Data Leaked/ Cards Hacked

[beingmohit]

I randomly started getting SMSs regarding OTPs and transaction alerts. As I was already asleep, I did not bother. But, my wife checked it and to our horror, we were getting OTPs for random transactions on Flipkart, and all of them were getting successful. I immediately disabled online transactions on my card. Just then, I started getting OTPs on my RBL card. By the time I was able to disable transactions on my RBL card, another transaction went through successfully. I am confused and unable to understand how this can happen. How can someone hack the OTPs on my phone? Please let me know what I should do now.
Update: The hacker used my RBL card to purchase Flipkart GVs worth 50k. Fortunately, I could add these GVs to my Flipkart account before the hacker could. I discussed the incident with Flipkart and they have initiated a refund for these 50k.
The hacker used my Axis card to purchase 45k worth of Google Play vouchers. As the voucher codes were delivered to the hacker's email, I could not do anything about it. I am in discussions with Google Play support, but the conversations so far don't give me much confidence. I have also registered a complaint with the Cyber Crime Division of Bengaluru Police. They have not yet registered an FIR (only a complaint) as they want us to try and get out money back (You won't be wrong if you are wondering why we pay taxes to fund their salaries). Axis Bank has denied any responsibility as the payments were authorized using OTP.
Please let me know if anyone here has any suggestions about how to get my money back. Should I try to register an FIR? Should I try mailing Axis again?

 

[Makkar]

I never give access any 3rd party app to read/access my google account. if any case if i have to do I am following one specific way.

Like am using Cred app . To ensure that only your credit card statements are accessed by Cred, you can follow these steps:

1. Create a new Gmail account specifically for your credit card statements. This will be your secondary Gmail account.
2. Set up email forwarding rules in your primary Gmail account to automatically forward your credit card statements to your secondary Gmail account. This way, you will receive all credit card-related emails in one place.
3. Grant access to Cred for your secondary Gmail account. This will allow Cred to securely retrieve and analyze your credit card statements without accessing any other personal data.

By following these steps, you can ensure that Cred only has access to your credit card statements and does not have access to any other sensitive information in your primary Gmail account.

 

[Pankhuri]

I never give access any 3rd party app to read/access my google account. if any case if i have to do I am following one specific way.

Like am using Cred app . To ensure that only your credit card statements are accessed by Cred, you can follow these steps:

1. Create a new Gmail account specifically for your credit card statements. This will be your secondary Gmail account.
2. Set up email forwarding rules in your primary Gmail account to automatically forward your credit card statements to your secondary Gmail account. This way, you will receive all credit card-related emails in one place.
3. Grant access to Cred for your secondary Gmail account. This will allow Cred to securely retrieve and analyze your credit card statements without accessing any other personal data.

By following these steps, you can ensure that Cred only has access to your credit card statements and does not have access to any other sensitive information in your primary Gmail account.

While you should always keep your banking to a separate account, doing this for cred is an overkill. To get access to gmail, cred has to pass some security tests. For example, if I create a similar service tomorrow, I won't even get the access to emails as an option. I would first need to apply for this privilege, then have to explain to Google why I need this, then pass some of the security tests on my end. And even after doing all this, this is not unfettered access to emails, you need to specify the kind of emails you look for(part of the why I need this process) and those are provided to you. There is some grey area here, but cred or any similar app never gets full access to all your emails. And penalty for breaking terms is pretty severe. From banning company accounts to blacklisting individual employees. And this is pretty severe, if you are blacklisted on a private or enterprise account, unless reinstated you won't be able to work meaningfully on anything relating to Google. Even if you change company or change account. And you would lose your personal gmail account too in the process. And same rules apply, won't be allowed to make a new one. And by not allowing, not just as a listed policy but something very actively pursued. Even if you are able to outsmart Google for a few days and create an account, it would get banned in 3-4 days when your usage pattern is similar to a banned account. I have seen people lose their whole android development career over a stupid mistake. All of such cases needed to move to some other platform development.

