Woman loses over $44k after downloading third-party app to buy fish (straitstimes.com)
57 points by yokairider on Sept 23, 2023 | hide | past | favorite | 63 comments



I find it interesting that many people lament crypto about lack of transparency and how we went through this and that and that's why we have these sort of regulations in the legacy banking system, etc., etc. The reality is that these regulations mostly exist in the US (through credit card protection), and some in the EU. For the rest of the world, if you got your account siphoned, you are mostly on your own.

And about transparency: I have a debit card from an EU bank. It's barely usable because every time I need to make a purchase, it has to go through 3DS and 50/50 the transaction gets rejected. On POS in Asia, it's 80/20. So quite frustrating. Anyway, two months ago, I get a 60-70 EUR transaction on it from some merchant. Not sure how the scammer got the numbers (some shady POS in Thailand?) but the operation was via "an online interface" and there was no confirmation.

More bizarre: No one can tell me who exactly debited my card. Not even the bank itself has any idea who the merchant or his identity is. There you have it, a fully dysfunctional system and yet somehow it has become solid because a "less" secure one has lost some people some money.


> I have a debit card from an EU bank. It's barely usable because every time I need to make a purchase, it has to go through 3DS and 50/50 the transaction gets rejected

I have 2 debit cards and two credit cards from UK banks, and my partner has the same. I genuinely don't think I've ever had 3DS reject a transaction for either of us.

> a fully dysfunctional system and yet somehow it has become solid because a "less" secure one has lost some people some money.

No, it's solid because of legislation. Improving the technical details doesn't help the situation, as most of the issues are legislative.


> I have 2 debit cards and two credit cards from UK banks, and my partner has the same. I genuinely don't think I've ever had 3DS reject a transaction for either of us.

I get a 50/50 rate with local businesses in Mexico when paying online with European cards. I don't even bother with foreign cards for local government portals, the success rate is close to 0% when paying online.

Also, many payments have to be authenticated with an SMS, which is sent to my European number. Thankfully some banks allow adding a US Google Voice number.

I'm talking about normal banks; fintech banks, such as Revolut, are actually pretty good. But I still can't pay the water bill with it.


Reading between the lines a little bit here, it sounds like you're a digital nomad of sorts, with an EU bank account, and are attempting to pay "household bills" in a foreign country using details that don't quite add up.

If so, surely you can see that you are likely to be an absolute outlier and how your behaviour is likely almost indecipherable from actual fraud, unless you tell your bank you're not actually living in the country (at which point presumably they close your account, which is why you're doing this in the first place).

> I'm talking about normal banks, fintech banks, such as Revolut, are actually pretty good.

My bank accounts are NatWest and Starling and CCs are Amex and NatWest - pretty traditional.


It's the same if you're not an elite anywhere. I once had an ex-girlfriend use my debit card to buy $18,000 worth of stuff over a few weeks on Amazon before I noticed.

Amazon said there was nothing they could do because I had purchased products to send to her address before (true). Police said they couldn't do anything because there was no proof (false, they were too lazy to do anything). Bank said they couldn't do anything because I should have changed my bank account information.

I had to beg the judge and prosecutor to even press charges but she never showed up and the warrant for her arrest (for not showing up 3x) got thrown out within days of being filed.

Looked into getting a civil suit going and was quoted around the same amount of money as was stolen. I guess New Jersey must be "the rest of world".


I think a society has to have a certain level of overall, widely-distributed wealth for people to be willing to pay for the general protections from those sorts of regulations. The money to reimburse consumers doesn't come out of the air; it's a sort of ambient tax on people/the system in general that people are willing to pay since it's not that relatively large compared to the mean income/spending of people using the credit card system.


It’s highly functional because your account savings are backed by laws and strict regulations. It’s not about the tech.


You have credit from one continent good in another continent, there was some minor fraud, and you make an argument that this somehow equates this intercontinental banking system with an online ledger of tokens where the money markets for these tokens are routinely involved in billion dollar fraud criminal cases?

No, these things are not the same.


My mom always says no to any marketing offers. Last time I thought she was stupid for missing out on deals, but now I think she's a genius for having a strong spam filter and delegating the rest to her "IT" son.

The amount and sophistication of scams is very worrying.


