Data Leaked/ Cards Hacked

[beingmohit]

I randomly started getting SMSs regarding OTPs and transaction alerts. As I was already asleep, I did not bother. But, my wife checked it and to our horror, we were getting OTPs for random transactions on Flipkart, and all of them were getting successful. I immediately disabled online transactions on my card. Just then, I started getting OTPs on my RBL card. By the time I was able to disable transactions on my RBL card, another transaction went through successfully. I am confused and unable to understand how this can happen. How can someone hack the OTPs on my phone? Please let me know what I should do now.
Update: The hacker used my RBL card to purchase Flipkart GVs worth 50k. Fortunately, I could add these GVs to my Flipkart account before the hacker could. I discussed the incident with Flipkart and they have initiated a refund for these 50k.
The hacker used my Axis card to purchase 45k worth of Google Play vouchers. As the voucher codes were delivered to the hacker's email, I could not do anything about it. I am in discussions with Google Play support, but the conversations so far don't give me much confidence. I have also registered a complaint with the Cyber Crime Division of Bengaluru Police. They have not yet registered an FIR (only a complaint) as they want us to try and get out money back (You won't be wrong if you are wondering why we pay taxes to fund their salaries). Axis Bank has denied any responsibility as the payments were authorized using OTP.
Please let me know if anyone here has any suggestions about how to get my money back. Should I try to register an FIR? Should I try mailing Axis again?

 

[Pankhuri]

Again you don't understand what tokenized means.

The virtual cards would be encrypted on OP's device. The tokens are one time use and don't carry any information about the card rather is a string of gibberish characters and cannot be used online.

AFAIK tapping is the most secure way of paying anything in-person today and hasn't been cracked as yet.

There is a misunderstanding because of the word tokenized, as it is used for two similar but separate things. First is the one as you mentioned, this is mainly used for mobile wallet payments like apple pay or samsung pay or google pay(international version, not the Indian one).

Another tokenization is of e-comm partner. So what used to happen was e-com websites used to save card data of their consumer for easy checkouts but during breaches that data used to get exposed. So all network providers came up with the solution that when you first add a card on a website, it is tokenized and that token is then saved on the e-com website. This way if there is a breach, cc data is not exposed.

 

[Rkr]

There is a misunderstanding because of the word tokenized, as it is used for two similar but separate things. First is the one as you mentioned, this is mainly used for mobile wallet payments like apple pay or samsung pay or google pay(international version, not the Indian one).

Another tokenization is of e-comm partner. So what used to happen was e-com websites used to save card data of their consumer for easy checkouts but during breaches that data used to get exposed. So all network providers came up with the solution that when you first add a card on a website, it is tokenized and that token is then saved on the e-com website. This way if there is a breach, cc data is not exposed.

Yes nice explanation. Simple way is , one primary card can be used to make many tokenised card at different different platform.

 

[PiperatGatesofDawn]

There is a misunderstanding because of the word tokenized, as it is used for two similar but separate things. First is the one as you mentioned, this is mainly used for mobile wallet payments like apple pay or samsung pay or google pay(international version, not the Indian one).

Another tokenization is of e-comm partner. So what used to happen was e-com websites used to save card data of their consumer for easy checkouts but during breaches that data used to get exposed. So all network providers came up with the solution that when you first add a card on a website, it is tokenized and that token is then saved on the e-com website. This way if there is a breach, cc data is not exposed.

Again your understanding of these things is completely wrong.

That's not tokenization at all. What you're talking about is encryption - and it really doesn't apply here at all if this incident happened in the last few weeks.

What used to happen a while back in India is that e-com websites used to store all your card information. The bad ones used to store it in a flat text file. The slightly better ones used to use hash algorithms which unfortunately could be brute forced and the best ones used salted hash algorithms which are nearly impossible to crack.

While some bad sites (mainly in the US) used to save CVV, Flipkart & Google has never saved your CVV information. So even if they were hacked and your card number and other details were exposed the CVV would always remain unknown to the hacker.

Also that practice of saving your card information in ANY form on a e-com website in India has long stopped. Flipkart & Google has wiped all your old card data from their servers.

