Swiss Customer loses 30kCHF

So inconvenient… I realized I could enable it just when I was replying to this thread. The previous time I tried, it said “top up from card a few more times” and it was greyed out, and I hadn’t topped up recently.

</ offtopic>

Follow-up article (in German): https://m.tagesanzeiger.ch/articles/24180711

TL;DR:

  • 8 victims known by now; it happened last weekend
  • 6 of which have admitted it was a phishing attack (2 denying it)
  • SMS redirected to a website requesting the Revolut PIN
  • One victim said she had just swapped her SIM card, then received the SMS to confirm her Revolut account. She thought it was standard procedure
  • Money transferred to other Revolut users
  • If a top-up card was registered, they first transferred more money from there. Security systems let it through because Revolut was considered a trusted receiver due to transaction history (issuer bank statement)
  • Revolut confirmed it will reimburse victims

I still don’t understand though how they could pull it off. How did they know all the phone numbers, and how could they get the SIMs or intercept/forward smartphone communication to so many numbers?

Edit 2:
Apparently, the phishing attack has been taking place for weeks, the actual money transfers last Saturday.

5 Likes

N26 had similar “attacks” I think.

Finding phone numbers can be some work but in essence, Revolut helps. If I share my contacts with the App, I see which of these have Revolut. So one way would be harvesting numbers and then check if they have Revolut.

Another attack could be some form of Trojan app (a simple game with “added features” which transfers information about the installed apps to a server of the attackers).

Getting the SMS is not so hard either. If it’s the rogue app, simply intercept the SMS and send it to the attackers’ server.

There is another way to redirect SMS, although it requires much more effort and normally requires access to the SS7 network used to interconnect with the home operator of the SIM in question. It has been done in the past.

1 Like

Very simple:
You have to give the Revolut app access to the contact list if you want to be able to do transfers; the app is able to see from the phone number whether another person also has Revolut or not…

Meaning: someone read the contacts, sent out some phishing SMS, and from the first victim they got both money and contacts, and from there they started all over again…

OR the database storing the phone numbers was hacked…

A simple “brute force” seems unlikely; too many phone numbers would have had to be tried. Unless Swisscom (the phishing SMS is said to have been sent through their system) has a severe security breach in its SMS gateways, it’s undoable.

This is the most plausible explanation in my opinion.

It [visibility on one side without contact entries on both side] also was seen as an issue for quite a while:


2 Likes

Ok, but the phishing attack / Revolut PIN is only one factor. The other is the SMS Revolut sends when you want to pair your app with the account. How did they get past that?

1 Like

Something I haven’t mentioned in my summary above is that the victims are apparently completely frustrated by the lack of communication. Yes, it was their fault, at least in part – I mean, one would think people would know by now about phishing. (On the other hand, at least in the case mentioned in the article, the attack was perfectly timed.)

But whatever happened exactly, and whoever is at fault, Revolut should at least help sort everything out, talk to the victims, and hand out whatever information they have in order to file a proper police report.

3 Likes

And help us so it doesn’t happen to someone else.

Damn that domain, I think I’d fall for it…

1 Like

Yeah, the real person to blame is the guy who came up with the co.uk domain scheme.:wink:

Well, I did fall for it. The link I got via SMS was revolutapp.co.uk/login. I even googled it to see if it was a scam or fraud, and googled “revolut login” and was shown this very domain as one of the first results (bookmarks and screenshots as proof). Luckily, my account got blocked almost instantly and no money was charged on my credit card. After reading this, I’ve been trying to get hold of support staff in the in-app chat for hours now to help me unblock my account. So far, no answer.

1 Like
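The lookalike-domain problem in the post above (revolutapp.co.uk is a different registrable domain from revolut.com, even though it reads as “the Revolut app”) is exactly what a small link-checker can catch mechanically. The following is an added example written for this page, not code from Revolut or from anyone in the thread: it pulls URLs out of SMS bodies, reduces each host to its registrable domain, and flags any link whose registrable domain is not on an allowlist but still carries the brand name, which is the classic smishing pattern. The allowlist, the hardcoded multi-label suffix set, and the sample messages are all assumptions constructed for the example; a real tool would load the public suffix list and the institution’s published domains.

```python
import re
from urllib.parse import urlsplit

# Assumption for this example: the only registrable domain the bank really uses.
# Verify the actual list with the institution before relying on it.
LEGIT_DOMAINS = {"revolut.com"}

# Second-level public suffixes handled explicitly so that "revolutapp.co.uk" reduces
# to "revolutapp.co.uk" rather than to "co.uk". A real tool would use the public
# suffix list (e.g. the tldextract package); this short set is an assumption.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.nz", "co.jp"}

BRAND = "revolut"


def registrable_domain(host):
    """Return the registrable (eTLD+1) part of a hostname, e.g. 'revolutapp.co.uk'."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    for suffix in MULTI_LABEL_SUFFIXES:
        n = suffix.count(".") + 1  # number of labels in the suffix
        if len(labels) > n and ".".join(labels[-n:]) == suffix:
            return ".".join(labels[-n - 1:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def extract_urls(text):
    """Find http(s) URLs and bare host/path links, the form SMS lures usually take."""
    return re.findall(r"(?:https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(?:/[^\s]*)?", text)


def classify_url(url):
    """Return (verdict, registrable_domain, reason) for one link."""
    if not url.startswith(("http://", "https://")):
        url = "http://" + url  # urlsplit needs a scheme to populate .hostname
    host = urlsplit(url).hostname or ""
    reg = registrable_domain(host)
    if reg in LEGIT_DOMAINS:
        return ("legit", reg, "registrable domain is on the allowlist")
    if BRAND in reg:
        # revolutapp.co.uk: the brand is baked into a domain the bank does not own
        return ("phish", reg, "brand name in a registrable domain that is not the bank's")
    if BRAND in host:
        # revolut.com.secure-verify.net: the brand only appears in a subdomain
        return ("phish", reg, "brand name only appears in a subdomain")
    return ("unknown", reg, "no brand reference; treat with suspicion")


def scan_sms(messages):
    """Classify every link in a list of SMS bodies -> [(url, domain, verdict, reason)]."""
    results = []
    for msg in messages:
        for url in extract_urls(msg):
            verdict, reg, reason = classify_url(url)
            results.append((url, reg, verdict, reason))
    return results


# Constructed sample messages modelled on the thread; not real captured SMS.
SAMPLE_SMS = [
    "Revolut: your new device needs confirmation. Log in at revolutapp.co.uk/login",
    "Confirm your account: https://revolut.com.secure-verify.net/login",
    "Your statement is ready: https://www.revolut.com/",
    "Unblock your account now: http://revolut.app-login.io/",
]

if __name__ == "__main__":
    for url, reg, verdict, reason in scan_sms(SAMPLE_SMS):
        print(f"{verdict:8} {reg:28} {url}  ({reason})")
```

The check deliberately ignores the scheme, the path and any “login” wording: the only thing that decides trust is the registrable domain, which is also the only thing a user can realistically verify by hand. Note that the same rule would have caught the link in the post above even though a search engine ranked it highly; ranking says nothing about ownership.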

All these neo-banking apps are being targeted. A very similar case is happening with bunq users – they get an SMS saying they need to unblock their account, people go to the link and it’s obviously a fake login screen.

I’ve also seen phishing with the payment links - they get one of your contacts, and send a fake payment link that looks like the actual payment link from this contact but the transfer in the end goes to another account.

2 Likes

I was one of the customers targeted by this phishing attempt.
After reading this thread, I decided to take the following measures:

  • remove the linked credit card and use just bank transfer for top-ups
  • deactivate contact authorization, so I’m not listed in anybody’s account as a Revolut user
  • set a limit for each credit card
  • keep the amount of money as low as possible

These are only my personal measures and are not to be understood as recommendations.

What are your actions?

1 Like

Sadly, it doesn’t work like this.
If your number is in a person’s contact list you will show up as a :r: user no matter if you gave permission to your contact list or not.

2 Likes

I use vaults because they allow me to separate money into two parts: one which is accessible from cards and one which is not. When I need more money I simply release more from the vault. For my physical cards I have deactivated the magnetic stripe and online transactions. I have set limits on my virtual cards and I use only disposable cards to pay on the internet.

1 Like

I can confirm this (not happy with this). :neutral_face:

3 Likes

That privacy option would be a good one, but keep in mind you’re mixing concepts.

Allowing the share of your contact list is not intended to enable/avoid your status as :r: user for other people, but the opposite.

You’re not enabling your own status to others but the status of your contacts in your own listing so you can see who can receive your payments/requests.

Ah right - I remember reading in the community that this has been criticized.

I even linked it in this thread.