My bitcoin was stolen from my luno account! Luno is not safe .

LD50

Senior Member
Joined
Mar 25, 2019
Messages
667
You would not randomly entertain someone phoning and claiming they are from your bank and asking you to do something for them relating to your own account.

You would not click a random link that is apparently sent out by your bank.

Just follow the same security rules you would apply to your online banking when dealing with crypto, and you would be more secure than you were here.
Basics

and 2FA authentication is a must

John Tempus

Expert Member
Joined
Aug 8, 2017
Messages
2,363
These are the messages we as Luno clients keep receiving...
No, those are the messages you and others receive, and not specifically because you are a Luno user; it is not only Luno users who will receive them. They are typical phishing SMSes, and if they happen to hit someone who is gullible enough and has a Luno account then they might get a victim. I often get phishing scams relating to ABSA online banking popping up and I don't even have an ABSA account.

Think of these phishing scams in a different way. I could send out different templates relating to all online banks/crypto exchanges etc. to the same user, and the chances of the user having one or more of the templates I send out is pretty good, if not guaranteed; then it's just a matter of hoping the receiving user is silly enough to go ahead with the instructions.

Anyone could be getting these SMSes. Just install Truecaller or a similar app, as I notice you already did, and most if not all of these blatant scams will get blocked/filtered out without you ever seeing them.

I have had similar but differently worded phishing messages blocked in the past.

CT_Biker

Expert Member
Joined
Sep 10, 2016
Messages
1,505
These are the messages we as Luno clients keep receiving...
You have fallen victim to the following from what I can observe from your posts:

- Man in the middle/Spoofing.
Your details were gleaned using a fake email which you responded to.
The person who did this (assuming two-factor authentication is not being used on your account) would have everything they needed to access your account, namely your username and password.

- Social Engineering
This would explain why you were getting phone calls specifically asking you for your OTP, and this is also why it would have sounded legitimate to you, as the person in question knew everything regarding your account and could validate security questions with you under some guise of needing the OTP for security reasons.

- Phishing
Those SMSes you received: you can easily phone Luno to verify whether those SMSes were sent by them.

This breach of security manipulated the weakest link in Luno's security, you the customer - sorry, not sorry.

Luno, from what I have read, do not store all of the private keys for your account; it is split into shards, so they do not even have the whole key, only a part of it.
Secondly, Luno make use of Bitgo as an extra measure to store and hash private keys, Bitgo is as secure as Luno.

IMHO this is where Luno fall on their face, they claim to be a customer obsessed company, however they provide no training on their product, and there is not enough information about the mechanisms they provide to protect you. They assume you will know what the exact risks are, and be able to protect yourself.

Not exactly the attitude you should have if your ultimate goal is to take a finance system to the moon. Not knocking Luno on what their current product offers as is - the issue is twofold, you having the necessary information and my personal opinion that there is not enough information being publicized by Luno.

John Tempus

Expert Member
Joined
Aug 8, 2017
Messages
2,363
face, they claim to be a customer obsessed company, however they provide no training on their product, and there is not enough information about the mechanisms they provide to protect you. They assume you will know what the exact risks are, and be able to protect yourself.

Not exactly the attitude you should have if your ultimate goal is to take a finance system to the moon. Not knocking Luno on what their current product offers as is - the issue is twofold, you having the necessary information and my personal opinion that there is not enough information being publicized by Luno.

I would agree with most of what you said if it wasn't for the following, and there is no way to protect a client against this.

1. The user went to the spoof website, was warned not to click, and agreed to still go ahead. It had the most random URL; 99% of people should immediately know it's fake.

2. After he went there, he received SMSes that requested him to confirm/authorize disabling his 2FA on Luno. For some reason this user yet again thought it is normal that Luno just suddenly asks him to disable security measures put in place, and he went ahead and confirmed.

3. The scammers then transferred out all his coins.


Step 1 should be sufficient for 99% of users to notice but then step 2 should cover the other 1% oblivious users.

So I am certain no amount of extra training would have prevented this; the user just kept confirming every security measure put in place. If there is anything to be learned from any of this, it is that USERS need to actually read what they are confirming, i.e. the user probably didn't even bother or care to read the site URL and the warnings put in place by the browser, and then also didn't bother to read the authorization SMS Luno sent out to realize what he is actually confirming.

So the sad part is that really, at the end, users have got to take responsibility. You can only put so many security measures in front of users, or force so many security measures on users, until it becomes cumbersome for the majority while the minority still just ignore all of them.


Anyone interested in how that phishing site works: well, it's pretty damn basic.

1. They ask the user to go to the spoof site. The email/user/password info on the spoof site doesn't go anywhere other than directly being captured and spat out for the scammer, and depending on how sophisticated the spoof site is it could get relayed instantly to the real site without manually entering it.

2. The scammer now needs a confirmation token, assuming the user had that enabled at least. This is where the scammer informs the user that they will be sending a token the user needs to either click or provide back to them.

3. The scammer gets access now thanks to the user clicking the link or providing the code.

4. The scammer goes to security options and requests to disable 2FA methods, so that if they do get locked out they don't have to possibly run into a stone wall the second time around when they ask the user to confirm tokens/click links.

5. The scammer now goes and requests a withdrawal. This withdrawal might get confirmed instantly, or if withdrawal confirmation is needed this is where the scammer tells the user that one more link/code needs to be clicked.

6. All funds stolen.

Daruk

Honorary Master
Joined
Jul 18, 2008
Messages
38,493
These are the messages we as Luno clients keep receiving...
We all receive those, Luno clients or not. They don't care whether you're a Luno client or not; they care that at least one Luno client will see it and tap the link.

Swa

Honorary Master
Joined
May 4, 2012
Messages
20,790
What's so amazing is that it's not a duplicate site but a simple proxy, so it even includes the part warning you to check the URL of the site. But people, thinking that a scam site wouldn't include this, just go ahead and enter their details.
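Two points in this thread come together here: John Tempus's argument that the user needed to read the site URL and the authorization SMS, and Swa's observation that a proxy-style phishing site serves the real page, warning banner included, so the page content itself tells you nothing and the only signal left is the hostname the link actually points at. The following is an added example, not code from the thread or from Luno: a small Python link-triage helper that pulls URLs out of message text and checks the registrable domain against an assumed allowlist, flagging the common tricks a reader skimming the address is likely to miss (the brand name placed as a subdomain of an unrelated domain, a `user@host` authority, punycode labels, plain http). The sample messages and every non-Luno hostname are constructed, and the allowlist is an assumption.

```python
import re
from urllib.parse import urlsplit

# Constructed sample messages in the shape the thread describes. None are
# real SMSes quoted from the thread, and the non-Luno hosts are made up.
SAMPLE_MESSAGES = [
    "Luno: review your security settings at https://www.luno.com/wallet/security",
    "Luno alert: confirm disabling 2FA at https://luno.com.verify-account.example/2fa",
    "Action required: https://luno.com@login-portal.example/auth",
    "Your wallet is frozen, unlock here: http://xn--luo-hoa.example/login",
    "Luno support: https://lunosupport-verify.example/login",
]

# Assumed allowlist of the exchange's real registrable domain(s).
LEGIT_DOMAINS = {"luno.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Naive on purpose; production code
    should consult the Public Suffix List (e.g. co.za has three labels)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url: str) -> dict:
    """Judge a single URL by its hostname only; page content is ignored
    because a proxying phishing site reproduces the real page verbatim."""
    parts = urlsplit(url)
    host = parts.hostname or ""          # urlsplit drops any user@ prefix here
    reasons = []
    if parts.scheme != "https":
        reasons.append("not https")
    if "@" in parts.netloc:
        # "https://luno.com@evil.example/" really connects to evil.example
        reasons.append("userinfo '@' in authority")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode label")
    rd = registrable_domain(host)
    if rd in LEGIT_DOMAINS:
        verdict = "legitimate-domain"
    else:
        verdict = "suspicious"
        brands = {d.split(".")[0] for d in LEGIT_DOMAINS}
        if any(b in host for b in brands):
            # e.g. luno.com.verify-account.example: brand as a subdomain
            reasons.append("brand name embedded in unrelated domain")
        if not reasons:
            reasons.append("domain not on allowlist")
    return {"url": url, "host": host, "registrable": rd,
            "verdict": verdict, "reasons": reasons}


def scan_message(text: str) -> list:
    """Extract every URL from a message and classify each one."""
    return [classify_url(u) for u in URL_RE.findall(text)]


def scan_all(messages=SAMPLE_MESSAGES) -> dict:
    """Verdict counts across a batch, for a quick triage summary."""
    counts = {"legitimate-domain": 0, "suspicious": 0}
    for m in messages:
        for r in scan_message(m):
            counts[r["verdict"]] += 1
    return counts


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        for r in scan_message(m):
            print(f"{r['verdict']:18} {r['host']:35} {'; '.join(r['reasons'])}")
    print(scan_all())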