Fellow Cybersecurity Professionals. I fell victim to a sophisticated and what appears to be a targeted cyber-attack where the attacker spoofed my bank's phone number, claiming to be from their fraud department and informing me they had detected suspicious activity on my credit card. They used social engineering and exploited a vulnerability in my banking institution's online access and authentication process. Somehow, the attacker obtained my logon username and tricked me using the temporary password reset option by sending me a text code, which was actually the temporary password needed for them to set a new password and gain access to my account. Additionally, they were familiar with the random security code generated by my bank's mobile app that they use on occasion to verify identity, and also aware of my institution's phone authentication procedures, where they were able to authenticate through my institution's phone system.
I've since stepped up my self-cybersecurity awareness and performed some cyber hygiene to increase protections. What I'm trying to figure out is how this attacker was able to associate me with my banking institution and obtain my username. This information is not stored in very many places. Does anyone have any ideas how the attacker may have been able to obtain this information? I've reported the crime to the FBI, and they haven't been very much help so far. I've ruled out a data breach at my bank and wiped my computer in case of undetected spyware; I don't believe it's a MIT attack, but I can't rule it out yet.
Any ideas would be greatly appreciated as I'm working with my bank to have them change their procedures for access and authentication.
You likely will never know. The bank is under no obligation to describe to you how an attack may have exploited weaknesses in their system. And frankly, they have very strong business reasons (reputation and copycats) to keep said weaknesses as confidential as legally permitted. Similarly, law enforcement is not going to divulge the information either for fear that you may become a copycat. My bank does include verbiage in their texts along the lines of "we will never ask you for this code". If your bank starts to lose lots of money due to this avenue of attack, perhaps they too will add similar verbiage.
The one thing you could have done in retrospect is to realize that when someone calls you, you have no obligation to authenticate yourself to them. Instead, it is you who needs to authenticate the caller. The best thing to do in this scenario is to ask for a case number and then return the call using the number on the back of your card. My bank had no issues with me doing this the one time they called me.
@jbacon83 wrote: Fellow Cybersecurity Professionals. I fell victim to a sophisticated and what appears to be a targeted cyber-attack where the attacker spoofed my bank's phone number claiming to be from their fraud department
I see this as the tip of the iceberg. The fundamental rule of all interactions is to always initiate the contact. Hang up and then call the 1-800 number you know (or that's on the back of your credit card). Same thing as never clicking a link in an email or text. Similarly, if someone contacts you, you should never have to tell them your SSN, PIN, security code, whatever. Generally, I berate any outbound telemarketing. It is just bad security. If you want people to have secure practices, they should not be responding to outbound telemarketing.
Before delving into too much as to how they got your username, my first question is how did they get your phone number? They had to know the phone number was connected to your account or make a really lucky guess.
From what you describe, they needed to know three things: your bank, your username, and your phone number. Obviously, they could have stolen it from the bank, but we'll put that aside and ask whether that data could have been shared with other parties (credit agencies, other financial institutions) who have since been compromised. The other possibility is data aggregation (do you use that username elsewhere? Looking up a phone number is fairly easy these days), or is the username easily guessed?
I'm not a fan of two-step authentication because I have to give up more data that can be leveraged against me (e.g. my cellphone number) or my family. I assume that number will be traded with all my other data, constantly expanding my attackable footprint. As such, the only number I give out if I have to is my landline (which is basically my spam box these days). In most cases, I'd rather rely on a good password and practices than give someone more data about me.
@JoePete wrote:
I'm not a fan of two-step authentication because I have to give up more data that can be leveraged against me (e.g. my cellphone number) or my family.
SMS and Voice-calls are not the only form of two-step authentication and in fact are not very well liked by NIST (800-63B §5.1.5.1) nor other parties. Much better are things like TOTP. Really wish I could convince my bank of that.
@denbesten wrote:
SMS and Voice-calls are not the only form of two-step authentication and in fact are not very well liked by NIST (800-63B §5.1.5.1) nor other parties. Much better are things like TOTP. Really wish I could convince my bank of that.
It sounds like in this case they may have been using some form of TOTP. The attacker contacts the victim, convinces the victim they are legit, meanwhile requests a reset, bank generates a TOTP that it sends to victim, attacker says "OK, we just sent you a code, tell us what it is to verify your identity." Attacker then gets the code and carries out the reset.
Those codes/TOTP should be treated just like a password. Don't share them, and be suspicious if someone asks for them. If your bank calls you, the only words the person should say are, "there's a problem, flip over your credit card, call the 1-800 number you see there." Never, ever respond to outbound telemarketing. Always initiate the transaction.