Fongo Mobile App Hacked

[william lawes]

My (free) fongo mobile account and app were hacked on Fri Sept 20th, 2023, and it appears both the password and email associated with the account were changed. Saturday morning when I went to make a call, I could not login.

It appears to have been malware on my computer that allowed the hackers to access my BMO bank account here in Canada and e-transfer 1400CAD out of my account. At that time, a pin was sent to my Fongo mobile number, but I didn't realize what it was for or where it came from.

The hackers must also have had access to my fongo mobile app on my ipad. I don't know how they could have accessed that, and so I am posting here to try to find some answers as to what might have happened.

My original thought was that through the malware they gained access to my google account and accessed my passwords. But if they got into my fongo mobile account through a desktop, that would not give them access to my text messages, as far as I know. They would have had to gain access to the app on my ipad.

I have sent 5 messages to support now, but they have not replied to address the issue. They did reply once and reset my fongo WORKS account, although I did not report my fongo works account! They did not even mention or address the issue of my fongo mobile account being hacked and compromised. And no one has replied to my follow ups in over a week now.

Any help figuring this out would be much appreciated!

[Liptonbrisk]

Fri Sept 20th, 2023

September 20, 2023 isn't Friday.

(free) fongo mobile account

access my BMO bank account

Can BMO 2FA texts be received by free Fongo Mobile accounts without paying for a texting add-on?
https://support.fongo.com/hc/en-us/arti ... ort-codes-

The hackers must also have had access to my fongo mobile app on my ipad.

If someone has your Fongo Mobile username and password then any device that runs Fongo Mobile can be used to log into your Fongo Mobile account.

But if they got into my fongo mobile account through a desktop

Anything that runs Fongo Mobile can be used; it doesn't have to be your device. By the way, Fongo Mobile does work on Windows 11: https://www.fongo.com/services/fongo-mobile/.

"Fongo Mobile is available for download on iOS, MacOS, Android, Windows 11, and ChromeOS devices."


Speculation, to me, is pointless. I believe Fongo admin (same goes for most services in general) should have access to IP addresses and any device's OS that was used to access your Fongo Mobile account.
If money were stolen from me, I would be filing a police report. It may be possible through law enforcement requests to obtain that information, regardless of how useless logged IP addresses may be.

I have sent 5 messages to support now, but they have not replied to address the issue. They did reply once and reset my fongo WORKS account, although I did not report my fongo works account! They did not even mention or address the issue of my fongo mobile account being hacked and compromised. And no one has replied to my follow ups in over a week now.

None of the volunteer moderators here work for Fongo. We don't have access to your account. These are user-to-user support forums. Fongo Support staff is not obliged to respond here.

Visit https://status.fongo.com/.
If "Support System" indicates "Degraded Performance", ticket response time
can take up to a week (or longer).

Visit
https://support.fongo.com/hc/en-us/arti ... -Complaint
for information on ticket escalation. CCTS complaints can be submitted at https://www.ccts-cprst.ca/for-consumers ... aint-form/.


Fongo Support tickets can be submitted at
https://support.fongo.com/hc/en-us/requests/new

You can check your ticket status by logging in at
https://support.fongo.com/hc/requests. That's an account for tickets
(zendesk) only and is completely separate from your Fongo Mobile account or
any other Fongo account you may have. Use the same email address that you
use to submit tickets. Do not use the same password as your Fongo Mobile
account. Again, these two accounts are unrelated.

Support staff does not respond to tickets on weekends or Canadian holidays.
Support hours are 9 a.m. until 4 p.m. EST. They are not obliged to respond
on the these user-to-user forums.


Fongo does have https://twitter.com/Fongo_Support. I'm not sure if anyone
there responds to direct messages.
Similarly, they appear to be on Facebook:
https://www.facebook.com/FongoMobile/. I don't know whether they'll respond to you there.

[william lawes]

Thank you for your reply, that is much appreciated!

