Is ubank Safe to Keep Your Savings? (Recent Article with Someone Getting Hacked)

Just curious if anyone saw this:

https://www.google.com/amp/s/www.news.com.au/finance/busines…

Not sure how it is possible to just update a phone number. Typically, they first need to confirm pin on old number. It sounds a bit scary given there is no 24 hour support.

Would you still keep your money in ubank?


Comments

  • I wonder if these people had 2FA?
    https://www.ubank.com.au/security

    • +4

      only via sms though

      find a bank that does authentication on their app

      it's funny that most banks have fancy app but only do authentication via sms

      • +1

        86400 app did do 2FA not via sms

        They used that when calling their service centre

        Funny what ubank chose to keep from the neobank acquisition

      • +2

        It's really annoying that no bank does this still, it's pretty much mandatory with how smart thieves are getting, I really want app or physical tokens to become the standard 2FA with banking.

    • UBank is owned by NAB

      So if UBank is not safe then NAB isn't either.

      And if that's the case no bank is safe.

      • +1

        Not necessarily.

  • +28

    Typical news.com.au sensationalism IMO - almost 100% sure that this person was victim to a low-skill phishing attack, logged into his account somewhere he shouldn't have, or used a weak password.

    • +2

      100% this. Don't be a dingus with your money.

  • +7

    Ubank sending the person a text but doesn't send him/her a 2FA when a new payee is added? Some parts of the story just don't add up.

    • +2

      They've only just enabled the 2FA when a new payee is added. I got the email about it on the 16th and it just says "from this week…". I'm guessing they did it in response to this.

      There have been a lot of UBank scam SMS in the past month or so, ever since they've been migrating people to the new app. I received the same "new device added" message a few weeks ago as shown in the news story but there is nowhere you can view, add or remove devices in the app or online. There's probably more to this story on both sides, the victim may well have been phished but I'm not sure about the bank's security either given how poor the app is and the online interface. It was far better prior to the migration.

      • +3

        Don't understand how Ubank is not using 2FA when the global banking system has been doing so for at least the past decade. It should be standard. When you set up a bank, customer protection should be on the top of the list, not marketing. This is a big oversight.

        • +2

          Security is something all the Australian banks are bad at. I think it's Westpac that still has a max 6 character password with no special characters allowed. AFAIK the big 4 have no 2FA options other than SMS either.

          • @apsilon: Business accounts still use the little keypad token thingy which is the most annoying but secure way unless you (or the finance manager) get mugged and lose that thing. But SMS is already a good 2FA to cover the majority of potential fraud. There is no way to send a message intended for a mobile number to another phone. It should stop this sort of low level crime.

            • @KaTst3R: Business accounts for which bank? Mine certainly doesn't. SMS is certainly better than nothing but with SIM jacking it's also the least secure IMO.

              • @apsilon: ANZ. I saw our finance manager holding a token for payments.

                • @KaTst3R: Interesting, quick google says they provide a "security device" for business customers if requested. Why don't they use an authenticator app instead and offer it to every customer? Still, better than other banks' efforts.

                  • +1

                    @apsilon: The idea is that you leave the device locked up in the office because the business phone follows you out of the building. I guess it reduces risk but by not much.

                    • @KaTst3R: Office buildings are very insecure IMO and that's speaking from experience. Most are vacant for 2/3 of the day leaving ample time to be entered and have stuff stolen. Offices, desks and cabinets are all easy to open or bypass even if the owner bothers to lock them. Personally I think a phone that remains close to a person for more of the day and then should also require a password or biometrics to unlock before you can access the authenticator app is far more secure but as I said, at least ANZ are doing more than others.

          • @apsilon:

            I think it's Westpac that still has a max 6 character password with no special characters allowed

            You think that is bad until you look closely at ING.

            ING send out their welcome mail (with debit card) which includes the client ID.
            They don't allow you to have an access code any longer than 4 digits.

            No 2FA or notification if you login via a completely new browser / IP address.

  • +4

    I think they may have followed a link sent in a text, for them to confirm their account. But I see how this has occurred with a rollout of changes that left many confused. Ubank shouldn't have forced the changes, or at least should've been slower and clearer regarding the changes, how they would communicate with customers and how customers could contact them to confirm their accounts 24hrs (literally just a security confirmation phone number, nothing more). Even now I've received no posted ubank letter to give me peace of mind. Change must be well managed, especially with $$$ and I personally don't feel it was and this has opened the door to people being scammed.

    • +2

      100% agree. First thing I heard about the move was 4 days before they moved me. It was poorly executed and barely communicated and to top it off support is basically impossible to contact. On top of that there's been a massive increase in scam SMS Ubank messages over the same period, no doubt trying to capitalise on the move and confusion.

    • -1

      I've not even received my free pair of socks.

  • +7

    The aim of that article is to create sensations.
    Things just don’t add up in the article.

    I don’t want to get into the details so as to not give ideas to aspiring hackers.

    What I believe happened is that the victim here first received a fake email alert, panicked, and then logged in using the fake UBank link (phishing) provided in the email. The hacker then got the victim’s real credentials.