Also, FYI, tokenization is not just used in Apple Pay, Samsung Pay, phoren Google Pay etc. but also in every tap and pay that you do anywhere in the world. Tokenization is also used by all online sites in India that accept payments and "save" your card information. In reality these sites don't save any of your card information. That's what makes it so secure for now. Till some really smart people come along and figure out ways to get around it.

 

[arko]

the problem is the email otp. If somehow gmail is hacked which is quite dificult with 2fa then the hacker can directly login in flipkart using google and with any cvv he is buying voucher. I request everybody not to save any card which send otp over email. like rbl,axis

my concern is the email hack.

 

[VISHESH_BANSAL]

Also, FYI, tokenization is not just used in Apple Pay, Samsung Pay, phoren Google Pay etc. but also in every tap and pay that you do anywhere in the world.

Tap and Pay(NFC) txns Processed via Samsung Pay , GPAY and other Similar Apps are only Processed if you tokenized the Card on the respective App.

When You Tap your Mobile Phone at a POS Your Orginal Card Number is Masked and A virtual Card number is shared with Merchant.
This Virtual Card Number Last 04 digits also reflects in Respective App

Do a txn by Tapping your Phone at POS and Check the Last 04 digits of Card number Mentioned on Charge Slip.
Last 04 digits would not match your Actual Card Number Last 04 digits that means Txns Happens via Tokenized Card
Where Actual Card Number is Masked and a Virtual Number is transmitted.

Now When You Tap your Physical Card at POS then Again Notice Last 04 digits on Charge Slip
Last 04 digits would Exactly Match your Actual Card Number Last 04 digits.
This means when You Tap your Physical Card, tokenization is not involved.

 

[Pankhuri]

Again your understanding of these things is completely wrong.

That's not tokenization at all. What you're talking about is encryption - and it really doesn't apply here at all if this incident happened in the last few weeks.

visa cvv free transaction: Visa launches CVV-free payments for tokenised credit, debit cards - The Economic Times

The merchants who adopt this will not have to ask customers for their CVV every time they do a domestic transaction. They will be verifying this three-digit number on the back of the card only once, at the time of tokenising the card.

m.economictimes.com

>The merchants who adopt this will not have to ask customers for their CVV every time they do a domestic transaction. They will be verifying this three-digit number on the back of the card only once, at the time of tokenising the card.

Tokenization is also used by all online sites in India that accept payments and "save" your card information. In reality these sites don't save any of your card information. That's what makes it so secure for now.

You say I don't understand but then repeat what I have said in my last comment. So what gives?

Till some really smart people come along and figure out ways to get around it.

Future is now.

 

[Rkr]

Tap and Pay(NFC) txns Processed via Samsung Pay , GPAY and other Similar Apps are only Processed if you tokenized the Card on the respective App.

When You Tap your Mobile Phone at a POS Your Orginal Card Number is Masked and A virtual Card number is shared with Merchant.
This Virtual Card Number Last 04 digits also reflects in Respective App

Do a txn by Tapping your Phone at POS and Check the Last 04 digits of Card number Mentioned on Charge Slip.
Last 04 digits would not match your Actual Card Number Last 04 digits that means Txns Happens via Tokenized Card
Where Actual Card Number is Masked and a Virtual Number is transmitted.

Now When You Tap your Physical Card at POS then Again Notice Last 04 digits on Charge Slip
Last 04 digits would Exactly Match your Actual Card Number Last 04 digits.
This means when You Tap your Physical Card, tokenization is not involved.

Perfectly elobararted. Yes i am samsung Pay user.The moment you add a card on samsung pay it automactically get tokenised and new card number will be there against your added card number marked as virtual card...The same virtual card last 4 digit will be there on chargeslip for every card transaction made using samsung pay.

 

[Pankhuri]

the problem is the email otp. If somehow gmail is hacked which is quite dificult with 2fa then the hacker can directly login in flipkart using google and with any cvv he is buying voucher. I request everybody not to save any card which send otp over email. like rbl,axis

my concern is the email hack.

SBI, Indus, HDFC also send via email. Tbh I find it quite convinient, don't have to have phone on me to use cc.

 

[Pankhuri]

Yes i am samsung Pay user.

Does it support UPI too?

