
Data Leaked/ Cards Hacked

beingmohit

TF Premier
I randomly started getting SMSs regarding OTPs and transaction alerts. As I was already asleep, I did not bother. But, my wife checked it and to our horror, we were getting OTPs for random transactions on Flipkart, and all of them were getting successful. I immediately disabled online transactions on my card. Just then, I started getting OTPs on my RBL card. By the time I was able to disable transactions on my RBL card, another transaction went through successfully. I am confused and unable to understand how this can happen. How can someone hack the OTPs on my phone? Please let me know what I should do now.
Update: The hacker used my RBL card to purchase Flipkart GVs worth 50k. Fortunately, I could add these GVs to my Flipkart account before the hacker could. I discussed the incident with Flipkart and they have initiated a refund for these 50k.
The hacker used my Axis card to purchase 45k worth of Google Play vouchers. As the voucher codes were delivered to the hacker's email, I could not do anything about it. I am in discussions with Google Play support, but the conversations so far don't give me much confidence. I have also registered a complaint with the Cyber Crime Division of Bengaluru Police. They have not yet registered an FIR (only a complaint) as they want us to try and get our money back (You won't be wrong if you are wondering why we pay taxes to fund their salaries). Axis Bank has denied any responsibility as the payments were authorized using OTP.
Please let me know if anyone here has any suggestions about how to get my money back. Should I try to register an FIR? Should I try mailing Axis again?
 
Simple rule : Don't trust anyone.
agree with you, @Makkar .

@Pankhuri , it's not an overkill, trust me.
The list of emails Cred accesses is far bigger than you expect.
I had created a dummy email and gave access to Cred, and I was literally 'Manually Forwarding' statements from my primary email.
Cred was able to read and track all my statements despite the sender being 'myPersonalEmail@xyz.com'.



Mobikwik was not able to read my statements through this setup and eventually I set up an automatic forwarding route like the one @Makkar suggested above. Now the sender stays as the bank email.

And if anyone is setting up auto-forwarding, make sure to add additional filters so that only statements are forwarded and not OTPs.

Technology is there to make our life easier, but safeguarding our data is our responsibility.
 
@Makkar @knight how are you forwarding emails to another account? I tried to forward email with a filter from my personal Gmail to another Gmail but it didn't work. Can you guide?
 
I just don't even understand why people use Cred, it's not even that they offer anything useful. They get access to your statements, seeing what and where you are spending your money!

All for the "convenience" of paying your credit card bills, which I find no inconvenience in paying from Billpay through HDFC or other such services.

Guys, most startups in ecom/fintech etc. store tons of your data in their DBs and regulatory oversight isn't sophisticated enough yet to enforce any privacy norms on them. I would not use/share any sensitive data with such apps unless it's completely necessary and I cannot live without the service!!
 
@beingmohit since you mention that you had used your RBL card only 1-2 times in the whole year, did you check which websites/merchants you had used these on?
It's just shocking how someone could access CVVs / 2FA / email password all at the same time!
 
Poor regulations, mediocre systems/processes and lack of enforcement in many areas facilitate financial crimes, aside from the heavy corruption and "do not care" attitude most people have around.

I can vouch for many others here, your data is being captured (even when they say they don't) and shared/sold around.

I get lots of unwanted calls/SMS which I'm 100% sure came from giving my phone number to specific restaurants (and I believe it's the app/platform they use), and also lots of spam whenever I sign up or put my contact info in quite a lot of e-commerce websites around.
I use unique alias emails for each different website or at least the shady ones and I can tell who's selling or sharing my data because I received spam on that alias email which was unique to X website.

My advice:
-2FA everywhere.
-Keep a separate email for your sensitive matters like banking; even for government services or other personal matters use a different email. Many data leaks also come from the government entities/platforms.
-Password manager either with 2FA or secret key; even mobile OTP can be dangerous in India as there are lots of insider facilitators in telcos. Print and keep copies of the emergency keys in case you lose your 2FA.
This will help you keep different passwords for everything. Often whenever there's a leak hackers will use the same email and password combination in a lot of sites, so if you're reusing, it is a matter of time before you get hacked.
1Password is great for this; without the secret key nobody, not even 1Password, can access your data. It is just required for setting up new devices/sessions.
-Use credit cards. It is often easier to deal with your situation if what got stolen is your credit card info rather than your bank account or debit card. Banks are usually more proactive in solving these issues and often even come with fraud liability waivers or insurance. NEVER use your debit card for the account where you keep money.
-Keep your mobile device safe, don't install apps which haven't been scanned or from unverified or untrustworthy websites where anyone can upload them. Even some Play Store apps later come up with malware or hidden malware. Malware in your phone is among the worst things that could happen to you as they could get access to emails, OTPs, photos, etc.
 
@Makkar @knight how are you forwarding emails to another account? I tried to forward email with a filter from my personal Gmail to another Gmail but it didn't work. Can you guide?

@Strange
You can go to Gmail Settings (see all settings) --> Forwarding and POP/IMAP.
Add a forwarding address and enter your new email; it'll ask for verification.

Then click on the 3-lines icon in the search bar to create a filter. (The above two steps can also be done from this screen.)
You can add filters like 'has attachment' and 'has "statement" in subject or body', based on your bank and how they send mails.
New incoming mails will be forwarded.
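
The forwarding filter described above, combined with the earlier advice to forward only statements and never OTPs, written out as an added example (it is not part of any post in this thread). The sender address, the OTP patterns and the sample messages are assumptions constructed for illustration; Gmail itself is configured through its settings screens, not through this code.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: the address your bank sends statements from (placeholder domain).
BANK_SENDERS = {"statements@bank.example"}
# Assumption: phrases that mark a one-time-password mail.
OTP_PATTERN = re.compile(
    r"\b(otp|one[- ]time (password|passcode)|verification code)\b", re.I)

def body_text(msg):
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""

def should_forward(msg):
    """Forward only bank statements; an OTP match always blocks forwarding."""
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    text = str(msg.get("Subject", "")) + "\n" + body_text(msg)
    if sender not in BANK_SENDERS:
        return False
    if OTP_PATTERN.search(text):
        return False  # exclusion wins even if "statement" also appears
    has_attachment = any(True for _ in msg.iter_attachments())
    return has_attachment and "statement" in text.lower()

def make(sender, subject, body, attachment=False):
    """Build a constructed sample message."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "me@mail.example", subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                         subtype="pdf", filename="statement.pdf")
    return m

SAMPLES = [
    make("Bank <statements@bank.example>", "Your card statement for May",
         "Your statement is attached.", attachment=True),
    make("statements@bank.example", "OTP to open your e-statement",
         "Your one-time password is 000000.", attachment=True),
    make("statements@bank.example", "Transaction alert",
         "INR 500 spent on your card."),
    make("offers@shop.example", "Statement of savings inside",
         "See the attached statement.", attachment=True),
]

def decisions():
    return [should_forward(m) for m in SAMPLES]
```

The second sample is the case the thread warns about: a mail that mentions a statement and carries an attachment but also contains an OTP, so it stays out of the forwarded account.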

 
These were all domestic transactions. I got an SMS for OTP for all the transactions.
Come on man, if you're not in India, you should have disabled your domestic transactions, and international too, except on the one or two cards you are using outside India. All the apps are available; it takes less than 2 min to configure them at max.
 
Realistically there's no point in disabling domestic transactions for the cards you use often, even if you travel overseas. You still need to shop, pay bills and others in India while you're overseas.

The only caveat of international transactions is that most do not require OTP which is the biggest risk here.
 
Come on man, if you're not in India, you should have disabled your domestic transactions, and international too, except on the one or two cards you are using outside India. All the apps are available; it takes less than 2 min to configure them at max.
I think it's not fair to blame him, at least right now. It could happen to any one of us, as these things are getting sophisticated day by day.
 
@gurbina , when using alias emails (I hope you're talking about realEmail+site@gmail), do you face issues while talking to customer care of these sites?
They might not be able to verify your mail since the registered email would be realEmail+site@gmail while you'd be mailing the support from RealEmail@gmail.

Ever tried this?
 
Come on man, if you're not in India, you should have disabled your domestic transactions, and international too, except on the one or two cards you are using outside India. All the apps are available; it takes less than 2 min to configure them at max.
Sometimes it's not really feasible to keep changing limits and enabling cards before txns..

even the bank sites can be down and you end up getting embarrassed at a store or waiting much longer to buy something online.
we can only put our best effort.
 
Bro I have full sympathy for you ..

But my view is quite different here... Isn't this a bit too much.... And how did they get access to the RBL card??
Who would be such a big ch***** as to store all their details on some website or in mail!!😑😑

In the time you have spent commenting here... you could have got all your cards reissued!!

By the way, my Gmail account was hacked too, but nobody dared to make any transaction!!😤😤
the arrogance is astonishing.

financial frauds are way more common than you seem to believe. my friend got 20k stolen from both his debit and credit cards as soon as salary was credited.
The acct was barely 3 months old and he hadn't used both cards on any platform. Bank later returned most of the money after FIR and complaints after 90 days.
 
@gurbina , when using alias emails (I hope you're talking about realEmail+site@gmail), do you face issues while talking to customer care of these sites?
They might not be able to verify your mail since the registered email would be realEmail+site@gmail while you'd be mailing the support from RealEmail@gmail.

Ever tried this?
Never had issues, you can actually create email addresses under your own or fastmail domain, or just aliases. I do have a mix of both for no reason but they're not so different from each other for practical purposes when using FastMail

For aliases I hope this answers your questions:
When replying to a message that was sent to a Masked Email address, the Masked Email address will be used by default to reply. Other email addresses can be selected on the Compose screen when replying.
 
the arrogance is astonishing.

financial frauds are way more common than you seem to believe. my friend got 20k stolen from both his debit and credit cards as soon as salary was credited.
The acct was barely 3 months old and he hadn't used both cards on any platform. Bank later returned most of the money after FIR and complaints after 90 days.
And based on that incident also I can vouch that credit cards are safer..

all txns on debit card went through, even though they were unusual.
But bank blocked credit card txns after a few and called to confirm if he was using the card since the txns were unusual.
 
If it was a trial and error, then they must have made an incorrect try on at least one of the two cards, but they did not. - Damn, how did he know your CVV? That's very dangerous. He didn't need to guess; he already had the data, it seems.
I already have 2FA enabled. The hacker was clearly able to bypass it (not sure how). After getting access to my email, the hacker was able to login to my Flipkart account and access my saved cards. What I do not understand is how did they get my CVV. If it was a trial and error, then they must have made an incorrect try on at least one of the two cards, but they did not.
So, it is clear that some app/service with access to my card data leaked it, along with my Gmail.
 
Oh yeah, I did not consider that.
Realistically there's no point in disabling domestic transactions for the cards you use often, even if you travel overseas. You still need to shop, pay bills and others in India while you're overseas.

The only caveat of international transactions is that most do not require OTP which is the biggest risk here.
 