
Data Leaked/ Cards Hacked

beingmohit

TF Premier
I randomly started getting SMSs regarding OTPs and transaction alerts. As I was already asleep, I did not bother. But, my wife checked it and to our horror, we were getting OTPs for random transactions on Flipkart, and all of them were getting successful. I immediately disabled online transactions on my card. Just then, I started getting OTPs on my RBL card. By the time I was able to disable transactions on my RBL card, another transaction went through successfully. I am confused and unable to understand how this can happen. How can someone hack the OTPs on my phone? Please let me know what I should do now.
Update: The hacker used my RBL card to purchase Flipkart GVs worth 50k. Fortunately, I could add these GVs to my Flipkart account before the hacker could. I discussed the incident with Flipkart and they have initiated a refund for these 50k.
The hacker used my Axis card to purchase 45k worth of Google Play vouchers. As the voucher codes were delivered to the hacker's email, I could not do anything about it. I am in discussions with Google Play support, but the conversations so far don't give me much confidence. I have also registered a complaint with the Cyber Crime Division of Bengaluru Police. They have not yet registered an FIR (only a complaint) as they want us to try and get our money back (You won't be wrong if you are wondering why we pay taxes to fund their salaries). Axis Bank has denied any responsibility as the payments were authorized using OTP.
Please let me know if anyone here has any suggestions about how to get my money back. Should I try to register an FIR? Should I try mailing Axis again?
 

beingmohit

TF Premier
Hello Everyone,

I am new to this forum, as I got to know about it after searching for a similar problem I faced yesterday.

The same incident happened to me. Yesterday someone used my FLIPKART account and bought Google Play vouchers worth around 30K from my RBL Bank card, whereas I immediately called the bank and told them about the incident and reported the same to FLIPKART. I don't think they used my Gmail in this case, as I was doing some work on my mobile while all this happened and there was no trace of any OTP on my email.

I am told to register a complaint with Cybercrime, but I am not able to do it because they require a transaction ID, which has not yet been generated by the bank. As of now they are giving the same answer, that the transaction is still in process, while Flipkart is investigating the issue from their end.

Still waiting to get resolution on the same.
Flipkart may block your account in a few days (they did that to me). I would suggest you keep talking to them (record all communications). If you can get the gift voucher codes, you may get some of your money back.

Does Flipkart not have 2FA?
No, they do not. I don't think any ecom platform has it.
 

Rkr

TF Legend
TF Family
Contributor
Moderator
One more reason to end all associations with Flipkart. I am going to delete my account from all apps that do not support 2FA going forward.
Don't take such a harsh step. The solution is this: Flipkart/Amazon always ask to save your card at the time of making a payment from a new card. The moment you tick the box to save your card, as per RBI guidelines they have to tokenise your card in order to save it on their platform instead of the actual card numbers. Here may be the original problem. Once the card is saved in tokenised form, then any random CVV will also trigger the transaction (though it is not supposed to be, but it is happening) and ask for OTP. Don't save your card on any e-commerce site for tokenisation.
 

Pankhuri

TF Ace
One more reason to end all associations with Flipkart. I am going to delete my account from all apps that do not support 2FA going forward.
I would say don't take such harsh decisions. For example, a simpler solution is to have your purchases shifted to Amazon where you can and then delete all credit or debit card data from Flipkart and never save anything on that again. Same with other less secure websites. Trust me, I have been where you are now, but the reality is most websites don't take security seriously, hell, not even banks. For example, for signing into Axis and HDFC, it is not compulsory to have 2FA, and even the banks which make this compulsory mostly use SMS, which is comparatively a bit less secure.

Best way to protect yourself is to not give info to websites that you don't trust. I keep all of my cards except Amazon Pay on Bitwarden only. When I need to pay for something, it is just 10 secs extra to copy and paste info from there.


I would seriously recommend setting up Bitwarden and making it a point to use it for 1 month. It takes care of insecure passwords, which is many times the major issue.
 

Pankhuri

TF Ace
Once the card is saved in tokenised form, then any random CVV will also trigger the transaction (though it is not supposed to be, but it is happening) and ask for OTP
Tbh, this is how it is supposed to work. The whole point of having CVV was to have a tool to verify that you actually have the card. What tokenisation does is that it verifies that you actually do possess the card and gives ecom websites a token to save on their end instead of your card details. This was done because the rise of e-com led to many websites with questionable security practices now saving financial data that could possibly ruin someone. The problem that these networks missed because of optimising for efficiency is that the account directly could be used to purchase something by already saved tokens.
 