The day after I submitted this post, I realized what happened as you already pointed out. Of course! The hackers got into my google account through malware, accessed my passwords, and were then able to access both the desktop AND the Fongo app as they both use the same login details.

I checked the support status and it does indicate 'degraded performance', although it has been 10 days since I first contacted them, and I have since sent about 5 follow ups.

Re the bank issue: I managed to intercept the hacker and stop the e-transfers from my bank account on Friday Sept 22nd, arround 11pm PST, they got away with 5 etransfers before the fraud department at BMO froze my account. But later in the night they changed my fongo email and password as I could not login to my account in the morning.

The next night, there was a login attempt to another one of my gmail accounts, again they would have got the password from my google account. But the system stopped them and I received the following notification: "Suspicious activity in your account: Someone might have accessed your Google Account using harmful malware on one of your devices. You’ve been signed out on that device for your protection."

And my linkedIn and Instagram acounts were also hacked, they changed the lanaguage on my LinkedIn account to Chinese...

It will be essential for Fongo to recover my account, and inform me as to what happened - providing IP address and the email they used.

I already filed a police report, and submitted that to my bank on Mon Sept 25th. The bank has now started the escalation process, although at present, they told me last Friday that without evidence of a malicious attack, they cannot return the money to me because I received the security code to my fongo number. But I see now how the hackers got into my fongo phone app and intercepted the security code.

I believe if Fongo can provide all of the details about what happened, that should be suffient to provide evidence to my bank of a malicious attack. This is why it has been frustrating that Fongo has not responded to my support request. Would you recommend submitting a complaint with the CCTS at this point?

[Liptonbrisk]

I believe if Fongo can provide all of the details about what happened

I question whether service providers, in general, will give that information to end users without law enforcement (police) making a request.

Would you recommend submitting a complaint with the CCTS at this point?

I can't recommend you do anything, legally.

I can say that if my money were stolen, I would discuss my options with police and, if left with no other avenues, a lawyer.

If money were stolen from me, I would find out, exactly, what information my financial institution requires. I would ask for that to be sent to me in writing. I would ask for permission to forward that information to Fongo along with a copy of a police report.
If Fongo were not willing to provide requested information, I would ask police to make the request and show them a copy of what my financial institution requires. If I were repeatedly stonewalled by police, my financial institution, and Fongo, I would talk to a lawyer.

I would expect a delay in support ticket responses, for every single response Fongo support sends.
If I were unsatisfied with the response(s) I received from Fongo, or if I believed Fongo wasn't communicating with me in a timely fashion over a very serious matter, I would certainly consider pursuing CCTS.

Everything I've written here is merely my opinion. What you do is, of course, up to you.

[william lawes]

I spoke with BMO again and they are not going to reimbuse the funds on the basis that the malware malicious attack was 'beyond their control.' And while I thought showing that the hackers had accessed my fongo app to intercept the passcode, as evidence of the malicious attack, BMO used this as evidence of factors 'beyond their control.'

So, just to clarify, while I have always been logged into my fongo app, it is possible for someone to login to my app from another device at the same time?

Also, Fongo has not yet responded to any of my inquiries. I will elaborate a bit later, I just wanted to make sure that it is possible to login to the phone app from two devices at the same time.

[Liptonbrisk]

Only one login can be active at any time. The most recent login is the active one.

https://support.fongo.com/hc/en-us/arti ... n%20device.

“While you can install Fongo on multiple devices, an active login is limited to one device at a time. For example, if you are currently logged in on your iPhone and then you log in on your Android phone, you will be logged out on your iPhone. All incoming calls and texts will always arrive on the last logged in device.”

In the above example, afterwards, if you login into Fongo Mobile on the iPhone again, Fongo Mobile on the Android phone will not be active.

[william lawes]

Thank you that's good to know. It does mean that during the attack itself I was not logged out of my phone, and therefore they could not have intercepted the code by logging into the app from their device. I was logged out of my phone app for the first time in 6 years in the morning, and the email and password appear to have been changed.

