[manchandap]

Quote:

Hopefully, I am posting in correct forum. I choose this particular forum due to earlier threads posted here (ICICI Bank Phishing Alert !!!! - New Technique). I could not find a recent thread, so I started a new one.

Quote:

When the going gets tough, turn to T-BHP

Wanted to share the phishing/vishing attack that happened to me, my actions and get the feedback from experts.

Here's the sequence of events:

• Sunday May 10, 2020: around 10:35 PM or so. I am half sleepy when I get a familiar SMS beep on my mobile. Out of curiosity, I check the phone. To my horror, I discover a SMS with OTP to access my net banking.
  • Trying to keep calm and make sense of what could have happened, my first reaction was to check my account details via net banking. I am able to login and so far no spurious transactions.
  • My next step is to write a mail to the bank's customer care team requesting them to trace to details from the access has been made.

• Monday 11, 2020: I get 3 calls from +91 7595047187 between 11:23 AM and 11:26 AM:
  • In the first call, the caller claimed to be from my Mobile Service Provider's Customer Support team. He wanted me to convert my SIM to 4g or else the my services would be stopped. For this he asked me to send a SMS
    • When I told him that I will contact Mobile Service Provider's customer care. He got abusive and I disconnected.
  • In the second call he was again abusive and I disconnected
  • In the third call he was abusive again and threatened to empty my bank account. After giving me a mouthful, he disconnected

I think on Sunday night, the caller/hackers have been able to concretely establish that my mobile number is associated with a particular bank account.

Probably, they would have tried multiple ways to get through but were unsuccessful.

On Monday, they tried to bully me into sending a SMS, so that they can deactivate my sim and get the OTP on their SIM.

I have informed both my bank and mobile service provider of this attempt.

So, my questions:

• What else I need to do to safeguard my mobile number and net banking account
• Do the hackers have a clone of my SIM and do they just need to get my SIM deactivated to start receiving OTPs.
• What else these hackers can do. I know this is a complex question but would be great to listen to the ideas experiences.

[dark.knight]

Here are things you should do in order :

1) Make a police complaint of the above incident, include every detail possible of those cybergoons. Keep the FIR slip with you for future references.

2) Change your mobile number linked to the account if you have an alternative number (higher precaution).

3) Change all bank passwords.

4) Uninstall all banking apps for a few months.

5) Do not give out any sort of information to any number, ever, be it banks, cellular providers etc. These service agencies mostly request your presence in real time and not through online means, to change anything.

Things are getting desperate for people, scam call centers and bank hacking industry in NCR itself, is a multi-crore rupee (per day!) industry, with the lockdown things are getting desperate and they are getting so desperate that they arent even following a script it seems, just call, abuse and bulldoze the way into a password.

Pathetic, better to starve and attain moksha than do all these antics. Atleast the soul will be in peace.

[J4J]

By not giving any info/SMS to these people, you handled it the right way.
If you have any credit card linked to that bank, please disable international transactions and set the daily limit. We don't know from where these people got the info and if by any chance, they also have the credit card info, then international transactions don't even require an OTP.

Next time don't engage with these people for too long. Social engineering is a hacking tool. Whenever I get such calls and they look genuine, I only ask them to mail it to me from their official email id and cut the call. If the next question is: "Sir what is your email id". Then you know who is calling. Don't reveal anything about yourself (Date of birth, place or any personal question) on the phone.

[RedTerrano]

+1 to everything dark.knight said.
In addition to it, my ₹0.02
1) It might be a good idea to record all future calls. Who knows the authorities may be able to trace the criminal via some voice recognition software?
2) I take it that the criminals might have gained access to one particular account (or trying to). Got another bank account? Transfer all money online to that account.

In case you are not aware, you can lodge a complaint online
Check out this link
https://cybercrime.gov.in/Webform/crmcondi.aspx

[Chetan_Rao]

All add-on precautions aside, one's primary defense to such attacks, and the bit you got spot on, was refusing to share information on a call that didn't originate from you.

ALWAYS insist on calling back the organization such callers claim to belong to (bank, network operator etc.), irrespective of how genuine the caller sounds, or may actually be. Genuine ones actually appreciate your due diligence, or at least understand your healthy skepticism.

Most online transactions need the current registered user of the service to take some action (usually a validation check of some sort), and that's why these guys try desperately to get that action triggered, instead of just doing stuff in the background. Some use sophisticated tactics, some just try to brute-force it, as happened in your case.

Technology is on your side as much as theirs, use it wisely to safeguard yourself.

P.S. Explore what options your bank provides for additional transaction authentication and managing card-not-present (CNP) transactions. That way, damage can still be limited even if someone gains access to your internet banking profile.

[Rehaan]

If they've got to the OTP stage, it means they probably know your password.

They have 1 of the 2 factors required for 2FA (Two-Factor Authentication).

You need to bring that back down to 0 to minimize your risk.

CHANGE YOUR PASSWORD -- but ensure you do it carefully:
- On a computer or device you know is not compromised
- Via typing the URL into the address bar (or via Google), NOT from a link in an email/sms.
- Don't re-use a password you've used elsewhere.

Additionally:
- If you auto-save passwords in your browser or a password manager, change the master password
- Ensure you are signed out of all other locations (example)

[Turbanator]

I don't think OP needs to do anything. OTP can be even for resetting the password. Knowing Mobile number linked with any account won't help them in anyway.

