Beware of Concurrent Online Banking Account Hack & Mobile Phone Service Hack - Real RM10,000 Online Theft Incident in Malaysia

Hackers Spent All The Money In This Man’s Maybank Account In Just One Night

Netizens were alarmed to learn how criminals are becoming more sophisticated when Facebook user Eric Chua posted a detailed account of how he lost RM11,000 overnight from both his current and savings accounts.

He began his post by saying that the incident happened one month ago, when his Maybank online banking account was hacked two days after he received his salary. He then went on to explain what happened.

Eric’s post went viral on social media, gaining thousands of shares and likes before it was removed from public viewing on his profile.

Although he is not entirely sure what actually transpired, he made a calculated guess based on the clues he gathered from the incident

HOW DID THEY DO IT?

Eric suspects that the culprits hacked into his secondary email address and used it to change the password and eventually gain access to his primary email address. With access to his primary email address, the culprits were able to get into his online banking account.

He also thinks that someone impersonated him and went to a Digi dealer late at night, before it closed, to request a SIM card replacement for his phone number.

Later, the criminals used his online banking account to purchase four Samsung handphones and accessories from Mobile 88, an online shopping website.

Payment was made using his online banking account, and the Transaction Authorisation Code (TAC) was sent directly to them because they held the new SIM card they had just obtained.

Unfortunately, Eric was completely oblivious as to what was happening to his hard-earned savings. When he finally realised, it was too late.

“I only realised something was amiss the following morning. While I was driving to work, I noticed my phone had ‘No Service’,” he said.

“When I got into office, tried to access my email but failed because the password had been changed. I checked my online banking account and realised it had been emptied. Luckily my credit cards weren’t affected.”

Following his shocking discovery, Eric tried to stay calm and think of ways to rectify the situation

He called the bank to freeze his online banking account and credit cards.

“I also asked them to reverse the transactions if possible.”

However, after corresponding with the bank officers, Eric was told that “nothing can be done” to reverse the payment because, unlike credit card payments, online banking transactions go through once a valid TAC number is received.

Eric also called his telco to find out what happened and learned that his SIM card was “cloned” the night before. He asked for the SIM card to be suspended.

He made a police report and gave Maybank and Digi a copy so that they would open investigations into the incident. Their responses on the matter were fair but less than satisfactory.

Eric went on to pen down some of the lessons and tips on online banking safety from his nightmarish experience

“This might seem obvious, but keep different login names and passwords for accounts and change them regularly,” he wrote.

He also urged the public to be alert to phishing scams.

He also said that people should stay alert and respond quickly when they see red flags such as a notification of a password change, unusual usage patterns in their email account, or ‘No Service’ on their SIM card.

“Someone could be trying to hack into your account and in my case, it was the first sign that someone had replaced my sim card.”

“Financial planners aren’t going to teach this but keep some of your cash reserves in a separate bank account, preferably non-online or fixed deposit (FD). I managed to pull through the past month because some of my savings were in another account,” he added.

Eric stressed that his anger over the whole experience was about more than the money he lost

“I guess I’m angry not only because of the money lost. My own carelessness that was a factor in it but also because technology and corporate institutions I had come to rely on have seemed to fail me in the past month,” he said.

“Whatever happens after this, I will vote with my feet but my hope is that the banking and telco players, as well as regulators, take note and make improvements to safeguard the system.”

Though he is frustrated, Eric came up with a few points as feedback and suggestions for improvements, especially for banks and telcos in Malaysia

He noted that “online banking security is one-size-fits-all based on ‘general’ customer requirements” while highlighting the fact that he could not “customise safe-guard settings such as disallowing changes in transaction limit online with a TAC”.

He called telcos a weak link in online banking, saying that “TACs as a two-factor authentication system is flawed if a stranger can walk up to a dealer and clone a sim card”. He added that telcos should step up and implement a minimum verification process of scanning or reading identification cards.

Eric also proposed that Maybank and other banks in Malaysia adopt security token devices instead of using a mobile phone to receive TACs in their online banking services. He also suggested that banks make it compulsory for users to change their passwords periodically.

Maybank: #mbbalert It has come to our attention that there has been a message circulating relating to a report on an online website, on a customer’s Maybank2u account purportedly being hacked and his money being withdrawn. This incident, which occurred in 2016, was a result of the username and password of the customer being compromised at his end and his SIM card being hijacked. At no time was our Internet banking system hacked.

Maybank would like to remind our customers never to respond to emails requesting you to update your banking details including providing your Maybank2u credentials. Please also keep your email accounts safe and be wary of SIM cards being hijacked.

You can refer to Security Alert: Don’t be a victim of email or SMS fraud! (Maybank Fraud hotline: +603-58914744) for our regular security updates or contact us anytime for advice or clarification.