 

[Makkar]

While you should always keep your banking to a separate account, doing this for cred is an overkill. To get access to gmail, cred has to pass some security tests. For example, if I create a similar service tomorrow, I won't even get the access to emails as an option. I would first need to apply for this privilege, then have to explain to Google why I need this, then pass some of the security tests on my end. And even after doing all this, this is not unfettered access to emails, you need to specify the kind of emails you look for(part of the why I need this process) and those are provided to you. There is some grey area here, but cred or any similar app never gets full access to all your emails. And penalty for breaking terms is pretty severe. From banning company accounts to blacklisting individual employees. And this is pretty severe, if you are blacklisted on a private or enterprise account, unless reinstated you won't be able to work meaningfully on anything relating to Google. Even if you change company or change account. And you would lose your personal gmail account too in the process. And same rules apply, won't be allowed to make a new one. And by not allowing, not just as a listed policy but something very actively pursued. Even if you are able to outsmart Google for a few days and create an account, it would get banned in 3-4 days when your usage pattern is similar to a banned account. I have seen people lose their whole android development career over a stupid mistake. All of such cases needed to move to some other platform development.

I think you went into some other direction, I do understand how backend system works. But here the use-case is to generate the insights over spending without compromising your banking account.

 

[Pankhuri]

I think you went into some other direction, I do understand how backend system works. But here the use-case is to generate the insights over spending without compromising your banking account.

My point is that you are not compromising your banking account by giving cred access to it. So no need to create separate email to forward statement emails to.

 

[Makkar]

My point is that you are not compromising your banking account by giving cred access to it. So no need to create separate email to forward statement emails to.

Simple rule : Don't trust anyone.

 

[beingmohit]

While you should always keep your banking to a separate account, doing this for cred is an overkill. To get access to gmail, cred has to pass some security tests. For example, if I create a similar service tomorrow, I won't even get the access to emails as an option. I would first need to apply for this privilege, then have to explain to Google why I need this, then pass some of the security tests on my end. And even after doing all this, this is not unfettered access to emails, you need to specify the kind of emails you look for(part of the why I need this process) and those are provided to you. There is some grey area here, but cred or any similar app never gets full access to all your emails. And penalty for breaking terms is pretty severe. From banning company accounts to blacklisting individual employees. And this is pretty severe, if you are blacklisted on a private or enterprise account, unless reinstated you won't be able to work meaningfully on anything relating to Google. Even if you change company or change account. And you would lose your personal gmail account too in the process. And same rules apply, won't be allowed to make a new one. And by not allowing, not just as a listed policy but something very actively pursued. Even if you are able to outsmart Google for a few days and create an account, it would get banned in 3-4 days when your usage pattern is similar to a banned account. I have seen people lose their whole android development career over a stupid mistake. All of such cases needed to move to some other platform development.

On the one hand, what you say is absolutely true. However, being Indian citizens, it is better to be extra cautious. You mention that there are laws to prevent misuse, but we know how well our laws are implemented.
A few years back, my friend, who worked with Grab Cyber security team told me how all Indian e-com websites store unauthorized data in their DBs. He had a bunch of colleagues who had worked with many ecom giants in India. They told him how they were encouraged to store all kinds of data by these Indian companies, but Grab, being a Singapore-based company, would focus on being compliant with the laws.
I choose not to name the ecom companies that my friend alleges sabotage our data or mention the kind of data they store as I have absolutely no proof of this. But, all of this just makes me wonder how we are just a hack away from potentially getting our lives ruined.

 

[John Since]

Update: I talked to Flipkart customer care and they said that all the gift card orders are on hold. They have assured me they will provide a resolution within the next 2 days. I do not have high hopes as Flipkart is known for terrible customer service.
I will ask one of my family members to lodge an FIR.
I am still confused as to how my Gmail account (with 2FA enabled) was hacked. If Gmail accounts can be hacked with this ease, I don't know how to keep my data safe.

The reason why I changed the email to a new one for all financial transactions where I don't disclose the email anywhere, and it's not gmail.
Gmail is always monitoring us and I don't trust google at all.
We have many devices or website where we use gmail by default.
So better not to use it.