My parents have always had the policy of, "if I didn't call you, I don't want it." I didn't understand it as a kid (being told to hang up the phone a lot), but the policy has saved us all a lot of heartache and I've adopted it for myself.


I broaden this rule to everything:

- If you approach a random person on the street for help, etc, 99 times out of 100 they will be helpful or at least not malicious.

- If one out of the 100 people on the street approaches you, there's a decent chance they are that 1 in 100 people looking to take advantage of you.

Bad people are the exception, there are just a lot of people.


When you approach a random person on the street, they should assume you are that 1 in 100.


You could be my sibling.


Mark Cuban recently lost $870k in crypto by a fake app scheme:

> “I’m pretty sure I downloaded a version of MetaMask with some shit in it,” Cuban told DL News. He said he had searched for Circle on Google, not MetaMask. [1]

[1]: https://www.dlnews.com/articles/people-culture/mark-cuban-lo...


I don't know. But if you have $870K in crypto and don't use a hardware wallet, I kind of don't feel bad for you.


"Look, idiot, if you do not perfectly follow all of this op sec, your money could disappear at literally any moment. In which case, sucks to be you. Oh, and also those crypto exchanges where people leave their money - those also have a good chance of disappearing in the night. Best to keep it under the digital equivalent of your mattress."

I will stick with a bank which is regulated to protect my money, and heads will roll if funny business happens.


> I will stick with a bank which is regulated to protect my money, and heads will roll if funny business happens.

When did that ever happen? Did even a single head roll for the bullshit with subprime mortgages? Some people get a bonus when the scam is big enough.


Well some banks went out of business.


I too love my bank which, like most others, is known for its lack of funny business, owing to the regulations that it definitely doesn't skirt at every opportunity (otherwise its execs would go to jail for doing crimes, obviously).


Probably a poor choice of words, but with a bank I have strong assurances that my account will not be drained tomorrow without possibility of recourse.

The government went above and beyond (generating moral hazard) in protecting SVB clients.


Like all those Wells Fargo execs? Uh huh.


> heads will roll if funny business happens

To be fair, a lot of the crypto hype is predicated, if indirectly, on how few heads roll when (barely quasi-legal) funny business happens through official institutions.


A. "I lost my money while it was in my bank... I got it back, but nobody got in trouble!"

B. "I lost my money while it was in crypto... I didn't get it back and nobody got in trouble!"

I'm not really sure B sounds like much of an improvement over A.


I'm not saying they're right, just saying that "regulations will help" won't really be a big selling point for those who already have lost trust in such institutions.


To be fair, at Cuban scale that's your hot wallet.


Crypto aside, I have idly wondered how/where the mega rich keep their money.

Is there a money manager effectively controlling a Schwab account with $1+ billion dollars? How do you minimize the blast radius to prevent internal/external loss of control? Even sub-dividing a fortune across N investment managers still leaves enormous targets painted on those accounts.

Or is it the more implicit threat that you do not steal from these people or the full weight of the government will aid in recovering these funds?


People who aren’t rich usually cannot understand how very little of it is typically liquid.

I sold some land, a guy sold me a Ferrari for it. I sold the Ferrari, never even saw it. He just couldn’t be bothered and wanted the land right then.


At that level you typically set up what's referred to as a "family office".

https://en.m.wikipedia.org/wiki/Family_office

The family office will manage the investment portfolio, typically across not only brokerages and banks but also direct investments / private equity/ vc / etc.


870k is Cuban dipping his toes with a test account. Everyone has different risk profiles and adversity.


It's mind boggling how crypto people still trust hot wallets that run as fucking browser extensions.


The reality is that relying on a cold storage wallet for security is just too much overhead when it's competing against a biometric scanner to authorise a transaction that can be reversed with a phone call.


Can someone explain how a third party app is getting access to her banking information on Android?

Aren't apps sandboxed?

Was this using regular Android security permissions, or was this relying on security vulnerabilities? And if vulnerabilities, is the problem that Androids often stop getting updates, so a large proportion of phones are sitting ducks?


Based on these lines:

> The seller texted Ms Khoo on WhatsApp and instructed her to download a third-party app called Grab&Go on her phone. The app prompted her to make a $5 payment through PayNow as a “deposit” before her order could be placed, but she asked if she could pay when her order arrived.

