If it's malware, is coop bank not a pretty odd target? I mean it must be a quite small usershare even if the malware targets an array of banks.
Well, there are still many £millions in the Coop, and if the baddies have worked out their particular authentication process can be 'modified' slightly to work in their advantage they could be an easy target. Also, maybe Coop implies a more elderly audience they might be more likely to fall for phishing scmas etc.
Update, Fraud team manager at Co-Op has upheld the decision to not authorise a refund on the basis that I gave away my Lin number. They really are trying their hardest to avoid being helpful in any way!!!
Do we think that going to the press is worthwhile? I'd imagine that with the amount we're talking (five figure sum) it's pretty news worthy?
I've said it above - you need to get someone who knows what they're doing to examine your pc.
I would talk to a specialist solicitor.
Also talk to ombudsman - be seen to follow appopriate escalation path.
Press? I'd save that for later if it were me but for a five figure sum it might be easier said than done - I'd be frantic by now 🙁
That's crap. I'm not sure that press would be helpful to your cause - the angle would more be about 'making people aware' rather than 'crap, unhelpful bank'. So unless you want 'sadface' in the papers, it's not worth the effort.
Ombudsman might be your best bet. Is it just a single login password, or is there some kind of two-factor authentication provided by the bank? I would have said that the former is inadequate these days given the likely sophistication of the malware/spoofing attack you've experienced.
Keep plugging away at them.
Do we think that going to the press is worthwhile? I'd imagine that with the amount we're talking (five figure sum) it's pretty news worthy?
What have you got to lose?
your.problems@observer.co.uk
consumer.champions@theguardian.com
Email addresses from https://www.theguardian.com/money/2013/nov/20/consumer-work-experts-guardian
I know this may be an unpopular question but, if the OP's PC has been compromised and he's consequently given his secrets away to a cunning third party who has then stolen his cash, why should the bank (and by extension its other customers) be liable to make good the loss?
Unless the bank can be shown to have been negligent or complicit, why are they liable apart from by having more money to throw around?
Sorry, not trying to be provocative just curious.
I assume the CoOp's fraud dept have explained exactly how they think the attack took place to the OP?
1. So it doesn't happen again
2. To explain why they have decided to not refund his money.
Given that they got my PIN number (which seems to be the crux) via the coop's card reader I'd say the the banks security has been pretty negligent? Surely it should be able to be hijacked in this way?
Also, why wasn't a 5 figure transfer flagged up as suspicious by the bank? It's hardly like I routinely move that amount of money around!!!
Tom.
You need them to tell you exactly what they think happened. As I just cannot see how they can say get bent, but not say how they have shifted liability onto you.
How have they got your PIN number? Your PIN number is never entered on the Co-Op banking site for any transaction, only in the card reader thingy. And the card reader isn't connected to the computer in any way.
It's up to the bank to demonstrate that you have been 'grossly negligent' in revealing your pin. Not sure how they can do this in the circumstances you describe. Escalate and Ombudsman.
That's what I've been arguing thus far! It's up to them to demonstrate gross negligence on my part.
Anyway, I've raised the complaint with the bank (which is what I need to do before going to the ombudsman)
I have also just emailed the CEO's of coop asking them to look into it (probably a waste of time but hey ho)
My trip to the Alps in 2 weeks is suddenly looking rather extravagant compared to how much money I now have! Should be able to afford at least one beer I guess!
if it's a case of OP logging into the actual bank website but then being tricked into authorising a payment using the card reader, due to malware on his PC such as the "overlay kit" mentioned earlier (never heard of that before; scary stuff) then surely it'll just look like a legit transaction from the bank's point of view? No attack to explain as such as bank security itself not compromised. Best of luck OP.I assume the CoOp's fraud dept have explained exactly how they think the attack took place to the OP?
TBH, I think I'd play dumb. "This happened, I've no idea how, I've never knowingly disclosed my details to anyone." Let them prove otherwise.
Bit of a nightmare this one. Could happen to almost any online customer presumably.
I'm still with phone banking so that's one less way I can be a fraud victim. My bank now has voice recognition when I call them.
