I’m gonna yap about losing some money from my e-banking app. (Spoiler warning: I lost ~P60)
This morning, I woke up to text notifications from Maya declaring THREE successful payments of P19.91 to a certain Google Step Drop. These purchases were made at 02:41 in the morning, when I was sound asleep.
Fearing for my finances, I immediately opened the app and found my Maya Wallet drained to a single peso. Thankfully, my Maya Savings were still intact.
Still confused about the rogue transactions, I checked my google purchase history. A hacked google account is more damaging to me than my Maya account, to be honest. There were no corresponding purchases in my transaction history so I can say that my account is still secure. It seems that the payments were made under a different google account, but using my Maya wallet’s credentials.
I assumed that the only way to get my credentials is from my physical Maya card (because I never activated an online card). The said card was still inside my wallet and I never used it for online purchases that weren’t secured by a payment portal.
After verifying that my Maya account is linked only to my phone (always has been), I deactivated my physical Maya card. That way, there will be no way to purchase anything using my credentials anymore…
…is what I thought, until a few days later when I received another text message that a purchase was attempted, this time for Amazon.com.
How is this hacker still using my Wallet without any working credentials??? After a day, another text. This time, an incomplete payment for Google Temporary Hold. 3 hours later, another one for Amazon.com. Crazy. I’m glad I didn’t put any amount in my wallet after deactivating my card, because that apparently didn’t solve anything.
I already submitted a fraud report to Maya, but I doubt they will put any importance to a <P60 concern. Reading online, I’ve seen others affected similarly, but losing far bigger amounts than I. This is a common occurrence and the best way to recover some (if any) of the money is to escalate the issue by involving BSP (consumeraffairs@bsp.gov.ph) in the email exchanges.
I also learned about BIN attacks which seemed to be what happened to me.
A BIN (Bank Information Number) attack is an act of guessing an accurate combination of a debit or credit card number, Card Verification Value (CVV), and expiry date using brute-force computing. Once this has been completed and the fraudster acquires the right information, they use the card to commit fraudulent transactions.
After generating a number of card combinations, the fraudster then tests them by using them on online merchants and payment gateways. At this point, they are verifying that they have a legitimate card number, and the related information they need to use it (the CVV, the expiry date, and any other information about the cardholder they can garner or guess).
This might explain how they were able to make the initial payments using my wallet, but I’m still at a loss on how the additional transactions were made even after my card was already deactivated.
This just goes to show that you can be victimized no matter how careful you are. I’m just going to wait this out and see if the hacker gets bored and lists my Maya account as empty and moves on to other victims. I’ve also started migrating my savings out of Maya anyway. With how easy their system can be compromised, I’m better off moving my assets somewhere else.
This was a light ordeal that could have gone horribly wrong had I stored a different amount in my Maya wallet. Let this serve as a reminder to be absolutely vigilant and not put all your eggs in one basket. Because nowadays, you can’t even trust the baskets to hold your eggs correctly.
Stay uncompromised!
-jgzn
