WARNING: Scammer is able to mask their text messages as coming from an ING phone number.
This morning I was on my usual day of work. Received a text message saying "someone logged into your account. If this is not you. Visit link."
ACTUAL MESSAGE:
You just logged in on a NEW device. If you did NOT login, go to: login.au-my-acc.net to cancel.
I use an iPhone, so the messages come in a conversation. The above message is in the same thread as the one that ING uses to send me update messages. Not suspecting anything, I clicked on the link in a frenzy, in fear of someone taking my money, without realising it was a dodgy link.
Entered my client and access number. Shortly after, 2k was transferred out. They were even able to register their phone for mobile banking (ING sent me a verify message) and were somehow able to bypass this 2FA.
Significant security features issues I found with ING are:
NO 2FA once you log in with client number and access code. That's it. They have full control. Even for a new payee PayID or account number, there is no PayCode or 2FA verification like Commbank has. Straight to the scammer's account via Osko. Edit: 2FA is only enabled for new payee/edit payee if you are on desktop/laptop. No 2FA if the scammer successfully bypassed the 2FA for the first mobile banking registration.
The scammer was somehow able to mask their sender end as ING's number or conversation.
The scammer was able to bypass the new-phone mobile registration 2FA (text sent to my phone, I did not give anyone the code).
Edit: The link that I posted is now shown as under Google review and flagged as "suspicious". When I first clicked on it, it took me straight to an ING looking webpage.
Any ING account holders beware. The scam team is saying a lot of people are falling for it.
TLDR: ING account scam going on, do not click on any suspicious links. ING never asks you to put in client number and pass code via SMS.
I have learned my lesson, so please don't victim blame. I am setting this thread up as a support thread for (I suspect) many more victims to come. ING themselves have acknowledged their scam team is very very busy today.
Update 29/10/22:
- Orange Everyday Terms and Conditions states:
"You are liable for the loss if: the security of one or more Codes has been breached and if the breach of the Codes are more than 50% responsible for the loss"
Called their scam team today and basically told "you deliberately gave away the Client Number and Access Code. That's on you." So ING will absolutely not reimburse me if the recall fails.
- I am going to now finally let go. Not helpful for my mental health ruminating on this other than learning my lesson to never click any links.
- Hope no OzB members fell for this like I did.
Update 21/11/22:
- VicPol actually contacted me and filed a report. Detective said she is looking at multiple similar cases, said ING is very slow with responses, so anything that I can supply will be very helpful. Another reason to never bank with them.
- Contacted by ING's complaints team today. Hoping for good news.
Update 22/11/22:
- Goodwill payment of the total amount credited to my account.
- Said they are reviewing the security breaches that I raised but maintained that 'the four-digit access codes are secure and you can change it anytime according to our clause X of blah blah blah'.
- Key point is that I have evidence that ING does send genuine text messages with a link asking their customers to log in via the link provided to open the account. Initially they claimed that ING never sends text messages with links.
A very good defence for account phishing is using a password manager. Chrome/Safari will offer to record it against the website, and other standalone ones should do too.
A spoofed website will never ever pop up a prompt to auto-fill your login because the domain will never match, no matter how visually convincing it is.
If you're vigilant, and all your accounts are in a password manager and domain set correctly, you'll know that no auto-fill means something's wrong.
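To make the domain-matching point concrete, here is an added Python example (not from the post and not any password manager's real code) of how an autofill decision is made on the page's origin rather than on how the page looks. The legitimate host www.ing.com.au is an assumption; the phishing host is the one quoted in the post, and the other lookalike URLs are constructed.

```python
from urllib.parse import urlsplit

# Assumed legitimate site (the post never names the real ING login host).
STORED_ORIGIN = "https://www.ing.com.au"
# Phishing host quoted in the post, plus constructed lookalikes.
SAMPLE_URLS = [
    "https://www.ing.com.au/banking/login",      # genuine: same origin
    "https://login.au-my-acc.net/",              # the scam link from the post
    "https://www.ing.com.au.au-my-acc.net/",     # real name reused as a subdomain
    "https://www.\u0456ng.com.au/",              # Cyrillic 'i' lookalike (constructed)
    "http://www.ing.com.au/",                    # right host, wrong scheme
]

def normalise_host(host: str) -> str:
    """Lower-case and IDNA-encode so Unicode lookalikes compare as punycode."""
    return host.rstrip(".").encode("idna").decode("ascii").lower()

def origin(url: str) -> tuple:
    """Browser-style origin tuple (scheme, host, port) for an http(s) URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an http(s) URL: {url!r}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, normalise_host(parts.hostname), port)

def would_autofill(stored_origin: str, visited_url: str) -> bool:
    """Offer the stored credential only when the visited page's origin matches exactly.

    Visual similarity plays no part in the decision, which is why a convincing
    clone hosted on another domain never triggers the autofill prompt.
    """
    return origin(stored_origin) == origin(visited_url)

def autofill_report(stored_origin: str = STORED_ORIGIN, urls=SAMPLE_URLS) -> dict:
    """Map each sample URL to the autofill decision a manager would make."""
    return {url: would_autofill(stored_origin, url) for url in urls}

if __name__ == "__main__":
    for url, offered in autofill_report().items():
        print(f"{'AUTOFILL' if offered else 'no match':9} {url}")
```

Only the first sample URL gets an autofill offer; every lookalike, including the one that embeds the real hostname as a subdomain, is rejected without any visual comparison.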