Data Leaked/ Cards Hacked

[beingmohit]

I randomly started getting SMSs regarding OTPs and transaction alerts. As I was already asleep, I did not bother. But, my wife checked it and to our horror, we were getting OTPs for random transactions on Flipkart, and all of them were getting successful. I immediately disabled online transactions on my card. Just then, I started getting OTPs on my RBL card. By the time I was able to disable transactions on my RBL card, another transaction went through successfully. I am confused and unable to understand how this can happen. How can someone hack the OTPs on my phone? Please let me know what I should do now.
Update: The hacker used my RBL card to purchase Flipkart GVs worth 50k. Fortunately, I could add these GVs to my Flipkart account before the hacker could. I discussed the incident with Flipkart and they have initiated a refund for these 50k.
The hacker used my Axis card to purchase 45k worth of Google Play vouchers. As the voucher codes were delivered to the hacker's email, I could not do anything about it. I am in discussions with Google Play support, but the conversations so far don't give me much confidence. I have also registered a complaint with the Cyber Crime Division of Bengaluru Police. They have not yet registered an FIR (only a complaint) as they want us to try and get out money back (You won't be wrong if you are wondering why we pay taxes to fund their salaries). Axis Bank has denied any responsibility as the payments were authorized using OTP.
Please let me know if anyone here has any suggestions about how to get my money back. Should I try to register an FIR? Should I try mailing Axis again?

 

[1RC]

That makes sense thank you
BTW I use apple keychain for storing passwords and cards virtually so no need of any other 3rd party password management apps
Just want to know if any encrypted mail services available like proton mail but free is 500mb which won’t suffice and annual plan is 5400/- per annum which is big atleast for india 🇮🇳
TIA

So here is my opinion to all in account security purpose. For all your "Finance and Banking" related email account(s), get yourself a physical T2F key.

I am sure all of you here are using password managers, complex passwords, and 2 Factor Authentication process such as OTP to validate your login. However, for the purpose of keeping your accounts very secure - I'll recommend you get hardware authentication devices such as Yubico -

Yubico Home

Get the YubiKey, the #1 security key, offering strong two factor authentication from industry leader Yubico.

www.yubico.com

. Many email account providers accept hardware authentication devices. For your banking needs just have an hardware key. Malicious actors will not have access to your hardware key.

Coming to your post my fellow member:

• Apple Keychain - Good that you are using Apple Keychain, however saving passwords on keychain is not enough, I hope you are actively making sure that your passwords are strong and generated by Apple Keychain and you are not randomly making passwords for ease of use. Saving cards on Apple Keychain is fine. But for ease of access and store various other type of information - I'll still recommend a password manager such as 1Password (my personal fav.) or Bitwarden. Please skip Lastpass.
• Encrypted email - Not exactly sure why you need an encrypted email unless you think the "State" is monitoring you or you are Threat Actor. Having an encrypted email service provider is not enough. One should know how to encrypt the email contents. These days all email headers (which contain PII) are anyway encrypted (Gmail, outlook etc) so its not easy to deciper the origin so the "State Actors" have to reach out to the email service provider, who comply willfully. I am not going to explain how one can encrypt his/her email but I'll encourage to check what "PGP encryption" means. Google it. Get yourself Thunderbird and use OpenPGP. Goodluck.

1RC

 

[Deleted member 9785]

So here is my opinion to all in account security purpose. For all your "Finance and Banking" related email account(s), get yourself a physical T2F key.

I am sure all of you here are using password managers, complex passwords, and 2 Factor Authentication process such as OTP to validate your login. However, for the purpose of keeping your accounts very secure - I'll recommend you get hardware authentication devices such as Yubico -

Yubico Home

Get the YubiKey, the #1 security key, offering strong two factor authentication from industry leader Yubico.

www.yubico.com

. Many email account providers accept hardware authentication devices. For your banking needs just have an hardware key. Malicious actors will not have access to your hardware key.

Coming to your post my fellow member:

• Apple Keychain - Good that you are using Apple Keychain, however saving passwords on keychain is not enough, I hope you are actively making sure that your passwords are strong and generated by Apple Keychain and you are not randomly making passwords for ease of use. Saving cards on Apple Keychain is fine. But for ease of access and store various other type of information - I'll still recommend a password manager such as 1Password (my personal fav.) or Bitwarden. Please skip Lastpass.
• Encrypted email - Not exactly sure why you need an encrypted email unless you think the "State" is monitoring you or you are Threat Actor. Having an encrypted email service provider is not enough. One should know how to encrypt the email contents. These days all email headers (which contain PII) are anyway encrypted (Gmail, outlook etc) so its not easy to deciper the origin so the "State Actors" have to reach out to the email service provider, who comply willfully. I am not going to explain how one can encrypt his/her email but I'll encourage to check what "PGP encryption" means. Google it. Get yourself Thunderbird and use OpenPGP. Goodluck.

