ING Remote Access Scammer Alert - Lost $2000 to Scammer

WARNING: Scammer is able to mask their text messages as coming from an ING phone number.

This morning I was on my usual day of work. Received a text message saying "someone logged into your account. If this is not you. Visit link."

ACTUAL MESSAGE:

You just logged in on a NEW device. If you did NOT login, go to: login.au-my-acc.net to cancel.

I use an iPhone, so the messages come in a conversation. The above message is in the same thread as the one that ING uses to send me update messages. Unsupecting anything I clicked on the link in a frenzy in fear of someone taking my money, without realising it's a dodgy link.

Entered my client and access number. Shortly after, 2k money was transferred out. They were even able to register their phone for mobile banking (ING sent me a verify message) and somehow able to bypass this 2FA.

Significant security features issues I found with ING are:

  • NO 2FA once you log in with client number and access code. That's it. They have full control. Even for new payee Pay ID or account number, no PayCode or 2FA verification like Commbank does. Straight to the scammer account via Osko. Edit: 2FA is only enabled for new payee/edit payee if you are on desktop/laptop. No 2FA if the scammer successfully bypassed the 2FA for the first mobile banking registration.

  • Scammer somehow able to mask their sender end into ING's number or conversation.

  • Scammer able to bypass the new phone for mobile registration 2FA (text sent to my phone, I did not give anyone the code).

Edit: The link that I posted is now shown as under Google review and flagged as "suspicious". When I first clicked on it, it took me straight to an ING looking webpage.

Any ING account holders beware. The scam team is saying a lot of people are falling for it.

TLDR: ING account scam going on, do not click on any suspicious links. ING never asks you to put in client number and pass code via SMS.

I have learned my lesson, so please don't victim blame. I am setting this thread up as a support thread for (I suspect) many more victims to come. ING themselves have acknowledged their scam team is very very busy today.

Update 29/10/22:
- Orange Everyday Terms and Conditions states:
"You are liable for the loss if: the security of one or more Codes has been breached and if the breach of the Codes are more than 50% responsible for the loss"
Called their scam team today and basically told "you deliberately gave away the Client Number and Access Code. That's on you." So ING will absolutely not reimburse me if the recall fails.
- I am going to now finally let go. Not helpful for my mental health ruminating on this other than learning my lesson to never click any links.
- Hope no OzB members fell for this like I did.

Update 21/11/22:
- VicPol actually contacted me and filed a report. Detective said she is looking at multiple similar cases, said ING is very slow with responses, so anything that I can supply will be very helpful. Another reason to never bank with them.
- Contacted by ING's complaints team today. Hoping for good news.

Update 22/11/22:
- Goodwill payment of the total amount credited to my account.
- Said they are reviewing the security breaches that I raised but remained that 'the four-digit access codes are secure and you can change it anytime according to our clause X of blah blah blah'
- Key point is that I have evidence that ING does send genuine text messages with link asking their customers to log-in via the link provided to open the account. Initially they claimed that ING never sends text messages with links.

Related Stores

ING
ING

Comments

  • +1

    A very good defence for account phishing is using a password manager. Chrome/Safari will offer to record it against the website, and other standalone ones should do too.

    A spoofed website will never ever pop up a prompt to auto-fill your login because the domain will never match, no matter how visually convincing it is.

    If you're vigilant, and all your accounts are in a password manager and domain set correctly, you'll know that no auto-fill means something's wrong.

    • not entirely true, if DNS poisoning has occurred or your local machine compromised then your Chrome/Safari will happily dish up all your passwords to everything. password managers are better for people that can't remember complex passwords, but they are a single point of failure for everything.

      • +2

        Maybe 'never' was too strong. But don't let perfect be the enemy of the good. A password manager, a good one (supported by a reputable company), will raise the security level for the lay person by orders of magnitude.

        DNS spoofing is a real attack but it requires an additional vector to be pulled off so it's less phishing than borderline spearphishing.

        I never want to remember my passwords. They're as long and complex as the site/app supports and are randomly generated with maximum entropy. I become the weakest link if it needs to be recalled.

