Alfa Bank (Russia) in bed with con artists?

 

#AlfaBankFraud



[Originally published in Russian as "Альфа-банк в сговоре с мошенниками?" here]

This is the next instalment in my series of posts about the bank fraud I fell victim to. My last post is here.

As I already reported, on 30 June 2020 I got a call on my mobile, whose number is linked to my Alfa Bank account. The caller addressed me by my first name and patronymic, having introduced himself as a member of Alfa Bank's Financial Monitoring Department, and asked me whether I had made a transfer of 1200-plus roubles to a certain person (whom he named but whose name I don't recall). I naturally said no because I don't make transfers to anybody other than my wife. Then he told me this meant that my account was compromised and invited me to undergo an ID verification procedure using the number of my Alfa Bank account contract or the number of my “plastic product”, ending in 5413, in order to install “two-factor protection” for my accounts.

Everything that followed and led to my losing RUR176k [$2500 at the exchange rate for that date], I described in my first and subsequent posts on the subject, which, however, assumed that the swindlers had no connection to Alfa Bank and acted completely independently, having bought Alfa Bank's customer database on the dark web, as was reported by the media (and discussed by me in my last post).

But what if it's a totally different ballgame, and the money was STOLEN BY ALFA BANK ITSELF? Or, say, by a criminal gang at Alfa Bank (I don't think that Pyotr Aven has anything to do with it)?

Let's see what I have to back up my claim.

1. The fraudsters spoke and behaved like banking professionals, exhibiting a knowledge of financial and technical aspects of banking and the ins and outs of the mobile app, and insider information about Alfa Bank. To paraphrase Walter Reuther, if it looks like a duck, walks like a duck and talks like a duck, then it must be … an AB banker. I for one failed to find the full name of the Head of Financial Monitoring and Analysis at Alfa Bank when I tried googling for it.

2. Data leak – the theft of Alfa Bank's customer database. As was reported, the database was offered for sale on the dark web. This is the handiwork of professionals, an inside job rather than hacking, as disclosed by Alfa Bank itself to the media (“Достоверно установлено, что возникновение данной ситуации не является следствием нарушения защиты корпоративной информационной системы банка [It has been ascertained that the situation is not the result of a security breach in the bank's corporate information system]”). To download the database without leaving fingerprints, and openly sell it online with impunity - this is something that only high-ranking and highly skilled Alfa Bank officers can pull off, obviously. It stands to reason that as a result of dealings between the sellers and buyers, they partnered up, with the criminals at Alfa Bank providing financial and IT information and giving the green light to fraudulent debits to Alfa Bank's retail accounts.

3. Concealment of this fact by Alfa Bank – a key factor in the success of fraudsters. If I had just known, for example, that the database had been leaked from Alfa Bank, that somebody could phone me like this, address me by my name and patronymic, pretending to be from Alfa Bank, give my card number and in so doing worm their way into my confidence, I would never have let the fraudsters lead me by the nose.

4. No mention of such fraud. Sberbank has a page warning of this scam; AB does not (there is only this warning about phishing).

5. Knowledge of my account balance: the con men targeted me specifically and used the ploy of a fake debit of RUR53k to my account. Such information is not in the database. Alfa Bank is a cheap bank (e.g., I pay no fees on my accounts or cards), and it presumably has quite a few customers with low account balances (my wife, for example, has no savings account with Alfa Bank), and some have nothing but debts to the bank. It does not seem a stretch that the swindlers find their marks on a tip-off from the bank.

6. Failure of all security and anti-fraud features – disabled or reconfigured manually. (One or two could have malfunctioned, but not all of them, given that in my case I transferred my professional income for a year and a half using only the templates I created for my savings account with Alfa Bank and for my wife's account, also with Alfa Bank).

7. Awareness of the Fast Payment System (FPS) of the RF CB. As it turns out, this innovation is an effective tool for stealing any amount (up to RUR100k per transaction?), and the swindlers knew how to use it in Alfa Bank's mobile app, though there is no such menu item there. Such transactions become available in the To Another Bank section by default when you choose “By Phone Number” from the menu.

8. The Alfa Mobile app has been hacked or compromised. It displayed all attempts to debit my accounts that the swindlers talked about, which is hardly possible to achieve without the involvement of its developers (“The easiest and safest way to access your accounts and cards”, according to the claim on Alfa Bank's website).

9. The bank denied compensation to all victims – even when it admitted its responsibility for what happened, as was the case with Maria Komandnaya, to name but one.

