
RedTomato

macrumors 601
Original poster
Mar 4, 2005
4,155
442
.. London ..
Hello guys.

Just had an interesting phone call with Santander, a UK bank. Someone tried to transfer £33,000 (about $50,000) from my bank account on the 26th January.

:eek:

Luckily the bank caught it and blocked the transfer. (I have nowhere near that much in the account!) After speaking with the Fraud Dept, it appears that someone was able to copy my internet banking logon, logged onto my account and tried to do the transfer to another UK account.

I only log onto my internet banking on my laptop, via an up to date Chrome, and only at home or work. The password details are kept in 1password.

So how did whoever it was get my details? (ps I never click on a Santander link in an email)
 

SilentPanda

Moderator emeritus
Oct 8, 2002
9,992
31
The Bamboo Forest
There have been java exploits for the past several months off and on. But there's really no way to know the culprit. At least your bank caught it so you don't have to deal with being broke while they figure it out.
 

daneoni

macrumors G4
Mar 24, 2006
11,601
1,147
Could be an inside job or key-logging software.
 

Shrink

macrumors G3
Feb 26, 2011
8,929
1,727
New England, USA
Hello guys.

Just had an interesting phone call with Santander, a UK bank. Someone tried to transfer £33,000 (about $50,000) from my bank account on the 26th January.

:eek:

Luckily the bank caught it and blocked the transfer. (I have nowhere near that much in the account!) After speaking with the Fraud Dept, it appears that someone was able to copy my internet banking logon, logged onto my account and tried to do the transfer to another UK account.

I only log onto my internet banking on my laptop, via an up to date Chrome, and only at home or work. The password details are kept in 1password.

So how did whoever it was get my details? (ps I never click on a Santander link in an email)

Now, about that loan I've been seeking...;)

:D
 

Macky-Mac

macrumors 68040
May 18, 2004
3,501
2,552
There must be some rich people who don't miss 50k when it comes out of their bank, not sure why they would try for such a large amount

probably the crooks expect to get the money transferred, withdraw the cash and then disappear before the money is missed
 

twietee

macrumors 603
Jan 24, 2012
5,300
1,675
Don't you need some sort of additional and unique Tan number (not sure how you call it) or other pin to confirm any transaction?
 

shinji

macrumors 65816
Mar 18, 2007
1,329
1,515
Hello guys.

Just had an interesting phone call with Santander, a UK bank. Someone tried to transfer £33,000 (about $50,000) from my bank account on the 26th January.

:eek:

Luckily the bank caught it and blocked the transfer. (I have nowhere near that much in the account!) After speaking with the Fraud Dept, it appears that someone was able to copy my internet banking logon, logged onto my account and tried to do the transfer to another UK account.

I only log onto my internet banking on my laptop, via an up to date Chrome, and only at home or work. The password details are kept in 1password.

So how did whoever it was get my details? (ps I never click on a Santander link in an email)

Anyone else have physical access to your laptop at home or work?
 

0098386

Suspended
Jan 18, 2005
21,574
2,908
I've had the opposite problem. Tried to buy 2 return tickets to LA and an EOS 60D camera in the same month. Had both declined and my card cancelled, had to get a new card!
(I have a debit card, don't know if the rules are different)

But I'd rather that happen than someone else taking my money.
 

RedTomato

macrumors 601
Original poster
Mar 4, 2005
4,155
442
.. London ..
There have been java exploits for the past several months off and on. But there's really no way to know the culprit. At least your bank caught it so you don't have to deal with being broke while they figure it out.

Santander website doesn't use java. Chrome is set for all plug-ins to ask for a click to run (does wonders for disabling annoying adverts).

I never bothered to install java 7 for Mountain Lion. (upgraded to Mountain Lion 2 months ago)

Thanks for the hint though - I just now tested for java. No pref-panel, no java utility. After a search, seems I still have java 6 left over from Snow Leopard (never installed Lion). As far as I know, java 6 does not run in Mountain Lion without a bit of tweaking (which I haven't done). Tested in browsers and downloaded a couple of .jar apps. No functionality here.

Could be an inside job or key-logging software.

Inside.. hmm. Key-logging - not sure how on OSX - my macbook is pw-protected.

They are a spanish bank but they also have banks in England..

Santander took over a british bank, Abbey, a few years ago. I had an account with Abbey, which then became a Santander account.

Don't you need some sort of additional and unique Tan number (not sure how you call it) or other pin to confirm any transaction?

Yup, an OTP, One Time Password. If I transfer money via the website, it texts my phone with a passcode, which I need to enter on the website. Thanks for reminding me. I didn't get any passcode text linked to this fraudulent transfer. I'll bring that up next time I talk to them, if I get a chance.

Anyone else have physical access to your laptop at home or work?

Nope. It's my baby and only I use it :) Belongs to me, not to work. Has a login password and a wake from sleep password (if sleep for more than 1 hour)

The people who tried to take your money probably tried it on more than one account and they probably got through with one of them.

:( if they had bothered to try a transfer for an amount that I actually had, they might have succeeded. Not sure how without activating an OTP request though.
 

SilentPanda

Moderator emeritus
Oct 8, 2002
9,992
31
The Bamboo Forest
Santander website doesn't use java. Chrome is set for all plug-ins to ask for a click to run (does wonders for disabling annoying adverts).

I'm still not blaming Java but both Java 7 and 6 had recent security holes. Just because Santander doesn't use Java doesn't mean another site you visited wasn't and then installed something which monitored your logins on other sites.
 

Renzatic

Suspended
I only log onto my internet banking on my laptop, via an up to date Chrome, and only at home or work. The password details are kept in 1password.

So how did whoever it was get my details? (ps I never click on a Santander link in an email)

How complicated is your password? If it's something relatively simple, whoever did it could've brute forced it by trying to log in once or twice a day over a month or two. Just hitting it up enough to keep the failed logins to a bare minimum so as not to raise suspicion.
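A sketch of how a defender can catch the low-rate guessing described in this post, added here as an example and not taken from the thread or from any bank's systems. The log events are constructed, and the function names, windows and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed events: (timestamp, account, outcome)."""
    start = datetime(2013, 1, 1, 9, 0)
    events = []
    # acct-A: two failures a day for 20 days, never a success (slow guessing).
    for day in range(20):
        for hour in (0, 7):
            events.append((start + timedelta(days=day, hours=hour), "acct-A", "fail"))
    # acct-B: the owner mistypes twice in one morning, then gets in.
    events.append((start + timedelta(days=3), "acct-B", "fail"))
    events.append((start + timedelta(days=3, minutes=1), "acct-B", "fail"))
    events.append((start + timedelta(days=3, minutes=2), "acct-B", "ok"))
    return sorted(events)


def flag_accounts(events, window, threshold):
    """Return accounts with >= threshold failures inside any sliding window.

    Successes are ignored rather than used to reset the count, so the
    owner's regular logins cannot mask someone else's failed attempts.
    """
    recent = defaultdict(deque)
    flagged = set()
    for ts, account, outcome in events:
        if outcome != "fail":
            continue
        q = recent[account]
        q.append(ts)
        # Half-open window: drop failures that are `window` old or older.
        while ts - q[0] >= window:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(account)
    return flagged


if __name__ == "__main__":
    log = build_sample_log()
    print("3 in 24h  :", flag_accounts(log, timedelta(days=1), 3))
    print("10 in 30d :", flag_accounts(log, timedelta(days=30), 10))
```

The short lockout-style rule stays silent on both accounts, while the long-window rule flags only the account that is being guessed at slowly.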
 

Demonface

macrumors 6502a
Mar 13, 2012
696
71
Jersey/Miami
Santander website doesn't use java. Chrome is set for all plug-ins to ask for a click to run (does wonders for disabling annoying adverts).

I never bothered to install java 7 for Mountain Lion. (upgraded to Mountain Lion 2 months ago)

Thanks for the hint though - I just now tested for java. No pref-panel, no java utility. After a search, seems I still have java 6 left over from Snow Leopard (never installed Lion). As far as I know, java 6 does not run in Mountain Lion without a bit of tweaking (which I haven't done). Tested in browsers and downloaded a couple of .jar apps. No functionality here.



Inside.. hmm. Key-logging - not sure how on OSX - my macbook is pw-protected.



Santander took over a british bank, Abbey, a few years ago. I had an account with Abbey, which then became a Santander account.



Yup, an OTP, One Time Password. If I transfer money via the website, it texts my phone with a passcode, which I need to enter on the website. Thanks for reminding me. I didn't get any passcode text linked to this fraudulent transfer. I'll bring that up next time I talk to them, if I get a chance.



Nope. It's my baby and only I use it :) Belongs to me, not to work. Has a login password and a wake from sleep password (if sleep for more than 1 hour)



:( if they had bothered to try a transfer for an amount that I actually had, they might have succeeded. Not sure how without activating an OTP request though.

They probably hacked the bank's system also. Who knows what they did?
 

RedTomato

macrumors 601
Original poster
Mar 4, 2005
4,155
442
.. London ..
I'm still not blaming Java but both Java 7 and 6 had recent security holes. Just because Santander doesn't use Java doesn't mean another site you visited wasn't and then installed something which monitored your logins on other sites.

Java isn't working on my laptop. You cut out this bit :

never bothered to install java 7 for Mountain Lion. (upgraded to Mountain Lion 2 months ago)

Thanks for the hint though - I just now tested for java. No pref-panel, no java utility. After a search, seems I still have java 6 left over from Snow Leopard (never installed Lion). As far as I know, java 6 does not run in Mountain Lion without a bit of tweaking (which I haven't done). Tested in browsers and downloaded a couple of .jar apps. No functionality here.

However they could have captured the login from back when I had Mountain Lion & functioning Java, then not used it for a month or two.

How complicated is your password? If it's something relatively simple, whoever did it could've brute forced it by trying to log in once or twice a day over a month or two. Just hitting it up enough to keep the failed logins to a bare minimum so as not to raise suspicion.

It's more like three passwords. First page - a personal ID which is user definable, alphanumeric. If I understand the code (I don't really), the ID is sent in the clear, but the page itself is sent over HTTPS.

Code:
https://retail.santander.co.uk/LOGSUK_NS_ENS/BtoChannelDriver.ssobto?dse_operationName=LOGON

<form method="post" action="ChannelDriver.ssobto?dse_operationName=LOGON" name="formCustomerID_1" id="formCustomerID_1">

Get this wrong, and you never see the second page, so it's a bit hard to cycle through password attempts. The second page requires two passwords (?), both sent encrypted. (I won't post code from the second page).

The guy from Santander Fraud suggested I might have entered Santander in Google then clicked on whatever came up and thus gone through a man-in-the-middle attack. I try to avoid doing this but it is possible I might have gone through Google in a distracted moment. Both Chrome and Google have their own malicious website blacklist but it's possible I got taken in in that span between setting up a MITM attack and having it blacklisted.
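How a browser resolves the form tag quoted in this post, as an added example that is not part of the original post and not the bank's code: a relative `action` inherits the scheme and host of the page it sits on, so a form on an HTTPS page posts its fields inside the TLS connection. `FormCollector` and `audit_forms` are names made up for this example; only the page URL and the form tag come from the post.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Page URL and form tag exactly as quoted in the post above.
PAGE_URL = ("https://retail.santander.co.uk/LOGSUK_NS_ENS/"
            "BtoChannelDriver.ssobto?dse_operationName=LOGON")
FORM_HTML = ('<form method="post" '
             'action="ChannelDriver.ssobto?dse_operationName=LOGON" '
             'name="formCustomerID_1" id="formCustomerID_1">')


class FormCollector(HTMLParser):
    """Collect (method, action) for every <form> start tag."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            a = dict(attrs)
            self.forms.append(((a.get("method") or "get").lower(),
                               a.get("action") or ""))


def audit_forms(page_url, html):
    """Resolve each form action as a browser would and report its transport."""
    collector = FormCollector()
    collector.feed(html)
    page = urlsplit(page_url)
    results = []
    for method, action in collector.forms:
        target = urljoin(page_url, action)  # empty action -> the page URL itself
        t = urlsplit(target)
        results.append({
            "method": method,
            "target": target,
            "encrypted": t.scheme == "https",     # fields travel inside TLS
            "same_host": t.hostname == page.hostname,
        })
    return results


if __name__ == "__main__":
    for form in audit_forms(PAGE_URL, FORM_HTML):
        print(form)
```

A form whose action is an absolute `http://` URL or points at a different host shows up with `encrypted` or `same_host` set to false, which is the case worth checking for on a login page.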
 

Macky-Mac

macrumors 68040
May 18, 2004
3,501
2,552
If you said, I missed it, but have you ever logged on to your bank from somewhere other than your own secure wifi? A friend had a password hijacked when he was using public wifi while on a trip
 

snberk103

macrumors 603
Oct 22, 2007
5,503
91
An Island in the Salish Sea
Check the phone# listed on your account that they send the OTP to. If it is correct then the bank itself was hacked and/or it's an internal job.

You said you needed an OTP to transfer these kinds of funds. If the bank intercepted the transfer, it means someone had the OTP. And if it wasn't actually sent to you then it was internal. And if it was internal then there was nothing you could have done to prevent it.

A bank will never admit it was internally compromised. Which means that they have to make you believe it was something to do with you, without maybe ever actually accusing you of negligence. But if someone got your OTP, then it was internal.

I assume the bank will send an email to you when it detects a change in your security settings? One of those "If you did this, then you need do nothing - and if you didn't do this then someone else has on your behalf..." Then you sign in to check the security settings *not* using the link provided of course.
 