
Data Leaked/ Cards Hacked

beingmohit

TF Premier
I randomly started getting SMSs regarding OTPs and transaction alerts. As I was already asleep, I did not bother. But, my wife checked it and to our horror, we were getting OTPs for random transactions on Flipkart, and all of them were getting successful. I immediately disabled online transactions on my card. Just then, I started getting OTPs on my RBL card. By the time I was able to disable transactions on my RBL card, another transaction went through successfully. I am confused and unable to understand how this can happen. How can someone hack the OTPs on my phone? Please let me know what I should do now.
Update: The hacker used my RBL card to purchase Flipkart GVs worth 50k. Fortunately, I could add these GVs to my Flipkart account before the hacker could. I discussed the incident with Flipkart and they have initiated a refund for these 50k.
The hacker used my Axis card to purchase 45k worth of Google Play vouchers. As the voucher codes were delivered to the hacker's email, I could not do anything about it. I am in discussions with Google Play support, but the conversations so far don't give me much confidence. I have also registered a complaint with the Cyber Crime Division of Bengaluru Police. They have not yet registered an FIR (only a complaint) as they want us to try and get our money back (You won't be wrong if you are wondering why we pay taxes to fund their salaries). Axis Bank has denied any responsibility as the payments were authorized using OTP.
Please let me know if anyone here has any suggestions about how to get my money back. Should I try to register an FIR? Should I try mailing Axis again?
 
After reading almost all the comments, some of which were very long, I skimmed through them. Also, I disabled everything on the card that was eating dust. Duh! I set limits according to usage.
Ditto!! Checked my Google account security, changed limits for my cards. Happy to spend extra 5 mins for big transactions.

Better late than an accident

 
the arrogance is astonishing.

financial frauds are way more common than you seem to believe. my friend got 20k stolen from both his debit and credit cards as soon as salary was credited.
The acct was barely 3 months old and he hadn't used both cards on any platform. Bank later returned most of the money after FIR and complaints after 90 days.
Bro this is not the arrogance!!

This is the confidence when you follow necessary measures and proper security!!
One is the custodian of his own money!! It's up to him how securely and better he can manage..
Otherwise no one else in this world gives a damn!!

And I have in the very first line said. But it is also important to say hard things also.

In last line I just wanted to say keep your financial data in such a way that even your account is hacked no one should be able to get hold of anything.

And in your friend's case may I know the final outcome?? Was the fault from bank side?
This is a new type of case.. if you haven't used your CC/DC ever then this is quite strange!!🤔🤔
 
I am not sure what you're trying to say here. First off, you don't need to save details of websites in your email for bad actors to get access. If you keep yourself logged in through Chrome or any browser and happen to run any malware by accident, the cookies can be used by the bad actors to get access to your accounts.

I loved the last line. It is like saying "I fell into the drain but the dogs didn't have the guts to pee on me." Overconfidence and arrogance at its best.
Bro this shows your character!!
I think last line better suits you!!😂😂

Everyone is free in this forum to express their opinions.

Don't say this gutter and 3rd class word. Otherwise you will also get same type of reply with same bad words.😡😡

I am showing maturity here and not replying in your language!!😤😤
 
If it was a trial and error, then they must have made an incorrect try on at least one of the two cards, but they did not. - damn, how did he know your CVV? That's very dangerous; he didn't need to guess, he already had the data, it seems.
You don't need correct CVV in Flipkart, Myntra etc. for at least Axis cards. Even if you enter wrong one, transaction will go through. They are not verifying CVV.
🥲
 
You don't need correct CVV in Flipkart, Myntra etc. for at least Axis cards. Even if you enter wrong one, transaction will go through. They are not verifying CVV.
🥲
I think, for tokenized card only.

When you input complete card details at the time of making payment, then also wrong CVV is working?

Have you verified it?
 
I tested only for already saved cards.

Yep. Been doing purchases that way only on swiggy and flipkart 😅
For tokenized card CVV is for name sake only.
I learned it the hard way.

