Hackers bypass 2FA to breach and steal funds from Payoneer accounts in Argentina

Last week, multiple Payoneer account holders were shocked to find that their accounts had been emptied by unknown hackers. This is despite the fact that they had two-factor authentication (2FA) enabled. The victims reported suddenly losing access to their accounts or logging in only to find empty wallets.

What’s surprising is that the hackers didn’t usual the usual 2FA fatigue method in which they repeatedly push 2FA authentication requests to the target victim's device in the hope that the target accidentally clicks on it.

The users report that before getting compromised, they received an SMS requesting password reset approval but they didn’t grant it. Most of them didn’t click on the link while others didn’t even see the SMS until after the attack had been completed.

While interviewing those affected, journalists discovered that the common factor was that most of them were customers of the mobile service providers Movistar and Tuenti.

This led them to believe that the Payoneer hack could be related to a recent data breach affecting Movistar. However, the telecommunication company said that customer email addresses – which are required to rest Payoneer accounts –  were not exposed in the breach.

The other possibility is that the SMS provider used to deliver OTP codes was breached, allowing the hackers to access codes sent by Payoneer.

Payoneer is yet to release further details about the attack but it has acknowledged the issue noting that it’s working with relevant authorities to mitigate the damages.

Affected victims are demanding that the company pay back their lost money, but we are not sure how that will play out seeing as the payment processing company is convinced that the customers clicked on the phishing link. 

According to the victims, the stolen funds were sent to an unknown email address at the 163.com domain.