Which raises the question again, how did they intercept the code to login...

[Liptonbrisk]

It does mean that during the attack itself I was not logged out of my phone, and therefore they could not have intercepted the code by logging into the app from their device.

I find the wording on the Fongo site somewhat misleading, insofar as I can sign into the same Fongo Mobile account on two iPhones and not be signed out automatically from one of the apps. That doesn’t matter. What matters is that only one device works with the same Fongo Mobile account at any given moment.

If someone did login to your Fongo Mobile account on another device, then the login on your device wasn't active. You aren't actually logged out of your Fongo Mobile app, which would require you to log in again. It's just that your Fongo Mobile device wouldn't have the active, working SIP registration. Fongo Mobile uses SIP protocol. Whoever runs the app last, and successfully logged in, has the active Fongo Mobile SIP registration that works.

In other words, the most recent (or last) device that has run the Fongo Mobile app with your credentials is the only active, working Fongo Mobile device using your credentials at any given moment. Every time the Fongo Mobile app is run, it attempts to register using your Fongo Mobile credentials.

If criminals were to see that a code was required that never arrived on their device (if your Fongo Mobile username and password were stolen by them) it would be trivial for the criminals to login using your Fongo Mobile credentials and immediately request a new code at that point to be sent to the Fongo Mobile app running on their device. It’s not as though old codes are required (and don't expire) and new ones can’t be sent or generated after the initial failure.

So, to speculate (which, I again, feel is useless), here's a possible scenario:

1. The criminal tries to login to the BMO account.
2. Code gets sent to the original Fongo Mobile user, who, later, mistakenly believes that code was intercepted by the criminal in order to access the BMO account.
3. Instead of receiving that code, the criminal thinks, "Oh, I need a code. I just need to access the phone number tied to the BMO account." Then the criminal logins to the Fongo Mobile account on the criminal's device.
4. Criminal tries to login to the BMO account again.
5. Old code is expired automatically. A new code now gets sent to the criminal using Fongo Mobile on the criminal's device. Original Fongo Mobile user never receives the new code. It's only sent to the criminal's device.
6. If the original user decides to run the Fongo Mobile app before the criminal changes the Fongo Mobile password, Fongo Mobile still works on the original user's device at the time the app is run by the original user.

The single, active Fongo Mobile login can change back and forth between the criminal and the original user, depending on who runs the app last.

The original user is never forced to sign in again to the Fongo Mobile device until the account password is changed.

That's one possibility. Another is having an insecure LAN, but a lot more work is involved for the criminal. Again, I feel speculation is pointless.

When Fongo Mobile credentials are changed, to me, is of lesser significance than when another party has accessed or registered successfully using the Fongo Mobile account in question.

I do wonder about the following:

1. Does BMO require two factor authentication with SMS codes in order to login to BMO banking accounts? Many financial institutions do. I've read that BMO InvestorLine uses 2FA.

2. Can unpaid (free) Fongo Mobile accounts actually receive those short code SMS texts from BMO without paying for a texting package, Fongo Plus, or porting a number into Fongo Mobile?

My (free) fongo mobile account and app

https://support.fongo.com/hc/en-us/arti ... ort-codes-

"If the short-code is supported by our system, and the user does not have an active Unlimited Texting package, an active Fongo Plus package or has not transferred their number to Fongo, they will receive this message:

"Your Fongo number has received a verification code message from: [NUMBER] - To receive verification code messages, please subscribe to an Unlimited Texting package or Fongo Plus, available for purchase in the add-ons section of this app."


That is, unless the Fongo Mobile user pays in some manner (porting into Fongo Mobile isn't free), SMS short codes can't be received.

And even if the user pays, there's no guarantee an SMS short code can be received:

"Users who have an active Unlimited Texting package, an active Fongo Plus package or have transferred their existing number to Fongo are not blocked from receiving SMS short codes, but as mentioned previously, some short codes do not currently work with Fongo (regardless if you are subscribed).