 

[beingmohit]

Update: The hacker used my Axis Magnus to purchase Google Play Store vouchers worth around 50k. After that, he tried to use the card to purchase 50k worth of Flipkart gift cards. But, by then, I had already blocked my card. After that, the hacker used my RBL Shoprite card to purchase Flipkart GV worth 50k. I was able to block my card before he could purchase another GV.
For the Google Play store voucher, the hackers chose to get them delivered over their email (I can see the email id in my orders). But, for the Flipkart GV, although they must have chosen to get them delivered over email, I got the option to add them to my Flipkart account and I did that. I thought if I can add it to my account, I can at least minimize the damages.
I have updated my email passwords, Amazon, Flipkart, Myntra accounts, and bank accounts, and disabled all transactions on all my cards (except for a couple that I may need to use offline). I have the 50k Flipkart GV in my account. I have lodged a complaint with Axis, RBL and Flipkart. Axis and RBL have mentioned a TAT of 120 days. But they assured me I will not be billed for any of these transactions until their investigation is complete (I have the call recordings). Flipkart has promised to provide an update by tomorrow (7 June). I have requested my family members to lodge an FIR as well as a complaint with the cyber security department.
I do not have high hopes. I would be extremely happy if they could identify the hacker and punish him. I care more about punishing the culprit than getting back my money.
I am going to purge all my accounts today, and unlink Gmail to all apps/services that I cannot trust. I will deploy all the security measures some of my fellow members here have suggested.
I want to thank all of you for responding with your suggestions. I hope people can go through this thread and take measures to improve the security of all their accounts.
I want to thank @Deathsnatcher specifically as he was the first to point out that my email may have been compromised, which turned out to be the case. Without his timely suggestion, I might very well have been staring at a loss of lacs of rupees as a few of my cards have quite a high limit.
I am a software developer and I never imagined I would be at the receiving end of such a hack. Maybe, I got complacent and used some service/website/app without thinking much. But, this is an eye-opener for me. I hope it is for others too. I urge everyone to try and secure all their accounts. Adopt whatever means necessary. All it would have taken was for my phone to have been on silent mode for the hacker to have cleaned up lacs and lacs of rupees last night.

 

[Deleted member 9785]

Now that I see it, my email inbox does not have OTPs for any of the Axis or RBL emails. So, I guess whoever got access to my email must have deleted the emails.
All the emails are in Trash. So, it is clear that my email was compromised.

Always have 2FA in email accounts

 

[beingmohit]

Always have 2FA in email accounts

I already have 2FA enabled. The hacker was clearly able to bypass it (not sure how). After getting access to my email, the hacker was able to login to my Flipkart account and access my saved cards. What I do not understand is how did they get my CVV. If it was a trial and error, then they must have made an incorrect try on at least one of the two cards, but they did not.
So, it is clear that some app/service with access to my card data leaked it, along with my Gmail.

 

[hariselio]

I'm confused, how it's possible when 2FA is enabled and Gmail was accessible from somewhere else? And that even with CVV?

Is there a possibility of malpractice by your close ones?

 

[beingmohit]

I'm confused, how it's possible when 2FA is enabled and Gmail was accessible from somewhere else? And that even with CVV?

Is there a possibility of malpractice by your close ones?

All my cards are with me and I have never shared the details of my RBL card with anyone as I have only used it once or twice in 2 years. So, even if some closed one with malicious intent tried to do this, they would never have had access to the RBL card.
When I see my Gmail login history, it shows that there was a session from Ukraine around the time this incident happened. But, I cannot trust them because according to them, my current session was from Peshawar, Pakistan while I was logged in from Gyeonggi-do, South Korea. In case you are wondering, I did not have any VPN enabled when Gmail was showing this location.

 

[Pankhuri]

For the Google Play store voucher, the hackers chose to get them delivered over their email (I can see the email id in my orders).

Try contacting someone at playstore India and inform them of the fraud. They have the authority to block the GV. Don't think they would be refunding money without involvement of the bank though. But at least the hacker won't have the money too.

 

[bonheur]

@beingmohit Are you by any chance using some 3p password manager for your Gmail that also keeps your 2FA codes?

While you should always keep your banking to a separate account, doing this for cred is an overkill. To get access to gmail, cred has to pass some security tests. For example, if I create a similar service tomorrow, I won't even get the access to emails as an option. I would first need to apply for this privilege, then have to explain to Google why I need this, then pass some of the security tests on my end. And even after doing all this, this is not unfettered access to emails, you need to specify the kind of emails you look for(part of the why I need this process) and those are provided to you. There is some grey area here, but cred or any similar app never gets full access to all your emails. And penalty for breaking terms is pretty severe. From banning company accounts to blacklisting individual employees. And this is pretty severe, if you are blacklisted on a private or enterprise account, unless reinstated you won't be able to work meaningfully on anything relating to Google. Even if you change company or change account. And you would lose your personal gmail account too in the process. And same rules apply, won't be allowed to make a new one. And by not allowing, not just as a listed policy but something very actively pursued. Even if you are able to outsmart Google for a few days and create an account, it would get banned in 3-4 days when your usage pattern is similar to a banned account. I have seen people lose their whole android development career over a stupid mistake. All of such cases needed to move to some other platform development.

