The bank in question is SANTANDER (no point in hiding it!). Most Brazilian users ALREADY know they should NEVER use more than a single code from the token card. And, if the associated PIN is incorrect, the bank's systems always request the SAME code.
The banks (Santander, Bradesco, Banco do Brasil and Itaú from my personal experience) all repeatedly warn users to never click links in SMSs, emails, and to always initiate transactions from the bank's website.
Unfortunately, "most users" does not equal "all users", so there's always someone ready to fall for this scam.
About the CPF format: it is made of 9 digits plus two check digits, calculated from the previous ones. The formula is very simple (you could calculate them by hand if you wished to), but again, simply filling in the punctuation for a random number would not work unless by pure luck (1% chance).
About the "token card": if the user keeps it secret, and doesn't do stupid things like taking a freaking photo of the card and sending it to complete strangers, it is a surprisingly rugged, low-cost and efficient solution. For customers with higher balances/incomes/investments, most banks operating in Brazil (Santander included) will "upgrade" you to an electronic token, or at least a smartphone token. For a small monthly fee, of course.
Finally, I have already lost count of the times similar scams came and went. In the past, they were very easy to spot as scams because of glaring typos, grammar errors, bad imagery, etc., but lately they have become much harder to spot.
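The CPF check-digit scheme the comment above refers to, written out as an added example (this is my own illustration, not code from the commenter, the article, or any bank). It implements the standard mod-11 algorithm used for Brazilian CPF numbers: the first check digit is computed over the nine base digits with weights 10 down to 2, the second over those nine plus the first check digit with weights 11 down to 2; a remainder below 2 yields 0, otherwise 11 minus the remainder. The rejection of all-same-digit strings (e.g. 111.111.111-11), which pass the checksum but are not issued, is a common validator convention assumed here. The sample numbers and the hit-rate estimate are constructed for the example; the estimate shows why punctuating a random 11-digit number only validates about 1% of the time.

```python
import random
import re

# Mod-11 check-digit computation for a CPF (Brazilian taxpayer number).
# Example code added for illustration; it follows the published CPF
# algorithm but is not taken from the page or from any bank's software.

def _check_digit(digits, first_weight):
    """Return one mod-11 check digit for `digits` using weights
    first_weight, first_weight-1, ..., 2."""
    total = sum(int(d) * w for d, w in zip(digits, range(first_weight, 1, -1)))
    remainder = total % 11
    return "0" if remainder < 2 else str(11 - remainder)


def check_digits(base9):
    """Compute the two check digits for a 9-digit CPF base."""
    if not re.fullmatch(r"\d{9}", base9):
        raise ValueError("base must be exactly 9 digits")
    dv1 = _check_digit(base9, 10)            # weights 10..2 over 9 digits
    dv2 = _check_digit(base9 + dv1, 11)      # weights 11..2 over 10 digits
    return dv1 + dv2


def strip_cpf(text):
    """Drop the usual '.' and '-' punctuation, keeping only digits."""
    return re.sub(r"\D", "", text)


def is_valid_cpf(text):
    """True if `text` (with or without punctuation) is a well-formed CPF
    whose check digits match and which is not a repeated-digit string."""
    digits = strip_cpf(text)
    if len(digits) != 11:
        return False
    if digits == digits[0] * 11:             # 000.000.000-00 etc. (convention)
        return False
    return check_digits(digits[:9]) == digits[9:]


def format_cpf(digits):
    """Render 11 bare digits as NNN.NNN.NNN-NN."""
    d = strip_cpf(digits)
    if len(d) != 11:
        raise ValueError("CPF must have 11 digits")
    return f"{d[0:3]}.{d[3:6]}.{d[6:9]}-{d[9:11]}"


def random_hit_rate(samples=20000, seed=1):
    """Fraction of uniformly random 11-digit strings that validate as a CPF.
    Constructed experiment: with two check digits the expected rate is ~1%."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(samples):
        candidate = "".join(rng.choice("0123456789") for _ in range(11))
        if is_valid_cpf(candidate):
            hits += 1
    return hits / samples


if __name__ == "__main__":
    # Constructed sample values (commonly used test numbers, not real people).
    print(format_cpf("529982247" + check_digits("529982247")))   # 529.982.247-25
    print(is_valid_cpf("529.982.247-25"), is_valid_cpf("529.982.247-26"))
    print(f"random 11-digit hit rate: {random_hit_rate():.3%}")
```

`is_valid_cpf` only tells you the number is well-formed; it says nothing about whether it belongs to the person on the other end of the phishing page, which is exactly why a scammer who already holds a victim's real CPF can present it back convincingly.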