In today's newspaper there is a story about a Swiss Revolut user losing 30kCHF:
«Schweizer Kunde verliert bei Revolut 30’000 Franken» ("Swiss customer loses 30’000 francs at Revolut")
Summarized, there have been multiple top-ups through the Visa card saved in the Revolut account of this user, each 5kCHF up to 30kCHF in short succession.
Next the funds have been converted to Dirham (currency of the UAE) and then sent on to an account in the name of «Anastasja Mihhailova».
This happened until the Revolut account was blocked.
Obviously the user complained about not having any decent contact possibilities other than the in-app chat to Revolut. Questions by the newspaper to Revolut have only vaguely been answered with the emphasis that great security precautions are in place. The user himself claims to be a cyber-security expert and rules out being a victim of phishing or similar.
To me this sounds like many security precautions failed.
1. Why did Visa and/or the issuer of this Visa card allow multiple 5kCHF cash transfers through in short succession? For all my cards this would be absolutely unusual behaviour.
2. Same question to Revolut: why did they not stop the second top-up, or at the latest the third? Same reason as under 1.
3. Why did Revolut allow the fund transfer to another account just a very short time afterwards? Their AML precautions should have stopped this, definitely. All those points about following the trail of money, esp. if there are bigger sums involved, etc. didn’t seem to count here. Why should this Revolut user transfer such a large sum to an up till then unknown user?

From the user's perspective, how to protect against this, besides strong passwords and the usual precautions to be taken while using any kind of IT devices?
I would never have a credit/debit card saved in the Revolut account for top-ups; use bank transfers. They are slower but for sure much more controlled than what happened here.
As for the issuer/acquirer: for our benefit, they should introduce 2FA (aka 3D-Secure) for all online transactions as soon as possible, no exceptions!
I know, security and comfort go in different directions, but if it’s about my money and I could opt in, I’d immediately do it.
On the other hand, if that user regularly transfers such large amounts of money, he’s a prime target of a cyber attack. If his mobile device is compromised, even 3DS would not help prevent this if the approval must be given on the same device as the fraud is executed.
@AndreasK: Are there any official statements from Revolut in response to this newspaper article with an explanation of what really happened?