Data Leaked/ Cards Hacked

[beingmohit]

I randomly started getting SMSs regarding OTPs and transaction alerts. As I was already asleep, I did not bother. But, my wife checked it and to our horror, we were getting OTPs for random transactions on Flipkart, and all of them were getting successful. I immediately disabled online transactions on my card. Just then, I started getting OTPs on my RBL card. By the time I was able to disable transactions on my RBL card, another transaction went through successfully. I am confused and unable to understand how this can happen. How can someone hack the OTPs on my phone? Please let me know what I should do now.
Update: The hacker used my RBL card to purchase Flipkart GVs worth 50k. Fortunately, I could add these GVs to my Flipkart account before the hacker could. I discussed the incident with Flipkart and they have initiated a refund for these 50k.
The hacker used my Axis card to purchase 45k worth of Google Play vouchers. As the voucher codes were delivered to the hacker's email, I could not do anything about it. I am in discussions with Google Play support, but the conversations so far don't give me much confidence. I have also registered a complaint with the Cyber Crime Division of Bengaluru Police. They have not yet registered an FIR (only a complaint) as they want us to try and get out money back (You won't be wrong if you are wondering why we pay taxes to fund their salaries). Axis Bank has denied any responsibility as the payments were authorized using OTP.
Please let me know if anyone here has any suggestions about how to get my money back. Should I try to register an FIR? Should I try mailing Axis again?

 

[beingmohit]

Actually what you said was "as I have only used it once or twice in 2 years". So I misunderstood that and stand corrected.

Which doesn't change the premise of what I was saying to begin with about this situation. And I've seen people in OPs situation many many times before. OP - you have made all the right noises about security including 24/7 VPNs, 2FAs, OS updates and what nots. Which means that it could be one of two things:

1. You were hacked by a state actor who got greedy and stupid and tried to encash a Flipkart voucher/GC which has incredibly limited use. Not only doing something that's highly traceable due to the limited use of Flipkart GVs (third party GCs from Amazon would have been a wiser choice) but also alerting you to the fact that your systems have been compromised. I say this not because OS', VPNs etc. can't be got around but because financial fraudsters generally do not have the technical sophistication or time/effort to get around these systems of target victims individually.
2. Your attacker used social engineering to get you

I am inclined to believe the latter which means either:
1. You know (or suspect) or you got socially hacked but you're not sharing that with us
2. You don't have a clue what happened which means you're still potentially exposed to your attacker

So figuring out what and how it happened is the only way you can prevent it from happening to yourself (and a few others) again.

Well, I have shared all that happened. I don't think social engineering is the cause. I used to be a heavy torrent user till a few months back. Could it be possible that some junk file/app that I downloaded some time in the past was the reason? Any normal person would think the hacker would have tried to gain access as soon as they get an entry point, but there have been instances of malware laying dormant for months before they do their trick.

 

[Deleted member 9785]

i generally use my apple phone or ipad to make payments. Apple is safer and virus free

 

[Rkr]

i generally use my apple phone or ipad to make payments. Apple is safer and virus free

This problem is raised as general concern by a victim.
Not everyone has Iphone for making Payments but lessons learnt from this thread ,Surely many of us now get alerted while doing transaction and will take necessary measures to avoid the same irrespective of phone they held.

 

[beingmohit]

i generally use my apple phone or ipad to make payments. Apple is safer and virus free

'Apple is safer' is a huge misconception. I would love to know the source of your information.

 

[PiperatGatesofDawn]

Most probably laptop. It is quite harder to hijack session data from mobile devices, especially apps.

VPN is never for security, never ever put your faith in that. Even the good ones like proton. The whole job of VPN is to show your location at a different place and that's about it. Btw I am not blaming you but using vpn most of the time does put you at a bit higher risk. Location change is one of the vectors google uses to determine if something fishy is going on. But if you are using vpn all the time, it means in Google's eyes sudden location change in your account isn't something abnormal.

Again I would disagree. VPNs do provide a very good level of security and should certainly always be used especially in public networks. Like everything else they're far from perfect and depend a lot on the vendor, OS, user etc. to be effective.

Location change is always a trigger for Google even if you are traveling or changing your location a lot. If you log in from a different device in a different state or area Google will start asking questions, no matter how much you've physically or virtually roamed the world before that. What prevents the triggers esp. for Google is when you use your "own" device. Google's fingerprinting and associated security is terrible so stealing cookies and pretending to be OP is not very hard. However getting into OPs system to steal his cookies is technically (but not socially) very hard.

 

[PiperatGatesofDawn]

Well, I have shared all that happened. I don't think social engineering is the cause. I used to be a heavy torrent user till a few months back. Could it be possible that some junk file/app that I downloaded some time in the past was the reason? Any normal person would think the hacker would have tried to gain access as soon as they get an entry point, but there have been instances of malware laying dormant for months before they do their trick.