> The seller reassured her that he did not need her banking details and asked her to enter her name, address and phone number on the app to check out her purchase.

My guess would be the payment information combined with the personal information (and using that personal information to get more personal information online) was just enough to call the bank and impersonate her.

The app eating CPU and battery is definitely a red herring; even with a vulnerability that let it directly get at banking details there's no reason for it to do that. Probably just badly written.


The bit about the phone getting hot and crashing hints at a vulnerability being used.

I would consider an android app sandbox escape bug to be the lowest level of difficulty in mobile phone exploit chains.


Really? In my mind that would be the most difficult. The simplest is telling a non-tech person to install a shady app, approve a bunch of permissions, and ask them to input even more information directly. The phone being hot can just be them running a crypto miner as they already maxed out the information she gave them. Or them intentionally crashing her phone to give themselves more time to siphon off accounts, preventing her from contacting her banks and freezing cards.

I am more interested in the question of whether this was available on the app store or if the social engineering included her enabling 3rd party apps and side loading. A redacted copy of the chat would probably reveal a lot more about how this worked.


I wonder how best to solve this from a software or hardware POV, rather than from a policy standpoint. It seems so easy to take full control of phones these days.


This is a social problem. She was instructed to do xyz over WhatsApp. Any device can be compromised. It’s all about informing people what not to do. Like how very slowly old people are starting to wake up to the idea that you don’t pay the IRS with Google Play gift cards.


Totally agree that it’s a social problem. But it’s getting worse, not better.

There are hard security rules that you should always follow, for example, never click on links from an unknown sender. In the last five years I’ve noticed a trend of bureaucracies in every institution now wanting you to violate generally accepted security rules for their own convenience.

For example, I got a text from a new number saying (sic) “we’re your dentist office and we’ve changed over to a new system, please click this link and provide some sensitive PII for us ahead of your visit.” Although I had a dentist appointment coming up in a week, I called their office to confirm the appointment, no one over the phone asked me to do anything different, so I ignored the text.

When I got into the office, the receptionist politely told me that I did not fill out the patient forms ahead of my visit, and that I should have received a text message, and now they had to print the forms, which is a problem for them because they’re trying to go paperless. It was a very polite interaction, but the subtext was that I violated an implied contract with their office to engage regularly with them.

As members of the public, we’re asked to click on links from places we don’t recognize, to support the functioning of bureaucracies. Everyone engages in this behavior. I’ve found financial and insurance companies to be the worst offenders.

Regardless, institutions in authoritative positions are opening up massive avenues for social engineering by requiring the general public to ignore security best practices to interact with them. It succeeds in reducing administrative costs from them, but introduces systemic risk that the public is paying for in the form of security breaches.


Did you try getting your government to prosecute those scammers? I'm always confused by Americans inventing 100 different software ways to try to lock out people from their devices for "security", but no one wonders why exactly this kind of egregious scammage isn't actually punished and money returned?


Much of it is not punished because many of the scammers are in other countries.


The likelihood you get scammed as you age approaches 1.

Older people start defaulting to trust due to the mental burnout induced by having to overthink every situation.

Insurance companies are trying to figure out right now how to cover scam insurance per your age.


Can't be solved completely; anything can be social engineered. But that's no excuse for not solving it as completely as possible. I couldn't discern from the article the extent to which any technical vulnerability was involved -- or if it was pure social engineering, e.g. with the criminals using the info they had gotten out of the user to gain access to their accounts via more social engineering of their bank? Was an Android system exploit involved? Was the malware app able to escalate its privilege and access info from other apps? If either of those, what about Android's security model or implementation needs to be further hardened? (Naive questions, I'm neither a security nor an Android engineer.)


> It seems so easy to take full control of phones these days.

What?

The lady agreed to install and run an app, because someone asked her to do so.

She literally handed over control of her phone with its bank account accesses, essentially.

Also, that's an Android phone, which might or might not matter, but I imagine this social engineering (as if) scam would work in general.

In the words of Laocoon, "quidquid id est, timeo danaos et dona ferentes" if I remember.


I think the OP implies that she should not be allowed to control her own phone to the point where she can't do that - more corporate control and more corporate babysitting.


