Authorised New Payee That Wasn't...

Discussion in 'privacy problems' started by philby, Sep 28, 2018.

  1. philby

    philby Registered Member

    Joined:
    Jan 10, 2008
    Posts:
    944
    Hello All

    Long time, no post...

    I've recently had to re-install Windows on a customer's machine after a payment that they are certain they did not authorise was made to a new payee from their bank account.

    The customer somehow suffered a silent TeamViewer install (they are again certain that they did not click on any links in any mails etc.) and the log shows that there was a remote connection active around the time that the payment was made.

    However, given that the bank requires card authentication to add a new payee via a card reader, I cannot understand how the rogue payment to a new payee was authorised: The bank is saying that the customer must have authorised the payment via the card reader and will not offer compensation. The customer is absolutely sure that they did not use the card reader to authorise the new payee.

    My question is: How could the requirement for physical authorisation of the new payee via the card reader have been circumvented as it obviously was?

    Thanks!
     
    Last edited: Sep 28, 2018
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,398
    Location:
    U.S.A.
    You're losing me on this one in regards to the card reader reference.

    I assume this payment authorization was made via the bank's web site? This means either someone was able to log on to the person's bank account or the browser was hacked during an online banking bill payment session done by the individual and the unauthorized payment done at that time.

    What I do know is this, which might be an eye opener to some. My bank, which is one of the largest in the U.S., will link to an external non-bank web site for online payment activity. I found that out since the external site doesn't support TLS 1.1+; only TLS 1.0. As such, it is entirely possible some MITM or like interception activity could occur in the transfer process.
     
  3. philby

    philby Registered Member

    Joined:
    Jan 10, 2008
    Posts:
    944
    Hi itman
    Customer was logged in to online banking and just checking his account when this payment suddenly appeared in his outward transactions. His online banking session was concurrent with the silent TeamViewer session I later discovered.

    The point about the card reader is that this is a physically separate device that's required for authentication prior to any new payee being added whilst in online banking - you have to place your card in the reader and a one time code is then generated which you enter during set up of the new payee during your online session.

    So, even though the customer's online banking credentials were compromised, how could the physically independent card reader have been simultaneously compromised in order for the new payee to be authorised?

    Hope that makes more sense...
     
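    The evidentiary question in the posts above is whether the remote-control session was active at the moment the disputed payment went out. The following script is an added example, not code from the thread or from TeamViewer: it parses a TeamViewer-style incoming-connection log (assumed here to be tab-separated with partner ID, partner name, start, end, local user, connection type and connection ID, timestamps as DD-MM-YYYY HH:MM:SS; the two log lines are constructed) and reports which sessions overlap the transaction time, with a small tolerance for clock skew between the PC and the bank's timestamp. Saving the original log before any reinstall, as was done here, is what makes this correlation possible.

```python
"""Correlate a disputed bank transaction with remote-access sessions.

Added example, not from the forum thread. The log format and the sample
lines below are assumptions/constructed data, not a real TeamViewer export.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: two incoming remote-control sessions on the day of the payment.
SAMPLE_LOG = """\
123456789\tRemoteParty\t28-09-2018 09:02:11\t28-09-2018 09:06:40\tcustomer\tRemoteControl\t{aaaa-1111}
123456789\tRemoteParty\t28-09-2018 14:21:05\t28-09-2018 14:58:49\tcustomer\tRemoteControl\t{bbbb-2222}
"""

# Assumed timestamp layout of the log (day-month-year, 24h clock).
TS_FORMAT = "%d-%m-%Y %H:%M:%S"


@dataclass(frozen=True)
class Session:
    partner_id: str
    start: datetime
    end: datetime
    connection_id: str


def parse_sessions(text):
    """Parse the tab-separated log into Session records, skipping blank or truncated lines."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) < 7:
            continue  # tolerate a damaged line instead of aborting the whole analysis
        sessions.append(Session(
            partner_id=fields[0],
            start=datetime.strptime(fields[2], TS_FORMAT),
            end=datetime.strptime(fields[3], TS_FORMAT),
            connection_id=fields[6],
        ))
    return sessions


def sessions_overlapping(sessions, when, slack=timedelta(minutes=5)):
    """Return sessions active at `when`, widened by `slack` on both sides for clock skew."""
    return [s for s in sessions if s.start - slack <= when <= s.end + slack]


def assess(log_text, transaction_time_str):
    """Given the raw log and the bank's transaction timestamp, report overlapping sessions."""
    when = datetime.strptime(transaction_time_str, TS_FORMAT)
    hits = sessions_overlapping(parse_sessions(log_text), when)
    return {
        "remote_session_active": bool(hits),
        "connection_ids": [h.connection_id for h in hits],
        "partner_ids": sorted({h.partner_id for h in hits}),
    }


if __name__ == "__main__":
    # Disputed payment time as it would appear on the bank statement (constructed).
    print(assess(SAMPLE_LOG, "28-09-2018 14:37:00"))
```

    The partner ID and connection ID of any matching session are what the bank's fraud team can actually act on, so they are returned rather than only a yes/no flag.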
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,398
    Location:
    U.S.A.
    OK. Appears you are referring to what is described in this article: https://www.makeuseof.com/tag/online-banking-card-readers-work-secure/ . Note the following article excerpt:
    Appears to me, and unfortunately for your customer, you or he will have to find out if the card reader itself, i.e. its firmware, is infected. Also, whatever is being transmitted by the card reader I assume is being done via the customer's PC's existing network connection? So malware related to that or even router-based malware are possibilities.
     
  5. philby

    philby Registered Member

    Joined:
    Jan 10, 2008
    Posts:
    944
    Yes, card reader might have been compromised - but the card reader doesn't communicate with anything at all other than the chip in the card to generate the one-time code for online banking.

    So, perhaps his card may have been chip-read in some way that allowed one-time codes to be generated via the criminal's own card reader? I can't think of any other way the payment could have been authorised.

    That said though, what are the chances of having both your card's chip compromised and your online banking credentials compromised at the same time?
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,398
    Location:
    U.S.A.
    Using the details in the prior posted link:
    Let's analyze.

    Let's assume the card reader is compromised. Therefore the person's PIN could be captured.

    Next, let's assume the PC was compromised by malware so that user banking credentials were gained. The perpetrator also got his hands on some stolen or otherwise obtained card stock used by the bank. He also has mag stripe encoding equipment. He could use a legit issued bank card and copy all the encoded info substituting the user's PIN onto a bogus card mag stripe. He then logs on to the user's account. He then swipes the bogus card with his card reader and enters the user's PIN.

    Looks like you and your customer have a lot of detective work to do.

    The user needs to immediately reset all his bank credentials after it is ensured his PC is malware free. He also needs to request a new bank card with a new PIN and a new card reader. Personally, I would find a bank that does not require a card reader validation.
     
  7. philby

    philby Registered Member

    Joined:
    Jan 10, 2008
    Posts:
    944
    Yes, that scenario would make sense - though scraping the PIN from the reader would be difficult without physical access to it (customer's had no break-ins or unusual visitors).

    I've reformatted/reinstalled, changed all router security and advised re. new online credentials, card and PIN.

    Bank simply refuses to believe that the payment was not authorised by the user, so a significant amount has been lost.

    Customer has called bank repeatedly, offering to submit TeamViewer log that I saved before reformat and also the card reader for analysis - no interest at all from them.

    Never seen anything like this before - have only seen (many) cases where user caution was minimal to say the least.

    Thanks for your input!
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,398
    Location:
    U.S.A.
    Another and more likely scenario is his bank card mag stripe info was captured by a card "skimmer" that was attached to some card reader at a place of business he frequented. This would be the case if it was a bank issued debit card for instance. This is the reason Visa/Mastercard implemented their smart chip technology. Also the PIN is encoded on the mag stripe so it is reasonable to assume the user's home card reader probably was not compromised.

    Bottom line - swiping a bank issued debit card via mag stripe anywhere these days is akin to playing Russian roulette. So if the place of business does not have a chip reader or your debit card does not have a smart chip, always use a credit card.

    Also one has to fully assess the risk of using a debit card anywhere these days since the card is directly tied to one's bank account. And bank issued debit cards, even if they are Visa/Mastercard sponsored, have different loss liability limits than corresponding credit cards do. Finally, one can ask for just a bank issued ATM card with use restricted to ATM machines and tie that card to an account with limited funds.
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,398
    Location:
    U.S.A.
    Like I stated, find a bank without a card reader requirement.

    My bank has additional verification for funds transfers. How that works is they send the authorization code to my cell phone. Great as long as the hacker doesn't get your banking credentials, at which time he logs on and changes your cell phone number. They do send e-mail alerts about that activity, however.

    Or maybe the best solution is just don't do online banking.
     