 

[PiperatGatesofDawn]

Tap and Pay(NFC) txns Processed via Samsung Pay , GPAY and other Similar Apps are only Processed if you tokenized the Card on the respective App.

When You Tap your Mobile Phone at a POS Your Orginal Card Number is Masked and A virtual Card number is shared with Merchant.
This Virtual Card Number Last 04 digits also reflects in Respective App

Do a txn by Tapping your Phone at POS and Check the Last 04 digits of Card number Mentioned on Charge Slip.
Last 04 digits would not match your Actual Card Number Last 04 digits that means Txns Happens via Tokenized Card
Where Actual Card Number is Masked and a Virtual Number is transmitted.

Now When You Tap your Physical Card at POS then Again Notice Last 04 digits on Charge Slip
Last 04 digits would Exactly Match your Actual Card Number Last 04 digits.
This means when You Tap your Physical Card, tokenization is not involved.

For the last time NO. NO. NO.

Your virtual card number is there for reconciliation plus additional security so that even in a printed receipt the merchant or anyone else won't learn the last 4 digits of your card number. It isn't really a different 16 digit virtual credit card at all but just 4 digits. What is transmitted is what seems to be a string of random characters in an encrypted manner. eg: XKNGFO9882NXW19174 or something similar.

TOKENS ARE GENERATED AND SENT WHEN YOU DO TAP AND PAY, DIP YOUR CARD, USE ONLINE TOKENIZED WEBSITES, USE APPS LIKE APPLE/SAMSUNG PAY etc.

The EMV chip in your card is responsible for the token. So you've been actually using a token system for years now every time you've dipped your card in a card machine. You just didn't know it. The only problem with dipping a card is that the magnetic stripe is also going into the machine and so with malicious machines the card can still be skimmed. To remove the magnetic stripe contact, which is the second weakest link in the entire chain of things (the weakest being merchant card storage), tap and pay was created. Tap and Pay USES tokenization and is the most secure payment method currently.

 

[4uziaul]

Does it support UPI too?

Indeed it does.

 

[Rkr]

Does it support UPI too?

Yes, but not through Rupay CC upi payment..
All POS and tap & pay through Credit/debit card and Upi through linked bank account only as of now.

 

[PiperatGatesofDawn]

my concern is the email hack.

Exactly... which is why it could very well happen again.

visa cvv free transaction: Visa launches CVV-free payments for tokenised credit, debit cards - The Economic Times

The merchants who adopt this will not have to ask customers for their CVV every time they do a domestic transaction. They will be verifying this three-digit number on the back of the card only once, at the time of tokenising the card.

m.economictimes.com

>The merchants who adopt this will not have to ask customers for their CVV every time they do a domestic transaction. They will be verifying this three-digit number on the back of the card only once, at the time of tokenising the card.



You say I don't understand but then repeat what I have said in my last comment. So what gives?




Future is now.

OP said he hasn't used his RBL card in 2 years or so. I don't think you could have tokenized cards in Flipkart 2 years ago. Hence my CVV related question. Now if that's incorrect and he had used it with Flipkart already it's a different matter.

Lesson to all use a password manager with a separate authenticator app and don't store your card details with anyone as much as you can no matter how much they tempt you with their bright shiny boxes telling you to click on the "Save Card" button. Apart from security every payment gateway is using it to track you and sell your data.

Oh and also don't save your passwords in your browser/app. Use the password manager, or fingerprint or some secondary means of logging in whenver you can.

And I put "save" in quotes didn't I. And explained that they're not really saving any card information.

 

[arko]

SBI, Indus, HDFC also send via email. Tbh I find it quite convinient, don't have to have phone on me to use cc.

indusind sends but for me hdfc and sbi do not send via email.

 

[hks789]

indusind sends but for me hdfc and sbi do not send via email.

For me, hdfc only send email for money transfers.
Indusind, axis, amex and bob send email for cc.

One suggestion is to use separate mails for financial entities and other shopping sites.

 

[beingmohit]

Exactly... which is why it could very well happen again.



OP said he hasn't used his RBL card in 2 years or so. I don't think you could have tokenized cards in Flipkart 2 years ago. Hence my CVV related question. Now if that's incorrect and he had used it with Flipkart already it's a different matter.

