
Data Leaked/ Cards Hacked

beingmohit

TF Premier
I randomly started getting SMSs regarding OTPs and transaction alerts. As I was already asleep, I did not bother. But my wife checked it and, to our horror, we were getting OTPs for random transactions on Flipkart, and all of them were going through successfully. I immediately disabled online transactions on my card. Just then, I started getting OTPs on my RBL card. By the time I was able to disable transactions on my RBL card, another transaction went through successfully. I am confused and unable to understand how this can happen. How can someone hack the OTPs on my phone? Please let me know what I should do now.
Update: The hacker used my RBL card to purchase Flipkart GVs worth 50k. Fortunately, I could add these GVs to my Flipkart account before the hacker could. I discussed the incident with Flipkart and they have initiated a refund for these 50k.
The hacker used my Axis card to purchase 45k worth of Google Play vouchers. As the voucher codes were delivered to the hacker's email, I could not do anything about it. I am in discussions with Google Play support, but the conversations so far don't give me much confidence. I have also registered a complaint with the Cyber Crime Division of Bengaluru Police. They have not yet registered an FIR (only a complaint) as they want us to try and get our money back (you won't be wrong if you are wondering why we pay taxes to fund their salaries). Axis Bank has denied any responsibility as the payments were authorized using OTP.
Please let me know if anyone here has any suggestions about how to get my money back. Should I try to register an FIR? Should I try mailing Axis again?
 

CardSeeker

TF Ace
VIP Lounge
> That's the reason why I changed to a new email for all financial transactions, one where I don't disclose the email anywhere, and it's not Gmail.
> Gmail is always monitoring us and I don't trust Google at all.
> We have many devices or websites where we use Gmail by default.
> So better not to use it.
Which mail?
 

Pankhuri

TF Ace
I do use Apple devices but haven't tried iCloud+ yet...

Gmail also has this feature of delivering emails sent to joe.rogan+myntra@gmail.com to the primary inbox, joe.rogan@gmail.com.

But I feel the issue will be with outgoing emails... as Myntra would have my registered email as joe.rogan+myntra@gmail.com while I would be emailing the support team from joe.rogan@gmail.com.

Similarly, other websites might have trouble verifying my identity when I approach their support teams.
If you want to use an alias, AnonAddy has this functionality.

SimpleLogin also has similar functionality.

However, I would avoid using these for financial services. You never know whether these companies would survive the next 5 years or not.
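The mismatch described above (a merchant holds joe.rogan+myntra@gmail.com while the customer writes in from joe.rogan@gmail.com) is a canonicalisation problem on the support side. The following is an added example, not code from the forum or from any of the providers mentioned: a small Python helper that folds plus-tags and Gmail's dot-insensitivity into one canonical mailbox so two addresses can be compared, and that recovers the +tag so a defender can tell which merchant an address was handed to. The domain lists are assumptions kept deliberately small (only Gmail is treated as dot-insensitive and plus-capable here); extend them only for providers whose behaviour you have verified.

```python
"""Canonicalise e-mail addresses so plus-addressed and dotted variants of one
Gmail mailbox compare equal. Added example; domain lists are assumptions."""

from typing import Optional

# Assumed: providers that deliver local+tag@domain to local@domain.
PLUS_TAG_DOMAINS = {"gmail.com", "googlemail.com"}
# Assumed: providers that ignore dots in the local part.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}
# googlemail.com and gmail.com are the same mailbox namespace.
DOMAIN_ALIASES = {"googlemail.com": "gmail.com"}


def split_address(address: str) -> tuple[str, str]:
    """Return (local, domain), lower-cased, for a single-mailbox address."""
    addr = address.strip().lower()
    if addr.count("@") != 1:
        raise ValueError(f"not a single-mailbox address: {address!r}")
    local, domain = addr.split("@")
    domain = DOMAIN_ALIASES.get(domain.rstrip("."), domain.rstrip("."))
    if not local or not domain:
        raise ValueError(f"empty local part or domain: {address!r}")
    return local, domain


def alias_tag(address: str) -> Optional[str]:
    """Return the +tag (e.g. 'myntra') if the domain honours plus-addressing,
    otherwise None. Useful for spotting which merchant an address leaked from."""
    local, domain = split_address(address)
    if domain in PLUS_TAG_DOMAINS and "+" in local:
        return local.split("+", 1)[1] or None
    return None


def canonicalize(address: str) -> str:
    """Fold provider-specific variants into one comparable mailbox string."""
    local, domain = split_address(address)
    if domain in PLUS_TAG_DOMAINS:
        local = local.split("+", 1)[0]
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "")
    return f"{local}@{domain}"


def same_mailbox(a: str, b: str) -> bool:
    """True when both addresses deliver to the same mailbox under the rules above."""
    return canonicalize(a) == canonicalize(b)


def match_registered(sender: str, registered: list[str]) -> list[str]:
    """Return the registered addresses a support request from `sender` matches.
    Addresses on domains with unknown rules only match exactly."""
    return [r for r in registered if same_mailbox(sender, r)]


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    on_file = ["joe.rogan+myntra@gmail.com", "jrogan@example.com"]
    print(match_registered("Joe.Rogan@gmail.com", on_file))
    print(alias_tag(on_file[0]))
```

Non-Gmail domains are left untouched on purpose: stripping a +tag for a provider that does not implement plus-addressing would merge two genuinely different mailboxes, which is the wrong direction of error for an identity check.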
 

Pankhuri

TF Ace
I knew so many companies which were reading your whole text message inbox just to give the functionality of autofilling the OTP on Android (a few years back). Now it's your mail. I can't risk it, whether it's illegal or they can't do it. It's not safe to give the access, period.

I'll second that!! @knight. I think we can close this discussion; it's everyone's personal choice. It hardly takes 5 mins to set up a secondary mail account and I don't have a problem with that.
Both Android and Apple were the wild west when it came to SMS privacy till 2017/18. However, both have developed better systems for these. However, companies do like to farm data, so many times they don't use the correct functionality.
 

knight

TF Ace
And this has to be reflected when asking for the consent of the user too.
I haven't seen this on the consumer side so far.

Restrictions might be there for developers/compliance.
But while asking for email permissions, Google only says that Cred will be able to "View your email messages and settings". There's no classification shown to the user.

If restrictions exist in the background, it'd have been good to inform the user about it... but Google usually focuses on simple UX and might have kept this info private.
 

Pankhuri

TF Ace
> I haven't seen this on the consumer side so far.
>
> Restrictions might be there for developers/compliance.
> But while asking for email permissions, Google only says that Cred will be able to "View your email messages and settings". There's no classification shown to the user.
>
> If restrictions exist in the background, it'd have been good to inform the user about it... but Google usually focuses on simple UX and might have kept this info private.

It's in the app. Cred shows you a big page and also links to some Google documentation. From that you go to the Google screen. That Google screen also goes for maximal usage. But if you read the page before and go through the docs, you would find that it is not full access.
 

beingmohit

TF Premier
> @beingmohit since you mention that you had used your RBL card only 1-2 times in the whole year, did you check which websites/merchants you had used it on?
> It's just shocking how someone could access CVV / 2FA / email password all at the same time!
I have only used it on Flipkart! Nowhere else. But legally Flipkart is not allowed to store the CVV of cards. I don't know what kind of fishy practices they have.
 

VISHESH_BANSAL

TF Pioneer
> I have only used it on Flipkart! Nowhere else. But legally Flipkart is not allowed to store the CVV of cards. I don't know what kind of fishy practices they have.
Are your cards tokenized on Flipkart?
If yes, then CVV authentication is just for name's sake.

Flipkart does not store the CVV, but if the card is already tokenized then any random 3 digits will work for making a successful txn.

So do not tokenize your cards at shopping websites.

I do not know if this is the case with every bank or only specific banks, but I faced the same issue with SBI.
 

arko

TF Premier
VIP Lounge
Then I think tokenization is bad, in a way not helpful. Storing the complete card number without the CVV seems safer now; at least they cannot do any transaction without knowing the CVV. Tokenization is useless then.
So the guy's Gmail gets hacked.
Google login on Flipkart, and he used it to buy gift cards as the CVV is not required.
I think there should be an option to send the OTP only to mobile, not to mail. Axis Bank sends it by email but other banks don't, thank god....
My only issue is how he bypassed the 2FA protection. Did you give your 2FA password on any site in recent times?
 

gurbina

TF Ace
VIP Lounge
> Then I think tokenization is bad, in a way not helpful. Storing the complete card number without the CVV seems safer now; at least they cannot do any transaction without knowing the CVV. Tokenization is useless then.
> So the guy's Gmail gets hacked.
> Google login on Flipkart, and he used it to buy gift cards as the CVV is not required.
> I think there should be an option to send the OTP only to mobile, not to mail. Axis Bank sends it by email but other banks don't, thank god....
> My only issue is how he bypassed the 2FA protection. Did you give your 2FA password on any site in recent times?
The problem is that when you're travelling overseas you need an alternate method to receive OTPs, as you cannot rely solely on your phone number; also, you won't get phone reception or coverage from Airtel everywhere, in India and overseas.
But yes, they need a way to opt in and out, for all the banks.
 

Bugs Bunny

TF Ace
VIP Lounge
> Update: Flipkart has already initiated a refund for the 50k worth of Flipkart vouchers the hacker had purchased. For the 45k worth of Google Play vouchers, I am in touch with the banks, Google and the police.
Glad to hear, Mohit. Do update the initial post after all the refunds on how you proceeded and what security measures you are taking right now to protect yourself.

Thank you
 

harsh2807

TF Neo
Hello Everyone,

I am new to this forum, as I got to know about it after searching for a similar problem I faced yesterday.

The same incident happened to me. Yesterday someone used my FLIPKART account and bought Google Play vouchers worth around 30K from my RBL Bank card. I immediately called the bank and told them about the incident and reported the same to FLIPKART. I don't think they used my Gmail in this case, as I was doing some work on my mobile while all this happened and there was no trace of any OTP on my email.

I am told to register a complaint with Cybercrime, but I am not able to do it because they require a transaction ID, which has not yet been generated by the bank; as of now they are giving the same answer, that the transaction is still in process while Flipkart is investigating the issue from their end.

Still waiting to get resolution on the same.
 

beingmohit

TF Premier
> Hello Everyone,
>
> I am new to this forum, as I got to know about it after searching for a similar problem I faced yesterday.
>
> The same incident happened to me. Yesterday someone used my FLIPKART account and bought Google Play vouchers worth around 30K from my RBL Bank card. I immediately called the bank and told them about the incident and reported the same to FLIPKART. I don't think they used my Gmail in this case, as I was doing some work on my mobile while all this happened and there was no trace of any OTP on my email.
>
> I am told to register a complaint with Cybercrime, but I am not able to do it because they require a transaction ID, which has not yet been generated by the bank; as of now they are giving the same answer, that the transaction is still in process while Flipkart is investigating the issue from their end.
>
> Still waiting to get resolution on the same.
There was no trace of the OTP on my email either. This is because they delete all the emails after they are done.
Please remove all your saved cards from all ecom websites. That is the only way to remain safe as of now. Disable transactions on all your cards, change your email password, activate 2FA, activate passkeys, and change all your banking passwords. These are some short-term measures.
I will share long-term measures soon.
 

Pankhuri

TF Ace
> There was no trace of the OTP on my email either. This is because they delete all the emails after they are done.
> Please remove all your saved cards from all ecom websites. That is the only way to remain safe as of now. Disable transactions on all your cards, change your email password, activate 2FA, activate passkeys, and change all your banking passwords. These are some short-term measures.
> I will share long-term measures soon.
Did you figure out where the breach was on your end?
 

Deleted member 9785

TF Ace
VIP Lounge
> Hello Everyone,
>
> I am new to this forum, as I got to know about it after searching for a similar problem I faced yesterday.
>
> The same incident happened to me. Yesterday someone used my FLIPKART account and bought Google Play vouchers worth around 30K from my RBL Bank card. I immediately called the bank and told them about the incident and reported the same to FLIPKART. I don't think they used my Gmail in this case, as I was doing some work on my mobile while all this happened and there was no trace of any OTP on my email.
>
> I am told to register a complaint with Cybercrime, but I am not able to do it because they require a transaction ID, which has not yet been generated by the bank; as of now they are giving the same answer, that the transaction is still in process while Flipkart is investigating the issue from their end.
>
> Still waiting to get resolution on the same.
Does Flipkart not have 2FA?
 