My simply Click and Cashback SBI both are saved on Amazon.

By mistake I selected Simply Click but Entered CVV of Cashback SBI, since I thought I selected Cashback SBI.
Txn Becomes successful and I lost 5% CashBack 😥

Then I again tested but this time I entered Complete card details and Wrong CVV. This time txn declined.
 
@gurbina, when using alias emails (I hope you're talking about realEmail+site@gmail), do you face issues while talking to customer care of these sites?
They might not be able to verify your mail since the registered email would be realEmail+site@gmail while you'd be mailing the support from RealEmail@gmail.

Ever tried this?
If you are in the Apple ecosystem, iCloud+/Apple One (paid services) have hide my email built into the offering. You can auto-generate any number of email aliases that will forward all emails to your primary email account.
 

Better late than an accident


This. I make it a point to check my emails regularly for breach. You guys can check on haveibeenpawned.com too. This website is run by maker of 1password password manager, a very well known name in cybersecurity world. There is an option of subscribing too, that way if your phone or email are found in a future data breach, you will get a mail from them. I don't use this as it makes you complacent, but it is better than nothing.
 
If you are in the Apple ecosystem, iCloud+/Apple One (paid services) have hide my email built into the offering. You can auto-generate any number of email aliases that will forward all emails to your primary email account.
This is a good functionality too but never use it for banking. Apple has serious flaw where it won't allow you to mail from these accounts.


Also similar functionality is present in Bitwarden password manager. There are individual services too anonaddy and simplelogin. Iirc even firefox provides something similar.
 
Email access is not limited to just sender, it's mostly based on contents. So if the content matches the description of what the service provider explained to Google, they allow it.
How smart would that be...

that means for 'statement', they'll read your bank statements, CC statements, NPS, CAS, stocks, MF.. basically your entire financial life.
Mobikwik also reads all these emails.. there was a thread on TFC where all emails read by Mobikwik are listed.


You're free to have your own opinion, but i disagree with it. I'd prefer to go through the extra hassle to safeguard my data.
 
If you are in the Apple ecosystem, iCloud+/Apple One (paid services) have hide my email built into the offering. You can auto-generate any number of email aliases that will forward all emails to your primary email account.
I do use apple devices but haven't tried iCloud+ yet...

Gmail also had this feature of delivering emails to joe.rogan+myntra@gmail.com. to the primary inbox - joe.rogan@gmail.com

But i feel the issue will be with outgoing emails... as myntra would have my registered email as joe.rogan+myntra@gmail.com while I would be emailing the support team from joe.rogan@gmail.com.

similarly other websites might have trouble verifying my identity when i approach their support teams.
 
I'd prefer to go through the extra hassle to safeguard my data.

Completely agree with this part. One should always take the extra step to keep data safe.



On the terms of how smart that system is, in my experience it is quite smart. And Google has regular reviews too. I have first-hand experience of dealing with Google on this. For example, unless the app has requested to be one stop financial solution, they won't be having access to all your financial emails. And this has to be reflected when asking consent of the user too. I can't apply for access to be one stop financial solution and then show user that I am only requesting credit card data from Gmail.

However, no system is 100%, so always take the extra step to safeguard your data.
 
How smart would that be...

that means for 'statement', they'll read your bank statements, CC statements, NPS, CAS, stocks, MF.. basically your entire financial life.
Mobikwik also reads all these emails.. there was a thread on TFC where all emails read by Mobikwik are listed.


You're free to have your own opinion, but i disagree with it. I'd prefer to go through the extra hassle to safeguard my data.
I knew so many companies which were reading whole of your text messages inbox just for giving the functionality to autofill the OTP in Android (few years back). Now it's your mail. I can't risk it, whether it's illegal/ they can't do it. It's not safe to give the access, period.

I'll second that!! @knight. I think we can close this discussion, it's everyone's personal choice. It hardly takes 5 mins to set up a secondary mail account and I don't have a problem with that.
 