1RC

Nice -It surely helps from email hacks. Any such way to avoid mobile hacks as well?

Get started with YubiKey 5 Series

Learn how you can set up your YubiKey 5 Series security key. Get started using your YubiKey 5 to protect your favorite services today!

www.yubico.com

 

[1RC]

Nice -It surely helps from email hacks. Any such way to avoid mobile hacks as well?

Get started with YubiKey 5 Series

Learn how you can set up your YubiKey 5 Series security key. Get started using your YubiKey 5 to protect your favorite services today!

www.yubico.com

Regarding phone hacks. Again - I am no cyber sec / infosec expert but I'll still classify myself informed member. Here's my opinion:

For iPhone - Avoid installing any profiles on your iPhone. Profiles will allow any malicious threat actor to install 3rd party applications which are typically not available on App store and your data can be backed up to their own servers. To those who are provided with corporate iPhones will know about the Apple Profiles. Look for what Apple MDM means and how those threats impact regular people. That being said there are zero-day exploits which are typically used by more sophisticated groups - cyber corporations and state actors. I'll say a typical iPhone user is safe from them.

For Android - Now this all depends from manufacture to manufacture. Some by default have restricted 3rd party APK installation, which can be turned off later on. But for any typical user, its not turned on but for some phone, such guards are usually off. Installation of APKs are fairly easy and can be done by any malicious website pretending to be a pop-up. So try avoiding anything that looks suspicious to you. If you think something is off and then go by your gut.

Now coming to the mother of all Phone Hacks (applicable to both iPhone and Android users) - Social Engineering:
It may sound lame but trust me, it's the best and easiest form of getting to you for financial criminals. Such hacks allow people to get your personal information which can allow them to reset your email password or banking credentials. These types of hacks try to circumvent the security by pretending that you have lost access to your phone and backup email, and want to brute force their way in by knowing your DOB, your personal information which you may have used to fill as security question. These criminals also target retired people because they understand that they may not be aware much.

I remember getting a call from someone pretending to be from Citibank, saying my miles were getting expired and should immediately convert them, and for security reasons they will be sending one-time password to verify that I am the holder of that credit card. Trust me this lady sounded very well versed with Citibank products and somehow knew my address and CC's last four digits. She knew my email ID as well. So it all sounded very comforting to know that she may actually be calling from Citibank until I read the SMS very carefully and I knew what she was up to. So be aware of such calls and messages.

Thats all I have for you all. We all can be aware as much as possible but if something were to happen. All we can do is stay strong and fight our way through it.

1RC

 

[Wealth is my birth right!]

Regarding phone hacks. Again - I am no cyber sec / infosec expert but I'll still classify myself informed member. Here's my opinion:

For iPhone - Avoid installing any profiles on your iPhone. Profiles will allow any malicious threat actor to install 3rd party applications which are typically not available on App store and your data can be backed up to their own servers. To those who are provided with corporate iPhones will know about the Apple Profiles. Look for what Apple MDM means and how those threats impact regular people. That being said there are zero-day exploits which are typically used by more sophisticated groups - cyber corporations and state actors. I'll say a typical iPhone user is safe from them.

For Android - Now this all depends from manufacture to manufacture. Some by default have restricted 3rd party APK installation, which can be turned off later on. But for any typical user, its not turned on but for some phone, such guards are usually off. Installation of APKs are fairly easy and can be done by any malicious website pretending to be a pop-up. So try avoiding anything that looks suspicious to you. If you think something is off and then go by your gut.

Now coming to the mother of all Phone Hacks (applicable to both iPhone and Android users) - Social Engineering:
It may sound lame but trust me, it's the best and easiest form of getting to you for financial criminals. Such hacks allow people to get your personal information which can allow them to reset your email password or banking credentials. These types of hacks try to circumvent the security by pretending that you have lost access to your phone and backup email, and want to brute force their way in by knowing your DOB, your personal information which you may have used to fill as security question. These criminals also target retired people because they understand that they may not be aware much.