Why would they wait for months? What exactly are they waiting for once they have access to your system?

Waiting exponentially increases the chances that their attack will be discovered and thwarted. They will also be worried that another rival attacker will discover your system is/can be compromised and steal your monies first leaving them with nothing.

Nobody waits. They're in and out as fast as possible.

 

[PiperatGatesofDawn]

i generally use my apple phone or ipad to make payments. Apple is safer and virus free

That is not true at all nor is it relevant to financial fraudsters stealing your monies. Apple has a huge list of known critical vulnerabilities that they haven't fixed for years. iOS/iPadOS/MacOS has been made by humans no smarter or dumber than the ones at Google, Microsoft, IBM and the like. iOS' great VPN issue comes to mind - for years and years they knew their VPN leaked data but never fixed it.

Also, financial fraudsters aren't technical wizards hacking your computer from a excel sheet on their Nokia phone. Technical hacking requires an incredible high degree of sophistication and it's pay out is usually exponentially exponentially more than what your bank account daily transaction limit or your credit card limits are.

Financial fraud is almost 100% committed by social engineering and for that reason iOS users are as vunerable as Android or Linux users. In fact an iOS user is generally a more attractive target for a attacker because they know that a iOS user would statistically be wealthier than an Android user.

 

[Deleted member 9785]

People have exposed their bank accounts to Aadhar frauds and are worried about the smaller ones

Bank Scam using AADHAR - Deactivate Aadhaar Enabled Payment Service (AePS)

Very Imp Lock AADHAR Based authentication on UDAI website. Only open it for short while when u need to do a KYC https://www.dnaindia.com/personal-finance/report-new-fraud-method-exposed-cyber-scammers-clear-bank-accounts-with-aadhaar-number-no-otp-needed-3043409

www.technofino.in

 

[Deleted member 9785]

This is a old problem. Surprised Flipkart cant put 2FA in place

Cyber expert asks Flipkart users to reset passwords to avoid fraud

According to the expert Rajashekhar Rajaharia, cyber criminals are selling sets of email addresses and passwords of customers from allegedly leaked databases of BigBasket that match with accounts of e-commerce firm Flipkart and Amazon

economictimes.indiatimes.com

 

[Wealth is my birth right!]

People have exposed their bank accounts to Aadhar frauds and are worried about the smaller ones

Bank Scam using AADHAR - Deactivate Aadhaar Enabled Payment Service (AePS)

Very Imp Lock AADHAR Based authentication on UDAI website. Only open it for short while when u need to do a KYC https://www.dnaindia.com/personal-finance/report-new-fraud-method-exposed-cyber-scammers-clear-bank-accounts-with-aadhaar-number-no-otp-needed-3043409

www.technofino.in

Always lock aadhaar 👍

 

[Pankhuri]

i generally use my apple phone or ipad to make payments. Apple is safer and virus free

Not really.

 

[MOhit __]

I once set my ICICI transaction limit to 5000, and that month, ICICI reported that amount as my limit in CIBIL.
Therefore, I don't believe that decreasing transaction limits is a good idea.

 

[thanix]

Two bank cards and email compromise is not very common. Since you have 2FA enabled for email, have you added your mobile or laptop as trusted device. My suspicion is one of your device is the one that is compromised.

By any chance, your password of Flipkart and email was same? Many people use common password for all online websites and only banking is segregated.

 

[Dr. Drake]

I already have 2FA enabled. The hacker was clearly able to bypass it (not sure how).

Cookies. Never save sessions

 

[1RC]

Well, I have shared all that happened. I don't think social engineering is the cause. I used to be a heavy torrent user till a few months back. Could it be possible that some junk file/app that I downloaded some time in the past was the reason? Any normal person would think the hacker would have tried to gain access as soon as they get an entry point, but there have been instances of malware laying dormant for months before they do their trick.

To be blunt here - you are not the right person to audit yourself.

Don't get me wrong, but you and generally most people "don't see it coming". The answer maybe at plain sight but sometimes, things that are too obvious that one may not give much weight to it. I read this entire thread and the 1st thing that came up in my mind right after reading initial comments "It must be the emails" and voila, others (rightly pointed out) and including you said it yourself - it was the email hack albeit in trash (pun intended).

I can assure you, it's not a case of session hijacking. Session hijacking is not mass attack game for financial criminals. I'll show you why. See attached screenshot shows all the attempts made to login to my account. These are financial criminals who have access to my email id and old password, and trying to login to my account using software that jumps geographies.

You may want to introspect all these with fresh mind after some months, because right now you are trying to find a "reason/cause" as to why it happened. You may end with a wrong reason just because you are looking for one.

