How a hacker can drain your account and bank: step by step

Good idea until the “hacker” in said scenario is using your phone. The authentication code will be delivered to the device (s)he is using.

Added email authentication sent to the address you used when signing up would solve the issue or having new cards added or old cards removed.

Granted it’s not as secure as requiring email authentication on every withdrawal, but in my scenario, the worst that can happen is the hacker withdraws money back into your own bank account. Perhaps at a loss, yes, but my personal risk tolerance wouldn’t mind that. I’d feel it a bit of a nuisance having to check my email every time I withdraw.

@Vedran i’ve noticed your anti-security discussions/comments in other threads including this one and they leave me shocked/perplexed…

Most of our clients(enterprises) use 2FA at all levels and depending on their roles and access 2FA is mandatory/required, some even with multiple conditional access requirements. Based on my experience i would say it reduced exposure by at least 90%, easily.

Moving on, I’m not sure about this case scenario OG mentioned but 2FA “IS” long due and @Team212 knows this. It reduces exposure by a lot and builds confidence in the crowds. Not only in the scenario where your password is compromised but the actual servers are (even if you say they are 99.99% secure because of XYZ).

Long story short, we need the option of opting in/out instead of no option.

4 Likes

For Cryptocurrency

I use an email generated code, and 2FA, when I simply log in!

There should be a wealth of options available, to everyones tolerance.

Crypto is another beast though. It’s too complicated.

  • I log in with 2fa to my platform of choice (Bitstamp) to buy Bitcoin.
  • If I want Alt coins, I then log into Binance with a captcha and 2fa and move my Bitcoin from BitStamp to Binance, again with 2fa from Bitstamp’s side to confirm the send.
  • Then to store crypto in my wallet I have to enter a 6 digit code on my ledger and log into my ledger app, and send the crypto from Binance to that, with yet again 2fa from Binance to confirm the send.

Then more or less the reverse if I want to send the money back to fiat currency.

Overkill if you ask me. And crypto advocates wonder why it hasn’t taken off!

I suppose that you got notification (e-mail) when account is funded, so only thing that could happen is that you get free money from the “hacker”. :grinning:

It’s even a good thing, for example my mother wants to put some money in her granddaughter pie, but she lives on small island without bank branch so she has to go to local post and withdraw money and send it to me so I told her keep money in her bank account. I planned to help her open her account at t212, maybe it’s better long term solution.

1 Like

Indeed, I have contrary opinion. That is shocking. We should all think alike. :trolleybus:

Instead of selling products, folks should get proper education and common sense. 2fa used by uneducated person has same strengths if not less then educated person with passphrase.

It is basically similar to door locks, you can buy the best one, if someone wants to rob your home badly and he is skilled he will probably break in. No matter what you have as home security.

But anyway this topic is getting chewed over and over.

When t212 release 2fa, you use it, I won’t. Will feel safe nonetheless.

:partying_face:

1 Like

I must admit, the more and more funds I lump into T212, the more concerned I get that no 2FA is available. I use Face ID to log into the app, which I know is fairly secure but obviously if my login details are comprised via a hacker attack of some kind, having that 2FA either via Google Authentication App or via text / email is just another layer of security. I would prefer a combination. So Face ID / password plus google auth code plus the option of either email / text OTPC on top… just to add several levels of extra security.
This should be on log in and on any withdrawals when already in the app or website.

Would be nice for T2T to issue a response on this once they have had the time to look into it.

I tried to fund $1 with other card (different person), didn’t work, funding failed.

1 Like

Johnny did you do it the way the OP on a different PC and replicating a stolen password then saved the credit card to deposit etc?

Col.

Yet another proof that 83% of statistics are made on the spot (<- including this one)
So from the 1000 clients you have, before 2FA 300 were getting hacked after 2FA only 30 are getting hacked.

Nothing improves security more than education of your users, that is why ISMS (iso 27001) does not mandate anything like 2FA instead it enforces education about security most notably for social engineering and phishing.

I got nothing against 2FA, its great and I use it when available but for an attackers point of view it is another layer of obscurity and yeah security through obscurity works up until a point.

It is shown in quite a few studies, some of the industry wide “security features” does not improve but actually hurt security. (not talking about 2FA) For example forcing users to change passwords periodically, or coming up with a pseudo secure limitation like “no dates, at least one number, 1 special character, lower and upper case characters”

How many of those users than go for “Passw0rd_1” next month “Passw0rd_2” Having a password like “icannotdancewithunderwear” beats the above 2 strategies

but… I digress… what were we talking about on this soggy saturday?

1 Like

Very worrying if this happens to be true. Whilst funding from other card should be fine, any withdrawals should generate a OTP to Phone/email to confirm withdrawal in addition to account password. This may add another layer of security IMHO!

1 Like

It’s not true, don’t worry.

Edit: This has actually been discussed to death:


It would be interesting to get a response from @team212 on this on Monday, even if it was just done with 10 GBP (it might not work for larger amounts as pointed out above). A message from them clarifying this for everyone’s peace of mind. :slight_smile:

A couple of weeks ago I withdrew £16k from my account.

I’d recently added a new card, but had only used that card to add a relatively small amount. The system wouldn’t let me withdraw to the newer card on that occasion. However it has subsequently.

There clearly are some fairly good systems in place but soon the better on Multi factor authentication :slight_smile:

Maybe having you authicate the payment with a PIN Number after you selected the amount would be better?

It is really easy to put funds in your account and an accidental 0 could make all the difference.

2 Likes

Sorry, although I agree, but it’s a big fallacy.

Users never were proper educated and won’t be ever, so relying on this is a big mistake.

If even a well educated Twitter employee were hacked, so image the average dude used to Facebook and Instagram only.

“Nothing improves security more than education of your users,”

Oh God no, if you’ve ever worked in anything that required health and safety you’d have come across the least effective solutions are education and behaviour modification. Literally anything that doesnt rely on the user/operator, is safer.

Robin Hood has been hacked now too

They don’t!
Users are having their accounts “hacked”, probably their emails are compromised (pretty easy to happen if you use gmail and chrome) and they do not have 2FA enabled.
As far as I managed to read, Robinhood servers were not affected, it’s really focused on users.

Hello,

So in regards to the question about the account funds, I believe that I covered most of the part in the following:

Along with that:

7 Likes