        • I use a combination. Password manager for less important sites. complex passphrases and MFA for anything important. Even the most reputable password managers have exploits and weaknesses, they are after all just software and it becomes an all your eggs in one basket which is never good security wise. however as you say for the average layperson that uses 123456 or password1 as a password it is exponentially more secure, for someone that uses good pass phrases a password manager is significantly weaker.

      • Assuming the computer isn't already infected in which case DNS poisoning means very little, DNS poisoning on a public wifi or by a rouge AP is a very sophisticated and risky attack and the general public won't be targeted by this.

    • password alone is not secure full stop!, it can easily be brute force with latest video card in matters of hours
      if you care about your financial security don't comprise on this front, do not do any business with financial institution that don't offer app based 2FA

      • not really true at all, even a 8 GPU 4090 rig can't crack complex long passwords in any reasonable amount of time. basically 8 chars you are looking at under an hour, 9 chars that blows out to 3 days. 10 characters is a little under a year. Anything above 10 is not really brute forcable except by luck. go 14 characters above complex and you are safe from brute force. however you are right, anything financial should include a MFA and I would NEVER put a financial based password into a password manager.

  • +2

    Had this message from ING today… guessed it was a fake as I don't bank with them.

    But first thought was to check OzB as I figured that it would have been talked about here.

  • I'd just like to point out, this type of scam is made successful due to data leaks from Optus etc.

    Scammers can easily see what bank you use and what your mobile number is, based on data leaks. They can then use that information to send targetted spoof messages like this.
    Scammers will be cleaning up, thanks to these unsecure big corporation leaks. We all need to be extra careful.

  • Have you file a police report?
    File it, get a copy of the police report number and details of the constable.
    Then lodge a transaction dispute with ING.
    There should be a dispute area to handle this issue, emphasise that you were afraid not to provide your details as the othwe partner force you. Do what it takes to get your hard earned money back.

    • Constable, I clicked on a nasty link and lost all my money! Never fear my dear! I've just booked the next flight to Nigeria, and I'm going to spend the next six months hunting down those bad guys for you!

    • +1

      I filed it and just got a contact from a detective at VicPol

  • +3

    OP, this seems to be a common issue with ING because their 2FA system is so horribly broken.

    LINK: https://apple.news/AiWbaz_bQSQ2iqsjmCpk6NQ

    I have called ING a number of times to at least allow the use of a 6-digit access code, or the use of alphanumeric characters. They never get back to me.

  • I think that anyone who gives someone else their login information to any service, including banking, should wear the consequences of what happens after they do so. ING did nothing wrong here.

    If you don't link ING's security protocol to access your account and transfer funds is good enough for you, change banks.

    • My understanding is that the OP says he did not give the login details to anyone.

      • go to: login.au-my-acc.net
        I clicked on the link
        Entered my client and access number.

        Yes he did. He provided it to the webmasters of the au-my-acc.net website.

        • Yes you are correct. Apologies. Bur how did they set up a new payee without the SMS code?

          • @Yola: I suspect the OP did more to assist them that he is letting on.
            I would have thought a new device would need 2fa mobile code to the existing registered number would be needed but haven't set up a new app or phone recently.

            • @Mr BoMBAStiG: I just reinstalled the app. Needs 2fa mobile otp. There is an option to call ING if the number is wrong. If op had all his details leaked in Optus or Medibank, maybe the scammer was able to call, verify with personal identity answers and update mobile number?

  • +1

    One of the key questions that needs to be clarified is whether a scammer can update the existing payees, by changing the BSB and account numbers, and initiating a transfer to this modified payee without needing to re-authorise the account details using 2FA. If this is the case, then effectively they do not have 2FA, as all that is needed to send a transfer to a new account is the client number and access code. I surely hope this is not the case, as it appears nothing short of stupid and negligent of the bank.

    • On ING website, when you logged in, 2FA is prompted for adding new payee or updating payees.
      No 2FA if you use ING app on iOS.
      I sent them screenshots of the security breaches.

Login or Join to leave a comment