Swiss Customer loses 30kCHF

But you should have this from your underlying card issuer? I have it, and I cannot top up without entering the CVV every time and being redirected to the 3D Secure code from my local bank.

1 Like

PS: in the new iOS beta there is a “this device is safe” toggle. Support told me that when it is on, it will not require SMS for transfers on this device. I don’t remember having that option previously. Does somebody else have details on this?

1 Like

@Vebaev Was it always like that for you (3DS each time from your local bank), or did Revolut introduce that just recently? For me there was a 3DS request a few times, but after that no 3DS.

Yes, it was always like that, every single time CVV+3D, and I have no option for auto top-up; when I asked, support told me that my bank and card require this.

I like your bank already :+1:

1 Like

On Android this option has been available for some time. After an OS update I had to log in to Revolut again and was asked if I wanted to activate it, with the text you got from support as the explanation. Although SMS is a very insecure 2FA, it’s better than nothing. It still keeps away the less sophisticated phishing attacks.

1 Like

I also have that option after upgrading today to 6.5 on iOS. Some of us were wondering what that feature was for.

Along with a nice banner with “Revolut will never ask for your SMS or PIN code”.

1 Like

I didn’t either, but a recent thread helped me find it: it does not display because I needed to top up by card a few times first, while I had been topping up by bank transfer.

Go to in-app help and type “auto” or similar in your language; a FAQ article will appear with a link inside, and tapping on the link will take you to the feature even if it’s disabled.

Not in my case; I have been topping up for 1.5 years and using :r: daily. I asked and they said it is required by my card and bank, so anyway I’m not even mad :slight_smile: 3D is safer anyway :slight_smile:

PS: If I follow this method of yours I see the feature, but it says none of my cards support auto top-up.

So inconvenient… I realized I could enable it just as I was replying to this thread. The previous time I tried, it said “top up from card a few more times”, it was greyed out, and I hadn’t topped up recently.

</ offtopic>

Follow-up article (in German): https://m.tagesanzeiger.ch/articles/24180711

TL;DR:

  • 8 victims known by now; it happened last weekend
  • 6 of which have admitted it was a phishing attack (2 denying it)
  • SMS redirected to a website requesting the Revolut PIN
  • One victim said she had just swapped her SIM card, then received the SMS to confirm her Revolut account, and thought it was standard procedure
  • Money transferred to other Revolut users
  • If a top-up card was registered, they first transferred more money from there. Security systems let it through because Revolut was considered a trusted receiver due to transaction history (issuer bank statement)
  • Revolut confirmed it will reimburse victims

I still don’t understand though how they could pull it off. How did they know all the phone numbers, and how could they get the SIMs or intercept/forward smartphone communication to so many numbers?

Edit 2:
Apparently, the phishing attack had been taking place for weeks; the actual money transfers happened last Saturday.

5 Likes

N26 had similar “attacks” I think.

Finding phone numbers can be some work, but in essence Revolut helps. If I share my contacts with the app, I see which of these have Revolut. So one way would be harvesting numbers and then checking if they have Revolut.

Another method could be some form of Trojan app (a simple game with “added features” which transfers information regarding installed apps to a server of the attackers).

Getting the SMS is not so hard either. If it’s the rogue app, it simply intercepts the SMS and sends it to the attackers’ server.

There is another way to redirect SMS, although it requires much more effort and normally requires access to the SS7 network used to interconnect with the home operator of the SIM in question. It has been done in the past.

1 Like
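The harvesting path described in the post above (feed a large set of numbers to the contact-sync lookup and keep the ones that come back as Revolut users) is also what a service can look for on its own side. The following is an added example, not code from the forum or from Revolut: it runs two heuristics over constructed contact-sync log lines, flagging clients that submit far more distinct numbers than a real address book would contain, and clients whose numbers form a contiguous range, which is what counting through a number block looks like. The log format, the `client=` field, the thresholds and every phone number are assumptions made up for this example.

```python
"""Detecting contact-sync enumeration from server-side logs (constructed example).

A contact-sync endpoint answers "which of these numbers have an account?".
Harvesting abuses it by submitting numbers in bulk. Real address books are
sparse and of modest size; enumeration is large and/or sequential.
"""
import re
from collections import defaultdict

# Assumed log shape: "<timestamp> client=<id> sync numbers=<comma-separated E.164 list>"
LINE_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) sync numbers=(?P<numbers>\S+)$")
E164_RE = re.compile(r"\+\d{8,15}")

# Constructed sample log. c001/c002 look like ordinary address books,
# c003 walks a contiguous block in two batches, c004 submits many scattered numbers.
SAMPLE_LOG = "\n".join([
    "2019-10-21T10:00:01Z client=c001 sync numbers=+41790000001,+41795551234,+41791234567",
    "2019-10-21T10:00:05Z client=c002 sync numbers=+41791111111,+41792222222",
    "2019-10-21T10:01:00Z client=c003 sync numbers=" + ",".join(f"+4179{100 + i:07d}" for i in range(10)),
    "2019-10-21T10:01:10Z client=c003 sync numbers=" + ",".join(f"+4179{110 + i:07d}" for i in range(10)),
    # step 7919 is just a constructed spread so the numbers are clearly non-sequential
    "2019-10-21T10:02:00Z client=c004 sync numbers=" + ",".join(f"+4179{1000000 + i * 7919:07d}" for i in range(25)),
    "unrelated line that the parser must skip",
])


def parse_sync_log(log_text):
    """Return {client: set of distinct numbers submitted across all of its batches}."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore unrelated or garbled lines
        for num in m.group("numbers").split(","):
            if E164_RE.fullmatch(num):
                seen[m.group("client")].add(num)
    return seen


def sequential_ratio(numbers):
    """Fraction of adjacent numbers (after sorting) that differ by exactly one.

    A genuine address book gives a ratio near 0; counting through a number
    block gives a ratio near 1.
    """
    vals = sorted(int(n.lstrip("+")) for n in numbers)
    if len(vals) < 2:
        return 0.0
    consecutive = sum(1 for a, b in zip(vals, vals[1:]) if b - a == 1)
    return consecutive / (len(vals) - 1)


def find_enumerators(log_text, max_distinct=2000, min_for_ratio=10, max_ratio=0.5):
    """Return {client: [reasons]} for clients whose sync traffic looks like enumeration.

    Thresholds are assumptions; tune them against the real distribution of
    address-book sizes before alerting on them.
    """
    findings = {}
    for client, numbers in parse_sync_log(log_text).items():
        reasons = []
        if len(numbers) > max_distinct:
            reasons.append(f"{len(numbers)} distinct numbers exceeds {max_distinct}")
        ratio = sequential_ratio(numbers)
        if len(numbers) >= min_for_ratio and ratio > max_ratio:
            reasons.append(f"sequential ratio {ratio:.2f} looks like range enumeration")
        if reasons:
            findings[client] = reasons
    return findings


if __name__ == "__main__":
    for client, reasons in find_enumerators(SAMPLE_LOG).items():
        print(client, "->", "; ".join(reasons))
```

With the defaults only c003 is reported (its twenty numbers are one unbroken range); lowering `max_distinct` to 20 additionally reports c004. Beyond detection, the design fix the thread hints at is to not answer lookups at all for numbers that have not opted in to being discoverable, which removes the oracle rather than rate-limiting it.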

Very simple:
one has to give the Revolut app access to the contact list if you want to be able to do transfers; the app is able to see from the phone number whether another person also has Revolut or not…

Meaning: someone read the contacts, sent out some phishing SMS, and from the first victim they got both money and contacts, and from there they started all over again…

OR the database storing the phone numbers was hacked…

A simple “brute force” seems unlikely; too many phone numbers would have had to be tried. Unless Swisscom (the phishing SMS is said to have been sent through their system) has a severe security breach in its SMS gateways, it’s undoable.

This is the most plausible explanation in my opinion.

It [visibility on one side without contact entries on both sides] was also seen as an issue for quite a while:

2 Likes

Ok, but the phishing attack / Revolut PIN is only one factor. The other is the SMS Revolut sends when you want to pair your app with the account. How did they get past that?

1 Like

Something I haven’t mentioned in my summary above is that the victims are apparently completely frustrated by the lack of communication. Yes, it was their fault, at least in parts – I mean, one would think people would know by now about phishing. (On the other hand, at least in the case mentioned in the article, the attack was perfectly timed.)

But whatever happened exactly, and whoever is at fault, Revolut should at least help sorting everything out, talk to the victims, and hand out whatever information they have in order to file a proper police report.

4 Likes

And help us so it doesn’t happen to someone else.

Damn that domain, I think I’d fall for it…

1 Like

Yeah, the real person to blame is the guy who came up with the co.uk domain scheme. :wink:
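The last two posts point at the part of the attack that actually worked on people: a link whose hostname carries the brand name while the registrable domain belongs to the attacker (the co.uk remark above). The following is an added example, not code from the forum or from Revolut, showing the check a mail or SMS filter (or a cautious reader) performs: pull every host out of a message, reduce it to its registrable domain, and flag hosts that mention the brand but are not the brand's own domain, plus raw IP-address links. It assumes `revolut.com` is the only legitimate link target, uses a tiny hand-written subset of the Public Suffix List, and all sample messages and hostnames are constructed; the real phishing domain is not on the page.

```python
"""Flagging lookalike links in SMS text (constructed example).

The registrable domain is what a browser actually connects to; everything to
its left is chosen freely by whoever registered it. "revolut.com-verify.co.uk"
therefore belongs to the owner of "com-verify.co.uk", however it reads.
"""
import re
from urllib.parse import urlsplit

LEGITIMATE_DOMAINS = {"revolut.com"}          # assumption: the only domain the real app links to
BRAND_KEYWORDS = ("revolut",)
# Tiny hand-picked subset of the Public Suffix List; a real filter loads the full list.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.nz", "com.br"}

# A host is either a dotted name ending in an alphabetic TLD, or a dotted-quad IP;
# the scheme and path are optional because SMS links are often bare hostnames.
URL_RE = re.compile(
    r"(?i)\b(?:https?://)?(?:(?:[a-z0-9-]+\.)+[a-z]{2,}|\d{1,3}(?:\.\d{1,3}){3})(?:/\S*)?"
)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Constructed sample messages (no real campaign text).
SAMPLE_SMS = [
    "Revolut: confirm your new device at https://revolut.com/app",
    "Your Revolut account is blocked, verify now: http://revolut.com-verify.co.uk/login",
    "Sign in at revolut-secure.co.uk to keep your account",
    "Track your parcel at http://192.0.2.10/track",
    "Revolut will never ask for your SMS or PIN code",
]


def registrable_domain(host):
    """Return the registrable part of a hostname, e.g. app.revolut.com -> revolut.com."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def extract_hosts(text):
    """Return the hostnames of every link-like token in the message."""
    hosts = []
    for m in URL_RE.finditer(text):
        url = m.group(0)
        if not url.lower().startswith(("http://", "https://")):
            url = "http://" + url       # urlsplit needs a scheme to find the host
        host = urlsplit(url).hostname
        if host:
            hosts.append(host)
    return hosts


def classify_sms(text):
    """Return [(host, verdict)] with verdict in legitimate / lookalike / ip-literal / unknown."""
    findings = []
    for host in extract_hosts(text):
        if IPV4_RE.fullmatch(host):
            findings.append((host, "ip-literal"))
        elif registrable_domain(host) in LEGITIMATE_DOMAINS:
            findings.append((host, "legitimate"))
        elif any(k in host for k in BRAND_KEYWORDS):
            findings.append((host, "lookalike"))   # brand in the name, attacker-owned domain
        else:
            findings.append((host, "unknown"))
    return findings


if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        print(classify_sms(sms) or "no links", "<-", sms)
```

The verdict for the second constructed message is the one that matters: the host starts with `revolut.com`, but `registrable_domain` reduces it to `com-verify.co.uk`, which is not on the allowlist. Reading links from right to left, which is what the function does, is the habit the banner "Revolut will never ask for your SMS or PIN code" is trying to instil.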