Ghost hand scam: test sees apps failing; what to do – 10/02/2023 – Market


Three of the four largest private Brazilian banks failed a test of how their apps behave in the presence of remote access programs used in the ghost hand scam, Idec points out in a report released this Monday (2).

In this scam, criminals pose as technicians or customer service professionals to convince the victim to install software that is then used to clean out their bank account. With it, they spy on the person to steal usernames and passwords and then transfer the money.

In the first stage, still in 2022, Idec states that, after identifying customer complaints, it questioned the procedures adopted by the country's largest private banks: Nubank, Bradesco, Itaú and Santander.

Itaú stated, at the time, that it blocked operations on cell phones on which remote access applications were installed, a protocol that came to be considered by Idec as the reference standard for increasing security. “If a bank blocked remote access, for Idec it was a sign that all others should also have this technology”, says the report “Hacked cell phone scam: security is our right”.

In the second stage, the defense entity tested vulnerabilities in each financial institution’s application. Volunteers simulated the invasion of their cell phones using a remote access program. The objective was to test whether the bank’s application continued to work while this spy program was in place.

According to Idec, the test confirmed that only Itaú blocked this remote access program, which would prevent the scam.

In the opinion of Idec economist Ione Marcondes, the test highlights the banks’ weaknesses and shows that they have the option of blocking the ghost hand scam, but choose not to in order to avoid reducing the convenience of using the application. “The risk falls on the customer,” she says.

What the banks say

When contacted for this report, the banks stated that they use other forms of defense, such as artificial intelligence, to identify suspicious financial movements and block them.

Nubank states that, as stated in the institute’s report, the defense mechanisms already implemented by the company made it difficult to carry out the improper transaction. According to the bank, these mechanisms were already capable of preventing the operation from taking place, since the situation in which the test occurred differs, in a series of factors, from a real situation of an attempted scam.

“Nubank customers who have their applications updated already have additional layers of protection, including mechanisms that effectively block the use of the Nubank application via remote access”, says the digital bank.

Bradesco states that it frequently implements security devices to combat the most diverse fraud/scam attempts, to mitigate the risk of transactions carried out across all service channels.

Customers can send suspicious messages to the reporting channel: [email protected]. “These messages are evaluated, fake websites are taken down daily and telephone companies are contacted to disable phone numbers used for fraud.”

Santander states that it has effective protection mechanisms to ensure the safe operation of its application by customers. “The institution highlights its confidence in the integrity and efficiency of its protection mechanisms and systems, as well as in the operational security of its channels, products and services, providing protection and security to customers.”

Itaú confirms that it prohibits customers from accessing the bank’s app while the remote access program is active. “The customer can, for example, use some remote access software to do what needs to be done in other applications or resources, but not in the bank.”


What to do if you fell victim to the ghost hand scam

To try to recover the money lost in the ghost hand scam, the person must:

  • Register a police report at the virtual police station
  • Dispute transactions with the bank
  • If unsuccessful in suspending the transactions, seek legal action

“The bank that causes damage due to a proven security breach must repair it, even in fortuitous cases of fraud or acts carried out by other people through banking operations, as per the understanding settled by the STJ [Superior Tribunal de Justiça]”, says the Idec report. According to the Consumer Protection Code, the party that must prove responsibility for the failure is the supplier of the service under dispute.

According to AllowMe, a security company for digital platforms, the most skilled fraudsters are able to bypass the blocking of remote access programs using vulnerabilities. “It is essential to keep your cell phone and applications up to date”, recommends the chief executive of AllowMe, Gustavo Monteiro.

Financial institutions do not reach out to customers to ask for personal information that could enable banking operations.
