So.....on Sunday I had a large sum of money taken out of my account as a fraudulent transaction.
Here's what happened in brief:
Login into bank online banking....get asked for security details, provide them, website crashes....when I log back in, notice that my account is lacking a big chunk of the balance. Phone up the bank fraud line, they say that the funds will be refunded within 1 working day, reset all info etc
Fast forward to today.....phone up the bank to see whether or not my new card is in the post, ask to hear my balance and realise that the money isn't in there! After a long hold, I'm told that I was misinformed on Sunday and that the bank are not liable to refund me as in providing my details on a phishing website (even though I logged in through their website) that I authorised the transaction.....although they blocked the second attempt to empty my account!!! They've basically just said that they're trying to recover the funds for me 😯 In essence, it is all of my money to my name that they've got (was to be buying a house shortly) probably shouldn't have left it all in my current account but there we go.
Any tips? I've called action fraud etc and got a crime number....
the bank are not liable to refund me as in providing my details on a phishing website (even though I logged in through their website) that I authorised the transaction...
But you didn't do that, so they are liable? Seems straightforward to me.
How did you get compromised, then?
Did you google the bank and click on a result rather than typing in the correct URL?
Have you scanned your computer for malware? As it sounds like they are saying it was a man in the middle type attack. Which would have to be initiated locally.
Edit: As above, and below. Did you log in via the bank's homepage? Need exact details really.
Login into bank online banking....get asked for security details, provide them, website crashes....when I log back in
I think we need more detail here (if you have it) since it's key to your problem as to how your account got compromised.
If you PM your login details and passwords etc to me I can probably sort it out for you.*
*not really.
I think what's happened is that the 'online banking' site that you went to was fake - so when you logged in and it 'crashed', what they had really done was harvested your credentials, then immediately logged into the 'real' online banking site and rinsed your account.
How did you get to the online banking site - click on a link somewhere, typed it into the address bar, saved favourite? Did you notice anything suspicious about the site that crashed - certificate errors / no https:// at the start of the link etc? Can you check your browser history to see what the address you ended up at really was?
There's a couple of ways this could have been done - and unless it was really the real bank website that you went to, the bank isn't liable 🙁
In future I would suggest to them that their online banking security measures aren't good enough (static passwords, no 'pick the third / seventh / last letter from your secret word' type random questions, no having to confirm your identity before setting up a new bank transfer via sms / mobile etc) and that you will be moving your business elsewhere!
After a long hold, I'm told that I was misinformed on Sunday and that the bank are not liable to refund me as in providing my details on a phishing website (even though I logged in through their website) that I authorised the transaction.....
If all you've said to them is that you logged in and your account has been emptied then that is a massive conclusion to jump to. I'd be back on to them to escalate the issue, or even better get into a branch.
Yeah I went through google to the website.....seems that through their website I got redirected at the login stage....the first result in my web history is the legit coop web address (could this still be a non-legit site though?) afterwards at the login stage, the web address has changed slightly.
I'd check for malware perhaps. Some kind of redirect within the browser.
Unless you genuinely believe Co Op website was compromised and every one logging in that day was getting redirected to a phishing site.
Does the bank website not ask you to verify a "new" bank transfer via a 3rd level security?
The online banking website should only allow you to transfer money to known payees without strict verification.
If you PM your login details and passwords etc to me I can probably sort it out for you.*
*not really.
Dude. You have to learn to turn it off sometimes.
Does the bank website not ask you to verify a "new" bank transfer via a 3rd level security?
The online banking website should only allow you to transfer money to known payees without strict verification.
This. My phone would be pinging and I'd have to enter PIN numbers sent by text for this to happen.
I'm with Co-Op and for transfers to new accounts you have to use the little card reader machine that creates an 8 digit code you then enter to confirm.
It was with Co-op
Was asked to use the card reader to update security details on the website....which in actual fact was authorising a payment I guess! Still can't quite believe that the card reader worked with a fake website, and that a 5 figure transaction was allowed to go through.....nothing even remotely that much money is sent normally!!
Still can't quite believe that the card reader worked with a fake website
the card reader just needs the key points (usually payee account number and amount) but that could be put to you as "enter these security numbers into your card reader" etc
Given it's fairly clear you've been phished, I'd be trying to isolate the point at which you were redirected from what you say is the authentic CoOp site.
we had this a few years ago with S'der who use a OTP code - long story short something seemed fishy and the site crashed and I logged in again they managed to take abt 4K out before I logged off.
S'der refunded the money though and asked us to download Rapport for future use.
Looked like we had some malware on the computer at the time.
All the best and hope you get it resolved
Dude. You have to learn to turn it off sometimes.
You're right....... Mea Culpa. 😳
Apologies to the OP for an ill judged attempt to introduce a little levity into a serious situation.
I can see in my browser history the redirected web address....seems to have happened at login. Police have this info now (two frigging days after it happened ffs!)
This sounds really odd.
On my card reader you put your debit card in, enter the PIN number associated with that card and it generates the 8 digit code. Unless the random 8 digit code is a ruse to make you think it's more secure!
Hope you get it sorted - not good to hear Co-Op are washing their hands of it so quickly.
None required Perchy....in spite of my current less than cool and collected mindset, I took it in the spirit that it was meant.....now off to bed with no pudding you massive cockweasel!
Horrible situation OP, hope you get it sorted.
What address were you redirected to, out of curiosity? Was it
http://www.co-operativebank.co.uk/onlinebanking to something like
http://www.co-ooperativebank.co.uk/onlinebanking?
Or was it the change to https://bank.co-operativebank.co.uk
(I don't bank with co-op, I've just gone on their website and clicked the link to see the change).
now off to bed with no pudding you massive cockweasel!
🙂
Seriously, the dude that I spoke to at Co-op this morning about it, had THE most blasé attitude you can imagine! FFS.....This is literally all of the capital I've made in my entire life....and I do not come from a well off background at all!
went from:
www.co-operativebank.co.uk to
bank.co-operativebank.co.uk
That second address is the legit link (Assuming my PC isn't infected with the same malware too)
Yeah I've just realised that too! Mystery remains unsolved then!
.....incidentally, I have the surname, sort code and account number of the bank that my money went to. Not sure of what use it'll prove yet though.
I can't really help but I would go and sit in a branch until they let you talk to someone who can do something or at least give you a path to get to where you want to be.
I'd be using the assurance given on Sunday as a reason why you didn't escalate it there and then and possibly have more chance of recovering the funds rather than where you are now 48 hours later.
I'd also contact consumer advice orgs outside of the ombudsman.
Banks always seem to be able to recover money when it's their own they've transferred in error.
Tom not sure if you have seen their no risk policy: No Risk Policy (http://www.co-operativebank.co.uk/htmlfragment/callouts/security/no-risk-policy)
Can't see why they are refusing to make you good again given what looks like you followed their policy
Had a long phone call to the 'head of the fraud team' (yeah right!) about an hour ago.....he apologised for the information given on Sunday, said that he is looking into it, and will have an answer (to my request that they do indeed refund the money!) within 24 hours. I'll not be holding my breath! Think the next port of call will be to go through the financial ombudsman......then to look into selling organs failing that!
tuskaloosa, they're saying that I did indeed give my details to someone else, hence they aren't paying up!
I feel sick reading this – I can't begin to imagine how you must be feeling right now. Fingers crossed they see sense and refund your money.
BTW, do you have any insurance that might cover you for such a loss? A long shot I know (especially as you were saving to buy a house so may not presently have home insurance that might cover you).
'Trying to recover the funds for me'
Was it a BACS transfer? Are they attempting to reverse it? Since it's clearly a fraudulent transaction (so much so that they blocked the second attempt), they should be moving heaven and earth to get that reversed for you.
What authentication does the account log-in use - is there any extra authentication or just a static password? Are there any restrictions, perhaps additional verification, on making a payment from a new device or terminal? Again, if the bank are being unhelpful, perhaps the ombudsman would have a view on what security systems should be the default for online banking.
Also interesting to see that their online banking is going to be down this weekend - are they upgrading their security? Have they had lots of such fraudulent transactions take place recently? That might strengthen your case.
Not sure what to advise or say.
Though the financial ombudsman or legal action failing any success with the former as I don't think it's as easy for the bank to say 'you gave your details to someone else' if the phishing website was identical to theirs etc
went from: http://www.co-operativebank.co.uk to
bank.co-operativebank.co.uk
Those URLs are both legit. With .co.uk domains, the part immediately to the left is the domain name and the part before that is the host, the server name if you like.
So, if you went from www.domainname.co.uk to bank.domainname.co.uk you've just changed to a different server within the same organisation. If you're redirected from bank.domainname.co.uk to bank.otherdomainname.co.uk though, this is potentially a different organisation entirely, so possibly a scammer.
Note that they can be sneaky, co-operative.bank.co.uk looks legit at first glance, but it's not. Remember, it's what's directly next to the .co.uk that's important, anything else is window dressing.
(For the benefit of fellow geeks, this is an oversimplification for clarity).
Cheers for the advice and well wishes chaps, let's hope that some good comes from this situation.....hard to describe how I feel to be honest! I'm not a money driven person at all, but more money than I've had before or will likely have again getting taken in this way is pretty crap!
This is really horrible but if the address is correct as you say then even using the card reader they would have to be doing some sort of man in the middle attack and I didn't think that was possible with https
The only thing I can think is that you have something that is fooling your browser into showing a url that is wrong but that isn't so easy
In any case it looks as though it would have caught almost anyone. I'm off to split up my accounts 🙁
Bloody hell that's awful.
I've been doing some work in customer service with another bank and often see attempted phishing stuff, but it's usually totally obvious - not as sophisticated as this.
If it helps, these things usually get resolved once it's clear that there's nothing fishy going on - but you should be prepared to jump through lots of hoops and try to be patient and understand that the bank needs to make sure you are not scamming them.
I really think devices should be able to verify the identity of banking sites, it shouldn't be too hard to setup a database to check against and flag up if there's a discrepancy in URLs?
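The rule explained earlier in the thread (the label directly next to .co.uk decides who owns the name) and the URL check wished for just above, as an added example that is not part of any post. The suffix set is a constructed subset of the Public Suffix List, and the function names and result labels are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List, enough for the URLs quoted
# in this thread. A real check should load the full list from publicsuffix.org.
PUBLIC_SUFFIXES = {"uk", "co.uk", "org.uk", "com", "net", "org"}

# Assumption: the registrable domain the user expects to be banking with.
EXPECTED = "co-operativebank.co.uk"


def registrable_domain(host):
    """Return the public suffix plus the one label to its left, or None."""
    labels = host.lower().rstrip(".").split(".")
    # Walk from the longest candidate suffix to the shortest so that
    # "co.uk" is matched before "uk".
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                return None  # the host is itself a public suffix
            return ".".join(labels[i - 1:])
    return None  # suffix not in our (constructed) list


def check_url(url, expected=EXPECTED):
    """Classify a URL against the registrable domain the user expects."""
    parts = urlsplit(url)
    host = parts.hostname  # lower-cased host without port
    if not host:
        return "invalid"  # e.g. no scheme, so no host could be parsed
    if registrable_domain(host) != expected:
        return "different-organisation"
    if parts.scheme != "https":
        return "same-domain-no-tls"
    return "ok"


if __name__ == "__main__":
    # URLs taken from the thread, plus the lookalike forms posters described.
    samples = [
        "http://www.co-operativebank.co.uk/onlinebanking",
        "https://bank.co-operativebank.co.uk",
        "http://www.co-ooperativebank.co.uk/onlinebanking",
        "https://co-operative.bank.co.uk/",
    ]
    for url in samples:
        host = urlsplit(url).hostname
        print(f"{check_url(url):24} {registrable_domain(host)!s:26} {url}")
```

A match on the registrable domain only says the address bar points at the right organisation; it says nothing about malware altering what the browser displays, which is the case discussed later in the thread.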
Nasty attack there - misleading you into authorising a new transfer by asking you to re-authenticate.
My online account requires the authorisation of a new transfer using strict "authorise" rather than "authenticate" procedures, even so this could be cleverly spun to lead you with the right story/questions to do as the web page tells you to do - which is what it has done.
Going through my browsing history, it's showing up 'send money' and 'confirm transfer' pages, all of these have a legit coop web address....none of those pages showed up on my screen at the time though!
they would have to be doing some sort of man in the middle attack and I didn't think that was possible with https
The only thing I can think is it's some sort of sophisticated browser hijack which waits for you to clear security and then fires its own data before you can continue. I'm just trying to convince myself whether that's possible or not; I'm guessing it could be if it's just sending text to the browser outside of the secure connection endpoint.
Have you tried Googling the rogue account details, see if anyone else has been caught, might shed light on the cause?
Assuming it is an infection:
https://downloads.malwarebytes.com/file/mb3/
... is your next port of call. Run that and let me know what it finds.
Given the value of the potential loss it might be worth getting an 'official' expert to go through your pc and produce a report on the sequence of events? Might be worth not changing anything else on your pc for now - removing malware or whatever might make proof more difficult to obtain.
Your router may show details of traffic too. And ISPs have to keep it now but not sure what you need to do to get their info...
Will the Co-Op have logged the IP addresses of the login attempts? Might not be able to find the attacker, but that might pin down when and how it happened.
That's what I would expect as it's difficult to get in the middle between your pc and the bank. The real question is how they persuaded your browser to display something else 🙁
Unless of course it's a completely fake version of your browser. 🙁
Running that now Cougar....please tell me I've not fallen for another scam and am about to lose the little bit of cash that I currently have to my name?! ....I've only got two days worth of food left!
Just messaged you with the results of that scan cougar
Tom B - are you saying you can see the history of all the transfer pages on your own browser history for the time/date of the fraud transaction?
If so it suggests someone took over your browser and made the transfer via your machine?
If they had this level of control they may well have removed any trace of the history of you visiting their dubious site in the first place.
Out of interest, what browser do you use?
In my browser history, I can see all of the different co-op webpages that I visited on Sunday, after the login pages there are several 'move money pages' followed by a website error page. After that was when I logged back in and saw the money missing. I use google chrome.
So did you hit those pages? Sorry, poorly structured question, essentially were you trying to login and move money anyway, or can you see pages that you didn't visit in your history?
Particularly interested as my wife had her card details used several times recently and I'm not sure where they got all the details including CVV from. I can only think either cloning the card and scanning the CVV in a shop or via online capture.
I was logging in at the time yes, but as for transferring money etc, no, I didn't click any of those pages....
Just messaged you with the results of that scan cougar
So you have. You've got a couple of things in there including a browser / search engine hijack, but nothing I can immediately see that would cause your symptoms. They're all listed as "PUP" - potentially unwanted programs which are usually annoying rather than malicious - which are deselected for removal by default in MBAM.
Nonetheless, we could do with removing them. I'd uninstall "Advanced System Care" from control panel for a start, along with anything that references bitrco.com or GoSearchMe. You might need to manually reset some settings in Chrome too, but we'll come to that.
Run MBAM again and tell it to remove any leftovers, then reboot and run it again to see if it's actually clean or if they've sprung back.
If you look at the bottom of the log where it gives you a list of files, that should give you a clue as to the source of the infection.
What AV do you use, out of interest?
actually, you might not want to uninstall anything until you have talked to the bank tomorrow. Otherwise they might just assume it really was you doing the transfer rather than a hijack
Here, in fact. Do this:
https://www.pcrisk.com/removal-guides/9351-search-bitcro-com-redirect
(Remove anything that mentions booking.com too.)
Then do the MBAM scans as I suggested. Do not download anything from this site! The advice is sound but I've no idea whether their software is legit or not, for every good malware removal site there's a dozen dodgy ones.
actually, you might not want to uninstall anything until you have talked to the bank tomorrow. Otherwise they might just assume it really was you doing the transfer rather than a hijack
I'd wager they'll be able to tell from the time stamps anyway, I expect it all happened far faster than anyone can feasibly type. Also, it's probably an overseas account, and normal users don't typically transfer their life savings to a random bloke in Nigeria.
Also, it's probably an overseas account, and normal users don't typically transfer their life savings to a random bloke in Nigeria
True, but it's also not unknown for there to be an intermediate UK account that's only up for a week and the stuff is continually transferred out of there until it is spotted. It's getting harder to do though so it may have been directly out
I'd airgap the laptop, and wait to hear back from CoOp's fraud bods.
Working for a bank (not co-op) I can see what's probably happened. You've got malware on your pc that has directed you to a fake site that looks like the co-op. They've watched you key in all your details and they've opened another screen and logged on using those details.
They've then tricked you into entering a reader challenge code which they've used on their screen to pay the funds away.
I haven't seen the co-op site, but on both major banks I've worked for they have warnings plastered everywhere that they won't ask for a challenge code except for when making a payment to a 3rd party for the first time.
I suspect you'll struggle to challenge them if they take the stance they won't refund you (unless they get lucky and manage to recover the funds).
Your best bet is lodging an official complaint with their customer services and see if they are willing to refund you out of goodwill (depends how much money was paid away). If they say no you could ask it to be referred to the financial ombudsman - I'm not sure if they'll do much in this case though. It does often cost the bank (especially later in the year) if the ombudsman get involved, so they sometimes will do something to avoid that cost.
Possible, except his browser is showing the correct URLs, not fake ones
Check to see what Chrome extensions you have installed....
Check to see what Chrome extensions you have installed....
Going off the MBAM log, he's using IE I think.
http://www.securityweek.com/remote-overlay-toolkit-makes-online-banking-fraud-easy
Possibly you have been compromised by this, when you log in it overlays an image over the top of your browser asking for your token details etc 🙁
Cougar - I think he said Chrome earlier in the thread...
Ah - you're right, mea culpa.
An overlay is most likely if that is possible
Possibly you have been compromised by this, when you log in it overlays an image over the top of your browser asking for your token details etc
Wow. Yeah, it sounds like it, doesn't it.
Bizarre that neither AV nor MBAM flagged it up, mind. Might be worth an online scan in case the installed AV software's been compromised (unless of course, there isn't any installed).
I'd have been surprised that he was able to download the mbam stuff if he was that compromised :(.
Just on programs to try and stop the malware, some of the banks recommend something called trusteer rapport. Think it's made by IBM, but most banks recommend it and let you download it for free.
Only issue I found with it was that although I didn't appear to get any malware, it massively slowed down my laptop. That said it was never a great laptop in terms of speeds even from new (even though it should have been ok with the specs in it).
If it's malware, is coop bank not a pretty odd target? I mean it must be a quite small usershare even if the malware targets an array of banks.
For what little it's worth I got screwed over in a similar way (tricked into authenticating a transfer; yeah yeah, I know), and it was impressively complex - they'd set up a recipient account in my name, sent texts from the same number Barclays actually use etc, looks like it stemmed from the bank having not updated my home address and a spare card going walkabout. Got the money back with no issues, despite arguably being culpable.
I'd expect a degree of uniformity in how banks handle this sort of thing.
some of the banks recommend something called trusteer rapport
Things may have changed since I last looked as it was a few years ago, but when my bank started pimping it I tried and failed to get any information about what it actually did. And if you think I'm installing some third party "security" software without knowing exactly what it does, you're one off.
Was defo using chrome.....av had expired so was just using firewall/defender 😕
Things may have changed since I last looked as it was a few years ago, but when my bank started pimping it I tried and failed to get any information about what it actually did
http://www.trusteer.com/User-Guides/Rapport-User-Guide-3.5.1207/747.htm
To my uninformed brain it seems to work like a "super" security certificate, making sure that you're actually connecting to the website you think you are e.g. your bank, and warning you if there's anything amiss. Claims to block lots of common methods that scammers/malware might use such as altering the way the browser works, etc. It also stops screen grabs & claims to stop key loggers.
And if you think I'm installing some third party "security" software
It's from IBM, not merely a random third party to my mind. I've got no reason not to trust them. I suppose the tinfoil hat brigade might want to steer clear; seems like a great thing to have though otherwise especially for less informed or more vulnerable computer users.
av had expired so was just using firewall/defender
which is just fine, as long as it was enabled and running updates regularly
There is an s missing from http - just saying
In mbam make sure you do a custom scan and select the rootkit check box.
Particularly interested as my wife had her card details used several times recently and I'm not sure where they got all the details including CVV from. I can only think either cloning the card and scanning the CVV in a shop or via online capture.
You could have a key logger on the laptop. Or the perps have managed to crack an obscure site (or bought the details) that your wife uses that has exactly the same email address and password as, say, Amazon. Fairly simple to pick out the details they need then, tho CCV would be harder.
So many ways to do it, even just ringing up some company and paying over the phone, who knows who is just jotting the details down at same time as processing them.