Payoneer Accounts In Argentina Hacked In 2fa Bypass Attacks
Numerous Payoneer users in Argentina report waking up to find that their 2FA-protected accounts were hacked and funds stolen after receiving SMS OTP codes while they were sleeping.
Payoneer is a financial services platform providing online money transfer and digital payment services. It is popular in Argentina because it allows people to earn in foreign currencies while bypassing local banking regulations.
Starting last weekend, many Payoneer users in Argentina, whose accounts were protected by two-factor authentication (2FA), reported suddenly losing access to their accounts or simply logging in to empty wallets, losing “years of work” worth in money ranging from $5,000 to $60,000.
The users report that right before this happened, they received an SMS requesting approval from a password reset on Payoneer, which they didn’t grant. Many say they didn’t click on the URLs, and some claim not even seeing the SMS until after the heist had been completed.
Many impacted said their stolen funds were sent to an unknown email address at the 163.com domain.
Local journalists have been interviewing victims and tracking the hacks and discovered that most affected users were customers of the mobile service providers Movistar and Tuenti, with the majority using Movistar.
This has raised suspicions that a recent Movistar data leak may be behind the account hacks, but the data leak did not expose users’ email addresses, which are required to reset passwords on Payoneer accounts.
Another theory is that the SMS provider used to deliver OTP codes was breached, allowing the threat actors to access codes sent by Payoneer.
Unfortunately, an official statement from Movistar shared by journalist Julio Ernesto Lopez does not address this theory, simply stating that the telecom provider is not responsible for messages sent through its network. However, Movistar said they have taken action to block the numbers used in the smishing campaign.
“We inform you that Movistar is not responsible for the messages (or their content) that third parties send using its network,” reads the statement. (machine translated)
“Notwithstanding the above, we have taken preventive measures with those numbers from which some customers have reported receiving such communications.”
Payoneer has not provided specific answers about the attack yet but acknowledged the issue and mentioned it is working with authorities to address the fraud, which it believes is the result of phishing.
Tech reporter Juan Brodersen received a statement from Payoneer that puts the blame on the users, alleging that they clicked on the URLs in the SMS phishing texts and then entered their login details on phishing pages.
However, many affected by the account hacks state that they did not click on phishing links, accusing Payoneer of attempting to deflect responsibility and failing to acknowledge a potential error or vulnerability within the platform.
Furthermore, Lopez told BleepingComputer that Payoneer requires a new SMS OTP code to be entered when you add a new destination address and then again when you wire money. If this was a phishing attack stealing OTP codes for the password reset, the threat actors should not have had access to later OTP codes required for these transactions.
While the hacks may be allowed by a 2FA bypass bug, like we saw last year with Comcast, other countries would likely be affected by the attacks.
Due to this, the attack’s precise mechanism remains unclear, with various hypotheses at play. A significant weakness in Payoneer’s system is its reliance on SMS-based 2FA, further compounded by the platform’s password recovery process, which only requires an SMS code.
BleepingComputer has contacted Payoneer with a request for a comment on the above, the status of their investigation, and whether they plan to offer restitution in the case that a weakness in its system is discovered to be the source of the hacks, but we have not heard back yet.
Until the situation clears up on who’s to blame and what exactly happened, Payoneer users in Argentina are advised to withdraw funds from their accounts or disable SMS-based 2FA and reset their account password.