Swiss customer loses 30kCHF

Hi

In today's newspaper there is a story about a Swiss Revolut user losing 30kCHF:
Schweizer Kunde verliert bei Revolut 30'000 Franken (Swiss customer loses 30,000 francs at Revolut)

In summary, there were multiple top-ups from the Visa card saved in this user's Revolut account, each of 5kCHF, up to 30kCHF in short succession.
Next, the funds were converted to dirhams (the currency of the UAE) and then sent on to an account in the name of «Anastasja Mihhailova».
This went on until the Revolut account was blocked.

Obviously the user complained about not having any decent way to contact Revolut other than the in-app chat. The newspaper's questions to Revolut were only vaguely answered, with the emphasis that great security precautions are in place. The user himself claims to be a cyber-security expert and rules out being a victim of phishing or similar.

To me this sounds like many security precautions failed.

  1. Why did Visa and/or the issuer of this Visa card let multiple 5kCHF cash transfers through in short succession? For all my cards this would be absolutely unusual behaviour.
  2. Same question to Revolut: why did they not stop the second top-up, or at the latest the third? Same reason as under 1.
  3. Why did Revolut allow the transfer of funds to another account just a very short time afterwards? Their AML precautions should definitely have stopped this. All those points about following the trail of money, especially if there are bigger sums involved, etc. didn't seem to count here. Why should this Revolut user transfer such a large sum to a user unknown until then?

From the user's perspective, what can be done to protect against this besides strong passwords and the usual precautions to be taken when using any kind of IT device?
I would never have a credit/debit card saved in the Revolut account for top-ups; use bank transfers instead. They are slower, but certainly much more controlled than what happened here.

As for the issuer/acquirer, for our benefit they should introduce 2FA (aka 3D-Secure) for all online transactions as soon as possible, no exceptions!

I know security and convenience pull in different directions, but if it's about my money and I could opt in, I'd do it immediately.

On the other hand, if that user regularly transfers such large amounts of money, he's a prime target for a cyber attack. If his mobile device is compromised, even 3DS would not help prevent this if the approval must be given on the same device on which the fraud is executed.

@AndreasK: Are there any official statements from Revolut in response to this newspaper article explaining what really happened?

2 Likes

I've realised that after being a trusted client / using Revolut for a while or spending quite a bit of money with it, you can top up without needing to verify your card with VBV/3D Secure. I believe that was implemented to make the client's life simpler.

Revolut has a limit on how much you can spend with a card, but the attacker could have created a new virtual card, spent up to the limit of $5k, destroyed it, created a new virtual card and repeated, which is probably what he did until he reached the limit on creating virtual cards.
5 virtual cards + one physical card comes to about 30k.

I am fairly sure that this was some kind of SIM swap attack or something like that.

If that person has a 30k+ limit, that does not seem to be "unusual behaviour".
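An added example, not code from the original thread, from Revolut or from Visa, contrasting the two kinds of rule the posts above argue about: a cap per card, of the sort the virtual-card loop just described defeats because every fresh card starts at zero, and an account-level rolling-window velocity check plus a "top-up burst, then FX, then a large transfer to a never-seen payee" pattern, which is what the opening post expected to trip. The thresholds, windows, account and card identifiers, timestamps and the event sequence are all constructed assumptions modelled on the newspaper summary, not anyone's actual fraud rules:

```python
"""Per-card limit vs. account-level velocity and pattern checks (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    account: str
    kind: str          # "topup" | "fx" | "transfer_out"
    amount_chf: float
    instrument: str    # card id for top-ups, payee id for transfers, "" for fx


# Assumed, illustrative thresholds; not Revolut's or Visa's real rules.
PER_CARD_LIMIT_CHF = 5_000.0
TOPUP_WINDOW = timedelta(hours=1)
TOPUP_WINDOW_LIMIT_CHF = 10_000.0       # more than two 5k top-ups in an hour -> review
OUTBOUND_WINDOW = timedelta(hours=2)
OUTBOUND_NEW_PAYEE_LIMIT_CHF = 1_000.0


def per_card_ok(history, e):
    """The rule described in the post: a cap per card. A new virtual card resets it."""
    spent = sum(h.amount_chf for h in history
                if h.kind == "topup" and h.account == e.account and h.instrument == e.instrument)
    return spent + e.amount_chf <= PER_CARD_LIMIT_CHF


def account_velocity_ok(history, e):
    """Aggregate top-ups across every card of the account inside a rolling window."""
    recent = sum(h.amount_chf for h in history
                 if h.kind == "topup" and h.account == e.account and e.ts - h.ts <= TOPUP_WINDOW)
    return recent + e.amount_chf <= TOPUP_WINDOW_LIMIT_CHF


def outbound_ok(history, e, known_payees):
    """Flag a large transfer to a never-seen payee shortly after a top-up burst and an FX conversion."""
    if e.instrument in known_payees or e.amount_chf <= OUTBOUND_NEW_PAYEE_LIMIT_CHF:
        return True
    recent = [h for h in history if h.account == e.account and e.ts - h.ts <= OUTBOUND_WINDOW]
    burst = sum(h.amount_chf for h in recent if h.kind == "topup") >= TOPUP_WINDOW_LIMIT_CHF
    converted = any(h.kind == "fx" for h in recent)
    return not (burst and converted)


def evaluate(events, known_payees=frozenset()):
    """Process events in order; return (index, decision, reason) per event."""
    history, decisions = [], []
    for i, e in enumerate(events):
        reason = None
        if e.kind == "topup":
            if not per_card_ok(history, e):
                reason = "per-card limit"
            elif not account_velocity_ok(history, e):
                reason = "account top-up velocity"
        elif e.kind == "transfer_out" and not outbound_ok(history, e, known_payees):
            reason = "large transfer to new payee after top-up burst + FX"
        decisions.append((i, "allow" if reason is None else "review", reason))
        history.append(e)   # a real system would block after the first review; kept linear here
    return decisions


def sample_events():
    """Constructed sequence: six 5k top-ups on six different cards, FX, one 30k transfer out."""
    t0 = datetime(2000, 1, 1, 10, 0)   # arbitrary constructed timestamp
    ev = [Event(t0 + timedelta(minutes=3 * i), "acct-1", "topup", 5_000.0, f"vcard-{i}")
          for i in range(6)]
    ev.append(Event(t0 + timedelta(minutes=20), "acct-1", "fx", 30_000.0, ""))
    ev.append(Event(t0 + timedelta(minutes=25), "acct-1", "transfer_out", 30_000.0, "payee-unknown"))
    return ev


if __name__ == "__main__":
    for idx, decision, why in evaluate(sample_events()):
        print(idx, decision, why or "")
```

Run as written, the per-card rule alone passes all six top-ups, because each one is on a different card; the account-level window flags the third, and the outbound rule flags the 30k transfer.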

Hi, community!

Any claim that Revolut was subject to a breach of its robust security controls is entirely untrue. We are investigating an isolated incident of a phishing attempt and are in contact with the customer as well as the relevant authorities to resolve the matter, however, we cannot comment on the circumstances of individual cases. Our in-app chat offers 24/7 support to our customers, including a team dedicated to assisting anyone who believes they have fallen victim to cybercrime. We always work quickly to protect a customer’s account, investigate and take the appropriate action.

We strongly advise you to read our blog post:

Best,

Andreas K.

1 Like

Maybe if Revolut offered a 2FA method other than SMS we could avoid SIM swap scams.

4 Likes

I’d love to see something like Google Authenticator.

5 Likes

Give the option to sign in with a Google account.

1 Like

Like
Both need an SMS code and a code sent by email.

1 Like

Hi @AndreasK

SIM Swap has been ruled out by his carrier Swisscom.
But as we know, SMS can easily be intercepted without any SIM swap just by abusing the SS7 inter-carrier protocol to suggest this user is roaming in another network, which results in SMS messages being forwarded to that network. As nowadays not only the "monopoly national telco" can run a mobile network but many small companies do, this is quite a common activity, as not all network providers have stringent controls over their networks.

Implementing 2FA without involving SMS would be very welcome indeed and would increase security a lot. If it is really assumed to be the kind of attack where intercepting SMS was part of gaining access to his Revolut account, this would have helped protect it.

BTW: Isn’t there an information pop-up message/email when a second device logs in to the same Revolut account?

5 Likes

I 2nd that!
2FA both for outgoing AND incoming money is needed.
For the security of both Revolut and Revolut's customers…

2 Likes

Any info on what app version the Swiss customer used?
5.x, 6.x? Android? iOS?

In the initial news story, there's no information concerning OS/app version.

Very interesting story by a "banking news blog" in Switzerland:

According to that, multiple users have been phished by SMS telling them to verify their Revolut account by clicking on the included link.

Sorry, but if a user clicks on a link to verify any account, he's simply stupid and hasn't taken on board any of the many messages about how to protect against phishing in the last few years. If that user's claim to be a cyber-security expert for a big company is true, I would look for a replacement!

Nevertheless, what is still true is that Revolut's abuse system didn't shut down the account in time, nor did Visa's anti-abuse system work. So it's not only Revolut's failure; the issuer of the Visa card is also to blame!
So the assumption made in this second article that the neo-bank's systems are the only systems that failed to detect irregularity and abuse is simply not true. The issuer of the Visa card has the same issue.

The attack looks like SMS phishing.
We will see if Revolut gets stronger with the crisis: crisis management is very important.

1 Like

I think another weakness of Revolut is that the unlock PIN is the same as the one to confirm transactions; these two should be separate.

1 Like

Good article, thanks for sharing.

It goes without saying, but adding written notices in all kinds of communications, such as those from Apple, Microsoft and other companies (my bank does that), stating that "we will never ever ask you for your password, login or any other personal details by email, SMS or instant messaging" could help avoid some of these situations.

I personally would definitely not tap on that link, but when you want to reach a wider, not so tech-savvy market, you need to be crystal clear, rather than having a blog post somewhere which very few will read (and, by the looks of the article, perfectly timed).

2 Likes

@AndreasK is there any specific email address or web form where we could report any of these abuse or spam attempts so you can investigate further or at least be notified?

2 Likes

I would very much prefer to have a normal multi-device (web included) login / password / 2FA, possibly plus a phone number as a backup in case you lose your 2FA, so that you can log in to your account like with a traditional bank. To me, linking your "bank" account to a phone number is creepy. But this is just my humble opinion. This idea pops up here and there from time to time, but there is no evidence of Revolut's willingness to go in this direction.

3 Likes

I cannot imagine how someone doing SIM phishing would also know your unlock PIN for the app…
The other question is what mobile company would allow this by phone; all normal companies I know in my country will ask you to go to an office and present ID if you want any major changes to your phone number?!
Also, my bank does not allow auto top-up, for example (without 3D), and always requires 3D for any top-up.
So I think here we are talking much more about a combination of weaknesses in the mobile company + the bank, rather than all the fault lying with Revolut.

I would be happy if there were two-way authentication before top-up.
For example, something like a 3D Secure code, or a verification code via SMS.
So you click on "top up", and you get a code via SMS that you have to enter before you get to the top-up window, where you can choose the amount you want to top up.

For sure, it's more comfortable and faster without it, but I'm sure that some customers would be happy to have this function and a little more security.

Revolut could implement this function quite easily(?)
It could also be implemented as an option to enable/disable, so everyone could decide for themselves.
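An added example, not from the thread or from Revolut, of the server side of the top-up confirmation proposed above. It goes one step further than the post: instead of issuing the code before the amount is chosen, the code is an HMAC over the specific account, card and amount, so a code intercepted or phished for one top-up cannot confirm a different one; it is also single-use, expires, and locks after a few wrong attempts. The delivery channel (SMS here, as in the post) is left out of the example and is the weak link the rest of the thread discusses. The server key, TTL, attempt limit and identifiers are assumptions:

```python
"""Top-up confirmation codes bound to (account, card, amount): issue and verify (constructed example)."""
import hmac
import secrets
import time
from hashlib import sha256
from typing import Optional


class TopUpConfirmation:
    def __init__(self, server_key: bytes, ttl_s: int = 120, max_attempts: int = 3):
        self.key = server_key            # assumed server-side secret; never sent to the client
        self.ttl = ttl_s
        self.max_attempts = max_attempts
        self.pending = {}                # challenge id -> challenge state

    def _code(self, account: str, card: str, amount_chf: float, nonce: bytes) -> str:
        """6-digit code derived from the transaction details plus a per-challenge nonce."""
        msg = f"{account}|{card}|{amount_chf:.2f}|{nonce.hex()}".encode()
        mac = hmac.new(self.key, msg, sha256).digest()
        return str(int.from_bytes(mac[:4], "big") % 10 ** 6).zfill(6)

    def issue(self, account: str, card: str, amount_chf: float, now: Optional[float] = None) -> dict:
        """Create a challenge for one specific top-up; returns what the user is sent."""
        now = time.time() if now is None else now
        nonce, cid = secrets.token_bytes(16), secrets.token_hex(8)
        self.pending[cid] = {"account": account, "card": card, "amount": amount_chf,
                             "nonce": nonce, "expires": now + self.ttl, "attempts": 0}
        code = self._code(account, card, amount_chf, nonce)
        # The message states what the code authorises, so the user can spot a mismatch.
        text = f"Code {code} confirms a top-up of CHF {amount_chf:.2f} from card {card}. Never share it."
        return {"id": cid, "code": code, "message": text}

    def confirm(self, cid: str, account: str, card: str, amount_chf: float, code: str,
                now: Optional[float] = None) -> bool:
        """Verify against the details presented now, not just the stored ones."""
        ch = self.pending.get(cid)
        if ch is None:
            return False
        now = time.time() if now is None else now
        if now > ch["expires"]:
            self.pending.pop(cid)
            return False
        ch["attempts"] += 1
        if ch["attempts"] > self.max_attempts:
            self.pending.pop(cid)            # lock this challenge; user must request a new one
            return False
        expected = self._code(account, card, amount_chf, ch["nonce"])
        ok = ((account, card) == (ch["account"], ch["card"])
              and hmac.compare_digest(expected, code))
        if ok:
            self.pending.pop(cid)            # single use
        return ok


if __name__ == "__main__":
    svc = TopUpConfirmation(secrets.token_bytes(32))
    ch = svc.issue("acct-1", "card-1", 5_000.0)
    print(ch["message"])
    print("wrong amount accepted?", svc.confirm(ch["id"], "acct-1", "card-1", 30_000.0, ch["code"]))
    print("right amount accepted?", svc.confirm(ch["id"], "acct-1", "card-1", 5_000.0, ch["code"]))
```

Because the amount is part of the MAC input, the code in the message can only ever confirm the top-up it names; this is the same idea as dynamic linking in 3D-Secure, which the thread keeps coming back to.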