10. The bank uses trolls to drown out the complaints from victimized customers (as evidenced by comments on Maria's post and in the topic started by me on the banki.ru forum, which is where I was enlightened on such trolling). The user kamo, for example, wrote: “An interesting position, that of the topic starter [he means me]: -he wired the bread himself to his homies /aided and abetted them in the theft/ , and now the bank should make him whole again??”. To give credit where credit is due, it was such freewheeling by kamo that gave wing to my own imagination.

11. AB has no channels or mechanisms in place to request a reversal of such fraudulent transactions. They are available only for Visa/MasterCard transactions as part of MPS [Russian for (international) payment processing networks], with forms to be completed in parallel Russian and English, on this page.

12. No warning in the mobile app about the fast payment system and the instantaneous and irreversible nature of transfers made through it. Had I been warned of the extraordinary nature of the transaction I was choosing for a funds transfer through the fast payment system (I, in fact, assumed that “SBP” meant payments through the Sberbank system), I would quite possibly have paused to look for alternatives – for example, a transfer to my wife's account with Alfa Bank or Sberbank.

13. Alfa Bank has stonewalled me. Call centre operators refuse to patch me through to any banker. My email enquiries are ignored. The swindlers asked me to keep mum for two days “for a police investigation to be carried out”. The bank took a whole week to respond to my SOS, advising me that it was misdirected (though I used the email address given in the text from the bank following my fraud report), but gave no alternative email address to sort out the issue.

14. Alfa Bank refused to do anything to delay the withdrawal of the funds fraudulently transferred to Gazprombank, although it had all the information it needed to do so.

15. Plausible deniability for AB. Everything has been organized so that the transfer is made by the victim “voluntarily” - with no liability for Alfa Bank.

16. Cui bono? Who benefits from Alfa Bank's refusal to do anything to recover the money? Clearly not I as an Alfa Bank customer, nor Alfa Bank shareholders or the bank itself as a financial institution because every universal bank seeks to attract deposits from the general public rather than lose them. So the bottom line is that such passivity from Alfa Bank benefits only fraudsters – those outside and/or within the Bank.

17. Alfa Bank lied to me and the Bank of Russia—see my post “The path of lies of Alfa Bank (Russia)”.

The scam has been masterminded as ingeniously as in any of the best Hollywood con movies. The criminals, however, made two mistakes, in my opinion, because of their greed: 1) They decided to have two transfers made of RUR88k each (below the threshold set at RUR100k by their partners in crime at Alfa Bank?), being most likely aware that the anti-fraud system was disabled or reconfigured on this channel. But for that "double whammy", I wouldn't have thought of any collusion between Alfa Bank and the swindlers because one payment could indeed have been greenlighted by the system quite innocently, but not two of exactly the same amount within minutes of each other. 2) The scammers did not return the stolen money immediately upon my call to the bank, which, however, is just human nature: they spent so much time and effort extracting RUR176k from me that they naturally hated to part with that money, earned, as it were, “in the sweat of their brows”.

The scale of the criminal scheme is revealed by the long list that was displayed on the phone screen and featured many dozens of banks with accounts linked to each of the two numbers used to make the transfers, and by the noisy room from which I was called and in which I could hear many voices and the sound of keyboards clicking.

To be sure, I made the transfers myself, and I'm willing to accept some of the responsibility, but not all of it, not by a long shot. I made the transfers not “voluntarily”, not because I wanted to help “a child in need of treatment” or “a cash-strapped friend”, but in an attempt to save my money from the clutches of alleged fraudsters, unable to think of other avenues of escape, being under extreme stress as I was in that situation. I would also just as “voluntarily” surrender all my money if a gun was put to my head and I was given a choice: “Your wallet or your life!”. So what if it later turned out, for example, that the gun was not loaded, the safety was on or it was but a replica (which an expert wouldn't have missed), and there never was any real threat to my life. How does this change the situation for me as a victim who didn't know that?

The situation with responsibility changes most radically, however, when it turns out that the gun to the head of depositors is pointed by Alfa Bank itself.

When we deposit our money with a bank, we think we entrust it to professionals who will keep it safe, but this appears not to be the case: in a best-case scenario, making sure our money is safe in the bank is part of our job description as depositors, and in a worst-case scenario, bankers use their expertise to steal rather than protect it.

My next article will look into the role of RF CB Fast Payment System, without which such fraud would be impossible.

Links to all my posts on this subject are also published in my comments on Maria Komandnaya's post.
