Cyber fraud unearths potential loophole at Vietnamese bank's security system

By Thanh Thanh Lan   August 13, 2016 | 12:00 am PT
$22,400 disappeared from a client's bank account. Investigation is ongoing.

A client of Vietnam’s state-run bank on August 5 has reported that VND500 million ($22,400) was debited from her account without her knowledge.

Seven transactions totaling $22,400 were made during the night of August 4 from the account of Hoang Thi Na Huong, a client of Bank for Foreign Trade of Vietnam JSC., Vietcombank. Huong claims she did not conduct any relevant transactions or receive any confirmation of such. 

She said she still had the bank card with her at the time of the transactions and said to have not received any OTP (one-time password) confirmation code the bank normally sends her after a transaction is made.

The bank was able to hold back VND300 million ($13,455) in the system. The rest of the money, according to Vietcombank, was withdrawn through an ATM in Malaysia.

Based on the information provided by Huong, Vietcombank confirmed in a statement August 12 that the client has accessed a fake website on July 28 using her mobile phone, which led to her account information and internet banking password being stolen. The link was found by the bank in the browsing history of Huong’s phone on August 11. 

On August 4, the hackers logged in to Huong’ account to transfer money to various accounts at three banks in Vietnam.

That Huong had not received any confirmation code of the transactions was explained by the fact her account setting was changed to receive the confirmation code through an OTP-generating smartphone app instead of the traditional SMS. Huong dismissed this change, saying she's unfamiliar with such technology. 

Huong agreed to leave the phone containing the fake link to the authorities for further investigation.

Vietcombank has sent a text message to all its clients warning against providing bank account information via email, social networks and strange websites following the incident and suspended online registration for the OTP-generating app.

The hijacking was a shock to bank account owners in Vietnam, where annual average income was around $2,100 last year, according to the World Bank.

In May, Vietnam’s Tien Phong Bank nearly fell victim of a massive cyber attack using fraudulent SWIFT messages. TPBank said that the attack might have been facilitated using malware installed on a software application used by the third-party vendor. The servers of the third-party vendor were based overseas, but did not say where.

Related news:

Vietnam bank nearly falls victim of massive cyber theft like Bangladesh central bank

Hackers attack Vietnamese cyber security company

Vietnam Airlines under cyber-attack since 2014: security group

go to top