Actually I was saying more of, one app can just allow a hacker to take control of your phone completely. It’s quite scary especially knowing that the public isn't well-educated on this yet.


On the front page of HN right now as you posted this: https://news.ycombinator.com/item?id=37623479


There’s a little bit of alert fatigue on this stuff. Online internet privacy/security folks kick up a fuss about a lot of things that I don’t think cause me any harm, and it’s reducing my ability to detect legitimate threats. I can’t constantly evaluate whether something is Google “spying on my web browsing” or “this guy can steal your money”.

Fortunately, the solution of just sticking to mainstream platforms works. If I’m on a Mac with an iPhone, anything that hits me hits half of Americans. I’ll be in a nice big class-action once the damages are widespread.

Interestingly, this disincentivizes niche platforms.


> Fortunately, the solution of just sticking to mainstream platforms works.

Well, it depends. For widespread non-targeted attacks, like the one mentioned in the parent comment, I think using a niche platform is a form of security through obscurity that can actually work, because it's possible the generic exploit you encounter is not designed to work on your non-standard system (like a virtual machine, a hardened configuration, a non-mainstream OS like OpenBSD...). Although this is more difficult on phones, because it's not possible to use some mainstream services on niche platforms due to attestation requirements.


My wife had a $50k transfer initiated yesterday from her savings account (Bank of America). She was able to cancel the transaction by calling the bank in time, but still have no idea how it happened. Uses an iPhone 12 and hasn't downloaded any new apps in a while. Primarily uses a Mac Air but sometimes does banking on a Windows machine but is admin-managed by her (large) corp. Getting scary out there...

Edit: Has 2FA enabled


My policy:

No financial apps on the phone.

Only other apps are from big companies with a reputation for strong security practices. That means no sports and weather apps, no restaurant or game apps, no Samsung or T-Mobile apps, no TikTok.

Banking and brokerage are all in the browser, on a Chromebook, with no third-party extensions installed. This means no adblock and no other browsing on that user profile.

Most banks and brokerages don't offer FIDO 2FA, they all just want to do SMS. Their hardware tokens are a pain, but they work.


I'm not that stringent; I also allow open source apps from F-Droid where I can see what permissions the app wants before I install it.


2FA enabled?


Yes!


Which kind? The FIDO (Yubikey) BofA supports or the BS SMS based security theater they used to have?


I've been seriously thinking of getting a separate phone which would just be used for financial apps. It seems apps are now required to log into a few of the institutions I use, and you can do virtually everything with their apps. Two factor seems to be edging towards one factor, when a fingerprint can do everything.


Sadly, the banking apps always require new and up-to-date phones (for security reasons), yet most phones have a limited lifetime from a security pov, so you'd have to keep buying a new second phone.


Samsung offers a secure folder feature in recent versions of its phones that can quarantine banking apps from the rest of the phone.

I think it's based on their Knox framework.

Not sure how much security this adds overall but may still be worth considering.


That's how I deal with gaming and intrusive anticheat systems for a while now - we have a dedicated computer for gaming in our house, with the browser and most apps restricted. This is the only way to somewhat tolerate a ring0 spying system that also insists I have no hypervisors anywhere in sight.


From one perspective, this crime makes the case for walled-garden app stores. From another perspective, it should shame the phone/OS producers for such awful security practices. If the phone/OS producers cannot protect users from these crimes, why should the users trust them and their "secure" app stores?


I would like to see an analysis of this third party Android app the victim downloaded.

It seems like the creators of this malicious app found a way to break out of the app sandbox [1] and obtain root access. From there getting access to other apps was trivial. Why the Hong Kong bank fraud detection did not block these transactions or freeze the account for suspicious activity is another issue.

I think Google should reach out here and get more information. Perhaps give this woman a lifeline. Something like this shouldn’t be possible.

[1] https://source.android.com/docs/security/app-sandbox


Seems like banks really should have some kind of extra security mode that requires app verification for anything not whitelisted.

Especially when a lot of scams go through crypto. I should be able to say "I do not ever buy any cryptocurrency, nor do I do any hand picked random investments, don't let me do anything but pay for stuff at retail stores or online sites in the top 100 largest without app verification".


Those are probably SGD, not USD. So a bit less, but still a considerable damage.


Does anyone have any insight as to how this might work, the attack vector?



