrage of OTP notifications are received on her phone. She should have gone to her bank to check on her account
  • Although not the culprit, the person who attended the call of the customer should have done a better job checking the system when the customer called.
What probably happened:
  • Based on what I saw in the video, this is probably a complex case of phishing and SIM Swapping.  According to the victim, she has not enrolled her account to the online facility meaning that the perpetrator/s was able to use the victim's cellphone number to enroll the account.  To enroll an account to such a facility, the perpetrator must know the victim's information as stored in the bank. The only way to get this is through phishing.
  • Another possibility is that it is an "inside job" NOT on the part of the bank but on the part of the victim.  Someone close to the victim could have enrolled the account to the online facility and found a way to clone the victim's SIM.

This is one nightmare scenario for the affected bank and should be addressed immediately because if one looks closely at the video, the bank can easily be identified on the shots they took of the cellphone.  Oh, and to GMA News, please blur the shot where vital information about the victims are visible.

Oh, and one more thing.  The comments on the GMA News video is hilarious!  I didn't know that Facebook has this much Fraud Analysts. :D

DISCLAIMER: I do not have all the facts with me so all the conclusions I have outlined may not be entirely correct.  However, this incident exposed a flaw in the security of the bank -- they lack the necessary KYC (know your customer) procedure in connection with the enrollment process of their online facility.

Comments

Post a Comment

Popular posts from this blog

A Visit to Mataas na Kahoy, Lipa, Batangas

-
Image
My friend Debbie, a classmate from way back in Elementrary and High School invited me again to their town fiesta at Mataas na Kahoy, Batangas City.  Having previously visited their place, I promptly brought wifey and kiddo with me and had lunch there. The visit was capped by a sumptuous lunch and the main highlight of the meal was a boneless lechon by Dante's Lechon de Kahoy . As with our other visits, I was still in awe at the place, the beauty of which is accentuated by the cool Tagaytay-level cool wind. To get a feel of the place, just click on the video above. A day well spent with my family and friend at a very relaxing place.
Read more

Introduction to Personal Technology Security

-
Image
We live in such wonderful times.  More and more people are exposed to technology that, years ago, were too expensive a few years ago.  Information is now available to a lot more people thanks to the high adoption rate of smartphones, tablets and laptops.  Students never had it so good because I still remember having to commute to different libraries in order to write research papers. People who need to do banking can do a lot of financial transactions simply by downloading and using the mobile banking applications of their respective banks.  Mobile payment platforms are slowly replacing the need to carry cash in order to pay for their groceries, medicines, monthly bills etc. However, with all these conveniences, comes danger.  Hackers and fraudsters are taking advantage of this to take advantage of people who are not-too-savvy with technology to steal information and even money.  Text messages purporting to come from government agencies, dubious foundations even famous peopl
Read more

WARNING: GCash Phishing Leveraging the SIM Registration Act

-
Image
A lot has happened since the Philippine SIM Registration Act has been implemented.  There are people who are for and against its implementation.  That is an issue that can only be resolved in time.  However there is a bigger issue has stemmed from it.  The law is now being leveraged by threat actors that seeks to gather personal information from their potential victims. While reviewing my SPAM folder for legitimate messages that have slipped into the cracks, I noticed this interesting sender. A casual look makes it appear as if it came from GCash, a service I use for my digital wallet needs.  Although the display name says "admin@gcashmobile.com", it was sent "via sendgrid".  Just to let you know, legitimate emails from GCash comes from the "@gcash.com" email domain so this is already a big red flag.   Here is the body of the message: Looks convincing, right?  However, one thing that everyone should be aware of is this: Companies will always refer to you b
Read more