Forum: Scammed of $100,000, but fault is not mine alone

sted.

Arch-Supremacy Member
Joined
Jan 1, 2000
Messages
17,409
Reaction score
569
these customers really take things for granted ... due diligence should be checked before clicking rather than blaming OCBC for it ... period
 

occifer

High Supremacy Member
Joined
Mar 9, 2018
Messages
35,876
Reaction score
2,644
The Sms protocol needs to be changed to prevent fake header, not url from being unclickable.

Currently you can put anything in the header and it need not be validated as per the existing SMS protocol.

For unclickable, you can use firewall

Url being clickable would be a great option to have.
Accidental click sending one to a website with virus or trojans isnt fun.
 

Sammychan

Arch-Supremacy Member
Joined
Oct 11, 2007
Messages
19,172
Reaction score
2,289
If it is software, anything is possible. It is just that whether they are willing to provide this feature.
In fact, for stolen phones, telco can track who has the stolen phones by tracking the IMEI. But they don’t provide this feature because MHA acts blur and don’t mandate that they provide this feature.
That one i know and can understand. Only for serious cases like need to solve crimes. Why provide for goondus who dont take care of their phone?
 

tanakow

Supremacy Member
Joined
Jan 3, 2004
Messages
8,843
Reaction score
856
Url being clickable would be a great option to have.
Accidental click sending one to a website with virus or trojans isnt fun.
I think in some browsers you can blacklist certain web site. So dont even need to touch the firewall.
 

Alphas

High Supremacy Member
Joined
Oct 6, 2004
Messages
32,687
Reaction score
1,519
The whole chain of actions from changing limit and transferring money out of country are red flags of fraud. What kind of fraud detection system they have that didn't stop this? :s14: :s11: :vijayadmin:
OCBC is the world's strongest bank, never say never.
 

frigatex

Member
Joined
Mar 13, 2007
Messages
248
Reaction score
32
Don’t know lei.. that’s their reply that they will change it from 5 Jan 2022.
Maybe you try transfer someone money >200 see if got a not.

“The PayNow Authorisation Limit will be reduced from S$1000 to S$200 with effect from 05 Jan 2022.
Paynow transactions above S$200 will require transaction signing via Hardware Token or Elevated OneToken. This applies to both OCBC Digital and Pay Anyone App as well as Internet Banking”

The paynow minimum daily limit was only reduced below $5k after 10th Jan. It was still 5k for me on 10th Jan.

Edit: Sorry misread that you're talking about authorisation limit. But as I said in a previous post, there were some strange inconsistencies between my experience on 10th Jan and when I tried it again today.
 

123456tw

Master Member
Joined
Apr 3, 2008
Messages
4,796
Reaction score
23
Did eveyone who get the message on their phone same inbox as the official ocbc one? Mine was (ocbc) so I knew it was a scam.
 

occifer

High Supremacy Member
Joined
Mar 9, 2018
Messages
35,876
Reaction score
2,644
I think in some browsers you can blacklist certain web site. So dont even need to touch the firewall.

Better to blacklist from SMS to prevent accidental clicks.
Too easy to create new URLs and websites.
 

DragonFire

Arch-Supremacy Member
Joined
Jan 1, 2000
Messages
17,859
Reaction score
1,452
You mean all that was needed is a single OTP? Additional high risk transactions didn’t require another OTP?

Sounds like poor security to me
Actually no OTP is needed if the target is in a specific list.

Now that it has come out that these are very sophisticated hackers who compromised telco systems in a foreign country, some things are more clear.

If you have access to certain telco systems to do with the global SMS routing network, it is possible to redirect all messages directed at a target number that transverse a pre-compromised network. This is network/telecommunications engineer land, so it is a bit difficult to dumb down what is happening.

The key takeaway is that this can be done in a foreign land, away from local jurisdiction. Who knows... the telco engineers maintaining the system might even be on the take.

If your number is already on a list for this to be done, all they need is your login information and a pin.
It is difficult to brute force bank systems for this data since banks lock out accounts the moment 3 pins are wrong.

Social engineering is thus the best means to get valid account login information. SMS validation? Don't need that.
 
Last edited:

DragonFire

Arch-Supremacy Member
Joined
Jan 1, 2000
Messages
17,859
Reaction score
1,452
How do you re-route the SMS?
At the most basic.

1. You know what system the SMS is originating from. You know what gateways they use.
2. You know how the SMS messages are routed from the source network (SMS messenger service) to the destination (Singapore telco)
3. You compromise one of the carriers between source and destination.
4. You set up a redirection instruction in the handling systems to shunt messages for specific numbers to another number (kinda like telephone number redirection)
5. Win.

SMS is not secure. It could be said that it is IMPOSSIBLE to secure because it take MANY MANY hands to clap.
When the weakest link is not within your area of control, there really isn't very much you can do.
 

Adonai.avatar

Master Member
Joined
Aug 17, 2018
Messages
3,515
Reaction score
1,044
bit.ly/3q**** webby address don't look suspicious to her?
She does accept that she was at fault. But what she is saying that once she realized her mistake, there was no mechanism for her to reach bank immediately and block the transactions.
 

DragonFire

Arch-Supremacy Member
Joined
Jan 1, 2000
Messages
17,859
Reaction score
1,452
I think in some browsers you can blacklist certain web site. So dont even need to touch the firewall.
Use Cisco Umbrella or OpenDNS DNS servers. They block known dangerous domains.
 

Adonai.avatar

Master Member
Joined
Aug 17, 2018
Messages
3,515
Reaction score
1,044
Heng my $500,000 bank account got no online access set-up.
Only thru ATM and bank book.
You can still be scammed. Scammers can set up online access for your bank (with their mobile)…you won’t even know thay someone else can access your account online. But this is more difficult for scammers to do so.
 

DragonFire

Arch-Supremacy Member
Joined
Jan 1, 2000
Messages
17,859
Reaction score
1,452
She does accept that she was at fault. But what she is saying that once she realized her mistake, there was no mechanism for her to reach bank immediately and block the transactions.
I agree that the bank frontline staff could have been more helpful. There should be an express queue for those who suspect their accounts have been compromised to request an immediate freeze on the account.

The bank should be liable for losses taken AFTER the staff were notified of the breach since they failed to take immediate priority action.
 

semiret

Supremacy Member
Joined
Nov 4, 2018
Messages
5,231
Reaction score
2,796
Here also can happen what. Why must USA lol. Just need someone to lead. And a lawyer to take it on. The cost of it needs to be ironed out.
I think in US the customers not only can claims back their losses. They also entitled to claim emotional suffering by large amounts of compensations. If they wins their law suit legal fees are base on % of the courts awarded compensation's. So in US they don't need to fork out the legal fees upfront. Here most victims already lost most of their life savings. Now still have raise the money required for the law suit is quite jialat lor.
 

Sammychan

Arch-Supremacy Member
Joined
Oct 11, 2007
Messages
19,172
Reaction score
2,289
I think in US the customers not only can claims back their losses. They also entitled to claim emotional suffering by large amounts of compensations. If they wins their law suit legal fees are base on % of the courts awarded compensation's. So in US they don't to fork out the legal fees upfront. Here most victims already lost most of their life savings. Now still have raise the money required for the law suit is quite jialat lor.
Pro bono lor
 
Important Forum Advisory Note
This forum is moderated by volunteer moderators who will react only to members' feedback on posts. Moderators are not employees or representatives of HWZ. Forum members and moderators are responsible for their own posts.

Please refer to our Terms of Service for more information.
Top