
Data Leaked/ Cards Hacked

beingmohit

TF Premier
I randomly started getting SMSs regarding OTPs and transaction alerts. As I was already asleep, I did not bother. But, my wife checked it and to our horror, we were getting OTPs for random transactions on Flipkart, and all of them were getting successful. I immediately disabled online transactions on my card. Just then, I started getting OTPs on my RBL card. By the time I was able to disable transactions on my RBL card, another transaction went through successfully. I am confused and unable to understand how this can happen. How can someone hack the OTPs on my phone? Please let me know what I should do now.
Update: The hacker used my RBL card to purchase Flipkart GVs worth 50k. Fortunately, I could add these GVs to my Flipkart account before the hacker could. I discussed the incident with Flipkart and they have initiated a refund for these 50k.
The hacker used my Axis card to purchase 45k worth of Google Play vouchers. As the voucher codes were delivered to the hacker's email, I could not do anything about it. I am in discussions with Google Play support, but the conversations so far don't give me much confidence. I have also registered a complaint with the Cyber Crime Division of Bengaluru Police. They have not yet registered an FIR (only a complaint) as they want us to try and get our money back (You won't be wrong if you are wondering why we pay taxes to fund their salaries). Axis Bank has denied any responsibility as the payments were authorized using OTP.
Please let me know if anyone here has any suggestions about how to get my money back. Should I try to register an FIR? Should I try mailing Axis again?
 
The cybercrime portal does not even open outside India!
These people got access to my Flipkart account and made all these transactions. So, I guess I am screwed here. Let me try to reach out to Flipkart Support.
If they have accessed your Flipkart account then all the order details are supposed to be there in your order section... Cancel all orders to get back the amount...
 
CPP via Kotak Bank
These plans will help you to recover the money in case of fraud as per banking terminology... Like if you have used your card at a mall and they have copied/skimmed your card and entered the PIN, and based on the details they have created a duplicate card and done a transaction... these types of fraud can be curtailed via CPP. Again, you have to raise the alarm to the bank and the CPP issuer in time to get the most benefit of the CPP plan. The CPP issuer will do all the formalities on your behalf with the card-issuing bank and involved parties... But if you have shared the OTP then the case is different.
 
If one shares the OTP knowing that it is a fraud then one probably needs to learn the lesson. But for other purposes it is good. That too for 449 only. This is in addition to the 500000 insurance that most premium cards come with.
 
Update: I talked to Flipkart customer care and they said that all the gift card orders are on hold. They have assured me they will provide a resolution within the next 2 days. I do not have high hopes as Flipkart is known for terrible customer service.
I will ask one of my family members to lodge an FIR.
I am still confused as to how my Gmail account (with 2FA enabled) was hacked. If Gmail accounts can be hacked with this ease, I don't know how to keep my data safe.
 
CPP via Kotak Bank
Just go through the top first para... you will come to know what they are offering... In my opinion, even without having CPP, you can protect your card from fraud... like
1. Disable international transactions.
2. Set a transaction limit as per your spending patterns... You can modify it anytime if you want to do a higher transaction.
3. Never use your banking emails to log in on public PCs.
4. Always use trusted websites to do online transactions.
5. If you are not using your card, just switch off your card. It will disable all transactions temporarily. Most issuers are giving this facility.
6. Always do POS transactions in your presence only. Be careful of camera views on the POS terminal at shops/malls to avoid capturing of card details and PIN.
7. Even disable Tap and Pay, and enable it once if required and then disable it.
8. I am personally using Samsung Pay for all POS and tap-and-pay transactions via cards. Never carrying any physical card, so no headache of loss or skimming. (Now the only thing I care about is my phone.)

Hope it helps... to save you from CPP...
 
Nowadays, the emails and passwords that we use to login to access banking data cannot be used to access other services, as well. In 2021 there was a data breach due to hacking of Dominos servers due to which my email appeared in a breach. I have been using a separate email for banking services since then, which I don't use for other purposes. Also, CPP is in addition to what the bank already provides.
 

Update: I talked to Flipkart customer care and they said that all the gift card orders are on hold. They have assured me they will provide a resolution within the next 2 days. I do not have high hopes as Flipkart is known for terrible customer service.
I will ask one of my family members to lodge an FIR.
I am still confused as to how my Gmail account (with 2FA enabled) was hacked. If Gmail accounts can be hacked with this ease, I don't know how to keep my data safe.
What would have happened is:-
You might have logged in to a site where they ask permission to view and edit email messages. The hacker, or whoever the person is, must have found some loophole and got to read your messages.
The same happened with one of my YouTuber friends, who is well known. But that hacker was a legit person, who first hacked and then helped him to prevent it from happening again. My friend gave permission to Streamlabs, a streaming platform, to view and edit Google account data. The hacker even told him his account balances😶.
So just before logging into any site using Google, first see what kind of permission it is asking for.
And better is to use a different Gmail account for banking purposes; this is what I am doing right now.
 