I remember getting a call from someone pretending to be from Citibank, saying my miles were getting expired and should immediately convert them, and for security reasons they will be sending one-time password to verify that I am the holder of that credit card. Trust me this lady sounded very well versed with Citibank products and somehow knew my address and CC's last four digits. She knew my email ID as well. So it all sounded very comforting to know that she may actually be calling from Citibank until I read the SMS very carefully and I knew what she was up to. So be aware of such calls and messages.

Thats all I have for you all. We all can be aware as much as possible but if something were to happen. All we can do is stay strong and fight our way through it.

1RC

Thanks a lot dude
iOS migration by me some 5 yrs back from Samsung with a big investment is really worth for the price
Email Reg encryption I noted your inputs thanks again

 

[beingmohit]

So here is my opinion to all in account security purpose. For all your "Finance and Banking" related email account(s), get yourself a physical T2F key.

I am sure all of you here are using password managers, complex passwords, and 2 Factor Authentication process such as OTP to validate your login. However, for the purpose of keeping your accounts very secure - I'll recommend you get hardware authentication devices such as Yubico -

Yubico Home

Get the YubiKey, the #1 security key, offering strong two factor authentication from industry leader Yubico.

www.yubico.com

. Many email account providers accept hardware authentication devices. For your banking needs just have an hardware key. Malicious actors will not have access to your hardware key.

Coming to your post my fellow member:

• Apple Keychain - Good that you are using Apple Keychain, however saving passwords on keychain is not enough, I hope you are actively making sure that your passwords are strong and generated by Apple Keychain and you are not randomly making passwords for ease of use. Saving cards on Apple Keychain is fine. But for ease of access and store various other type of information - I'll still recommend a password manager such as 1Password (my personal fav.) or Bitwarden. Please skip Lastpass.
• Encrypted email - Not exactly sure why you need an encrypted email unless you think the "State" is monitoring you or you are Threat Actor. Having an encrypted email service provider is not enough. One should know how to encrypt the email contents. These days all email headers (which contain PII) are anyway encrypted (Gmail, outlook etc) so its not easy to deciper the origin so the "State Actors" have to reach out to the email service provider, who comply willfully. I am not going to explain how one can encrypt his/her email but I'll encourage to check what "PGP encryption" means. Google it. Get yourself Thunderbird and use OpenPGP. Goodluck.

1RC

To add to what you said about secure emails, services like Proton or Tutanota are good for privacy, not security! Gmail is as secure as any other email service provider (if not more). Caring about your privacy is important and that is a separate topic altogether. But, for security's sake, you don't really need any fancy email service provider. A word of caution, refrain from using Outlook or Yahoo. From what I know, a lot of Outlook's security features are hidden behind a paywall. And again, do your due diligence before selecting an email service provider for your financial transactions.

 

[Dr_Card]

To add to what you said about secure emails, services like Proton or Tutanota are good for privacy, not security! Gmail is as secure as any other email service provider (if not more). Caring about your privacy is important and that is a separate topic altogether. But, for security's sake, you don't really need Gmail. A word of caution, refrain from using Outlook or Yahoo. From what I know, a lot of Outlook's security features are hidden behind a paywall. And again, do your due diligence before selecting an email service provider for your financial transactions.

You have mentioned in the middle of para "for security's sake, you don't really need Gmail"

What it means ?

 

[beingmohit]

To be blunt here - you are not the right person to audit yourself.

Don't get me wrong, but you and generally most people "don't see it coming". The answer maybe at plain sight but sometimes, things that are too obvious that one may not give much weight to it. I read this entire thread and the 1st thing that came up in my mind right after reading initial comments "It must be the emails" and voila, others (rightly pointed out) and including you said it yourself - it was the email hack albeit in trash (pun intended).

I can assure you, it's not a case of session hijacking. Session hijacking is not mass attack game for financial criminals. I'll show you why. See attached screenshot shows all the attempts made to login to my account. These are financial criminals who have access to my email id and old password, and trying to login to my account using software that jumps geographies.

You may want to introspect all these with fresh mind after some months, because right now you are trying to find a "reason/cause" as to why it happened. You may end with a wrong reason just because you are looking for one.

That being said, since you barely use your RBL card, it will be easier to track down your expense via its statements. See if your card was involved with the following folks: (Got these from HaveIbeenpwned)

Indian Firm	Hacked On
Dominos India	April 2021
Donzo	June 2019
HDB Financial Service (related to HDFC)	March 2023
Bigbasket	October 2021
Aditya Birla Fashion and Retail (and its subsidiaries)	December 2021
RentoMojo	April 2023
IndiaMart	August 2021

You may want to run your email ID by HaveIbeenpwned because some of the above breaches had unsecured CC data leaked and before tokenization many Indian companies used to store CC data including CVV.


