Mother of all scams thread


Windwaver

@Inlinefour The TRUTH is SYT and MILS are simply trained songstress who serenades men's heart whispering sweet nothing & delicate to touch that cajole men's heart, their words are always flattery . . .

  • Haha! 1

  On 1/10/2022 at 10:47 PM, Rayleigh said:

In the recent OCBC case, victims were misled to believe that the fake OCBC website was the genuine OCBC website. The scammers were simply relying on victims to feed them with username, password and OTP. Hence regardless of app base token or physical token, victims would still have fed them the necessary info to be robbed. The scammers were simply transferring the info from their fake website and input directly into genuine OCBC. They are like a proxy. 


What is worrying is some victims say they didn't key in otp. Others say they received otp to increase transfer limit which they didn't ask for, so didn't key in, and yet accounts cleaned out.

 

  • Praise 1

  On 1/11/2022 at 12:28 AM, Voodooman said:

Thanks for sharing. I understand this part but will digital token help?


When you say digital token- you’re talking about the small calculator type right ?? ….. it just creates random numbers which the scammer can still access since they do it parallel from the fake website and onto the real website simultaneously 

  • Praise 2

  On 1/11/2022 at 1:12 AM, Karoon said:

What is worrying is some victims say they didn't key in otp. Others say they received otp to increase transfer limit which they didn't ask for, so didn't key in, and yet accounts cleaned out.

 


Ya. That's the scary part. The SMS OTP was intercepted. In this case, I'm not sure if DBS digital token is better it is linked to your mobile device. 

  • Praise 1

  On 1/11/2022 at 1:35 AM, BanCoe said:

When you say digital token- you’re talking about the small calculator type right ?? ….. it just creates random numbers which the scammer can still access since they do it parallel from the fake website and onto the real website simultaneously 


No la, that’s the physical token.

Digital token is linked to your mobile phone.

Eh bro, your Bank of COE like cannot make it leh. Got what security features ah? Milo tin with scotch tape on the lid? 🤣

Edited by Fcw75
  • Praise 2
  • Haha! 2

Try accessing Gmail from random laptops and phones. You'd face hurdles as they'd keep trying to verify if it's you. That's what the scammers are doing, so at the very least the banks should have flagged that.

 

  • Praise 1

  On 1/11/2022 at 1:35 AM, BanCoe said:

When you say digital token- you’re talking about the small calculator type right ?? ….. it just creates random numbers which the scammer can still access since they do it parallel from the fake website and onto the real website simultaneously 


Digital tokens are embedded in the mobile apps, the 2FA is a seamless process, I read. 

To register digital token to your phone for the first time, you need to fill up a physical form, use your ATM pin or visit a branch, at least that is UOB protocol. Not foolproof but there are safeguards. 

But I am quite an IT idiot, hence my question. It is important to know its vulnerability. Experts, please share.

  • Praise 2

  On 1/11/2022 at 1:53 AM, Karoon said:

Try accessing Gmail from random laptops and phones. You'd face hurdles as they'd keep trying to verify if it's you. That's what the scammers are doing, so at the very least the banks should have flagged that.

 


Some banks moving to use singpass.  


  On 1/10/2022 at 2:35 AM, BanCoe said:

Does this mean that they can clone a phone ??? or is it when the Victim keys in the USER ID n PW /PIN to a fake website (which they can already see all the alphanumeric keys they can likewise also see when they key in OTP in the fake website ........ and on the parallel the scammers are using the real OCBC website to key in immediately

OCBC must come clean and openly say which country is the funds going to and all that kind of details..(of course the criminals will be using 3rd party accounts to receive funds - just the same way Ah Loongs use innocent victims accounts ).... and rope in INTERPOL    

 


Once they get your user ID and PW, they can log into your account, change phone number to the one they use, change withdrawal limits, etc. Maybe OCBC is lacking in the 2nd layer of security.
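
The checks raised in this thread (flagging a login from an unfamiliar device, and treating a phone-number or limit change as a sensitive action), sketched as an added example that is not part of any post and not any bank's actual logic. The event names, the 30-minute window, the decision labels and all sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)               # assumed review window after a new-device login
SENSITIVE = {"change_phone", "raise_limit"}  # hypothetical action names

# Constructed sample events: (timestamp, account, device_id, action)
EVENTS = [
    ("2022-01-05 09:00", "acct-1", "dev-A", "login"),
    ("2022-01-05 09:02", "acct-1", "dev-A", "transfer"),
    ("2022-01-10 21:00", "acct-1", "dev-X", "login"),
    ("2022-01-10 21:03", "acct-1", "dev-X", "raise_limit"),
    ("2022-01-10 21:05", "acct-1", "dev-X", "transfer"),
    ("2022-01-10 22:00", "acct-2", "dev-B", "login"),
    ("2022-01-10 22:01", "acct-2", "dev-B", "change_phone"),
    ("2022-01-11 08:00", "acct-2", "dev-B", "login"),
    ("2022-01-11 08:05", "acct-2", "dev-B", "transfer"),
]
# Constructed baseline of devices each account has used before
KNOWN = {"acct-1": {"dev-A"}, "acct-2": {"dev-B"}}


def flag_sessions(events, known_devices, window=WINDOW):
    """Return (timestamp, account, action, decision) for risky actions."""
    first_login = {}  # (account, device) -> first login time of an unrecognised device
    alerts = []
    for ts, acct, dev, action in sorted(events):
        if dev in known_devices.get(acct, set()):
            continue  # recognised device: normal handling
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        key = (acct, dev)
        if action == "login":
            first_login.setdefault(key, t)
            alerts.append((ts, acct, action, "step_up"))  # ask for extra verification
        elif key in first_login and t - first_login[key] <= window:
            # Sensitive changes are refused outright; transfers are held for review.
            decision = "block" if action in SENSITIVE else "hold"
            alerts.append((ts, acct, action, decision))
    return alerts


if __name__ == "__main__":
    for alert in flag_sessions(EVENTS, KNOWN):
        print(*alert)
```

A correct username, password and OTP all pass through a relayed session unchanged, so the device the session comes from and the order of actions inside it are what this check keys on.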


  On 1/11/2022 at 1:42 AM, Fcw75 said:

No la, that’s the physical token.

Digital token is linked to your mobile phone.

Eh bro, your Bank of COE like cannot make it leh. Got what security features ah? Milo tin with scotch tape on the lid? 🤣


eh eh u dun anyhow say my BankCoe liddat hor , no make fun my preambree Tree Education hor , Newspaper got say anything about my Bank or not??? , I sue until no tomorrow hor ; Mine is Lunch Coporal Bank hor lagi atas than Private Bank🤣...... no Milo Tin only use Chubb 💪      

  • Haha! 1

  On 1/11/2022 at 2:29 AM, Kb27 said:

Once they get your user ID and PW, they can log into your account, change phone number to the one they use, change withdrawal limits, etc. Maybe OCBC is lacking in the 2nd layer of security.


Wow! so easy to change phone number for the link for 2FA  


  On 1/10/2022 at 2:25 PM, Voodooman said:

Can you elaborate why physical or digital token would've made no difference to the outcome? Especially digital token embedded in the banking apps that is tied to your phone?


In most phishing attacks, the victims would've clicked the phishing link in panic and entered all the details including the OTP generated from token - so having the token as physical or in phone would not have mattered.

Despite popular belief, hacking the banking token is actually not the objective of most scammers because it is highly complex, time-consuming and no guaranteed returns. In short, the scammers would have to hack into the bank's internal network to get the public key and hack into one victim's phone to get the unique private key in order to "clone the token". Even assuming the hacks were successful after all the trouble and time, the victim may only have few dollars in his account which doesn't justify the effort. And then, the scammers have to repeat the whole process from scratch again for the next victim because each user's token is unique so it's simply too much effort for little gain.

Imagine if you're running a scamming syndicate, your objective would be to use the simplest, fastest and replicable method to attack as many targets as possible - minimum effort for fastest and maximum gain. A phishing SMS is simple, repeatable and able to scale as many targets as possible. In OCBC case, blast the SMS to maybe 100k people and all you need is for 400+ consumers to fall for it and already huat $8.5M liao. 

That's why hacking human psychology is easier than hacking technology as fear and greed are guaranteed to exist in most of us.

  • Praise 5

  On 1/11/2022 at 2:28 AM, Voodooman said:

Some banks moving to use singpass.  


@Voodooman Even using SingPass would not be helpful for OCBC case. Scammer will be using PC A to access a victim account using victim Username and Password. At the same time, victim will be using SingPass as 2FA on his/her mobile. Upon positively authenticated by victim, scammer who is stationing himself in front of PC A would be granted access to victim account immediately. 

  • Praise 2

After reading all the above sharing by IT savvy brothers, I reckon it is best not to respond or do anything once citizens receive an SMS notification, or calls from +65 . . . Unknown calls etc. Literally we can forget about 5G

Cyber crime criminals are working hard  . . . we are NO longer SAFE.