    But to answer your question OP

    Would you still keep your money in ubank?

    Yes I will. In fact my situation is very similar to the victim. CBA is my bouncer. I then distribute the money to other accounts including UBank.

    The message here is that, only login to online banking by writing the URL on your own. Never click any login link from an email.

    • It just goes to show that the weakest link is still the person.

      The fact is, a bank needs to assume the person is prone to be phished, and should actually adopt methods to prevent phishing, such as 2FA (not SMS). If you fake login, the 2FA will prevent stolen credentials from getting used.

      The other is transaction confirmation via 2FA - so even if your browser is hijacked, the physical 2FA prevents fraudulent transaction.

  • +3

    Saw link to news dot com article, moved onto next forum post

    • Saw link to news dot com article, ~~moved onto next~~ commented on forum post

      FTFY

  • +3

    The fact that news.com.au tried to pass off a hacked paypal account as a problem with UBank says it all. Which is more likely, there’s a problem with UBank or one dude had his account compromised?

  • +1

    I've been with Ubank for the better part of 2 years,

    Been a great trouble free experience.
    Pity the same can't be said for certain other banks…

    • How do you think the mobile phone number might be updated? Do you think there is a gap somewhere where it is possible for someone to update your mobile number?

      • +1

        I recall I had to call them up to update the mobile. They ask the usual ID check questions and send you a code in the app.

        • +1 you have to call and speak to a staff member to change your mobile number - then give an additional password and pass the 2FA. So not easy to bodgy.

  • I've never had a Ubank account but I've had several texts telling me someone has accessed my nonexistent account and would I update my details.

  • +1

    You could ask that same question about most financial institutions, insurance companies, gov departments etc….

  • I got a scam text message saying it was from ubank, I contacted ubank immediately by email. They didn't respond but sent out a blanket email. I was more concerned with how someone knew my phone number + that I'm a ubank customer.

  • +5

    I feel like there’s been more issues since they acquired 86sh*thundred and the merge happened.

    I much prefer legacy ubank. No frills, plain and boring black and white UI (which I actually preferred over the new colourful fancy crap).

  • No worries with UBank. Had them for years. Authentication via the app, not sms. Regulated exactly the same as all of the bricks and mortar banks.

  • I've been with Ubank for a very long time. If anything I find them too cautious with security. Even when I transfer between different accounts I hold WITH THEM in my own name, they require 2FA for everything.

    I think users want the banks etc to be 100% responsible for their security but the reality is it's SHARED RESPONSIBILITY. So I am sure most people break many of the cardinal rules with security e.g. not changing passwords regularly, not having unique passwords for each site, not having easy to guess passwords containing personal info, keeping your devices secure, not clicking on comms from unconfirmed sources claiming to be your bank.

    If people want to be lazy, naive & simple with their security - sadly there are jerks out there waiting to prey upon them. Pretending otherwise & blaming the banks but not taking basic steps yourself is asking for trouble.

    I'm sure Ubank can do better - but have little doubt in both these instances the vast majority of the blame rests with the account holders.

    Use a good password manager - makes things a LOT easier. :-)

    • If anything I find them too cautious with security

      +100

      They also send you a SMS for each DEBIT and CREDIT.

  • Still concerning. I’ve only recently opened account. Strong Bitwarden password, fingerprint login, 2FA BUT their daily limits are TOO high. $20,000 payment to a BSB Account and PayId and $10,000 for BPAY. Most banks have $5k daily limit. There is no way to reduce limit in the app or online and to call is extraordinarily long wait time.

    • +1

      @Essem
      This is simply untrue - your daily transfer limit is UP TO $20,000 for 'unlinked' accounts (10 days linked+) - but I am on desktop site now and using a slider you can reduce the transfer limit down to $0 if you so desire.

      Is in the 'Admin & Security' option.

      No idea about the app or call times, as when I've had to call (which is a few times in near a decade with Ubank) I did at offpeak times & just popped on speaker and did something else.

      You can set SMS &/or email alerts when new payees or any withdrawal at all comes from your account - there's honestly so much you can do to make the accounts more secure.

      If banks made the accounts to a level that people agreed they were 'very safe' they'd then likely find them inflexible and restrictive - it's a balancing act - the account holder has to do their bit, banks theirs. As stated by others Ubank are as good as the industry average - they can definitely improve some things (2FA via 3rd party token or authenticator app etc) but overall you'd need a very skilled and determined thief or a very stupid customer to be robbed.

      • +1

        The problem is, you can only go to Admin & Security in the old UBank view. Whoever got transferred to 86400 (new UBank view), they don't have their money "in the old view". I can not even receive 2FA sms to change anything in the old view security settings :-(
        And the new UBank UI doesn't have settings at all, which is frustrating!

        • Thank you, exactly

        • The new app and new web interface are terrible. I just realised there's no way to change your password via either the web or app interfaces. WTF?

        • Msg back from Ubank

          At present it is not possible to change the limits on the 2.0 UBank app limits. Your feedback has been noted and it is something our team are looking into. Once the migration is completed a range of features are being looked at being added to the app to help all of our customers with their online banking needs.