With financial apps, always err on the side of caution rather than trust. My recent experience with CRED: I got a new card that I hadn't added to CRED yet. But since I'm forwarding all of my card statements to another email account that's visible to CRED, they parsed the statement from that new card account as well and offered me to add to their app. This isn't hard for them to do, but it also clearly proves that they don't just read emails/statements I've authorised them to read.

 

[hariselio]

@beingmohit any idea where's the 2FA backup codes are stored?

Also still no clue on how CVV is accessible?

any key loggers/malwares or something in your phone or laptop?

 

[beingmohit]

@beingmohit Are you by any chance using some 3p password manager for your Gmail that also keeps your 2FA codes?


With financial apps, always err on the side of caution rather than trust. My recent experience with CRED: I got a new card that I hadn't added to CRED yet. But since I'm forwarding all of my card statements to another email account that's visible to CRED, they parsed the statement from that new card account as well and offered me to add to their app. This isn't hard for them to do, but it also clearly proves that they don't just read emails/statements I've authorised them to read.

Nope, I am not

@beingmohit any idea where's the 2FA backup codes are stored?

Also still no clue on how CVV is accessible?

any key loggers/malwares or something in your phone or laptop?

I am not really sure where the 2FA backup codes are stored. Let me try and find it out.
I am clueless about the CVV. I don't see any malicious apps on my phone, or laptop. But, it is kind of difficult to identify what could have caused this issue.

 

[beingmohit]

Try contacting someone at playstore India and inform them of the fraud. They have the authority to block the GV. Don't think they would be refunding money without involvement of the bank though. But at least the hacker won't have the money too.

Try contacting someone at playstore India and inform them of the fraud. They have the authority to block the GV. Don't think they would be refunding money without involvement of the bank though. But at least the hacker won't have the money too.

I have mailed them about the incident. I hope they can cancel the GVs on time

 

[Bugs Bunny]

Are

Later in the thread you mention that email was the culprit. First thing you need to do is start using a password manager. I would recommend bitwarden. Next step should be to enable two factor authentication, I don't know about ios but on android authy is pretty good. Now you need to create a strong password using Bitwarden's password generator and change the password to that.

After these immediate steps, you need to take care of your account. Go to this https://myaccount.google.com/security and start reviewing your activities and third party access. Any app or website you don't recognize, you should remove it's access. Then you need to review your signed in devices. I would suggest to log out from all other devices just to be on the safe side. But before doing that, thoroughly review the devices you are signed on, as one or more of the devices might belong to attacker. Take screenshots of every device, when you see a device name clicking on it would take you to a screen which would show device model, sign in date and some other info, you need to take screenshots of that. Next review your activities, and look for something you don't recognize. Chances of finding fault here are low but you need to be through.

Now for long term, you need to make a new account and update that on all your credit card issuers. And you need to use password manager and 2 factor authentication on it from the start. And use this account strictly for banking and credit cards.

Another thing, if you dont find any suspecious device on your signed on device list, then most likely scenario is that attacker stole a session key from one of your devices. This is harder to do on mobile or tablets compared to laptops. So if that is the case, then you need to wipe your laptop and start with a fresh install of windows or mac. I know this sounds a bit much but if this is the case then you are vulnerable to future attacks.


Less likely scenario is that one of the apps on your mobile went rogue and copied notification data and send it to attacker. Combatting this would require you to again go through your installed apps and remove any you don't recognize or don't use.

Ask any questions you have about this or anything cyber security related. This is my day job, so I think I can contribute a bit here. Sorry this happened to you.

Also at start, password manager or authenticator might seem like a lot but trust me, it makes things so much easier and safer. If you have lots of passwords saved up in google, then you can export them to bitwarden too. Plus bitwarden has apps for every platform and website too. So you can access your passwords from any device you choose, as long as you remember master password.

are password Managers safe?

 

[4uziaul]

Are

are password Managers safe?

Of course they are safe, but not foolproof. 😉

 

[Bugs Bunny]

Of course they are safe, but not foolproof. 😉

ummm then I'd prefer remembering my passwords instead of trusting a password manager. I use several unique combinations for each account.