We do not make any guarantee that you will receive activation codes if you have subscribed to a texting package, this is often beyond our control."


So, generally speaking, how does a Fongo Mobile user receive 2FA short codes from anywhere without paying for a Fongo Mobile texting package, Fongo Plus, or porting a phone number into Fongo Mobile (all of which cost money) in the first place?

[william lawes]

Thank you for your detailed response and insights into how the Fongo Mobile app works. Your explanation provides valuable context, especially regarding the SIP registration and how the active Fongo Mobile login can switch between devices.

To answer your question, yes, BMO does utilize two-factor authentication (2FA) for logging into their banking accounts. When suspicious or uncommon activity is detected, or when logging in from a new device, they send a verification code to the registered phone number or email, which indeed acts as a form of 2FA.

However, what is perplexing is the discrepancy in BMO's security protocol between personal and business accounts. My business account, after receiving the 2FA code, also prompts me to answer one of the three security questions. However, this dual layer of protection is absent on personal accounts. Upon discussing this with BMO, they confirmed that the security questions feature is not active for personal accounts, despite having three similar questions set up.

Comparing BMO's approach to Google's security measures, I found Google's system far more robust. After the unauthorized access to my Gmail account, Google immediately alerted me about suspicious activity. Not only did they identify the breach, but their system could even discern that the intrusion was due to malware on my computer. In stark contrast, BMO's system neither sent alerts nor locked access from a suspicious foreign IP.

This casts doubt on BMO's assertion that they've taken all necessary precautions on their end to safeguard accounts. Their stance that breaches stemming from malware or compromised devices fall squarely 'outside their control' seems to be at odds with the level of proactive security measures adopted by companies like Google.

Is the protection offered by a single 2FA code really sufficient given the complexity of today's cyber attacks? Given BMO's understanding of these threats, one must question the adequacy of their security protocols. The fact that the majority of the claims they receive revolve around this specific loophole suggests that their policies are designed to exclude the majority of such cases. The comment from the BMO representative I spoke with on Friday is revealing: "If we had to refund every attack, we would be out of business in a year." This statement suggests the magnitude of the problem and implies two potential outcomes: either they continually face a threat to their business, or bolster their security measures to genuinely protect their clients.

Your speculation about the potential scenario of how a hacker might have gained access aligns with the sequence of events. I'll be reaching out to BMO for further clarification and more specific details about the timeline of events, particularly the exact times of my call to the fraud center.

Furthermore, according to BMO's policy, clients are not held accountable for unauthorized transactions once they report suspicious activity. Given that I promptly reported the incident to BMO's fraud center after the second etransfer, I'm hopeful that I will be reimbursed for the last three transactions, which occurred after my report.

Your insights have been invaluable, and I would appreciate any further thoughts you might have.

[Liptonbrisk]

To answer your question, yes, BMO does utilize two-factor authentication (2FA) for logging into their banking accounts. When suspicious or uncommon activity is detected, or when logging in from a new device, they send a verification code to the registered phone number or email, which indeed acts as a form of 2FA.

Okay, if the BMO verification text is coming from SMS short codes (5 or 6 digit numbers), as opposed to a regular 10 digit telephone number, it doesn't make sense that you received 2FA codes from BMO to your Fongo Mobile account, unless you paid for a Fongo Mobile text messaging package, Fongo Plus, or porting a phone number into Fongo Mobile: https://support.fongo.com/hc/en-us/arti ... ort-codes-.

Regardless, I don't work for Fongo, don't have access to any information regarding your Fongo account, and am not privy to anything else involving this matter.
Consequently, I have no further thoughts on this situation at this time, other than you can try filing a complaint with OBSI, which is the Ombudsman for Banking Services and Investments: https://www.obsi.ca/en/index.aspx.