What if your phone gets an SMS from your bank with a one-time password or OTP? You click on the OTP, your phone gets reset and during the reset period, unauthorised transactions happen on your bank account. Well, this is exactly what is puzzling the police in Trashigang as an investigation is ongoing after several people had their phones hacked and money deposited and withdrawn from their bank accounts without the account holder’s knowledge.
In mid-February, Jigme Dorji, a corporate employee in Trashigang saw that about Nu 40,000 was debited from his Bank of Bhutan account.
Jigme found out that the amount was divided and sent to three different accounts.
Similarly, Sangay Rinchen from Kanglung saw Nu 285,000 credited and immediately debited from his T-Bank account within a span of three minutes.
The duo reported the suspicious activity, a case of deceptive practice, to the police.
Upon investigation, the police found that the victims received text messages containing OTP, which when clicked, automatically put their phones in factory reset process that lasted about four to five hours.
“I received a message from BOB with an OTP and a default PIN. I used the default PIN to open my mBoB app. My old PIN did not work but the default PIN worked. When I opened it, my previous balance was visible. I put my phone on charge and went to toilet. When I came back, my phone was on auto factory reset mode. My mobile was reset in about five to six hours. After reset, I received a message from BOB stating that my account had been debited,” said Jigme Dorji, a corporate employee.
“I received an OTP on my phone and it automatically got on factory reset mode when I saw the OTP message. It was about 20 days ago. In between, I had to create a new email ID. After that, I received a message from T-Bank that Nu 285,000 was credited to my savings account. Within two minutes the amount was debited from my account,” said Sangay Rinchen from Kanglung.
Police investigation found that numerous accounts, without the knowledge of account holders, had credited money into one particular account number.
According to the police, the suspected account holder, who is currently residing outside Bhutan, is into buying and selling cryptocurrency on the Binance platform.
The suspect reportedly told the police that another individual, whom he met on Facebook, allegedly sold Bitcoins and received payments into his BOB account.
The suspect also told the police that the individual might have hacked into victims’ phones to transfer the amount into his account.
The police investigation also found that emails of the victims were also hacked to gain access to their bank account details. The emails were then also used to obtain the OTP messages.
Banks send OTP messages to both registered mobile numbers and email accounts if enabled.
While the case is currently under investigation, police are alerting public to refrain from sharing personal details with strangers and keep email and other online accounts secure by using two-factor authentication.
Sonam Darjay, Trashigang
Edited by Sherub Dorji