Error message, then $13,000 vanishes from his Internet banking account
Info-stealing malware on laptop was culprit
He lost $13,325 merely by logging into his internet banking account on his laptop at his office.
Mr Mark Lim, 47, thought he could keep his online banking safe by using the two-factor authentication - passwords generated by a security token given to each user by the bank.
On May 18, he intended to make a bank transfer from his locally based corporate bank account to the account of his business headquarters in Hong Kong.
But when the project manager keyed in the one-time password (OTP), a strange error page appeared on his screen.
A note on the page said that the website was unavailable and that he should try logging in again in a few hours.
Mr Lim, who works in forensic equipment sales, told The New Paper: "I didn't think anything of the error message at first, but an hour later, I received a message saying that $13,325 has been transferred out of the account." (See picture at right.)
Alarmed by the SMS, he immediately used another computer to log into his bank account again and made the shocking discovery that the money had been transferred to an unknown individual in Hong Kong.
"I thought I had lost the money, which is about three times my monthly salary," said the father of two, who lives in a five-room flat.
He quickly phoned the bank to request that it recalled the money. He also made a police report.
"I was very frustrated because the bank could not recall the money until they had a response from the recipient's bank. If I had lost the money, I would need to pay it back from my own pocket," he said.
Over the course of the week, he made six calls to request for updates, but there were none.
"I was so anxious I couldn't sleep. I didn't tell anyone, not even my wife, as I didn't want people to worry," he said.
He only received e-mails from the local bank, which assured him that the portal was secure and suggested that Mr Lim's computer may have been infected by malware. It also advised him to stay vigilant while banking online.
He was initially angry because he assumed that the problem was with the bank's security, rather than his computer.
But after running a malware-checking software, Mr Lim found out that there was indeed malware on his laptop. He has since updated his antivirus system.
Internet security experts contacted by TNP agreed that Mr Lim's situation looks to be a case of information-stealing malware.
INFO-STEALING
Mr David Siah, Trend Micro Incorporated's Singapore country manager, said: "Typical info-stealing malware has the capability to monitor websites a victim visits, and if a banking website is accessed, it proceeds to steal information by logging keystrokes or taking screenshots.
"The information is then sent to a remote malicious user or hacker."
There are also other ways in which a hacker can access a user's bank account by stealing their OTP. (See above.)
Lawyer Gloria James has seen previous cases of bank customers losing money due to malware.
"The customer should get a screening of their computer and get an expert to check for malware," she said.
Taking these steps will help the customer get his money back from the bank, which is obliged to return the money, added Ms James.
In the end, the $13,325 was returned to Mr Lim on Tuesday.
After his experience, Mr Lim feels that banks should be doing more to inform customers about how thieves can get around the two-step verification and how to prevent such abuse.
"Only someone who is IT literate would be able to know that they have been attacked by malware."
It is not known if any action was taken against the individual in Hong Kong whose account the $13,325 landed in.
Only someone who is IT literate would be able to know that they have been attacked by malware
- Mr Mark Lim, who lost $13,325 during i-banking due to a malware in his laptop.
BE SAFE FROM ONLINE THIEVES
Two-factor authentication can be compromised through malware on your computer or a man-in-the-middle attack, which is done through unsecured networks, said Mr Julian Ho, director at THINKSECURE(r).
He gave these three tips to protect yourself.
1) When surfing the Internet, make sure you only allow Flash and Javascript for content that you can trust, by using browser plugins such as Flashblock and NoScript.
2) When using e-mail: Before opening any attachment, even those from people you know, scan it for viruses and malware using a more comprehensive anti-virus scanner such as https://www.virustotal.com.
3) When surfing in public using unsecured networks, do not perform sensitive work such as internet banking, share-trading or anything involving confidential credentials such as SingPass. These include wi-fi hotspots at cafes and public places.
To be even more secure, set aside a computer for sensitive work. This computer should not be used for any other purpose, for example, e-mail, gaming, or downloading files from the Internet.
Get The New Paper on your phone with the free TNP app. Download from the Apple App Store or Google Play Store now