Viewing 40 posts - 81 through 120 (of 171 total)
  • Online Fraud Advice
  • breatheeasy
    Free Member

    If it’s malware, is coop bank not a pretty odd target? I mean it must be a quite small usershare even if the malware targets an array of banks.

    Well, there are still many £millions in the Coop, and if the baddies have worked out their particular authentication process can be ‘modified’ slightly to work in their advantage they could be an easy target. Also, maybe Coop implies a more elderly audience they might be more likely to fall for phishing scams etc.

    Tom-B
    Free Member

    Update, Fraud team manager at Co-Op has upheld the decision to not authorise a refund on the basis that I gave away my PIN number. They really are trying their hardest to avoid being helpful in any way!!!

    Do we think that going to the press is worthwhile? I’d imagine that with the amount we’re talking (five figure sum) it’s pretty news worthy?

    wwaswas
    Full Member

    I’ve said it above – you need to get someone who knows what they’re doing to examine your pc.

    I would talk to a specialist solicitor.

    Also talk to ombudsman – be seen to follow appropriate escalation path.

    Press? I’d save that for later if it were me but for a five figure sum it might be easier said than done – I’d be frantic by now 🙁

    martinhutch
    Full Member

    That’s crap. I’m not sure that press would be helpful to your cause – the angle would more be about ‘making people aware’ rather than ‘crap, unhelpful bank’. So unless you want ‘sadface’ in the papers, it’s not worth the effort.

    Ombudsman might be your best bet. Is it just a single login password, or is there some kind of two-factor authentication provided by the bank? I would have said that the former is inadequate these days given the likely sophistication of the malware/spoofing attack you’ve experienced.

    Keep plugging away at them.

    Jamie
    Free Member

    Do we think that going to the press is worthwhile? I’d imagine that with the amount we’re talking (five figure sum) it’s pretty news worthy?

    What have you got to lose?

    your.problems@observer.co.uk

    consumer.champions@theguardian.com

    Email addresses from https://www.theguardian.com/money/2013/nov/20/consumer-work-experts-guardian

    boblo
    Free Member

    I know this may be an unpopular question but, if the OP’s PC has been compromised and he’s consequently given his secrets away to a cunning third party who has then stolen his cash, why should the bank (and by extension its other customers) be liable to make good the loss?

    Unless the bank can be shown to have been negligent or complicit, why are they liable apart from by having more money to throw around?

    Sorry, not trying to be provocative just curious.

    Jamie
    Free Member

    I assume the CoOp’s fraud dept have explained exactly how they think the attack took place to the OP?

    1. So it doesn’t happen again
    2. To explain why they have decided to not refund his money.

    Tom-B
    Free Member

    Given that they got my PIN number (which seems to be the crux) via the coop’s card reader I’d say the bank’s security has been pretty negligent? Surely it should be able to be hijacked in this way?

    Also, why wasn’t a 5 figure transfer flagged up as suspicious by the bank? It’s hardly like I routinely move that amount of money around!!!

    Jamie
    Free Member

    Tom.

    You need them to tell you exactly what they think happened. As I just cannot see how they can say get bent, but not say how they have shifted liability onto you.

    the-muffin-man
    Full Member

    How have they got your PIN number? Your PIN number is never entered on the Co-Op banking site for any transaction, only in the card reader thingy. And the card reader isn’t connected to the computer in any way.

    martinhutch
    Full Member

    It’s up to the bank to demonstrate that you have been ‘grossly negligent’ in revealing your pin. Not sure how they can do this in the circumstances you describe. Escalate and Ombudsman.

    Tom-B
    Free Member

    That’s what I’ve been arguing thus far! It’s up to them to demonstrate gross negligence on my part.

    Anyway, I’ve raised the complaint with the bank (which is what I need to do before going to the ombudsman)

    I have also just emailed the CEO’s of coop asking them to look into it (probably a waste of time but hey ho)

    My trip to the Alps in 2 weeks is suddenly looking rather extravagant compared to how much money I now have! Should be able to afford at least one beer I guess!

    zilog6128
    Full Member

    I assume the CoOp’s fraud dept have explained exactly how they think the attack took place to the OP?

    if it’s a case of OP logging into the actual bank website but then being tricked into authorising a payment using the card reader, due to malware on his PC such as the “overlay kit” mentioned earlier (never heard of that before; scary stuff) then surely it’ll just look like a legit transaction from the bank’s point of view? No attack to explain as such as bank security itself not compromised. Best of luck OP.

    Cougar
    Full Member

    TBH, I think I’d play dumb. “This happened, I’ve no idea how, I’ve never knowingly disclosed my details to anyone.” Let them prove otherwise.

    irc
    Full Member

    Bit of a nightmare this one. Could happen to almost any online customer presumably.

    I’m still with phone banking so that’s one less way I can be a fraud victim. My bank now has voice recognition when I call them.

    http://www.moneysavingexpert.com/news/banking/2016/07/voice-recognition-to-replace-passwords-for-13-million-first-direct-customers-within-two-months

    I’ve got my e-mail and paypal set up so I need to enter a pin sent to my mobile when logging in. Got that tip from a topic here.

    Jamie
    Free Member

    I am still curious as to how a third party intercepted the connection, and then implemented their own response code system.

    Has to be malware, no? If so is OP still using same laptop….and is it still connected to the web?

    joebristol
    Full Member

    So 2 issues here.

    1. How you got directed to another site. Unless the bank’s own site has been hacked, then the bank isn’t liable for this. Might be worth asking the question around their own security – especially if they’re suddenly taking the system down for ‘updates’.

    2. Giving away a challenge code from your reader. This is effectively like giving someone the PIN number for your debit card – in that case the bank won’t refund loss of funds. I’ve worked for 2 of the big 4 U.K. Banks and there’s usually emphasis on their websites when you log in about not giving away your card reader codes and that they’ll only ask for a code for authorising a new payee / sending funds to a new payee. I’m more familiar with my ex employers site as recently moved, but it specifically said we won’t ask for a code for any other reason.

    So does Co-op say the same / have they got warnings on their site? If not then maybe you could argue that wasn’t obvious?

    Seems you entered the code for a reason you believed wasn’t for initiating a payment.

    bails
    Full Member

    Joe, to address those two points
    1. The OP didn’t leave the co-op bank site, he was always at a legitimate URL.
    2. The scammers could wait until you try to pay a new account and make their move then. So you’re already expecting a challenge and to have to generate a code, but instead of doing it for the £50 you’re paying to a friend they’re using the code to clear out your account.

    joebristol
    Full Member

    On point one – the op must have seen another site to get the instruction on the screen to generate a security code. I won’t claim to be ‘techie’, but it’s happened.

    Point 2 – I’ve never banked with co-op (nor will I ever) – but on the online banking sites I’ve used, part of the challenge code entered in the process uses some of the digits of the account number you’re setting up for payments.

    Jamie
    Free Member

    Banks and there’s usually emphasis on their websites when you log in about not giving away your card reader codes and that they’ll only ask for a code for authorising a new payee / sending funds to a new payee

    I know Barclays asks you for a code when logging in, but it has different responses for different challenges.

    For example logging in will ask for an identity code, but for signing new transactions it would need to be a signing code.

    Looks like the CoOp one is not that smart, and is purely for authorising new payments, so as they warn should never be used to identify yourself:

    Using your Card Reader:

    Your card and Card Reader are for you and only you to use when banking online. You may be asked to use the Card Reader when you do the following tasks:
    set up or amend standing orders
    set up, amend or make bill payments
    set up, amend or make funds transfers
    Remember – we will never call you to ask you to use your Card Reader to set up, make or amend any payments or contact you to ask you to use your Card Reader to confirm your identity.

    http://www.co-operativebank.co.uk/global/security/card-reader

    leffeboy
    Full Member

    On point one – the op must have seen another site to get the instruction on the screen to generate a security code. I won’t claim to be ‘techie’, but it’s happened.

    And this is the point. All of the pages in his browser history, including the transfer pages, are from the correct co-op site pages. This is why this is so worrying and strange. There is new European legislation (oh yes) coming Jan 2018 to enforce two factor authentication on transfers over 10 EUR (so that’s 200 GBP 🙂 ) but this attack makes two factor look inadequate

    Jamie
    Free Member

    This is why I was concerned about the laptop still being given web access. If there is malware on there, then the operator could/maybe has, removed evidence.

    As well as continue to view OP’s activities.

    Tom-B
    Free Member

    Maybe time to stop using the laptop then!

    Posting this from my phone…..had an email back from the CEO first thing this morning saying that he’s got a senior staff member looking into it. Basically resigned to the fact that they won’t be refunding me now, and I’ll have to wait and see what funds they manage to recover from the account that it went to (I’ll not be holding my breath for much!)

    Guess it’s time to alter the plans for the next couple of years and start saving again…..and to switch banks!

    Pierre
    Full Member

    Might be worth getting in touch with Radio 4’s You And Yours too – another consumer programme but definitely one with clout, especially with older listeners.

    https://ssl.bbc.co.uk/programmes/b006qps9/contact

    Flaperon
    Full Member

    On my card reader you put your debit card in, enter the PIN number associated with that card and it generates the 8 digit code. Unless the random 8 digit code is a ruse to make you think it’s more secure!

    No, the card reader is directly interfacing with the chip on the card (where the clever stuff actually happens). Interestingly there’s a well documented flaw with the system where a fraudster can convince someone to generate a valid response code from a zero value transaction.

    How old is your card reader?

    https://en.wikipedia.org/wiki/Chip_Authentication_Program

    More concerningly however, if a respond request is issued by a bank, using the sign mode with the same number and an amount of ¤0.00 will again generate a valid result which creates a possibility for a fraudster to instruct a customer to do a “test” challenge response for an amount of ¤0.00 which is in fact going to be used by the fraudster to verify a respond command in order for them to add themselves as a payee on the victim’s account; these attacks were possible to carry out against banks that used strong authentication devices that were not canceling activities until an amount of at least 0.01 was entered.
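
Added example, not part of any post in this thread and not the bank's or EMV's real algorithm: a simplified Python model of the difference discussed above between an unbound response code and a signing code tied to the payee account and amount, with the bank refusing the zero-value signing described in the Wikipedia excerpt. The HMAC construction, the key, the account numbers and all function names are assumptions made for illustration, and replay protection (transaction counters) is left out.

```python
import hashlib
import hmac

# Constructed demo key; a real card keeps its key inside the chip.
CARD_KEY = b"constructed-demo-card-key"


def _code(mode: str, *fields: str) -> str:
    """8-digit code from the reader mode plus whatever was keyed in."""
    msg = "|".join((mode, *fields)).encode()
    digest = hmac.new(CARD_KEY, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


def reader_respond(challenge: str) -> str:
    """Unbound mode: the code depends only on the number shown on screen."""
    return _code("respond", challenge)


def reader_sign(payee_account: str, amount_pence: int) -> str:
    """Signing mode: the customer keys in the payee account and the amount."""
    return _code("sign", payee_account, str(amount_pence))


def bank_verify_respond(code: str, challenge: str) -> bool:
    """Bank check for an unbound code: no payment details are involved."""
    return hmac.compare_digest(code, reader_respond(challenge))


def bank_verify_payment(code: str, payee_account: str, amount_pence: int) -> bool:
    """Bank check for a signing code, recomputed from the payment about to run."""
    if amount_pence <= 0:
        return False  # refuse zero-value "test" signings outright
    return hmac.compare_digest(code, reader_sign(payee_account, amount_pence))


def demo() -> dict:
    # Constructed values: the customer signs 50.00 to account 12345678.
    code = reader_sign("12345678", 5000)
    return {
        "intended_payment": bank_verify_payment(code, "12345678", 5000),
        "different_payee_and_amount": bank_verify_payment(code, "87654321", 1500000),
        "zero_value_signing": bank_verify_payment(reader_sign("87654321", 0), "87654321", 0),
        "respond_code_as_signature": bank_verify_payment(reader_respond("12345678"), "12345678", 5000),
        "unbound_code": bank_verify_respond(reader_respond("4471"), "4471"),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

Only the payment the customer actually keyed into the reader verifies; the unbound code is accepted without the bank knowing what it was generated for, which is why the mode and the keyed-in details matter.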

    DezB
    Free Member

    Do we think that going to the press is worthwhile? I’d imagine that with the amount we’re talking (five figure sum) it’s pretty news worthy?

    Yes, there is a woman who almost always gets results – they followed up a scam someone I know fell for. I’ll get you the woman’s details and post it here.
    This thread has got me all wound up so want to help! Will know never to bank with the Co-Op (or Santander, who wouldn’t help with the previously mentioned.)

    johndoh
    Free Member

    I don’t understand why the police don’t get more involved – if someone came around to my house and stole a five figure sum (ie a confidence trickster who talked their way in) I wouldn’t expect them to say ‘tough shit, you invited them in’.

    The bank and the police should be taking this crime much more seriously.

    DezB
    Free Member

    Damn right johndoh. OP seems to be coping remarkably well, a lot of people wouldn’t, me included.

    jam-bo
    Full Member

    The bank and the police should be taking this crime much more seriously.

    bank transfers seem to be a bit of a black hole where the banks can just put their hands up and say not my problem guv.

    they seem quite capable of recovering the money if they’ve lost out…

    Tom-B
    Free Member

    Thanks so much for the help so far people. I guess I am coping pretty well….my girlfriend has been amazing (we don’t share finances!!! Ha) not slept too well, and if I’m not keeping busy then I’m finding it tough…..I feel very helpless tbh, the world rather unsurprisingly, has kept on turning though!

    phead
    Free Member

    Separate from anything you did, the bank still seems to be at fault for saying that ” they say that the funds will be refunded within 1 working day”

    They didn’t start an immediate investigation, they didn’t follow the funds to freeze them. Off to the regulator you go.

    thegreatape
    Free Member

    the police should be taking this crime much more seriously.

    We do. I’ve dealt with a number of these scams in the last couple of years. Frequently the locus (where the crime is committed from) is outside our area so responsibility for investigating is transferred to the relevant force. In almost every case the money is immediately withdrawn and sent abroad via Western Union or Moneygram, from where it cannot be recovered. Not by us anyway. We have had more than one conviction and in one case the culprit has been forced by the court to sell his house to pay the compensation awarded by the court.

    There are so many scams that I dare say I’m not aware of them all – the OPs one is a new one to me. I think there should be a lot more layers of security in the online banking system. A ballache, probably, but less of one than getting scammed.

    xora
    Full Member

    Unfortunately Bank security is a matter of derision within the actual computer security circles. Just look at the kinda TFA most of them operate instead of real TFA which would be simple for them to implement.

    I would certainly not be using that Laptop until it’s had a full clean. From what you have said someone has unrestricted access to it and could do it again on pretty much any website they choose.

    DezB
    Free Member

    Tom – here’s who you have to write to for results – Jessica Gorse-Williams, (Telegraph).

    Might take a while, but worth it.

    Tom-B
    Free Member

    Thank you so much DezB

    plyphon
    Free Member

    Feel for OP. Got my credit card cloned June last year and that was scary enough seeing £2k+ appear on my CC. Can’t imagine the shock to see current account/ISA drained.

    Interested to see the results. I think wire fraud should be protected by the banks as it’ll act as an incentive to invest properly in info/network security. Also, these attacks are impossible to predict, even harder to detect until the deed is done, and are only getting more sophisticated written by teams of incredibly smart programmers. It’s unfair to have a burden of responsibility on the end user when the odds are stacked massively against them.

    bearnecessities
    Full Member

    FWIW I think wwasawaswas and phead have called out the avenue I’d be screaming my face off at the bank pursuing.

    Don’t give up.

    DezB
    Free Member

    Hope it helps, that’s all!

    cornholio98
    Free Member

    some of the IT security guys started circulating this fileless malware is infecting banks around the globe


The topic ‘Online Fraud Advice’ is closed to new replies.