I am confident this happened by hacking my Gmail account. The Flipkart account they logged in to is linked to a different phone number, which is not even on my phone. So, I am confident they did not hack my phone. It has to be my Gmail. I see that 2FA has been enabled on my account for years, but somehow the hackers were able to bypass that.
 
Update: All the transactions were for Flipkart or Google Play GVs. All of them were on hold and the Flipkart CC executive told me that they will remain that way. But, now the order statuses are changing to delivered one by one.
 
How can someone hack the OTPs on my phone? Please let me know what I should do now.


Later in the thread you mention that email was the culprit. First thing you need to do is start using a password manager. I would recommend Bitwarden. Next step should be to enable two-factor authentication. I don't know about iOS, but on Android Authy is pretty good. Now you need to create a strong password using Bitwarden's password generator and change the password to that.

After these immediate steps, you need to take care of your account. Go to this https://myaccount.google.com/security and start reviewing your activities and third-party access. Any app or website you don't recognize, you should remove its access. Then you need to review your signed-in devices. I would suggest to log out from all other devices just to be on the safe side. But before doing that, thoroughly review the devices you are signed in on, as one or more of the devices might belong to the attacker. Take screenshots of every device. When you see a device name, clicking on it would take you to a screen which would show device model, sign-in date and some other info; you need to take screenshots of that. Next review your activities, and look for something you don't recognize. Chances of finding fault here are low but you need to be thorough.

Now for long term, you need to make a new account and update that on all your credit card issuers. And you need to use password manager and 2 factor authentication on it from the start. And use this account strictly for banking and credit cards.

Another thing: if you don't find any suspicious device on your signed-in device list, then the most likely scenario is that the attacker stole a session key from one of your devices. This is harder to do on mobiles or tablets compared to laptops. So if that is the case, then you need to wipe your laptop and start with a fresh install of Windows or Mac. I know this sounds a bit much but if this is the case then you are vulnerable to future attacks.


Less likely scenario is that one of the apps on your mobile went rogue and copied notification data and sent it to the attacker. Combatting this would require you to again go through your installed apps and remove any you don't recognize or don't use.

Ask any questions you have about this or anything cyber security related. This is my day job, so I think I can contribute a bit here. Sorry this happened to you.

Also, at the start, a password manager or authenticator might seem like a lot, but trust me, it makes things so much easier and safer. If you have lots of passwords saved up in Google, then you can export them to Bitwarden too. Plus Bitwarden has apps for every platform and a website too. So you can access your passwords from any device you choose, as long as you remember the master password.
 
I am confident this happened by hacking my Gmail account. The Flipkart account they logged in to is linked to a different phone number, which is not even on my phone. So, I am confident they did not hack my phone. It has to be my Gmail. I see that 2FA has been enabled on my account for years, but somehow the hackers were able to bypass that.
If you are confident that your Gmail was hacked, then watch this video because 2FA is not as secure as people make it out to be.



You will find similar videos on YouTube and also how to prevent this in the future.
 
This is why I usually keep the transaction limits set to 1000 for all cards that I don't use very often. Also make sure to never log in to Gmail or any other personal mailbox with sensitive information through hyperlinks. It's very easy to phish credentials through such means.

If the inbox is compromised, change the password and sign out all the devices including your own. I know people who have sold their old devices and forgot to log out of one of their accounts.
 
I am confident this happened by hacking my Gmail account. The Flipkart account they logged in to is linked to a different phone number, which is not even on my phone. So, I am confident they did not hack my phone. It has to be my Gmail. I see that 2FA has been enabled on my account for years, but somehow the hackers were able to bypass that.
I think it is your Flipkart account. In another comment I mentioned session data; the same could be done to your Flipkart login too. This also tracks, as if they had access to Gmail, then why would they use your Gmail for their Flipkart orders, as that would mean you can cancel some of their orders.

But there is also the issue of you finding emails in the deleted section of your Gmail. So this points to them having access to your Gmail too.

IMO what has happened is that your session data from one of your laptops or computers got compromised. But they don't have your credit card numbers, so they used your own Flipkart account. Your other social media and e-commerce accounts are at risk too. Gmail is probably safe for now as you changed the password.
 
Update: All the transactions were for Flipkart or Google Play GVs. All of them were on hold and the Flipkart CC executive told me that they will remain that way. But, now the order statuses are changing to delivered one by one.
Wtf

It's Flipkart's responsibility to keep it on hold until verification; you had already informed them and still they are getting it delivered.

Must keep all the voice recordings with you; it might help you in getting your amount (as after informing Flipkart they still didn't put the orders on hold, even after assuring the same).
 
During the day I get random SMSs like
"[#] is your Onetime password (OTP) to view your Axis Bank Credit details. Please do not share this."
It's from Axis, but I own 3 CCs and it's hard to know how this SMS is getting generated. I do use Axis Ace anywhere because of 2% cb, and sometimes Flipkart.
 