tdgeek:
gehenna: Friend of a friend stories rarely turn out to be accurate. Even friend stories can be 50/50 lol
Friend of a friend stories often are actually about "me"
Nope, it's not me, I have no Australian SMS 2FA.
Involuntary autocorrect in operation on mobile device. Apologies in advance.
kyhwana2:
Bank phishing and banking trojans are sophisticated enough to get all of this. If there is money involved, SMS 2FA is NOT sufficient, as attackers can port or intercept SMS 2FA token https://www.theverge.com/2017/9/18/16328172/sms-two-factor-authentication-hack-password-bitcoins
Ah yes - you're correct here. Totally forgot about that fact. And agree with you on SMS 2FA and furthermore, trust me when I say this is being worked on.
Bung:
You saying "don't use POLi" is like whispering into a thunderstorm. The banks are letting it happen; what signal does that send?
Again, sorta right. If banks downright blocked POLi then many customers would complain. I remember (not too long ago) an IB release of ANZ's broke POLi and many customers phoned up to complain. Our status was "Don't use POLi", however most customers ignored this. POLi had it all fixed later that day. It is easier to allow it, however, and advise that it is breaching the customer's T&Cs, than to block it and deal with the customer complaints. I'm not going to touch any more on this; I've spoken about why it is a terrible idea to use POLi many, many times on here.
blakamin:
But if the customer has ever upgraded their limit (which most people with a need to transfer more than $1k will do; for instance, I transfer more than that to my Mrs every fortnight just to pay bills, and it would be more if I got paid monthly).
What's onlinecode?? I bank with ANZ, have changed phones, and ported about 8 times in the last 4 years alone, and have never heard of it. If they have my number, they have my SMS verification.
I transferred/juggled many, many thousands when we bought our last house to cover stamp duty and other things when there were some issues with another bank account... Nothing ever triggered any fraud things.
ANZ Australia and ANZ NZ are two different systems, different processes and are fully separated in every way. I'm talking about the NZ side of things, not Australia. I honestly have no idea how Australia work things. Onlinecode is SMS verification here in NZ.
Oh, and while you're there, tell head office in Oz that I'm seriously unimpressed with them holding my wages hostage overnight (or until Tuesday if my pay goes in on a Saturday) for them to "clear" from a company that also banks with ANZ. It's a rort and they're bastards.
Different technology, different processes, different ways of doing things in Australia vs NZ. There is a reason behind this but it isn't my area to speak on it. Also, I have no say either as I don't work for Australia...
That is it from me. It sounds like we're talking about Australia and not NZ and in this place, I can't add any more to this thread as I simply don't know...
Michael Murphy | https://murfy.nz | https://keybase.io/michaelmurfy - Referral Links: Sharesies | Electric Kiwi
Are you happy with what you get from Geekzone? Please consider supporting us by making a donation.
It's worth noting Vodafone have recently restricted DIY SIM swaps which is potentially a result of people having their SIM cards compromised or swapped without their permission.
So I guess the solution is don't use SMS 2FA for banking?
Involuntary autocorrect in operation on mobile device. Apologies in advance.
Batman:
So I guess the solution is don't use SMS 2FA for banking?
It's not perfect, but from that to not using it?!
By that logic: passwords can be intercepted, so don't use them?
jarledb:
Batman:
So I guess the solution is don't use SMS 2FA for banking?
It's not perfect, but from that to not using it?!
By that logic: passwords can be intercepted, so don't use them?
RSA SecurID software token: basically an app downloaded to your phone. You enter a PIN and it generates a one-time key.
That, or a similar system, is used by some banks for their next-level-up online banking platforms.
However, the maintenance (initial setup, reinstalls due to changed phones, resets of forgotten PINs etc.) is much, much higher than for simple SMS 2FA.
My co-worker had this happen to her this weekend.
The first she knew about it was not receiving phone calls over the weekend (she was receiving texts, but realised afterwards it was only iMessages coming through). When she contacted Vodafone she found out that her number had been ported over to 2degrees. Next thing, a sum of money had been transferred from savings to chequing and then transferred from her bank to another bank. Her IRD had another bank account added as a primary bank account.
Her bank has locked her account and won't reinstate internet/phone banking until she can prove her computer / phone has been "cleaned" (her words). The police are involved.
Vodafone at first said they had no record of who instigated the port, but an IT guy at work contacted someone higher up and they are working on it.
So believe it or not this is a thing.
so how can you protect yourself from it?
Delete cookies?! Are you insane?!
kiwifidget:
so how can you protect yourself from it?
It sounds like it's a matter of ensuring that you've got a two factor authentication solution that is not tied to your phone number.
I know that BNZ offer app-based 2FA as well as the old 'battleships' NetGuard card, and RaboDirect provide a separate physical device with rolling codes.
...something like Authy?
Even though it's on my phone, it's tied to my email address I think, and not my phone number.
Delete cookies?! Are you insane?!
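The "RSA SecurID software token" jarledb describes and the Authy-style app kiwifidget and Batman discuss are both one-time-password generators whose seed is provisioned into the app at enrolment, so porting the phone number moves nothing the attacker can use. The following is an added example (not code from this thread, nor from RSA, Authy or any bank) of the standard RFC 4226/6238 HOTP/TOTP construction such apps use, together with the server-side check that tolerates one step of clock drift and refuses replayed codes. The seed is the RFC test vector, a constructed value, not a real credential; the function and parameter names are my own.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo seed: the RFC 4226/6238 test secret, NOT a real credential.
DEMO_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer, reduced to `digits` digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time.
    Nothing here depends on a phone number or on the mobile network."""
    return hotp(seed, at // step, digits)


def verify_totp(seed: bytes, code: str, at: int, step: int = 30,
                window: int = 1, last_counter: int = -1):
    """Server-side check. Accepts +/- `window` steps of clock drift and refuses
    any counter at or below the last accepted one, so a code that was already
    used (or observed) cannot be replayed. Returns (accepted, new_last_counter);
    the caller persists new_last_counter per user."""
    counter = at // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate <= last_counter:
            continue
        # Constant-time comparison: the code is secret material.
        if hmac.compare_digest(hotp(seed, candidate), code):
            return True, candidate
    return False, last_counter


def provisioning_uri(seed: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI of the kind authenticator apps scan from a QR code.
    The seed leaves the server once, at enrolment, and is bound to that app
    instance; a SIM port or number change does not transfer it."""
    b32 = base64.b32encode(seed).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}"
            f"&issuer={issuer}&period=30&digits=6")


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(DEMO_SEED, now))
    print(provisioning_uri(DEMO_SEED, "alice@example.com", "ExampleBank"))
```

Two things the code makes visible that the discussion only implies: the verifier's replay rule is what stops a code that was phished or shoulder-surfed a moment ago from being reused, and nothing in the scheme protects against a real-time phishing site that relays the current code to the bank within the 30-second window, which is the attack kyhwana2 alludes to and why phishing-resistant hardware authenticators sit above app-based OTP.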
kiwifidget: so how can you protect yourself from it?
Involuntary autocorrect in operation on mobile device. Apologies in advance.
blackjack17:
So believe it or not this is a thing.
Oh, I know it is a thing. The crazy thing here is the amount of information that is required to do a port, log in to IB and do the transfers. The criminals would have had to get this somehow too, and you've got to wonder how they did this. It could even be as simple as password reuse (very common), so a good opportunity to teach your colleague about a password manager like LastPass, two-factor on emails and online services (Authy), as well as ensuring this password, or passwords like it, are never used again. Also get your colleague to look at https://haveibeenpwned.com and look at Pwned Passwords too.
The sad thing is the person who received the money is the one that will be affected: the money will get reversed to the victims in most cases, putting the mule's account into an overdraft (if it is caught early on). The mules normally believe they've signed up to a "work from home" job and this is their paycheck; however, often the scammers will say to them "we've sent you too much - transfer it here or convert it to Bitcoin".
Read more here: https://cffc.govt.nz/building-wealthy-lives/frauds-and-scams/are-you-a-money-mule-for-criminals/
Banks have to protect themselves and the customer - they will in most cases put a stop to all accounts depending on when the fraud was picked up and ensure the customer is not going to get compromised again before unlocking them again. Every time one of these fraud cases occur it costs customers and the bank and this is why banks are very big on getting staff members (like myself) out to places like retirement villages to give talks on fraud and security in an attempt to make the NZ market less appealing to scammers.
Michael Murphy | https://murfy.nz | https://keybase.io/michaelmurfy - Referral Links: Sharesies | Electric Kiwi
Batman:
kiwifidget:
so how can you protect yourself from it?
Don't use 2FA with SMS.
Don't reuse passwords.
2FA is fine with SMS (it is not the best, but it helps if you don't have any other option), but also ensure that you've got app-based 2FA on your email and other online services that may have information about yourself, bank accounts, mobile providers etc.
Michael Murphy | https://murfy.nz | https://keybase.io/michaelmurfy - Referral Links: Sharesies | Electric Kiwi