BGL customers defrauded
Victim of BGL phishing attack suggests online banking and LuxTrust token system is flawed

RTL Today
14 BGL BNP Paribas clients fell victim to phishing attacks in which money was stolen from their accounts over the last two weeks.

Initial reports, including one by the Tageblatt, spoke of relatively small sums of just under €5,000 being stolen.

One of the victims came forward to dispute the initial report, saying the amount stolen from him was much higher, and highlighted the questions that have yet to be answered.

After contacting RTL and telling our colleagues that he had only recently joined the bank, he went on to produce a bank statement showing exactly how much had been withdrawn from his account: six transactions of €3,000 and one of €1,900, a total of €19,900 in stolen funds.

Most banks use a three-step security process for clients logging in to their account: a username, usually a mix of letters and digits; a password, which should contain uppercase and lowercase letters, digits and symbols; and finally a one-time password read from the client's LuxTrust token.

The man admitted that this process should be safe, but that BGL’s usernames are formed of ten digits without letters, which can easily be discerned by others. The victim added that the LuxTrust token is the ‘second major security flaw’, pointing out that the same one-time password with six digits is available for too long without requiring a refresh.

Rather than being valid for only a few seconds, just long enough for the user to log in or approve a transaction, the LuxTrust token keeps displaying the same code for three minutes. Those three minutes gave the scammers ample time to make seven transactions on the victim's account.

The bank has since addressed the flaw: customers must now enter their code on two separate occasions.
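The weakness described above is a replay problem: a code that stays valid for a long window, and that the bank accepts any number of times within that window, can be phished once and reused for every transfer the attacker manages to submit before it expires. The following is an added example written for this page, not LuxTrust's or BGL's code. It models the token as a standard time-based one-time password (RFC 6238 style) whose code is constant for a 180-second step, which is an assumption standing in for the three minutes the article reports, and it compares three hypothetical bank-side policies: accept any matching code, consume each code on first use, and require a code bound to the payee and amount. The secret, timestamps and payee IBAN are constructed.

```python
"""
Toy model of a one-time-password window and the replay it allows.

Added example: this is not LuxTrust's or BGL's code.  Assumptions: the token
is modelled as a time-based OTP whose code is constant for a 180-second step
(the three minutes the article describes); the verifier policies are
hypothetical; the secret, timestamps and payee IBAN are constructed.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 180   # assumption: three-minute window modelled as the TOTP step
DIGITS = 6


def _hotp(secret: bytes, message: bytes) -> str:
    """HOTP-style dynamic truncation (RFC 4226) over an arbitrary message."""
    mac = hmac.new(secret, message, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


def totp(secret: bytes, t: int) -> str:
    """Login code: depends only on the current 180-second window."""
    return _hotp(secret, struct.pack(">Q", t // STEP_SECONDS))


def transaction_code(secret: bytes, t: int, iban: str, amount_cents: int) -> str:
    """Transaction-signing code: bound to the window AND to payee and amount."""
    msg = (struct.pack(">Q", t // STEP_SECONDS)
           + iban.encode()
           + struct.pack(">Q", amount_cents))
    return _hotp(secret, msg)


class NaiveVerifier:
    """Accepts any code matching the current window, however often it is shown."""
    def __init__(self, secret: bytes):
        self.secret = secret

    def authorize_transfer(self, code: str, t: int, iban: str, amount_cents: int) -> bool:
        return hmac.compare_digest(code, totp(self.secret, t))


class SingleUseVerifier(NaiveVerifier):
    """Same window, but each window's code is consumed on first successful use."""
    def __init__(self, secret: bytes):
        super().__init__(secret)
        self.used_windows = set()

    def authorize_transfer(self, code, t, iban, amount_cents):
        window = t // STEP_SECONDS
        if window in self.used_windows:
            return False                      # replay inside the window: rejected
        if not super().authorize_transfer(code, t, iban, amount_cents):
            return False
        self.used_windows.add(window)
        return True


class TransactionBoundVerifier(NaiveVerifier):
    """Requires a code computed over payee and amount; a phished login code is useless."""
    def authorize_transfer(self, code, t, iban, amount_cents):
        return hmac.compare_digest(code, transaction_code(self.secret, t, iban, amount_cents))


def replay_attack(verifier, phished_code: str, t0: int, attempts: int) -> int:
    """Attacker captured `phished_code` at t0 and fires `attempts` transfers 10 s apart.

    Returns how many of those transfers the verifier authorised."""
    payee = "DE00000000000000000000"          # constructed placeholder IBAN
    return sum(
        verifier.authorize_transfer(phished_code, t0 + 10 * i, payee, 300_000)
        for i in range(attempts)
    )


if __name__ == "__main__":
    secret = b"constructed-demo-secret"
    t0 = 1_600_000_000 - 1_600_000_000 % STEP_SECONDS   # start of a window
    code = totp(secret, t0)
    for v in (NaiveVerifier(secret), SingleUseVerifier(secret), TransactionBoundVerifier(secret)):
        print(f"{type(v).__name__:24s} transfers authorised with one phished code: "
              f"{replay_attack(v, code, t0, 7)}")
```

With the naive policy all seven transfers go through on the single phished code; consuming the code on first use cuts that to one; binding the code to payee and amount means the login code the victim typed into the fake site authorises nothing. Whichever policy a bank chooses, the window length (30 seconds versus three minutes) only changes how many transfers fit inside it; the single-use and transaction-binding rules are what stop the replay.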

How hackers got access

The man said that because he was a client of the bank’s, he was not suspicious when he received an email addressed to his private email address. This email claimed that he had an important message from BGL on his online-banking account. He explained that as everything was new to him and needed to be set up, he did not question the email. He opened the link in the email, which opened a very accurate imitation of the BGL online banking website. The scammers even included a security captcha in which users must select a pre-selected photograph out of a dozen other images.

Once logged in to online banking, the man felt something was amiss. He immediately contacted his bank adviser by email, but got no response. Not long after, the hackers transferred the seven sums to a German bank. As is typical in such cases, the fraudsters split the money into several smaller transfers rather than one large sum because they knew the bank automatically applies stricter checks to transactions over €5,000.

Once a transaction hits €20,000, the bank’s alert is set off.
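Splitting €19,900 into seven transfers of €3,000 or less is a textbook way of staying under a per-transaction review threshold, and a purely per-transaction check will never see it. What catches it is a velocity rule: aggregate what an account sends to the same payee over a rolling window and alert when the total, or the pattern, looks wrong even though every single transfer is below the limit. The following is an added example, not BGL's fraud-detection logic. The €5,000 review threshold and €20,000 alert come from the article; the 24-hour window, the €10,000 aggregate trigger, the "new payee" rule, the account names and the sample transfers are all constructed for illustration.

```python
"""
Per-transaction thresholds versus a rolling-window velocity check.

Added example, not BGL's code.  Thresholds of EUR 5,000 (stricter checks) and
EUR 20,000 (alert) are taken from the article; the 24-hour window, the
EUR 10,000 aggregate trigger, the new-payee rule and all sample data are
constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

PER_TX_REVIEW = 5_000_00      # cents: stricter checks above EUR 5,000 (article)
HARD_ALERT = 20_000_00        # cents: alert at EUR 20,000 (article)
WINDOW = timedelta(hours=24)  # assumption: rolling aggregation window
BURST_ALERT = 10_000_00       # assumption: aggregate to one new payee in the window


@dataclass(frozen=True)
class Transfer:
    ts: datetime
    account: str
    payee_iban: str
    amount_cents: int


def review_transfers(transfers, known_payees):
    """Return a list of (alert_type, account, timestamp) tuples.

    known_payees maps account -> set of IBANs the client has paid before.
    Per-transaction rules fire on each transfer; the structuring rule fires
    once per (account, payee) when the rolling-window total crosses BURST_ALERT
    and the payee is new to that account."""
    alerts = []
    recent = {}          # (account, payee) -> transfers inside the window
    already_flagged = set()
    for tx in sorted(transfers, key=lambda t: t.ts):
        # Rules a per-transaction check would apply on its own.
        if tx.amount_cents >= HARD_ALERT:
            alerts.append(("hard_alert", tx.account, tx.ts))
        elif tx.amount_cents > PER_TX_REVIEW:
            alerts.append(("manual_review", tx.account, tx.ts))

        # Velocity rule: keep only transfers still inside the window, then sum.
        key = (tx.account, tx.payee_iban)
        window = [t for t in recent.get(key, []) if tx.ts - t.ts <= WINDOW] + [tx]
        recent[key] = window
        total = sum(t.amount_cents for t in window)
        is_new_payee = tx.payee_iban not in known_payees.get(tx.account, set())
        if is_new_payee and total >= BURST_ALERT and key not in already_flagged:
            alerts.append(("structuring_suspected", tx.account, tx.ts))
            already_flagged.add(key)
    return alerts


# Constructed sample: the article's pattern (6 x EUR 3,000 + EUR 1,900 within
# an hour, to a payee the account has never used) plus two ordinary transfers.
START = datetime(2020, 2, 24, 10, 0)
NEW_PAYEE = "DE00000000000000000000"
SAMPLE_TRANSFERS = [
    Transfer(START + timedelta(minutes=10 * i), "LU-victim", NEW_PAYEE, 300_000)
    for i in range(6)
] + [
    Transfer(START + timedelta(minutes=60), "LU-victim", NEW_PAYEE, 190_000),
    Transfer(START, "LU-control", "LU11111111111111111111", 300_000),
    Transfer(START + timedelta(hours=2), "LU-control", "LU11111111111111111111", 600_000),
]
KNOWN_PAYEES = {"LU-control": {"LU11111111111111111111"}}


if __name__ == "__main__":
    for alert in review_transfers(SAMPLE_TRANSFERS, KNOWN_PAYEES):
        print(alert)
```

Run against the constructed data, the seven victim transfers raise no per-transaction alert at all, since each is under €5,000, but the structuring rule fires on the fourth transfer, when the rolling total to the new payee reaches €12,000; the control account's €6,000 transfer to a known payee gets an ordinary manual review and nothing else.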

The victim told RTL that BGL BNP Paribas was aware of the risk of fraud by Friday 21 February. From that point onwards, the online banking website carried the warning ‘be careful of phishing’. That proved insufficient: the money was taken on 24 February.

The transactions were sent to the German online bank N26. BGL contacted the bank, but its German counterparts have yet to respond, another aspect the victim finds odd.

Questions requiring answers

In the aftermath of the fraud, a number of questions require answers. For one, how exactly did hackers access the man’s private email address? How did they know which identification photograph the man had selected on his online banking page? How come N26 has not reacted to BGL’s requests?

A further question is whether the LuxTrust token code really remains valid for three minutes, and whether this poses a risk at other banks.

Our colleagues at RTL Radio will pursue these questions with the relevant authorities. BGL was contacted for comment, but had not responded by Tuesday at 7 pm.

As a reminder, any victims of phishing attacks who feel that their funds or systems are no longer secure should contact the CSSF, the supervisory authority for the financial sector.

The CSSF is available to mediate between customers and banks where necessary.

PDF: Statement from BGL