I've got my e-mail and paypal set up so I need to enter a pin sent to my mobile when logging in. Got that tip from a topic here.
I am still curious as to how a third party intercepted the connection, and then inplemented their own response code system.
Has to be malware, no? If so is OP still using same laptop....and is it still connected to the web?
So 2 issues here.
1. How you got directed to another site. Unless the bank's own site has been hacked, then the bank isn't liable for this. Might be worth asking the question around their own security - especially if they're suddenly taking the system down for 'updates'.
2. Giving away a challenge code from your reader. This is effectively like giving someone the PIN number for your debit card - in that case the bank won't refund loss of funds. I've worked for 2 of the big 4 U.K. Banks and there's usually emphasis on their websites when you log in about not giving away your card reader codes and that they'll only ask for a code for authorising a new payee / sending funds to a new payee. I'm more familiar with my ex employers site as recently moved, but it specifically said we won't ask for a code for any other reason.
So does Co-op say the same / have they got warnings on their site? If not then maybe you could argue that wasn't obvious?
Seems you entered the code for a reason you believed wasn't for initiating a payment.
Joe, to address those two points
1. The OP didn't leave the co-op bank site, he was always at a legitimate URL.
2. The scammers could wait until you try to pay a new account and make their move then. So you're already expecting a challenge and to have to generate a code, but instead of doing it for the £50 you're paying to a friend they're using the code to clear out your account.
On point one - the op must have seen another site to get the instruction on the screen to generate a security code. I won't claim to be 'techie', but it's happened.
Point 2 - I've never banked with co-op (nor will I ever) - but on the online banking sites I've used, part of the challenge code entered in the process uses some of the digits of the account number you're setting up for payments.
Banks and there's usually emphasis on their websites when you log in about not giving away your card reader codes and that they'll only ask for a code for authorising a new payee / sending funds to a new payee
I know Barclays asks you for a code when logging in, but it has different responses for different challenges.
For example logging in will ask for an identity code, but for signing new transactions it would need to be a signing code.
[img] 
[/img]
Looks like the CoOp one is not that smart, and is purely for authorising new payments, so as they warn should never be used to identify yourself:
Using your Card Reader:Your card and Card Reader are for you and only you to use when banking online. You may be asked to use the Card Reader when you do the following tasks:
set up or amend standing orders
set up, amend or make bill payments
set up, amend or make funds transfers
Remember - we will never call you to ask you to use your Card Reader to set up, make or amend any payments or [b]contact you to ask you to use your Card Reader to confirm your identity.[/b]
http://www.co-operativebank.co.uk/global/security/card-reader
And this is the point. All of the pages in his browser history, including the transfer pages, are from the correct co-op site pages. This is why this is so worrying and strange. There is new European legislation (oh yes) coming Jan 2018 to enforce two factor authentication on transfers over 10 EUR (so thats 200 GBP 🙂 ) but this attack makes two factor look inadequateOn point one - the op must have seen another site to get the instruction on the screen to generate a security code. I won't claim to be 'techie', but it's happened.
This is why I was concerned about the laptop still being given web access. If there is malware on there, then the operator could/maybe has, removed evidence.
As well as continue to view OP's activities.
Maybe time to stop using the laptop then!
Posting this from my phone.....had an email back from the CEO first thing this morning saying that he's got a senior staff member looking into it. Basically resigned to the fact that they won't be refunding me now, and I'll have to wait and see what funds they manage to recover from the account that it went to (I'll not be holding my breath for much!)
Guess it's time to alter the plans for the next couple of years and start saving again.....and to switch banks!
Might be worth getting in touch with Radio 4's You And Yours too - another consumer programme but definitely one with clout, especially with older listeners.
On my card reader you put your debit card in, enter the PIN number associated with that card at it generates the 8 digit code. Unless the random 8 digit codes is a ruse to make you think it's more secure!
No, the card reader is directly interfacing with the chip on the card (where the clever stuff actually happens). Interestingly there's a well documented flaw with the system where a fraudster can convince someone to generate a valid response code from a zero value transaction.