It's unfortunate that this has happened to you. As a fellow member here - All I can say is, you are still healthy and well, you'll earn well and this phase will pass. No lesson to be learned here just experience of life.


1RC

I had used my RBL card only on my Flipkart account.
I was inclined to believe it was a session hijack because I had 2FA enabled on my Gmail account. I was sleeping when the hack was ongoing. So, there was no way the hacker could have logged in to my account as I could not have approved the login from my phone (my phone was on a table, far enough that it couldn't have been because of accidental touches).
If my laptop was compromised, I am sure they would have tried to compromise my wife's account as well. Or maybe they tried, but could not find anything.
You rightly said that I am looking for an explanation and my approach may not be rational. TBH, I don't think I will ever get to know what really happened. What it has done is made me cautious about my digital presence. Many of our fellow community members have suggested excellent measures to prevent such hacks. So, I take all the learnings and move forward.

 

[beingmohit]

You have mentioned in the middle of para "for security's sake, you don't really need Gmail"

What it means ?

I am sorry, that was a type. I have rectified it now

 

[beingmohit]

Thanks a lot dude
iOS migration by me some 5 yrs back from Samsung with a big investment is really worth for the price
Email Reg encryption I noted your inputs thanks again

Once again, I would like to point out that all claims of Apple being more secure than Android are false. Samsung flagships (and probably Google) are as secure as Apple, if not more. I would be happy if anyone can back their claims of 'Apple is more secure' with proof. But, till then, my research suggests this is just a misconception.

 

[Rkr]

Once again, I would like to point out that all claims of Apple being more secure than Android are false. Samsung flagships (and probably Google) are as secure as Apple, if not more. I would be happy if anyone can back their claims of 'Apple is more secure' with proof. But, till then, my research suggests this is just a misconception.

You skill and your konwledge is only precious wall against all threats..No phone helps, let it be android or iphone, if your are not using your own conscience on World wide web MayaJal..😀😄😄😄

 

[Wealth is my birth right!]

You skill and your konwledge is only precious wall against all threats..No phone helps, let it be android or iphone, once your are not using your own conscience on World wide web MayaJal..😀😄😄😄

Exactly
We can buy a lock for several lakhs price but due to absence of mind if we forget to lock the house then no use of that high worthy lock
Lets be own firewall for our digital safety and security 👍

 

[arko]

I had used my RBL card only on my Flipkart account.
I was inclined to believe it was a session hijack because I had 2FA enabled on my Gmail account. I was sleeping when the hack was ongoing. So, there was no way the hacker could have logged in to my account as I could not have approved the login from my phone (my phone was on a table, far enough that it couldn't have been because of accidental touches).
If my laptop was compromised, I am sure they would have tried to compromise my wife's account as well. Or maybe they tried, but could not find anything.
You rightly said that I am looking for an explanation and my approach may not be rational. TBH, I don't think I will ever get to know what really happened. What it has done is made me cautious about my digital presence. Many of our fellow community members have suggested excellent measures to prevent such hacks. So, I take all the learnings and move forward.

I am pretty sure your gmail got hacked.---dont know how with 2fa
If phone was hacked then they could have used other credit cards also which send only mobile otp which they did not.
Try to reach gmail support for deleted email if it can be retreived .If the otp messages from your mail is deleted then i am sure your gmail was hacked. If you have otp on phone then your phone is safe.

 

[beingmohit]

I am pretty sure your gmail got hacked.---dont know how with 2fa
If phone was hacked then they could have used other credit cards also which send only mobile otp which they did not.
Try to reach gmail support for deleted email if it can be retreived .If the otp messages from your mail is deleted then i am sure your gmail was hacked. If you have otp on phone then your phone is safe.

Yeah, it was my Gmail account. I have a few emails that the hacker could not delete before I took control of my account.
Google has refused to help me access deleted emails.

 

[yolofino]

@beingmohit any idea where's the 2FA backup codes are stored?

Also still no clue on how CVV is accessible?

any key loggers/malwares or something in your phone or laptop?

I have seen many transactions going through with wrong CVV, especially on Flipkart & especially using SBI credit cards.

 

[arko]

Yeah, it was my Gmail account. I have a few emails that the hacker could not delete before I took control of my account.
Google has refused to help me access deleted emails.

if your otp is deleted then 100% gmail is hacked else who will delete otp from mail. If your phone was hacked then all other tokenized cards could have been used by the hacker.