Depends on your credit card I guess, with the cumulus it doesn’t ask for anything and you don’t notice it when it happens as well so it can be pretty bad.
so it seems they hacked his sim card, thus were able to log in to revolut on his behalf. once that is done the rest is peanuts. they saw the ubs credit card registered for auto topup. then removed the 15000 limit (they had full revolut access). then started transferring money (dirham apparently) to some other place: perhaps a bank account somewhere or used the revolut credit card number (which is shown in the app, including cvv) to upload another service who knows.
i guess the key takeaway is: getting your sim card hacked is horrible. and ok, registering another credit card for auto topup is not the best idea either…
So from a security point of view it seems important to avoid any sim hacks. which might be resolved by having (a) dedicated sim card(s) for any (each?) of these online services…?!
re sim card hacks: these phishing attacks only really work if they have your sim number, right? so why do they have it? because either someone of your contacts gave app permissions to access their contacts/phonebook where you were listed - or they hacked a web service where you gave your sim number. in both cases having dedicated separate sim cards only for the purpose of 1 or a few services and without sharing the number with anyone would help.
except if revolut itself would have a security leak indeed…
That’s a good reminder that we should never save our credit card into the app. I just removed mine and I will add it / remove it every time I need. Since it’s once or twice a month, it’s not a big deal.
Isn’t it possible that some malware spied on the guy when he typed his revolut password and then they remote controlled his phone? Swisscom says the SIM wasn’t hacked and I believe it is a 1000 times easier to make people download malware than to hack a SIM…
Wow, this is interesting. I was of the opinion that hijacking a sim card is mostly a US thing that cannot happen in CH, because people ask for ID. And Swisscom is saying it didn’t happen.
I use a corporate phone, that is technically registered in the name of my employer, which I am not sure if it is easier or harder to hijack.
I don’t know exactly how sim hacking works, but IMHO it’s not easily doable. Also I have no idea which service might ask for your SIM information. Maybe all those dumb apps that ask for “telephone permission”.
(I might start to rant how f$# the permissions on Android/iOS are both from the technical point (storage? why not more fine grained?) and from the way it is used (you can’t use the flashlight app if you don’t give contact permissions…))
One thing that’s not clear is if the guy had a second sim linked to the first one. For example in his car. I don’t know exactly how it works and how Android/iOS identify phones. The only thing I know is that Swisscom can give you a second SIM card that will answer to the same phone number as the main one.
Even if the sim card was hacked as @male described, you need a password (or fingerprint) to access the Revolut app.
To my knowledge, a hacked sim card can’t control an application on the phone.
Is it known which OS the guy used? Because many people have their credit cards added to Apple Pay on iOS. For example, I added my Revolut Card, although I never even used it like this, paying with the phone. Theoretically, Apple Pay requires you to use Face ID and double click the button, but I wonder what else can be hacked…
Seriously, the tech World we live in makes me really anxious, most of my possessions seem so virtual.
Second that. I got an SMS myself asking me to log in to my account via a URL which looked quite compelling, and I have to admit it takes a few seconds to start questioning if this is legit… sad for other people who are not aware of that.
So dude puts his revolut credentials into some random link he got via sms and then blames revolut for losing his data?
If this was actually a SIM-Swap this would have been pretty worrying since that would be the first one I have seen in the wild in Switzerland. But as it looks this was just a regular old phishing attack.
Cyber-security is a big field, maybe his company specializes in forensics or wireless or something completely unrelated to phishing (or he is some kind of non technical manager or something).
By reading and participating in this forum, you confirm you have read and agree with the disclaimer presented on http://www.mustachianpost.com/