How old is your card reader?
https://en.wikipedia.org/wiki/Chip_Authentication_Program
More concerningly however, if a respond request is issued by a bank, using the sign mode with the same number and an amount of ¤0.00 will again generate a valid result which creates a possibility for a fraudster to instruct a customer to do a "test" challenge response for an amount of ¤0.00 which is in fact going to be used by the fraudster to verify a respond command in order for them to add themselves as a payee on the victim's account; these attacks were possible to carry out against banks that used strong authentication devices that were not canceling activities until an amount of at least 0.01 was entered.
[i]Do we think that going to the press is worthwhile? I'd imagine that with the amount we're talking (five figure sum) it's pretty news worthy?[/i]
Yes, there is a woman who almost always gets results - they followed up a scam someone I know fell for. I'll get you the woman's details and post it here.
This thread has got me all wound up so want to help! Will know never to bank with the Co-Op (or Santander, who wouldn't help with the previously mentioned.)
I don't understand why the police don't get more involved - if someone came around to my house and stole a five figure sum (ie a confidence trickster who talked their way in) I wouldn't expect them to say 'tough shit, you invited them in'.
The bank and the police should be taking this crime much more seriously.
Damn right johndoh. OP seems to be coping remarkably well, a lot of people wouldn't, me included.
The bank and the police should be taking this crime much more seriously.
bank transfers seem to be a bit of a black hole where the banks can just put their hands up and say not my problem guv.
they seem quite capable of recovering the money if they've lost out...
Thanks so much for the help so far people. I guess I am coping pretty well....my girlfriend has been amazing (we don't share finances!!! Ha) not slept too well, and if I'm not keeping busy then I'm finding it tough.....I feel very helpless tbh, the world rather unsurprisingly, has kept on turning though!
Separate from anything you did, the bank still seems to be at fault for saying that " they say that the funds will be refunded within 1 working day"
They didn't start an immediate investigation, they didn't follow the funds to freeze them. Off to the regulator you go.
the police should be taking this crime much more seriously.
We do. I've dealt with a number of these scams in the last couple of years. Frequently the locus (where the crime is committed from) is outside our area so responsibility for investigating is transferred to the relevant force. In almost every case the money is immediately withdrawn and sent abroad via Western Union or Moneygram, from where it cannot be recovered. Not by us anyway. We have had more than one conviction and in one case the culprit has been forced by the court to sell his house to pay the compensation awarded by the court.
There are so many scams that I dare say I'm not aware of them all - the OPs one is a new one to me. I think there should be a lot more layers of security in the online banking system. A ballache, probably, but less of one than getting scammed.
Unfortunately Bank security is a matter of derision within the actual computer security circles. Just look at the kinda TFA most of them operate instead of real TFA which would be simple for them to implement.
I would certainly not be using that Laptop until its had a full clean. From what you have said someone has unrestricted access to it and could do it again on pretty much any website they choose.
Tom - here's who you have to write to for results - [url= http://www.telegraph.co.uk/finance/personalfinance/money-saving-tips/jessicainvestigates/10957255/How-to-contact-Jessica-Gorst-Williams-of-The-Telegraph.html ]Jessica Gorse-Williams[/url], (Telegraph).
Might take a while, but worth it.
Thank you so much DezB
Feel for OP. Got my credit card cloned June last year and that was scary enough seeing £2k+ appear on my CC. Can't imagine the shock to see current account/ISA drained.
Interested to see the results. I think wire fraud should be protected by the banks as it'll act as an incentive to invest properly in info/network security. Also, these attacks are impossible to predict, even harder to detect until the deed is done, and are only getting more sophisticated written by teams of incredibly smart programmers. It's unfair to have a burden of responsibility on the end user when the odds are stacked massively against them.
FWIW I think wwasawaswas and phead have called out the avenue I'd be [s]screaming my face off at the bank [/s]persuing.
Don't give up.
Hope it helps, that's all!
some of the IT security guys started circulating this [url= https://arstechnica.com/security/2017/02/a-rash-of-invisible-fileless-malware-is-infecting-banks-around-the-globe/ ]fileless malware is infecting banks around the globe[/url]
Press is one route but I agree with those who say not to do that yet. That kind of thing can burn bridges and while you may feel like doing that it's a last resort.