That being said, since you barely use your RBL card, it will be easier to track down your expense via its statements. See if your card was involved with the following folks: (Got these from HaveIbeenpwned)

Indian Firm	Hacked On
Dominos India	April 2021
Donzo	June 2019
HDB Financial Service (related to HDFC)	March 2023
Bigbasket	October 2021
Aditya Birla Fashion and Retail (and its subsidiaries)	December 2021
RentoMojo	April 2023
IndiaMart	August 2021

You may want to run your email ID by HaveIbeenpwned because some of the above breaches had unsecured CC data leaked and before tokenization many Indian companies used to store CC data including CVV.


It's unfortunate that this has happened to you. As a fellow member here - All I can say is, you are still healthy and well, you'll earn well and this phase will pass. No lesson to be learned here just experience of life.


1RC

 

[Strange]

To be blunt here - you are not the right person to audit yourself.

Don't get me wrong, but you and generally most people "don't see it coming". The answer maybe at plain sight but sometimes, things that are too obvious that one may not give much weight to it. I read this entire thread and the 1st thing that came up in my mind right after reading initial comments "It must be the emails" and voila, others (rightly pointed out) and including you said it yourself - it was the email hack albeit in trash (pun intended).

I can assure you, it's not a case of session hijacking. Session hijacking is not mass attack game for financial criminals. I'll show you why. See attached screenshot shows all the attempts made to login to my account. These are financial criminals who have access to my email id and old password, and trying to login to my account using software that jumps geographies.

You may want to introspect all these with fresh mind after some months, because right now you are trying to find a "reason/cause" as to why it happened. You may end with a wrong reason just because you are looking for one.

That being said, since you barely use your RBL card, it will be easier to track down your expense via its statements. See if your card was involved with the following folks: (Got these from HaveIbeenpwned)

Indian Firm	Hacked On
Dominos India	April 2021
Donzo	June 2019
HDB Financial Service (related to HDFC)	March 2023
Bigbasket	October 2021
Aditya Birla Fashion and Retail (and its subsidiaries)	December 2021
RentoMojo	April 2023
IndiaMart	August 2021

You may want to run your email ID by HaveIbeenpwned because some of the above breaches had unsecured CC data leaked and before tokenization many Indian companies used to store CC data including CVV.


It's unfortunate that this has happened to you. As a fellow member here - All I can say is, you are still healthy and well, you'll earn well and this phase will pass. No lesson to be learned here just experience of life.


1RC

Which email service you are using?

 

[knight]

What are your views on password managers?

Though one or two people did suggest bitwarden above.
I do remember Lastpass and few others being hacked.

When it comes to pw managers with encryption keys, safeguarding keys becomes an additional hazard.
And what are some actually reliable managers that can be used across devices.

 

[BeingIncog]

And what are some actually reliable managers that can be used across devices.

write it down in smoll diary. bess.

 

[Wealth is my birth right!]

To be blunt here - you are not the right person to audit yourself.

Don't get me wrong, but you and generally most people "don't see it coming". The answer maybe at plain sight but sometimes, things that are too obvious that one may not give much weight to it. I read this entire thread and the 1st thing that came up in my mind right after reading initial comments "It must be the emails" and voila, others (rightly pointed out) and including you said it yourself - it was the email hack albeit in trash (pun intended).

I can assure you, it's not a case of session hijacking. Session hijacking is not mass attack game for financial criminals. I'll show you why. See attached screenshot shows all the attempts made to login to my account. These are financial criminals who have access to my email id and old password, and trying to login to my account using software that jumps geographies.

You may want to introspect all these with fresh mind after some months, because right now you are trying to find a "reason/cause" as to why it happened. You may end with a wrong reason just because you are looking for one.

That being said, since you barely use your RBL card, it will be easier to track down your expense via its statements. See if your card was involved with the following folks: (Got these from HaveIbeenpwned)

Indian Firm	Hacked On
Dominos India	April 2021
Donzo	June 2019
HDB Financial Service (related to HDFC)	March 2023
Bigbasket	October 2021
Aditya Birla Fashion and Retail (and its subsidiaries)	December 2021
RentoMojo	April 2023
IndiaMart	August 2021

You may want to run your email ID by HaveIbeenpwned because some of the above breaches had unsecured CC data leaked and before tokenization many Indian companies used to store CC data including CVV.


It's unfortunate that this has happened to you. As a fellow member here - All I can say is, you are still healthy and well, you'll earn well and this phase will pass. No lesson to be learned here just experience of life.


1RC

That makes sense thank you
BTW I use apple keychain for storing passwords and cards virtually so no need of any other 3rd party password management apps
Just want to know if any encrypted mail services available like proton mail but free is 500mb which won’t suffice and annual plan is 5400/- per annum which is big atleast for india 🇮🇳
TIA

 

[1RC]

Which email service you are using?

I am old school. I am sticking with Microsoft.