Free data leak: what are the risks if your IBAN is affected?
The operator Free recently issued a press release on the massive cyberattack of which it was the victim. The provider's subscribers did not all receive the same email: some users, fewer in number, also had their IBAN stolen in the attack. What are the risks incurred by the user if their IBAN is stolen by a hacker?
IBAN theft: what are you risking?
The IBAN (International Bank Account Number) is the identifier of an international bank account. It is what allows creditors to debit sums due from a bank account, as part of a telephone subscription or a gym membership, for example. The IBAN can also be used to repay the monthly installments of a loan from an approved organization, such as a bank. Mere possession of an IBAN does not offer much leeway for malicious acts. However, holding information associated with an IBAN, such as the individual's first name, last name, city of birth and postal address, can cause more problems.
Among the fraudulent acts on the rise in recent years, we have noted in particular loans taken out using stolen IBANs and personal information. To do this, hackers generally turn to online banks, which are often less careful when it comes to identity verification. The process is made easier since no physical meeting with an advisor is required. By forging a signature and using a false proof of address that matches the real address of the individual affected by the leak, the crooks can try to take out various financial products using the victim's IBAN.
However, aware that most banks have a high level of security to counter fake SEPA direct debit mandates and secure the funds in the bank account, hackers have other cards to play. Given the rather large set of data stolen in the Free cyberattack, “SIM swap” scams should be closely monitored. SIM swapping consists of the theft of your telephone SIM card. To steal it discreetly, the hacker uses social engineering techniques. Generally, he fools a telephone advisor from the operator – in this context, Free – by explaining that he has lost his SIM card and absolutely needs to use his phone since he is abroad. He asks the telephone advisor to provide him with an eSIM. As eSIMs are dematerialized, they can be activated remotely, without inserting a physical card. Once the scammer is in possession of the eSIM corresponding to the victim's telephone number, accessing and changing numerous passwords becomes easier, since he can receive the victim's SMS messages… including those which contain the identifiers of the hacked individual's banking application.
Protecting yourself from fraudulent direct debits: the whitelist
A solution exists to protect against IBAN fraud attempts. Individuals concerned about the repercussions of a leak of their confidential data can ask their bank to set up a whitelist. In other words, each new creditor will have to be added manually before it can withdraw sums from the bank account concerned. Although this system is somewhat restrictive – since it requires a little more attention from the account holder in managing their accounts – it appears to be the most effective solution to date to counter any fraudulent withdrawal.