You're engaged with the fraud team currently.
Have you raised an official complaint?Both related to the initial view you were given regarding a refund and also regards the banks position given this seems to be a sophisticated attack, as opposed to handing out your details.
You can't approach the financial services onmusbusman until you have been through the bank complaint process.
You need a letter from the bank with what they state is their final response to the complaint. Until then the onmusbusman won't even look at it.
Also you want to step through your options one at a time to ensure you give each the chance to work.
Complaints are handled far quicker for example than a request to the ombudsman. If the ombudsman can't help then the press and your MP are the only options, so only go there when you need to.
A complaint is highly defined for a bank. They have to follow a process, they have to report it to the FCA if it's still open after 24 hours etc.
You need to make sure you are in that process. If you haven't used the words I want to make a complaint then the bank may be treating the exchange as a grumble i.e. Not a reportable complaint.
I had this with a credit card fraud, after about a week of me chasing them I used the magic word complaint. From that point forward everything changed. I was read a printed script and then passed to an entirely new team who picked up and sorted my complaint and phoned me daily.
If you do go to the press then a number of the Sunday papers have consumer / money sections that often champion customer complaints. Money box on radio 4 is another. Again though these are last resorts for me.
Good luck, shocking position to be put in.
some of the IT security guys started circulating this fileless malware is infecting banks around the globe
Fascinating and terrifying at the same time.
Good post, fozzyuk. I hope the OP heeds your advice and doesn't follow to some of the silly suggestions offered on here.
BTW, OP, I really feel for you and hope everything comes good in the end.
Spot on advice from fozzyuk. You need to let the bank go through the complaints process before going to the ombudsmen
have you considered using OpenDNS or google DNS settings in your router
this won't help Tom , of course, but is a free and simple way to way to ensure that websites visited are authentic -in the future [and for other potential victims]
My email to the CEO has done the job.....his executive complaints dude phoned me up to say he was personally investigating....within the hour, the person that I have been dealing with has confirmed that THE FULL £10,000 IS TO BE REFUNDED BY MIDNIGHT!!!
Sat here crying like a baby! Maybe I'll splurge on a new laptop!!
Thank you so much for all of the help, kind wishes and suggestions guys, it has been a very long couple of days!
I will 100% be pushing forward with the criminal complaint etc....if for nothing else than to try and eventually get back the 2/3 of a days wages that I lost on Tuesday when I first found out about this!
That's fantastic news, well done Tom!
Good stuff
coke and hookers are on Tom 🙂
Great news.
Now bleach your laptop, install the necessary apps like Rapport etc (not convinced myself, but if the bank asks for it) and buy a lottery ticket.
Congratulations. This really is a nightmare scenario and I'm so glad it worked out.
I'm still not so happy that we don't understand how it was done though :(. This doesn't sound like any sort of attack that I know how to deal with. I'm not sure if Rapport would deal with it but I would be installing it. In fact normally I use 3 different browsers and I reserve IE with Rapport for only financial stuff. Chrome/Edge is for everything else
I agree, Leffeboy.
If I was a computer security dude at CoOp, I would have asked for the laptop in return for the £10k going back. As would want to find out exactly what happened.
Great news, I've been sat here with everything crossed hoping everything would work out for you. Paranoia has kicked into overdrive here, and I'm certainly going to extra cautious after this tale of criminality.
What a relief!
I'm relieved for you; so god only knows how you must feel..
Good work.. 8)
Fabulous result. Well done.
And dump Windows,- go to Linux.
THE FULL £10,000 IS TO BE REFUNDED BY MIDNIGHT!!!
Get in. Well done.
Maybe I'll splurge on a new laptop!!
Surely worth a Premier sub for 12 months... (-:
I was reading this thread with a horrible sinking feeling yesterday evening but am so happy for you that the bank have come good for you in the end. What a relief!!!
Great news well played.
Just reading through this; glad to hear you're sorted..
Out of interest my cousin's wife has a business, and her business partner got similarly scammed for a very large sum of their money (several times your figure...). Their bank refunded them as they had not followed their own verification practice before letting the cash go out to the scammers...