I keep on getting such calls, normally; I don't abuse even when angry but for unknown reasons, my Brain changes suddenly and most of these guys or even Ladies hear nice Punjabi & Haryanvi expletives from me.. In fact, I get charged up by venting my frustrations on such crooks

[anjan_c2007]

Quite a disturbing sequence of events that can happen to any bank customer using net banking. I have read all the suggestions that are quite logical.

My suggestion would be to accord topmost priority to lodge a FIR with the local cyber cell, who nab such criminals within no time.

[manchandap]

Quote:

Originally Posted by RedTerrano

+1 to everything dark.knight said.
In addition to it, my ₹0.02
1) It might be a good idea to record all future calls. Who knows the authorities may be able to trace the criminal via some voice recognition software?
2) I take it that the criminals might have gained access to one particular account (or trying to). Got another bank account? Transfer all money online to that account.

In case you are not aware, you can lodge a complaint online
Check out this link
https://cybercrime.gov.in/Webform/crmcondi.aspx

I have lodged a complaint on this portal. I was not able to upload the audio recording of the third call. Will share it when (hopefully) authorities start taking action on this.

Keeping fingers crossed.

Looks like these incidents are pretty common and as mentioned earlier, in few posts, would become more rampant as economy slides down.

There were earlier attempts of fraud with me using the Insurance Policy as a guise. The caller claimed that I have a decade old policy for which only the first premium has been paid. The policy is with their team and they are offering me a chance to revive the same by paying the premium. Otherwise they will discontinue my policy and I would get only 10% of the amount paid.
These people had insider information like the name of the agent whom I use for my insurance policies. This information spooked me when they called me first time. So, I checked with my agent and he confirmed after checking with the insurance company that no such policy has been bought.
The scammers didn't follow up on this.
However, after a long break I got another call with the same guise. I told them that I don't want to continue the policy and credit whatever amount is due to my account. They disconnected after venting their frustration.

Interestingly, in both of these cases the commonality is that the bank and the insurance company belong to same group.

[mvadg]

Quote:

Originally Posted by manchandap

I have lodged a complaint on this portal.

I have a few questions, but I guess it all boils down to one - how do you think they got to the point where they need your OTP? I mean, they seem to have figured out your username and password.

I would change my username and password from a browser on a bootable Linux disk to be safe (or even do it at the bank) and avoid using the systems at work and at home for any sensitive purposes until you find out how they managed to get hold of your credentials.

[saket77]

^^or the easier method: get card details. And use it for online shopping or bill payments.

[manchandap]

Quote:

Originally Posted by mvadg

I have a few questions, but I guess it all boils down to one - how do you think they got to the point where they need your OTP? I mean, they seem to have figured out your username and password.

A very valid question. The bank under discussion is ICICI. They have option to login using registered mobile number and OTP (sent to registered mobile number).

Getting this data is not very difficult these days . Let me give another example:

When my car's insurance was due for renewal last year, I started getting calls from many insurance sellers/resellers. I have not contacted anyone for the insurance quote. Also, I make a point to use my secondary phone/mail for such interaction. Here in this case they had my primary mobile number.

So, my guess would be that they knew about my registered mobile number with ICICI or they were able to figure out via brute force. Try a number on bank's site, if it goes through, then move on to the next step of the scam i.e. fool the person into disabling his/her sim card. If that goes through, the scammers have a signed blank cheque.

[blackwasp]

Quote:

Originally Posted by manchandap

A very valid question. The bank under discussion is ICICI. They have option to login using registered mobile number and OTP (sent to registered mobile number).

Since you mention ICICI, I would like to point out that its one of the most complicated to break into as you need grid on the back of your debit card for verifying transactions.

I would suggest you request a new debit card, change net banking password and if possible use only a credit card for transactions. Keep the debit card unused only for online transactions / net banking. Don't use it on POS machines that is.

This is the method I follow. I have had a skimming attack on my SBI credit card on a shady fuel bunk, but when they tried to use the card again, I got an SMS and immediately informed the call centre and blocked the card. I had a replacement card in 2 days and the transaction as reversed too. Had it been a debit card, the amount would have already been debited from my account and getting it back would be time consuming.

[Chetan_Rao]

Quote:

Originally Posted by blackwasp

...

I would suggest you request a new debit card, change net banking password and if possible use only a credit card for transactions. Keep the debit card unused only for online transactions / net banking. Don't use it on POS machines that is....

Specific to ICICI, debit card spend limits can be set for individual transaction types (separately for domestic and international ones): ATM withdrawals, POS and online transactions.

Mine is set to a reasonably small amount for domestic ATM withdrawal, all others disabled by default. All editable from the app and online banking, so I can change anything as needed and it's enabled/disabled instantly.

[vik99]

Quote:

Originally Posted by manchandap

...

Interestingly, in both of these cases the commonality is that the bank and the insurance company belong to same group.

This is usually the result of breach in the IT systems of the concerned financial institution. A breach doesn't necessarily have to be due to a cyber criminal exfiltrating information from the compromised IT Systems of the affected organisation, insiders are often more dangerous. All they need is a usb flash drive to siphon off large amounts of data.

In many countries there exists a legal framework which makes reporting of such breaches mandatory. Sadly, the most common response to any news of such incidents is denial when it comes to the Indian context.

This leaves us customers with very limited options to ensure that our identities aren't stolen by scammers to clear out our bank accounts. Stay vigilant, stay safe!