Free data leak: here is a concrete example of a banking scam with your IBAN

The data leak that followed the cyberattack against the operator Free exposed millions of IBANs. With one, unscrupulous companies can take direct debits from your account without your knowledge.

Since it was made public, the data leak from the Free operator has been widely reported in the media. The French Internet service provider informed its subscribers on October 28 that a list containing surnames, first names, dates and places of birth, telephone numbers, subscriber identifiers and IBANs had been stolen by a cybercriminal.

The database was put up for sale on a famous hacker forum. Remember that identification information (name, email address) can be reused for phishing campaigns, by impersonating a bank or Netflix.

The IBAN is perhaps even more interesting when it is combined with other information. In a previous article, Benoit Grunemwald, cybersecurity expert at ESET, explained to us that “unscrupulous companies engage in embezzlement, signing people up for fraudulent subscriptions using this IBAN.”

How would such a company go about it? Jonathan, photographer and tech enthusiast, demonstrated the manoeuvre on the social network X (formerly Twitter) and explained it to us.

How can a company take money from you with your IBAN?

If we had to summarize the manipulation in one sentence: a company can automate direct debits from your account through a professional payment platform such as Stripe (the example used here), using nothing more than an IBAN.

Some conditions naturally exist:

  • The Stripe customer must provide a SIRET number, but this first safeguard is easily circumvented, since anyone can create a company or come to an arrangement with an existing one. In this specific case, Jonathan used his own company’s number.

The second step is probably the simplest:

  • The Stripe customer creates a payment link on Stripe, enters the IBAN and initiates the debit. It’s that easy. Jonathan tested it with his own bank account, initiating payments of 90 cents.

All you have to do is provide the IBAN of the “target” on Stripe. // Source: Jonathan / Photographer

As soon as the bank is informed of the direct debit mandate, a payment is initiated from your bank account. Concretely, the money is withdrawn, but the company cannot touch it until the debtor has accepted the direct debit mandate. Note that there is a seven-day period in which to confirm or contest the authenticity of the payment.

In Jonathan’s case, 90 cents were indeed taken from his account.

The withdrawal of 90 cents from the bank account. // Source: Zojo

In principle, you are therefore informed that money is being withdrawn from you. But once again there are ways to disguise the procedure. “You can give any identity information on Stripe. It is not possible to impersonate another company directly, but a malicious organization may very well give a similar name,” Jonathan explains to us.

A cybercriminal could present himself as the company “Freee” to trap careless Internet users.

Victims of illegal withdrawals from an IBAN

This modus operandi has already been used, notably in a well-known case involving SFAM, today called Indexia. This insurance company set up direct debits without the knowledge of people who had recently purchased technological products.

A malicious organization seeking to steal funds in the same way could easily automate thousands of payments and count on the few victims who were not vigilant.

Depending on your banking application, it is possible to review and block direct debit mandates. Be careful and suspicious of withdrawal notifications: it is often at those moments, when we are least attentive, that we get trapped.
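The two warning signs the article describes, a creditor whose name merely resembles one you know (“Freee” rather than “Free”) and a debit from a creditor you have no contract with, can be checked mechanically when your bank exposes mandate details. The following script is an added example, not code from the article or from Stripe or Free: it screens constructed SEPA direct-debit notifications against a list of creditors the account holder actually has a contract with, keyed by the SEPA Creditor Identifier carried by each genuine mandate. The creditor names, identifiers and amounts are all constructed for the example.

```python
# Added example (not from the article): screening SEPA direct-debit mandate
# notifications against the creditors an account holder expects.
# All names, creditor identifiers and amounts below are constructed.
from dataclasses import dataclass
from difflib import SequenceMatcher


@dataclass(frozen=True)
class MandateNotice:
    creditor_name: str   # name shown in the bank's notification
    creditor_id: str     # SEPA Creditor Identifier (SCI) carried by the mandate
    amount_eur: float
    mandate_ref: str


# Creditors the account holder really has a contract with, keyed by normalised
# name and mapped to the SCI seen on the genuine mandate (constructed values).
EXPECTED_CREDITORS = {
    "FREE": "FR00ZZZ000001",
    "NETFLIX": "NL00ZZZ000002",
}


def normalise(name: str) -> str:
    """Upper-case and keep only letters and digits, so that
    'Free', 'FREE ' and 'F.R.E.E' compare equal."""
    return "".join(ch for ch in name.upper() if ch.isalnum())


def closest_known(name: str, threshold: float = 0.8):
    """Return the expected creditor whose name nearly (but not exactly)
    matches `name`, or None. A ratio of 0.8 catches one-character
    variants such as 'Freee' against 'Free'."""
    norm = normalise(name)
    best, best_score = None, 0.0
    for known in EXPECTED_CREDITORS:
        if known == norm:
            continue
        score = SequenceMatcher(None, norm, known).ratio()
        if score >= threshold and score > best_score:
            best, best_score = known, score
    return best


def screen(notice: MandateNotice) -> tuple[str, str]:
    """Classify one notification as 'trusted', 'suspicious' or 'unknown'."""
    norm = normalise(notice.creditor_name)
    expected_id = EXPECTED_CREDITORS.get(norm)
    if expected_id is not None:
        if notice.creditor_id == expected_id:
            return "trusted", "name and creditor identifier match an existing contract"
        # Same name as a real creditor but a different SCI: a different legal
        # entity is collecting under a familiar name.
        return "suspicious", (
            f"name matches {norm} but creditor identifier {notice.creditor_id} "
            f"differs from the one on file ({expected_id})"
        )
    near = closest_known(notice.creditor_name)
    if near is not None:
        return "suspicious", f"creditor name resembles {near} but is not identical"
    return "unknown", "no contract on file; confirm or reject before the dispute window closes"


# Constructed notifications: a genuine debit, a lookalike creditor taking
# 0.90 EUR, a familiar name under a foreign SCI, and an unrelated creditor.
SAMPLE_NOTICES = [
    MandateNotice("Free", "FR00ZZZ000001", 15.99, "MANDATE-0001"),
    MandateNotice("Freee", "FR00ZZZ424242", 0.90, "MANDATE-0002"),
    MandateNotice("FREE", "FR00ZZZ424242", 29.99, "MANDATE-0003"),
    MandateNotice("Boulangerie Dupont", "FR00ZZZ777777", 4.50, "MANDATE-0004"),
]


def screen_all(notices=SAMPLE_NOTICES) -> list[tuple[str, str, str]]:
    """Return (mandate_ref, verdict, reason) for every notification."""
    return [(n.mandate_ref, *screen(n)) for n in notices]


if __name__ == "__main__":
    for ref, verdict, reason in screen_all():
        print(f"{ref}: {verdict.upper():10} {reason}")
```

The check keys on the creditor identifier rather than on the displayed name because the name is free text chosen by whoever set up the collection, whereas the identifier is tied to the entity that registered with the payment provider; a notification that reuses a familiar name under a different identifier is therefore treated as suspicious rather than trusted.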

Remember also that the hacker kept the entire database out of public view, reserved for malicious buyers. You will therefore not be able to find out whether you are affected by the leak on sites like Have I Been Pwned, but you should normally be notified by Free.


Source: www.numerama.com