Slashdot Mirror

← Back to Stories (view on slashdot.org)

Scammers Work Around Two-Factor Authentication With Social Engineering

Posted by Unknown on from the duh-you-need-three-factors dept.

mask.of.sanity writes "Thieves have made off with $45k after they intercepted a victim's two factor online banking codes used to verify large transactions. The scammers got the Australian executive's mobile number from his daughter, and work place details from his willing secretary. Armed with this data, they bluffed Vodafone which ported his phone number, meaning the criminals could verify the bank's two factor verification codes generated during their spending spree and the victim never knew a thing."

3 of 186 comments (clear)

  1. Re:Victim never knew a thing? by Fjandr · · Score: 5, Informative

    He received an SMS which he believed to be from Vodaphone, stating that they were having network difficulties and he would experience loss of cell service for the next 24 hours.

  2. The Blame Game by enoz · · Score: 5, Informative

    So the banks say it's not their problem, it's the fault of mobile operators for making numbers portable. Yet the banks were offered access to the national mobile database so they could check if a number was recently ported, but declined to use the information. Meanwhile the fraudsters are getting away with their winnings...

    1. Re:The Blame Game by rtfa-troll · · Score: 5, Informative

      So the banks say it's not their problem,

      No they didn't. They paid up fully and automatically. First they blocked his account:

      The team tried – unsuccessfully – to call Craig on his mobile. After several attempts to contact him, Craig’s bank account was frozen. The fraud unit eventually reached him on a landline.

      Then they sorted everything out and paid for everything automatically.

      Craig is satisfied that CommBank has done everything it can to resolve his specific matter, and he applauded the work of the bank's fraud squad.

      They had even been part of a group which had investigated the MNP security fixes available but decided not to implement them because of security problems.

      “We explored the Mobile Number Portability Database and decided not to progress the solution at the time due to limitations which we believed may have exposed our customers to undue risk," the spokesman said.

      I hate banks in general as much as the next man in the times of this crisis induced by some of them but lets at least blame them for the evil things that they really have done. This is not one of them.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();