Revolut - Fraudulent Transactions

So what is the most likely thing happening here?

1) People are clicking on some link and their phone is compromised.
2) They don't realise that their phone has been compromised.
3) The scammers are in control of the phone.
4) They find the credit card details on the phone (?)
5) They apply to add them to Apple Pay or Google Pay on their own phone.
6) Revolut sends a code to the compromised phone which the scammers have access to.
7) They complete the addition of the card to Apple Pay and then spend the money.
8) They do this during the night so that the victim is asleep and does not notice it.

In the morning they see that their Revolut account has been cleaned out.
They complain to Revolut but Revolut tells them that they authorised the addition of their phone to Apple Pay which their phone did.
 
How could I tell if my phone is compromised?

Why is it only Revolut which is being reported? Is it also happening to BoI and AIB customers? We would expect to hear from BoI and AIB customers to say "My account was cleared out while I slept but when I phoned AIB the next morning, they refunded me the money in full."
 
but it claims Ireland is the most phished country in the world
It wouldn’t surprise me. Ireland is at the centre of the Venn diagram:
1. English speaking - much easier for the organised crime groups as no language barrier
2. Spoofing numbers for calls and SMS seems very easy for Ireland. There seems to be no real action from regulator/industry yet
3. Member of Single Euro Payments Area (SEPA) means very easy to wire funds to another bank in another jurisdiction. Makes detection much more difficult
4. Increasing preference of merchants for card payments over direct debit/credit transfer/cash
 
In one case I heard on the radio, the person who was defrauded received a call from the scammers, purporting to be their bank (Revolut). They said they trusted the caller because they were able to list their last few transactions. They then went on to describe how they were scammed out of the money in their account. Not one person on the radio segment referred to the fraudsters knowing the transactions. To me it appears that the account was already compromised, and all the fraudsters needed to do was to scam the user into approving a fake transaction.
It appears to me that the only ways they could have known the transactions are :

(1) User's account was already compromised via phishing (or device hack)
(2) Family or friend had access to the account
(3) Fraud within Revolut
(4) Technical "hack" of Revolut

(IMO - listed in order of likelihood)
Without knowing the details it is very hard to say. But if they had access to their account already and were able to see transactions why would they even need to call the person to steal money from them. It is possible the scammers just guessed. Maybe the didn't mention values of transactions and just said they can see a transaction from Tesco and a transaction from Amazon. That won't fool everyone but with these scammers it is a numbers game. You ring a load of people and hit them with this type of thing and a few bite. It doesn't have to be incredibly plausible and fool proof.

I actually remember reading a few years ago that these scams usually are delibritely a bit dodgy sounding because they don't want to waste time of the person who is hard to scam. You make it sound a bit dodgy or not stand up to too much scrutiny and the people that are hard to scam will just hang up and the people who stay on the phone are the people that are more likely to fall for it.
 
So what is the most likely thing happening here?

1) People are clicking on some link and their phone is compromised.
2) They don't realise that their phone has been compromised.
3) The scammers are in control of the phone.
4) They find the credit card details on the phone (?)
5) They apply to add them to Apple Pay or Google Pay on their own phone.
6) Revolut sends a code to the compromised phone which the scammers have access to.
7) They complete the addition of the card to Apple Pay and then spend the money.
8) They do this during the night so that the victim is asleep and does not notice it.

In the morning they see that their Revolut account has been cleaned out.
They complain to Revolut but Revolut tells them that they authorised the addition of their phone to Apple Pay which their phone did.
It is probably the calls that say you have been charged for amazon prime on your Revolut account and ask is it authorised. Those people hang on the phone then get put through to what they are told is revolut support. The scammers tell them they will block the card and refund the payment but they need some details first. Maybe even scare them a little bit and say there are transactions for hundreds or thousands coming through.

Then I imagine they give out their card details, scammer adds it to apple pay or google pay and gets the 6 digit code from the person which the scammers tell them they need to reverse the transactions.
How could I tell if my phone is compromised?

Why is it only Revolut which is being reported? Is it also happening to BoI and AIB customers? We would expect to hear from BoI and AIB customers to say "My account was cleared out while I slept but when I phoned AIB the next morning, they refunded me the money in full."
I imagine it is mainly Revolut being reported because they are targetted more and also they seem to say tough luck to most people getting scammed. It happens to other banks as well but those banks are more likely to suck it up and give the person their money back. You are less likely to go to the papers and the story is less likely to get published if the person got their money back.
 
