SIM hijacking, security measures and bank’s liability

Threats change, but security measures to protect account holders do not. Can banks still blame users in case of fraud? by Andrea Monti – Originally published in Italian by Infosec News

One of the many recent cases reported by the press in Italy concerns the umpteenth fraud committed against a bank account holder by exploiting a SIM hijacking attack. Not even a week ago, I had to deal with a similar case, where through a social engineering attack the scammers misled the customer into giving them the OTP by telephone to finalise the fraudulent transaction.

In many cases, the victim manages to obtain a refund of the stolen amount, but in others the bank refuses, claiming that the client was negligent in not recognising the fraudulent nature of the criminal behaviour. In other, rougher words: the bank does not pay for the outcomes of the victim’s stupidity or ignorance.

However, is that so?

How LinkedIn Helped to Fight a Possible Scam

Among the usual daily flow of e-mails that submerges me, today I spotted a request for contact coming from a North-European research firm active in the healthcare sector. Its CFO asked for information about possible breach-of-contract litigation.

I didn’t have any reason to think of this e-mail as a scam, but there was “something” definitely odd in the message. So I checked both the person and the company name on the Internet, and they were real. Still, I wasn’t convinced and decided to have a look at the message header: again, I got contradictory results. The mail server used to send the message was in a remote part of the US, belonging to a local ISP with no apparent connection with either Europe or the healthcare industry the message was (apparently) coming from.

This couldn’t be a coincidence, so I searched the LinkedIn profile of the manager who allegedly sent me the message and dropped him an InMail (so as to be sure about his identity and affiliation) and… gotcha! He replied confirming that he was not the sender of the message.

In short, it was a scam, and being on LinkedIn helped both me to avoid a fraud and the company to discover that it was the target of identity theft.
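The header check the post describes, as an added example that is not part of the original post: it compares the claimed From: domain with the server that handed the message to the recipient's own mail system. The message, hosts and addresses are constructed, and registered_domain is a crude helper rather than a real public-suffix lookup.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not the message from the post): From: claims a European
# healthcare firm, but the recipient's MX saw it arrive from a US ISP's server.
SAMPLE_MESSAGE = """\
Received: from mx2.example-law.invalid (mx2.example-law.invalid [203.0.113.10])
\tby mail.example-law.invalid with ESMTP; Tue, 3 Mar 2020 09:12:44 +0100
Received: from smtp.localisp-us.invalid (smtp.localisp-us.invalid [198.51.100.7])
\tby mx2.example-law.invalid with ESMTP; Tue, 3 Mar 2020 09:12:41 +0100
Received: from [192.0.2.55] (unknown [192.0.2.55])
\tby smtp.localisp-us.invalid with ESMTPA; Tue, 3 Mar 2020 03:12:38 -0500
From: "CFO" <cfo@nordic-health-research.invalid>
To: lawyer@example-law.invalid
"""

FROM_HOST_RE = re.compile(r"\bfrom\s+([^\s(;]+)", re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def registered_domain(host: str) -> str:
    """Crude 'last two labels' domain, enough for triage."""
    labels = host.lower().strip("[]").rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]

def addr_domain(msg, name: str) -> str:
    """Registered domain of the address in header `name` ('' if absent)."""
    return registered_domain(parseaddr(msg.get(name, ""))[1].split("@")[-1])

def analyse_headers(raw: str) -> dict:
    """Only the Received: header written by the recipient's own infrastructure
    is trustworthy; every hop listed below it could have been forged."""
    msg = message_from_string(raw)
    from_domain, rcpt_domain = addr_domain(msg, "From"), addr_domain(msg, "To")
    sending_host = sending_ip = ""
    # Received: headers are prepended by each hop, so walk top-down and stop at
    # the first hop whose sending host lies outside the recipient's domain.
    for hdr in msg.get_all("Received") or []:
        m = FROM_HOST_RE.search(hdr)
        if m and registered_domain(m.group(1)) != rcpt_domain:
            sending_host = m.group(1)
            ip = IP_RE.search(hdr)
            sending_ip = ip.group(1) if ip else ""
            break
    # A mismatch is a triage signal, not proof: hosted mail services relay for
    # other domains legitimately, so confirm out of band, as the post did.
    suspicious = bool(sending_host) and registered_domain(sending_host) != from_domain
    return {"from_domain": from_domain, "sending_host": sending_host,
            "sending_ip": sending_ip, "suspicious": suspicious}
```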