I lost money …, the bank paid for me !!!

Tram Ho

Surely the stories below will be familiar to anyone who has followed the news in recent years:

These are real cases of users losing money from their bank accounts, reported in the press recently. So where do these incidents come from? Is it easy to take money from a bank because its security is weak? Or are hackers so skilled that they can pull off such "extraordinary" feats? Or does the problem simply lie with the owners of the accounts? For a satisfactory answer, read on.

Analysis of technical factors

Banking information technology system

These banks invest heavily in their IT systems, in both operating staff and budget, to keep their own systems safe. I used to work at bank T, a large bank in Vietnam, so I know that breaking into their IT systems is not easy. They have a security operations center (SOC) monitoring around the clock, a server estate and network protected in multiple layers, and many security products deployed to protect the system. Their security staff are also people with technical expertise and long experience in the industry. It is therefore quite hard for hackers to steal money by breaking into the bank's systems. Nothing is absolute, of course, but I believe it is not easy. And if you are good enough to do it, I believe the bank can trace who you are, and may even come to your door to demand the money back and hold you responsible for what you did.

That does not mean these big banks are absolutely safe; from time to time we still hear that bank X or bank Y has had user data exposed. One well-known case:

In 2019, on the well-known hacker forum RaidForums, an account posted a thread claiming to hold the information of 2 million customers of a bank T***. This is information customers need protected, and there genuinely is a problem here. But by itself it cannot make us lose money right away: a leak of customer records does not give the attacker the login password or the one-time code described below.

When making transactions

Next, what do we need in order to make a transaction? First, the account used to log in to internet banking and mobile banking services. This login is issued by the bank and, of course, only the owner of the bank account knows it. Some banks also require customers' passwords to be strong, to be changed periodically, and never to be shared with others.

Second, when performing an operation or transaction, we need one more factor: 2FA, two-step authentication. This is usually a code sent by SMS to the mobile number the customer registered with the bank in advance, or a soft token (a code generated inside the bank's app on the phone). These codes are 6-8 characters long, randomly generated (or, for a soft token, derived from a secret held on the device and the current time) and valid only for a short period (1-3 minutes). Only after this code is entered correctly can the transaction go through.

Only I know the account, and the phone is in my hand, so who can take my money? Exactly, that is absolutely true. But it is only true as long as you do not disclose them to anyone and nobody else sees them.

So why do customers' accounts still lose money??

Social engineering

The answer is here: hackers use social engineering to steal from customers. What is social engineering?

Social engineering (or non-technical attack) is a common term in information security describing attacks that manipulate human behaviour instead of exploiting security holes in machines and equipment. Through it, an attacker can achieve goals such as entering a system or accessing important information without having to perform sophisticated technical attacks.

Analysis of attack process

There are many different attack scenarios, but the most common plays on the victim's greed: the user is told they have won a valuable prize and asked to confirm their bank account, which is then hijacked and emptied. Or the hacker impersonates an organisation such as the police or bank staff to trick the user into handing over bank account information.

Here is an illustrative example:

Step 1: Lure the user to a phishing website

Playing on the victim's greed, the hacker sends the customer a text message or email along these lines:

Congratulations X, you are one of the 100 luckiest people in brand Y's "Customer Gratitude" program. Your gift is a cash reward worth VND 500 million. To receive the reward, please visit the link http://nhanthuongtrian-vietcombank.com.vn to confirm the account the reward will be paid into.

This is a website the hacker built in advance with an interface identical to VCB's, but on a domain that does not belong to VCB. Hackers can use tools to clone a real site's interface, for example SEToolkit (the Social-Engineer Toolkit) in Kali Linux. And who would not be happy to hear they have won? The victim clicks straight away. The page that opens looks exactly like Vietcombank's, the only visible difference being the address in the browser bar, and the user enters their account and password without a second thought.

Step 2: Get the OTP code to perform the transaction

As soon as the user enters the account/password, a pop-up appears asking for the OTP. Behind the scenes, the moment the hacker has the credentials, they log in to the real bank and create a transfer to their own account, which now needs an OTP to complete. The bank sends that OTP to the customer's phone; the customer types it into the pop-up on the fake website, and the hacker immediately uses it to complete the transfer. This has to happen within the code's 1-3 minute validity window, which is exactly why the fake page asks for the OTP straight after the login.

In another scenario, the hacker calls the victim from a phone number (not the bank's, of course) and talks them into reading out the OTP so the transaction can be completed.

So even without the victim's phone, a hacker can still get the OTP code quite simply.

Step 3: Lose money

At this point you receive a notification that money has been debited from your account, and of course no 500 million ever arrives.
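The three steps above, as an added simulation (example code written for this article, not code from the author or from any bank): a toy bank back end that issues RFC 6238 time-based codes, a phishing page that relays whatever the victim types into it to the real bank, and a run showing that a relayed OTP succeeds inside the validity window and fails once it has expired. The seed, timestamp, customer account, password and mule account are constructed demo values.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed demo values: a seed shared between the bank's OTP server and the
# customer's soft token, a 60-second code step and a fixed clock. Not a real key.
DEMO_SEED = b"demo-soft-token-seed-not-real"
STEP_SECONDS = 60
DEMO_NOW = 1_700_000_000


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated to N digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(seed: bytes, at: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(seed, at // step)


class Bank:
    """Toy internet-banking back end: password login, then one OTP per transfer."""

    def __init__(self):
        self.accounts = {"x": {"password": "hunter2", "seed": DEMO_SEED, "balance": 20_000_000}}
        self.sessions = {}  # session token -> username
        self.pending = {}   # transfer id -> (username, destination, amount)

    def login(self, user, password):
        acct = self.accounts.get(user)
        if acct is None or not hmac.compare_digest(acct["password"], password):
            return None
        token = secrets.token_hex(8)
        self.sessions[token] = user
        return token

    def start_transfer(self, session, destination, amount):
        user = self.sessions[session]
        tid = secrets.token_hex(4)
        self.pending[tid] = (user, destination, amount)
        return tid  # the real bank now pushes an OTP prompt to the customer's phone

    def confirm_transfer(self, session, tid, otp, now):
        user, destination, amount = self.pending.pop(tid)
        if self.sessions.get(session) != user:
            return False
        acct = self.accounts[user]
        # Accept the current step and the previous one to tolerate clock skew, so a
        # code stays usable for roughly one to two minutes, as the article describes.
        for drift in (0, -1):
            expected = totp(acct["seed"], now + drift * STEP_SECONDS)
            if hmac.compare_digest(expected, otp) and acct["balance"] >= amount:
                acct["balance"] -= amount
                return True
        return False


class PhishingSite:
    """Attacker's look-alike page: everything the victim types is replayed to the real bank."""

    def __init__(self, bank, mule_account):
        self.bank, self.mule = bank, mule_account
        self.session = self.tid = None

    def submit_login(self, user, password):
        # Step 1: the victim enters credentials on the fake site; the attacker logs in
        # to the real bank with them and immediately queues a transfer to a mule account.
        self.session = self.bank.login(user, password)
        if self.session is None:
            return "login failed"
        balance = self.bank.accounts[user]["balance"]
        self.tid = self.bank.start_transfer(self.session, self.mule, balance)
        return "enter the OTP sent to your phone"  # the fake pop-up

    def submit_otp(self, otp, now):
        # Step 2: the relayed OTP completes the attacker's transfer on the real bank.
        return self.bank.confirm_transfer(self.session, self.tid, otp, now)


def run_scenario(relay_delay=0, now=DEMO_NOW):
    """Victim reads the OTP from their phone at `now`; attacker submits it `relay_delay` s later."""
    bank = Bank()
    fake = PhishingSite(bank, mule_account="mule-0001")
    fake.submit_login("x", "hunter2")
    code_on_phone = totp(DEMO_SEED, now)  # what the victim sees in the soft-token app
    succeeded = fake.submit_otp(code_on_phone, now + relay_delay)
    return {"transfer_succeeded": succeeded, "victim_balance": bank.accounts["x"]["balance"]}


if __name__ == "__main__":
    print(run_scenario())                 # relayed at once: the money is gone
    print(run_scenario(relay_delay=180))  # three steps later: code expired, transfer rejected
```

Note what the bank's OTP check does and does not see: it verifies that the code is current for that customer, not who typed it into which page or what transfer it is meant to approve. A code read off the customer's own phone is therefore as good to the attacker as to the customer, provided it is relayed before it expires, which is why the fake site prompts for it immediately.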

Whose responsibility is that?

At this point the customer's first move is usually a call to the bank. Those who understand technology and follow the news a little will realise what happened, quickly ask the bank to lock the account, and ask for help tracing the fraud. Those who are "too sensitive" will cry to the heavens that the bank has been hacked: "I did nothing, yet my account lost money."

So is the bank responsible here? The answer is no. The bank's responsibility is to keep warning customers, through many channels, about scams like this one. And this scam succeeded because the customer was not aware enough and was deceived. The bank can assist you in finding the mastermind by coordinating with the police, and that is when you have lost a lot of money; for a very small amount, up to 96.69% of the time you will not get it back. You cannot sue the bank, because it did nothing wrong.

Fortunately, many banks limit large losses: if you make a transaction for a large amount, it is not executed immediately but waits for the bank to confirm it with you. If the transaction is genuinely yours, it goes through. If it was a mistake or a scam, the money is blocked immediately and you do not lose it.

So in which cases will the bank compensate me? Naturally, if a security hole in, or an attack on, the bank's own IT systems causes customers to lose money, the bank is responsible for resolving it and compensating the customers for the damage.

The bottom line: in this kind of fraud the bank is not responsible for repaying you, because the fault is not theirs; they are only responsible for helping you find the culprit and supporting you with the related issues. Of course, if you are lucky enough that the culprit is found, the bank may still help you recover your money. Rare, but not unheard of.

So what do we need to do to protect ourselves?

So how do we avoid being deceived and losing money? A few notes to help you avoid unfortunate incidents:

  1. Don't let greed make you believe online "you have won" notices; it is never as easy as it looks. A real prize involves countless steps, paperwork and identity confirmation before you receive anything.
  2. Always be wary of websites with a bank-like interface: double check that the URL in the address bar is the bank's real address, not merely one that contains the bank's name.
  3. Never give your account, password or OTP to anyone, even someone claiming to be a bank employee, because the bank itself never asks for these.
  4. Set strong passwords and change your bank account password regularly to limit the damage if it is ever exposed.
  5. Keep raising awareness, for yourself and those around you, and follow the news regularly so you do not become the next victim.
  6. Always remember: money is tied to your gut, as the saying goes. If you do not take responsibility for guarding it yourself, do not rely on others to do it for you.
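Tip 2 as an added example, written for this article rather than taken from it or from any bank: a small URL check that accepts only the bank's real host (or a subdomain of it) and rejects the look-alike from Step 1 together with two other common tricks, a host that merely ends with the bank's name and a URL that hides the real host behind an `@`. The trusted host `vietcombank.com.vn` is an assumption used for illustration; substitute the address your bank publishes.

```python
from urllib.parse import urlsplit

# Assumption for illustration only: the bank's genuine web-banking host.
# Replace with the address printed on your card or shown in the bank's app.
TRUSTED_BANK_HOSTS = ("vietcombank.com.vn",)


def hostname_of(url: str) -> str:
    """Return the lowercase host part of a URL, dropping scheme, userinfo, port and path."""
    if "://" not in url:
        url = "http://" + url  # urlsplit only finds the host when a scheme is present
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def is_trusted_bank_url(url: str, trusted=TRUSTED_BANK_HOSTS) -> bool:
    """True only if the host IS a trusted host or a label-wise subdomain of one.

    Substring and prefix matches are rejected on purpose: 'nhanthuongtrian-vietcombank.com.vn'
    and 'vietcombank.com.vn.evil.example' both contain the bank's name but belong to someone else.
    """
    host = hostname_of(url)
    return any(host == good or host.endswith("." + good) for good in trusted)


def classify(url: str) -> str:
    """One-line verdict for a URL, in the form 'OK: host' or 'SUSPICIOUS: host'."""
    verdict = "OK" if is_trusted_bank_url(url) else "SUSPICIOUS"
    return f"{verdict}: {hostname_of(url)}"


if __name__ == "__main__":
    # Constructed sample links: the phishing link from Step 1 plus three comparisons.
    for link in (
        "http://nhanthuongtrian-vietcombank.com.vn",
        "https://vietcombank.com.vn/login",
        "https://vietcombank.com.vn.evil.example/login",
        "https://vietcombank.com.vn@evil.example/login",
    ):
        print(classify(link))
```

The check is deliberately strict about the right-hand end of the host name, because that is the part that determines who owns the site; everything to the left of the registered domain, including the bank's name, can be chosen freely by whoever registers the look-alike.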

Source: Viblo