Rkr

TF Legend
TF Family
Contributor
Moderator
Tbh, this is how it is supposed to work. The whole point of having CVV was to have a tool to verify that you actually have the card. What tokenisation does is that it verifies that you actually do possess the card and gives ecom websites a token to save on their end instead of your card details. This was done because the rise of e-com led to many websites with questionable security practices now saving financial data that could possibly ruin someone. The problem that these networks missed because of optimising for efficiency is that the account directly could be used to purchase something by already saved tokens.
Yes, correct. It's a kind of loophole that needs to be fixed ASAP by the bank.
 

Rkr

TF Legend
TF Family
Contributor
Moderator
I don't think it is in their hand. RBI would need to step up and mandate something here.
Still, checks are there... Without OTP no domestic transaction will go through.
Till some solid ways are implemented by RBI and banks, avoid saving cards on any apps/websites.
 
OP needs to figure out or get someone to figure out how the hacker got his information. Based on whatever he's said so far... the hacker has enough access to his personal information to do it again and again and again. Changing passwords and cards won't help.
 

Pankhuri

TF Ace
OP needs to figure out or get someone to figure out how the hacker got his information. Based on whatever he's said so far... the hacker has enough access to his personal information to do it again and again and again. Changing passwords and cards won't help.
Not really tbh. There is a very good chance that hacker doesn't have much if any personal information of OP. This seems like a session hijack, which gets resolved as soon as you change passwords.
 
Not really tbh. There is a very good chance that hacker doesn't have much if any personal information of OP. This seems like a session hijack, which gets resolved as soon as you change passwords.

TBH!!! :)

To go by your theory of a session hijack... let's assume you know what that means esp. how it can be done. Let's assume OP was a totally random victim where the hacker got hold of some Gmail cookies over an unsecure network. How does a session hijack get OP's CVV information? That too of a card OP has used twice in the last year?

Also, what is preventing the hacker from hijacking OP again. By your theory the hijacker started with 0 information about OP to start with and got it all. What's preventing them going in again with 0 information and getting it all again?

I suspect OP either doesn't know or isn't sharing some information.
 

knight

TF Ace
TBH!!! :)

To go by your theory of a session hijack... let's assume you know what that means esp. how it can be done. Let's assume OP was a totally random victim where the hacker got hold of some Gmail cookies over an unsecure network. How does a session hijack get OP's CVV information? That too of a card OP has used twice in the last year?

Also, what is preventing the hacker from hijacking OP again. By your theory the hijacker started with 0 information about OP to start with and got it all. What's preventing them going in again with 0 information and getting it all again?

I suspect OP either doesn't know or isn't sharing some information.
From what I recall, the issue was not because of CVV but rather because the cards were tokenized.

In such a case, as long as the hacker doesn't have a keylogger or any other strong control over OP's devices to regain the new password, changing pw and removing known devices should help.
 
From what I recall, the issue was not because of CVV but rather because the cards were tokenized.

Again you don't understand what tokenized means.

The virtual cards would be encrypted on OP's device. The tokens are one time use and don't carry any information about the card; rather, they are a string of gibberish characters and cannot be used online.

AFAIK tapping is the most secure way of paying anything in-person today and hasn't been cracked as yet.
 

hks789

TF Ace
VIP Lounge
Again you don't know what that means.

The virtual cards would be encrypted on OP's device. The tokens are one time use and don't carry any information about the card; rather, they are a string of gibberish characters and cannot be used online.

AFAIK tapping is the most secure way of paying anything in-person today and hasn't been cracked as yet.
He is talking about card tokenization in Flipkart. Once your card is saved in Flipkart account, even a wrong CVV will work.
 
He is talking about card tokenization in Flipkart. Once your card is saved in Flipkart account, even a wrong CVV will work.

OK security experts you need to chill. No it doesn't work like that at all. And even if it did - how do you explain the PlayStore hack?

When your card is "tokenized" by Flipkart - they are NOT storing any data about your card. All they are doing is becoming authorised routing partners between you and your card issuer and your card network.

Flipkart has nothing to do with your tokens nor can they read or store them or let anyone perform multiple transactions with the one time use tokens which have to originate from the card owner.

Call me a skeptic but I think OP hasn't shared everything or doesn't know how it happened which is even more troubling.
 

Pankhuri

TF Ace
TBH!!! :)

How does a session hijack get OP's CVV information? That too of a card OP has used twice in the last year?
They didn't know OP's CVV or card details. That's why they used his cards from his account, knowing full well that if the OP catches up to them before they receive vouchers, he can cancel them.


What's preventing them going in again with 0 information and getting it all again?
OP having their guard up. I suggested many things in my previous comment a few days back, a few hours after OP posted. If even half of those are implemented, OP is good unless he installs something from a shady site.



I suspect OP either doesn't know or isn't sharing some information.
OP's story is a pretty common one in session hijack cases, except for the use of e-com part. He mentioned he recently traveled abroad. Airports are very notorious for installing malware.
 