Lesson to all use a password manager with a separate authenticator app and don't store your card details with anyone as much as you can no matter how much they tempt you with their bright shiny boxes telling you to click on the "Save Card" button. Apart from security every payment gateway is using it to track you and sell your data.

Oh and also don't save your passwords in your browser/app. Use the password manager, or fingerprint or some secondary means of logging in whenver you can.

And I put "save" in quotes didn't I. And explained that they're not really saving any card information.

I mentioned that I had used my card twice in the last 1 year. My card was "tokenized" on Flipkart. So, transactions were successful even with incorrect CVVs.
I am quite confident that this was a session hijack attack. I have deployed almost all of the security measures @Pankhuri has suggested thus far, and then some more. But, the only problem that remains is that I have no clue as to how my session got hijacked. Could it have been through my phone or my laptop?
I mostly keep my laptop OS updated, and always use a VPN (even on the home network). I am guessing it could have been some file I downloaded from some place. But, I don't remember downloading anything from a shady website or torrents recently.

 

[Pankhuri]

OP said he hasn't used his RBL card in 2 years or so. I don't think you could have tokenized cards in Flipkart 2 years ago. Hence my CVV related question. Now if that's incorrect and he had used it with Flipkart already it's a different matter.

This has been live since 2021.

 

[Pankhuri]

Could it have been through my phone or my laptop?

Most probably laptop. It is quite harder to hijack session data from mobile devices, especially apps.

I mostly keep my laptop OS updated, and always use a VPN (even on the home network). I am guessing it could have been some file I downloaded from some place. But, I don't remember downloading anything from a shady website or torrents recently.

VPN is never for security, never ever put your faith in that. Even the good ones like proton. The whole job of VPN is to show your location at a different place and that's about it. Btw I am not blaming you but using vpn most of the time does put you at a bit higher risk. Location change is one of the vectors google uses to determine if something fishy is going on. But if you are using vpn all the time, it means in Google's eyes sudden location change in your account isn't something abnormal.

 

[PiperatGatesofDawn]

I mentioned that I had used my card twice in the last 1 year. My card was "tokenized" on Flipkart. So, transactions were successful even with incorrect CVVs.
I am quite confident that this was a session hijack attack. I have deployed almost all of the security measures @Pankhuri has suggested thus far, and then some more. But, the only problem that remains is that I have no clue as to how my session got hijacked. Could it have been through my phone or my laptop?
I mostly keep my laptop OS updated, and always use a VPN (even on the home network). I am guessing it could have been some file I downloaded from some place. But, I don't remember downloading anything from a shady website or torrents recently.

Actually what you said was "as I have only used it once or twice in 2 years". So I misunderstood that and stand corrected.

Which doesn't change the premise of what I was saying to begin with about this situation. And I've seen people in OPs situation many many times before. OP - you have made all the right noises about security including 24/7 VPNs, 2FAs, OS updates and what nots. Which means that it could be one of two things:

1. You were hacked by a state actor who got greedy and stupid and tried to encash a Flipkart voucher/GC which has incredibly limited use. Not only doing something that's highly traceable due to the limited use of Flipkart GVs (third party GCs from Amazon would have been a wiser choice) but also alerting you to the fact that your systems have been compromised. I say this not because OS', VPNs etc. can't be got around but because financial fraudsters generally do not have the technical sophistication or time/effort to get around these systems of target victims individually.
2. Your attacker used social engineering to get you

I am inclined to believe the latter which means either:
1. You know (or suspect) how you got socially hacked but you're not sharing that with us
2. You don't have a clue what happened which means you're still potentially exposed to your attacker

So figuring out what and how it happened is the only way you can prevent it from happening to yourself (and a few others) again.

 

[PiperatGatesofDawn]

This has been live since 2021.

Again no.

Directive for tokenization was issued by RBI on 7 Sept 2021 for implementation by 1st Jan 2022. That directive received 0.00% compliance from merchants and hence was deferred by RBI and implemented by merchants around mid last year.

Explained: What is tokenisation and why has RBI issued new guidelines?

In September 2021, the RBI prohibited merchants from storing customer card details on their servers with effect from January 01, 2022, and mandated the adoption of card-on-file (CoF) tokenisation as an alternative to card storage.

indianexpress.com