I love a story with a happy ending 🙂 looks like you'll be celebrating in the Alps.
Superb news
Delighted for you Tom, that's great news.
With respect to...
I will 100% be pushing forward with the criminal complaint
...then once you've been refunded , you're no longer the victim, the bank is, since they're the one £10,000 out of pocket. Whether they want it investigated is down to them. Which is a bit crap I think, as it seems they frequently would rather take the hit than have the culprits caught.
Fantastic news. Your composure up to this point (stop crying!) has been something to behold.
Now you can afford at least three beers in an Alpine resort. 🙂
Great news!
Both myself and the wife bank with the Co-op
and my wife's account was hacked a few weeks ago, albeit for a lot less than yours.
They refunded the money immediately after a few questions, but they did state that the hackers knew every bit of her security information and it looked to all intents and purposes as though the transaction was undertaken by herself.
Off the back of that I googled Co-op bank and the top hit was an advert on Google which took you to a very convincing website which looked like the banks own login page. I gave them a call and reported it.
Currently running a full scan on my own laptop off the back of this thread!
Brilliant news, glad it's sorted!
Phew... well done Tom and all the best going forward
I is happy for you 🙂
Brilliant news. I've alerted friends and family to this issue so hopefully it'll help them not to fall for the same scam.
Surely worth a Premier sub for 12 months... (-:
LOL 😆
Yay. So pleased to hear it. 🙂
Happy for you, Tom.
Going back to how it was done, and finding the overlay link that jon_n posted quite convincing, you posted
went from:
http://www.co-operativebank.co.uk to
bank.co-operativebank.co.uk
Is it correct that the second link has no http:// - because if it was the real page, it should have had https:// - the s meaning it's encrypted. My guess is that it's hard to show a dummy https:// page, or to get you to type onto what appears to be one. Maybe another clue to watch for?
Thats great news. Well done CoOp, and well done OP for getting it sorted.
The bank probably are very familiar with this type of thing and have no need for the laptop.
I once was super hungover and decided to format a computer. Straight after the format, completely fresh, I went to Google to download chrome. I searched for "Chrome download" and hit the first link. The website looked a little weird - like it hadn't loaded some CSS properly - but in my hungover state I glanced over it. I hit download & install Chrome.
Next thing I know, my freshly formatted PC was packed full of junkware. Toolbars, search helpers, other useless crap. I was so mad with myself. I work in software development, I'm supposed to be good at computers.
I also felt betrayed by Google. How was the first result to their own product junkware? I still have absolutely no idea how that was possible. Maybe I mis-spelt "download chrome" (totally possible in my state) and that was the top result.
POINT IS it happens, and it can happen to everyone. One slip and you've got all your desktop shortcuts replaced with pictures of genitals.
It was quicker to format the drive again then bother trying to remove everything. What a morning.
That's great news TomB - I'm relieved and it wasn't my money so can't imagine how you;re feeling.
I bank with Smile so the ease with which this happened has left me wonderign if I could get caught too.
Google will put any old tat #1 if you pay them, can be hard to spot the way they mix ads with search, not to mention the occasions scammers fool natural search (often by hacking a legit site first) there's lots of cases just google it... oh wait...
OP mentioned this is the path he took to coop link, for banking it's better to type the address in. Don't trust a robot!
Fantastic news. I had no advice to offer but was watching the thread with fingers crossed.
Oh, wow. Really pleased for you Tom. Amazing what a nudge to the big boss can do. I had a similar experience with an insurance company - CEO emailed... next thing "Hello sir" sorted.
Now switch bank to Lloyds and only bank using the phone app... Fingerprint ident! 😆
Great news, OP. I hope you enjoy a lovely relaxing weekend.
As a bit of an update, received an email from action fraud yesterday (the organisation that you report online fraud to) whom basically said that there were no leads to follow etc, so the case won't even be passed onto the police!
In other news, I had an offer accepted on a house and am in the process of that going through currently. Cheers again for all the good wishes at the time.
Watch out for the fake solicitor's account bank transfer scam!
