This topic has 170 replies, 61 voices, and was last updated 7 years ago by beaker.
Online Fraud Advice
breatheeasy (Free Member)
If it’s malware, is coop bank not a pretty odd target? I mean it must be a quite small usershare even if the malware targets an array of banks.
Well, there are still many £millions in the Coop, and if the baddies have worked out their particular authentication process can be ‘modified’ slightly to work in their advantage they could be an easy target. Also, maybe Coop implies a more elderly audience they might be more likely to fall for phishing scams etc.
Tom-B (Free Member)
Update, Fraud team manager at Co-Op has upheld the decision to not authorise a refund on the basis that I gave away my PIN number. They really are trying their hardest to avoid being helpful in any way!!!
Do we think that going to the press is worthwhile? I’d imagine that with the amount we’re talking (five figure sum) it’s pretty news worthy?
wwaswas (Full Member)
I’ve said it above – you need to get someone who knows what they’re doing to examine your PC.
I would talk to a specialist solicitor.
Also talk to ombudsman – be seen to follow appropriate escalation path.
Press? I’d save that for later if it were me but for a five figure sum it might be easier said than done – I’d be frantic by now 🙁
martinhutch (Full Member)
That’s crap. I’m not sure that press would be helpful to your cause – the angle would more be about ‘making people aware’ rather than ‘crap, unhelpful bank’. So unless you want ‘sadface’ in the papers, it’s not worth the effort.
Ombudsman might be your best bet. Is it just a single login password, or is there some kind of two-factor authentication provided by the bank? I would have said that the former is inadequate these days given the likely sophistication of the malware/spoofing attack you’ve experienced.
Keep plugging away at them.
Jamie (Free Member)
Do we think that going to the press is worthwhile? I’d imagine that with the amount we’re talking (five figure sum) it’s pretty news worthy?
What have you got to lose?
your.problems@observer.co.uk
consumer.champions@theguardian.com
Email addresses from https://www.theguardian.com/money/2013/nov/20/consumer-work-experts-guardian
boblo (Free Member)
I know this may be an unpopular question but, if the OP’s PC has been compromised and he’s consequently given his secrets away to a cunning third party who has then stolen his cash, why should the bank (and by extension its other customers) be liable to make good the loss?
Unless the bank can be shown to have been negligent or complicit, why are they liable apart from by having more money to throw around?
Sorry, not trying to be provocative just curious.
Jamie (Free Member)
I assume the CoOp’s fraud dept have explained exactly how they think the attack took place to the OP?
1. So it doesn’t happen again
2. To explain why they have decided to not refund his money.
Tom-B (Free Member)
Given that they got my PIN number (which seems to be the crux) via the coop’s card reader I’d say the bank’s security has been pretty negligent? Surely it should be able to be hijacked in this way?
Also, why wasn’t a 5 figure transfer flagged up as suspicious by the bank? It’s hardly like I routinely move that amount of money around!!!
Jamie (Free Member)
Tom.
You need them to tell you exactly what they think happened. As I just cannot see how they can say get bent, but not say how they have shifted liability onto you.
the-muffin-man (Full Member)
How have they got your PIN number? Your PIN number is never entered on the Co-Op banking site for any transaction, only in the card reader thingy. And the card reader isn’t connected to the computer in any way.
martinhutch (Full Member)
It’s up to the bank to demonstrate that you have been ‘grossly negligent’ in revealing your pin. Not sure how they can do this in the circumstances you describe. Escalate and Ombudsman.
Tom-B (Free Member)
That’s what I’ve been arguing thus far! It’s up to them to demonstrate gross negligence on my part.
Anyway, I’ve raised the complaint with the bank (which is what I need to do before going to the ombudsman)
I have also just emailed the CEOs of coop asking them to look into it (probably a waste of time but hey ho)
My trip to the Alps in 2 weeks is suddenly looking rather extravagant compared to how much money I now have! Should be able to afford at least one beer I guess!
zilog6128 (Full Member)
I assume the CoOp’s fraud dept have explained exactly how they think the attack took place to the OP?
if it’s a case of OP logging into the actual bank website but then being tricked into authorising a payment using the card reader, due to malware on his PC such as the “overlay kit” mentioned earlier (never heard of that before; scary stuff) then surely it’ll just look like a legit transaction from the bank’s point of view? No attack to explain as such as bank security itself not compromised. Best of luck OP.
Cougar (Full Member)
TBH, I think I’d play dumb. “This happened, I’ve no idea how, I’ve never knowingly disclosed my details to anyone.” Let them prove otherwise.
irc (Full Member)
Bit of a nightmare this one. Could happen to almost any online customer presumably.
I’m still with phone banking so that’s one less way I can be a fraud victim. My bank now has voice recognition when I call them.
I’ve got my e-mail and paypal set up so I need to enter a pin sent to my mobile when logging in. Got that tip from a topic here.
Jamie (Free Member)
I am still curious as to how a third party intercepted the connection, and then implemented their own response code system.
Has to be malware, no? If so is OP still using same laptop….and is it still connected to the web?
joebristol (Full Member)
So 2 issues here.
1. How you got directed to another site. Unless the bank’s own site has been hacked, then the bank isn’t liable for this. Might be worth asking the question around their own security – especially if they’re suddenly taking the system down for ‘updates’.
2. Giving away a challenge code from your reader. This is effectively like giving someone the PIN number for your debit card – in that case the bank won’t refund loss of funds. I’ve worked for 2 of the big 4 U.K. Banks and there’s usually emphasis on their websites when you log in about not giving away your card reader codes and that they’ll only ask for a code for authorising a new payee / sending funds to a new payee. I’m more familiar with my ex-employer’s site as recently moved, but it specifically said we won’t ask for a code for any other reason.
So does Co-op say the same / have they got warnings on their site? If not then maybe you could argue that wasn’t obvious?
Seems you entered the code for a reason you believed wasn’t for initiating a payment.
bails (Full Member)
Joe, to address those two points
1. The OP didn’t leave the co-op bank site, he was always at a legitimate URL.
2. The scammers could wait until you try to pay a new account and make their move then. So you’re already expecting a challenge and to have to generate a code, but instead of doing it for the £50 you’re paying to a friend they’re using the code to clear out your account.
joebristol (Full Member)
On point one – the op must have seen another site to get the instruction on the screen to generate a security code. I won’t claim to be ‘techie’, but it’s happened.
Point 2 – I’ve never banked with co-op (nor will I ever) – but on the online banking sites I’ve used, part of the challenge code entered in the process uses some of the digits of the account number you’re setting up for payments.
Jamie (Free Member)
Banks and there’s usually emphasis on their websites when you log in about not giving away your card reader codes and that they’ll only ask for a code for authorising a new payee / sending funds to a new payee
I know Barclays asks you for a code when logging in, but it has different responses for different challenges.
For example logging in will ask for an identity code, but for signing new transactions it would need to be a signing code.
Looks like the CoOp one is not that smart, and is purely for authorising new payments, so as they warn should never be used to identify yourself:
Using your Card Reader:
Your card and Card Reader are for you and only you to use when banking online. You may be asked to use the Card Reader when you do the following tasks:
set up or amend standing orders
set up, amend or make bill payments
set up, amend or make funds transfers
Remember – we will never call you to ask you to use your Card Reader to set up, make or amend any payments or contact you to ask you to use your Card Reader to confirm your identity.
http://www.co-operativebank.co.uk/global/security/card-reader
leffeboy (Full Member)
On point one – the op must have seen another site to get the instruction on the screen to generate a security code. I won’t claim to be ‘techie’, but it’s happened.
And this is the point. All of the pages in his browser history, including the transfer pages, are from the correct co-op site pages. This is why this is so worrying and strange. There is new European legislation (oh yes) coming Jan 2018 to enforce two factor authentication on transfers over 10 EUR (so that’s 200 GBP 🙂 ) but this attack makes two factor look inadequate
Jamie (Free Member)
This is why I was concerned about the laptop still being given web access. If there is malware on there, then the operator could/maybe has, removed evidence.
As well as continue to view OP’s activities.
Tom-B (Free Member)
Maybe time to stop using the laptop then!
Posting this from my phone…..had an email back from the CEO first thing this morning saying that he’s got a senior staff member looking into it. Basically resigned to the fact that they won’t be refunding me now, and I’ll have to wait and see what funds they manage to recover from the account that it went to (I’ll not be holding my breath for much!)
Guess it’s time to alter the plans for the next couple of years and start saving again…..and to switch banks!
Pierre (Full Member)
Might be worth getting in touch with Radio 4’s You And Yours too – another consumer programme but definitely one with clout, especially with older listeners.
Flaperon (Full Member)
On my card reader you put your debit card in, enter the PIN number associated with that card and it generates the 8 digit code. Unless the random 8 digit code is a ruse to make you think it’s more secure!
No, the card reader is directly interfacing with the chip on the card (where the clever stuff actually happens). Interestingly there’s a well documented flaw with the system where a fraudster can convince someone to generate a valid response code from a zero value transaction.
How old is your card reader?
https://en.wikipedia.org/wiki/Chip_Authentication_Program
More concerningly however, if a respond request is issued by a bank, using the sign mode with the same number and an amount of ¤0.00 will again generate a valid result which creates a possibility for a fraudster to instruct a customer to do a “test” challenge response for an amount of ¤0.00 which is in fact going to be used by the fraudster to verify a respond command in order for them to add themselves as a payee on the victim’s account; these attacks were possible to carry out against banks that used strong authentication devices that were not canceling activities until an amount of at least 0.01 was entered.
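The difference between a code that only proves the card was present and one that is tied to a specific payee and amount, as raised in the posts above about identity versus signing codes and the zero-value flaw, is shown in this added example. It is not part of the thread and is not the Co-op's or EMV's algorithm: the HMAC scheme, key, challenge and account numbers are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed demo key: a real CAP card computes its response on the EMV chip.
CARD_KEY = b"constructed-demo-card-key"

def response_code(key, mode, challenge, payee_account="", amount_pence=0):
    """Toy card-reader response: 8 digits from an HMAC over everything keyed in.

    Putting the mode, payee account and amount inside the MAC is what ties a
    code to one specific action (hypothetical scheme, not the EMV algorithm).
    """
    msg = "|".join([mode, challenge, payee_account, str(amount_pence)]).encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"

def verify_payment(key, challenge, payee_account, amount_pence, code):
    """Bank-side check before adding a payee or releasing a transfer."""
    if amount_pence < 1:
        return False  # a zero-value signature authorises nothing
    expected = response_code(key, "sign", challenge, payee_account, amount_pence)
    return hmac.compare_digest(expected, code)

def demo():
    challenge = "48151623"                  # constructed bank challenge
    friend, other = "12345678", "87654321"  # constructed account numbers
    # Customer keys the friend's account and 50.00 GBP into the reader.
    code = response_code(CARD_KEY, "sign", challenge, friend, 5000)
    zero = response_code(CARD_KEY, "sign", challenge, other, 0)
    ident = response_code(CARD_KEY, "identify", challenge)
    return {
        "intended payment": verify_payment(CARD_KEY, challenge, friend, 5000, code),
        "same code, other payee": verify_payment(CARD_KEY, challenge, other, 5000, code),
        "same code, larger amount": verify_payment(CARD_KEY, challenge, friend, 900000, code),
        "zero-value 'test' code": verify_payment(CARD_KEY, challenge, other, 0, zero),
        "identify code as signature": verify_payment(CARD_KEY, challenge, friend, 5000, ident),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Only the first case is accepted; a reader that shows the payee digits and amount being signed gives the customer the same check on their side.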
DezB (Free Member)
Do we think that going to the press is worthwhile? I’d imagine that with the amount we’re talking (five figure sum) it’s pretty news worthy?
Yes, there is a woman who almost always gets results – they followed up a scam someone I know fell for. I’ll get you the woman’s details and post it here.
This thread has got me all wound up so want to help! Will know never to bank with the Co-Op (or Santander, who wouldn’t help with the previously mentioned.)
johndoh (Free Member)
I don’t understand why the police don’t get more involved – if someone came around to my house and stole a five figure sum (ie a confidence trickster who talked their way in) I wouldn’t expect them to say ‘tough shit, you invited them in’.
The bank and the police should be taking this crime much more seriously.
DezB (Free Member)
Damn right johndoh. OP seems to be coping remarkably well, a lot of people wouldn’t, me included.
jam-bo (Full Member)
The bank and the police should be taking this crime much more seriously.
bank transfers seem to be a bit of a black hole where the banks can just put their hands up and say not my problem guv.
they seem quite capable of recovering the money if they’ve lost out…
Tom-B (Free Member)
Thanks so much for the help so far people. I guess I am coping pretty well….my girlfriend has been amazing (we don’t share finances!!! Ha) not slept too well, and if I’m not keeping busy then I’m finding it tough…..I feel very helpless tbh, the world rather unsurprisingly, has kept on turning though!
phead (Free Member)
Separate from anything you did, the bank still seems to be at fault for saying that “they say that the funds will be refunded within 1 working day”
They didn’t start an immediate investigation, they didn’t follow the funds to freeze them. Off to the regulator you go.
thegreatape (Free Member)
the police should be taking this crime much more seriously.
We do. I’ve dealt with a number of these scams in the last couple of years. Frequently the locus (where the crime is committed from) is outside our area so responsibility for investigating is transferred to the relevant force. In almost every case the money is immediately withdrawn and sent abroad via Western Union or Moneygram, from where it cannot be recovered. Not by us anyway. We have had more than one conviction and in one case the culprit has been forced by the court to sell his house to pay the compensation awarded by the court.
There are so many scams that I dare say I’m not aware of them all – the OPs one is a new one to me. I think there should be a lot more layers of security in the online banking system. A ballache, probably, but less of one than getting scammed.
xora (Full Member)
Unfortunately Bank security is a matter of derision within the actual computer security circles. Just look at the kinda TFA most of them operate instead of real TFA which would be simple for them to implement.
I would certainly not be using that Laptop until it’s had a full clean. From what you have said someone has unrestricted access to it and could do it again on pretty much any website they choose.
DezB (Free Member)
Tom – here’s who you have to write to for results – Jessica Gorse-Williams, (Telegraph).
Might take a while, but worth it.
plyphon (Free Member)
Feel for OP. Got my credit card cloned June last year and that was scary enough seeing £2k+ appear on my CC. Can’t imagine the shock to see current account/ISA drained.
Interested to see the results. I think wire fraud should be protected by the banks as it’ll act as an incentive to invest properly in info/network security. Also, these attacks are impossible to predict, even harder to detect until the deed is done, and are only getting more sophisticated written by teams of incredibly smart programmers. It’s unfair to have a burden of responsibility on the end user when the odds are stacked massively against them.
bearnecessities (Full Member)
FWIW I think wwaswas and phead have called out the avenue I’d be screaming my face off at the bank pursuing. Don’t give up.
cornholio98 (Free Member)
some of the IT security guys started circulating this: “fileless malware is infecting banks around the globe”
The topic ‘Online Fraud Advice’ is closed to new replies.