Alfa Bank (Russia): Sink or swim - we don't give a f*ck. Part 1

 

Alfa Bank customers left to fend for themselves #AlfaBankFraud

[Originally published as "Альфа-банк: Спасение утопающих - дело рук самих утопающих?" here.]

(This post was originally written as a comment on a post by Maria Komandnaya here [translated by me here and here], but it turned out to be too long for a comment, so I publish it here.) 

My friends, I invite you to take a look at the progress made by con artists in their line of work, admittedly a tough row to hoe, and at how effectively Alfa Bank deals with them after what happened to Maria, and to consider what you would have done in my shoes.

On 30 June 2020, I got a call on my mobile, whose number is linked to my Alfa Bank account. The caller addressed me by my first name and patronymic, having introduced himself (I only recall his first name and patronymic: Sergey Vladimirovich) as a member of Alfa Bank’s Financial Monitoring Department, and asked me whether I had made a transfer of 1200-plus roubles to a certain person (whom he named but whose name I don't recall). I naturally said no, because I don't make transfers to anybody other than my wife. Then he told me this meant that my account was compromised and invited me to undergo an ID verification procedure using the number of my AB account contract or the number of my “plastic product”, ending in 5413, in order to install “two-factor protection” for my accounts. I chose the second option because I had my card at hand. He asked me to give him its full number to prove that I did have it in hand.

The caller conducted himself as a consummate professional, and I found no reason to distrust him. Then he asked me to open my AB mobile app and check if the transaction was recorded there. When I complied, I noticed that it displayed an incoming push notification with a transaction authentication number, and the caller said that yet another attempt had been made to debit my account. By that time, however, the push had already disappeared, as usually happens when you open it in the app. He explained to me that another phone had been linked to my account, whose number he gave me and asked if it was mine. I said no. Then he said that my account was under a determined attack, that we no longer had the luxury of time to install two-factor protection and that the money must be withdrawn from it for a couple of hours to a temporary deposit account with another bank until Alfa Bank technicians found a way to secure my account because at that juncture it was only his manual cancellation of the fraudulent transaction that was preventing my account from being debited automatically as a result through the system.

The whole thing smelled fishy to me, and I started pushing back, coming up with various reasons for my unwillingness to cooperate with him, but he had a pat answer to all my objections. For example, when I said that my account was insured, he responded that it certainly was, but it was an extreme situation, with many of Alfa Bank's accounts in Moscow being already under attack; they couldn't spare resources to deal with each incident for longer than a short time; the call was being recorded, and my refusal to follow his instructions would void my insurance.

But I still wasn't buying it, was still putting up resistance. Then he said he was calling me from his own landline at the office, but by way of exception he could ask his boss to call me through the AB call centre. I agreed and answered the call that came next from a number that was indeed identified by my phone as Alfa Bank’s.

The “head of financial monitoring and analysis at Alfa Bank” (as he introduced himself) took a different tack. While the first “banker” was polite, accommodating and anxious to be of service, his “boss” was rude and aggressive, obviously following the “good cop/bad cop” routine. He said he had no time to waste on me, that it was not his money, that he couldn't care less if I lost it, and that they had already spent too much time on me as it was. When I said something about getting additional confirmation of the official nature of our interaction in my chat feed, he answered that he advised against it because they suspected that AB operators were involved in the crime - that was the reason why the money had to be wired to another bank.

At that precise moment he informed me that another debit was being attempted, this time in the amount of RUR53k, and I again saw a push with a transaction authentication number, which is what finally persuaded me to cooperate with the fraudsters after the “boss” patched me back to his “subordinate”, who then walked me through all the steps that it took to move RUR145k from my Alfa (savings) account to my checking account, and to make two wire transfers from there, RUR88k each, plus a fee for the second in the amount of RUR380, totalling RUR176,380 [$2500 at the exchange rate for that date].

I called Alfa Bank within five minutes [actually, it was closer to ten as I found out after checking my call history] of hanging up with the con men, who asked me to keep schtum about what happened for two days so that “the police could complete their investigation”. Having promised that, I turned around and reported it, and did everything the bank told me to do. Specifically, I called the police right away and, while waiting for the response team, I emailed a transaction reversal request to 911@alfabank.ru, as directed by Alfa Bank. When they arrived, the police officers took me in their cruiser to the station within half an hour of my calling 911, where I reported the crime, and then went and got the evidence requested by the police.

And what did Alfa Bank do? It cancelled my card despite my protests that the card had not been compromised, which put a spoke in my wheel because I couldn’t use the 1000+ roubles left in the account and couldn't even pay the fare to go from the police station to the bank to get a statement of the account (I had to explain my situation and ask the metro employees to do me a favour, which they did the first time but refused the next, and I was forced to go by foot). The second consequence of the bank's response action was the freezing of RUR223 on my card, which is what I paid at the corner shop the day prior. The entire amount stolen, as I was informed by the bankers, was irrevocably lost, however. My card is not what the fraudsters were after – they sought access to my Alfa Bank accounts and to SBP (Sistema Bystrykh Platezhey, or Fast Payment System (FPS), of the CB) to have me withdraw money from my current account at no risk to them, which is what they succeeded in doing through an unparalleled combination of their organization, social engineering skills and expertise in communications, IT and banking.

As for Alfa Bank, it has yet to respond to my email, though it is supposed to do so, according to an AB operator, within three days.

The Alfa Bank mobile app displayed not a single message to warn me of the extraordinary nature of the transfer I was setting up through the FPS in the To Another Bank section when choosing the By Phone Number menu item (I, in fact, assumed that “SBP” meant payments through the Sberbank system). Having entered the numbers given to me, I chose Gazprombank each time from the list of banks, as I was told, and saw the full names of the payees displayed, as they had been given to me by the fraudster who called himself Sergey Vladimirovich. I expected that because of the amounts involved (transfers under RUR15k would have set my alarm bells ringing, and I would have refused to make the transactions, aware as I am that these can be received anonymously through the Qiwi Wallet and Yandex.Money systems), and because of my prompt report to the bank, the funds transfers could be put on hold – at least, at Gazprombank when an attempt was made to withdraw the funds there, but as was said by the operator (and the banker when I was getting a statement of my account at the branch for the police), the bank had no way of doing that. And that's the long and short of it: it looks like we are left to sink or swim on our own - the bank doesn't give a f*ck.

To be continued.

#AlfaBankFraud
