Véronique M., an independent real estate agent about to file for bankruptcy, because of a debt of more than €250,000.
When Véronique M. was informed by her bank that her company’s current account did not have the sufficient credit to pay the office rent and the ongoing bills, she initially thought it was an accounting error.
Unfortunately, she then learned that four days earlier, a transfer of €252.000.- was made electronically from her bank account. All her savings were gone and her credit line was completely depleted. The transaction seemed correct from the perspective of the bank and a cancellation was not possible at the time.
Like most merchants, Véronique M. performs her banking operations through a SmartCard. A SmartCard is a plastic card with a microchip and can be used as digital identity.
To use the SmartCard, Véronique M. owns an external card reader that has to be connected to a computer. This way, she can digitally sign messages, documents or transactions, using a security pin code. In fact, the electronically signed documents have the same legal value as a document signed by hand.
Véronique M. is always very cautious with her data. She is the only one to know the password and she never wrote it down or disclosed it to third parties.
How did it happen?
It is hard to imagine that such a professional and cautious person could be the victim of cybercriminals.
In fact, some time ago, she received an email about a very attractive real estate project. A zip file was also attached to it. Out of curiosity for the project that was meant to be really lucrative, she instantly clicked on the attachment and thus, downloaded a malware.
The file in question was actually a banking Trojan horse, which spreads via email with attachments. It was then “patiently awaiting” in the background that Véronique M. connects to do a banking transaction, in order to intercept the login data, including the PIN.
When she tried to check her account balance before the long weekend, a message appeared on the computer indicating that the requested page was not accessible and under maintenance.
As Véronique M. never removes her SmartCard from the reader and leaves it connected to the computer, it was easy for the attacker to take her identity and steal from her bank account.
What does Véronique M. need to do now?
The transaction could have been stopped, using the “Cellule de renseignement financier (CRF)” from Luxembourg’s Prosecutor General in the 24 hours following the attack. Unfortunately Véronique M. noticed the fraud only after the long weekend; the cancellation was no longer possible.
Nevertheless, Véronique M. should:
- Immediately block her SmartCard,
- Request technical analysis of the targeted computer from an expert or CERT (Computer Emergency Response Team), namely: circl.lu,
- And / or initiate legal proceedings for a legal analysis of the hard drive.NB: The last two measures are used to save the proofs and reconstruct the chronology of the events.
How could it be avoided?
Véronique M. should have:
- been more cautious when receiving the incriminated email. The attachments with unusual extensions like zip or exe should have alerted her,
- not left the SmartCard into the card reader connected to the computer. Once a transaction is completed, the card must always be removed from the reader,
- Only use a computer dedicated to banking and never use it for other online or e-mail activities.
- use a computer dedicated exclusively to banking,
- remove the SmartCard card reader when not used,
- perform regular updates of the operating system and browser,
- use an up to date antivirus program,
- use an encrypted SSL connection (indicated by the HTTPS or by a padlock in the address bar),
- do not save PINs, TANs, passwords and access data on the computer and never write them down or disclose to third parties,
- do not use public computers or networks to perform banking and commercial transactions online,
- apply the same rules for banking and commercial transactions via Smartphone.