It's almost impossible to say what's going on with these anecdotal reports of "hacks" without specific details or a forensic analysis of specific cases. Ultimately everybody is guessing about what might've happened with little or no hard evidence to go on. And, as such, most of the resulting discussion is pointless other than to reiterate the usual advice regarding how best to maintain online/phone/banking security/safety. For example...
 
Last edited:
Without knowing the details it is very hard to say. But if they had access to their account already and were able to see transactions why would they even need to call the person to steal money from them.
My assumption is that, in this case, the account was compromised, but not the phone/device. So, they could initiate a transaction, but needed the customers unwitting cooperation to authorise any codes sent to their phone. Obviously this is just a guess on my part, but is definitely one way to successfully scam someone !
I was surprised that no one noted that they knew the transactions, or enquired any further into this (on the radio).
As others have said, some detailed investigation of actual cases is needed to discover the actual issues.
 
One potential security weakness with Revolut I just noticed. When users log in with their passcode, each digit briefly lights up when being tapped. This means that anyone able to capture & record what's happening on someone's screen knows their Revolut passcode. None of the other banking apps I use do this. Maybe one reason Revolut accounts seem to get hacked so much.
 
One potential security weakness with Revolut I just noticed. When users log in with their passcode, each digit briefly lights up when being tapped. This means that anyone able to capture & record what's happening on someone's screen knows their Revolut passcode. None of the other banking apps I use do this. Maybe one reason Revolut accounts seem to get hacked so much.
That's a good point. What annoys me with N26 is that the log in is a saved password (biometric is the only other alternative) so if I had that app on the phone I walk around with and someone had access to my phone they'd be in to the app (although to do transfers etc would have to use a pin). Hence I don't.
 
How could I tell if my phone is compromised?

Why is it only Revolut which is being reported? Is it also happening to BoI and AIB customers? We would expect to hear from BoI and AIB customers to say "My account was cleared out while I slept but when I phoned AIB the next morning, they refunded me the money in full."
One of the classic examples of fraud is the "Evil Twin" fraud. This is where someone sets up a near duplicate (In terms of look and address) of a publically available wi fi system. Often done at airports where tourists coming in are perhaps nervous around data usage. Person clicks on the link and then thinks they are added to a legitimate wi-fi system when in reality they are on the fraudulent "evil twin". If they then carry out a transaction using Revolut, the fraudsters will capture the details and that should be enough. If they've not used any other financial apps, then the fraudsters may not have got those log ins.

I can't say what happened here but if someones account is cleaned out because they carried out financial transactions whilst attached to a public wi-fi, then the banks should not be liable for a persons gross stupidity.
 
It's correct to assume that encryption should be in place but there are ways around it. For example, in a lot of public wifi's they ask for an email address and password and a lot of people are lazy and will just use their standard password. Secondly, once that is done, you may get asked to tick a box and unknown to yourself, download a rogue cert etc. Suddenly the fraudster may have your core details, a rogue cert on your phone and an ability to perform as a "man in the middle" and intercept your data. How many of us have ignored an SSL certificate warning. ?

Most attempts will fail, but they only need a handful to make a very good living for the fraudsters
 
It's correct to assume that encryption should be in place but there are ways around it. For example, in a lot of public wifi's they ask for an email address and password and a lot of people are lazy and will just use their standard password. Secondly, once that is done, you may get asked to tick a box and unknown to yourself, download a rogue cert etc. Suddenly the fraudster may have your core details, a rogue cert on your phone and an ability to perform as a "man in the middle" and intercept your data. How many of us have ignored an SSL certificate warning. ?

Most attempts will fail, but they only need a handful to make a very good living for the fraudsters
Every site uses TLS encryption these days. Just look at the URL for this site. It begins with https. So there's no way for the Wi-Fi hotspot to snoop on the traffic. And if they tried to spoof the website (man in the middle attack), then they wouldn't have a valid TLS cert, so it would fail. And if they tried to downgrade the traffic to plain http, the browser would flash a warning.

If you ever try to install a new root certificate on your device you will get a big warning about whether to trust this, so I don't see how the operator of a malicious WiFi hotspot could get a user to download a rogue root cert without big warnings flashing up either.

That's not to say that there aren't other dangers with using public WiFi. But I think the danger of your passwords being snooped is minimal nowadays due to almost universal adoption of TLS for websites and browser warnings when anything unusual with TLS is happening. The exception is if the WiFi provider itself asks you to sign up to it's service with an email address and password and you re-use your existing password that you also use for your email account or anything else.
 
Back
Top