A significant data breach at French ISP Free has resulted in the theft of subscriber information, including names, birthdates, and IBANs, which is now being sold on a hacker forum. Security expert Benoit Grunemwald warns that such data can be exploited for phishing and fraudulent subscriptions. Additionally, Jonathan, a tech enthusiast, explains how cybercriminals can misuse IBANs for unauthorized direct debits. Free subscribers should remain vigilant against potential scams and direct debit notifications.
Free’s recent data breach has garnered significant attention across various media outlets. On October 28, the French internet service provider alerted its users about a theft involving sensitive information, including names, birthdates, phone numbers, subscriber IDs, and IBANs, all pilfered by a cybercriminal.
This database has appeared for sale on a notorious hacker forum, raising alarms about potential misuse of personal information such as names and email addresses, which can be exploited for phishing schemes or impersonation scams, including those targeting banking services.
The IBAN, in particular, becomes a prime target when combined with other personal data. Benoit Grunemwald, a cybersecurity expert at ESET, previously warned that “dishonest companies may resort to malvertising to trick individuals into fraudulent subscriptions using their IBAN.”
How could this manipulation unfold? A tech enthusiast named Jonathan recently described the tactic on X (formerly Twitter) and kindly shared insights with us.
Understanding IBAN Manipulation: How Criminals Might Access Your Funds
Put simply, a company can set up automated direct debits from your account through a payment platform such as Stripe, with nothing more than your IBAN.
Several factors play a role in this process:
The next stage is arguably the simplest:
Once your bank receives the notice for the direct debit mandate, funds will begin to flow out of your account. In practice, while the company can’t access these funds until you consent to the direct debit, Jonathan experienced a charge of 90 cents from his account.
Generally, you would be aware of the transactions occurring. However, deceivers can cleverly mask their actions. “On Stripe, you can input any identification details. While it’s not feasible to directly impersonate a company, a malicious entity could adopt a name that closely resembles another,” Jonathan explains.
For example, a cybercriminal might pose as the fake company “Freee” to mislead unsuspecting online users.
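The lookalike-name trick described above is something a bank or an attentive account holder can screen for mechanically: compare each new direct debit creditor against the merchants you actually hold mandates with and flag names that are close but not identical. The following is an added example, not code from the article or from Stripe; the creditor list and the notices are constructed sample data, and the edit-distance thresholds are an assumption chosen for illustration.

```python
import re

# Constructed list of creditors the account holder genuinely has mandates with (sample data).
KNOWN_CREDITORS = ["Free", "EDF", "Netflix"]

# Constructed direct debit notifications as a bank app might surface them (sample data, not real).
SAMPLE_NOTICES = [
    {"creditor": "FREE", "amount_eur": 19.99},
    {"creditor": "Freee", "amount_eur": 0.90},
    {"creditor": "Acme Telecom", "amount_eur": 12.00},
]


def normalize(name: str) -> str:
    """Lowercase and strip everything but letters and digits so 'Free Mobile' and 'FREE-MOBILE' compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insertions, deletions, substitutions) with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_creditor(name: str, known: list[str]) -> str:
    """Return 'known' (exact match after normalization), 'lookalike' (a few edits away
    from a known creditor, e.g. 'Freee' vs 'Free') or 'unknown' (no resemblance).
    Threshold assumption: 1 edit for short names (<= 4 chars), 2 edits otherwise, so that
    very short merchant names do not produce spurious lookalike hits."""
    n = normalize(name)
    best = None
    for k in known:
        kn = normalize(k)
        if n == kn:
            return "known"
        threshold = 1 if len(kn) <= 4 else 2
        d = levenshtein(n, kn)
        if d <= threshold and (best is None or d < best):
            best = d
    return "lookalike" if best is not None else "unknown"


def review_notices(notices: list[dict], known: list[str]) -> list[dict]:
    """Annotate each notice with a verdict; anything not 'known' deserves a look
    before the mandate is left active."""
    return [dict(n, verdict=classify_creditor(n["creditor"], known)) for n in notices]


if __name__ == "__main__":
    for n in review_notices(SAMPLE_NOTICES, KNOWN_CREDITORS):
        print(f'{n["verdict"]:9s} {n["creditor"]:15s} {n["amount_eur"]:.2f} EUR')
```

Run against the constructed notices, the exact "FREE" mandate passes, "Freee" is reported as a lookalike and "Acme Telecom" as unknown; a small first charge from a lookalike creditor is exactly the pattern the article describes, so both non-"known" verdicts are worth reviewing in the banking app before the next debit runs.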
The Risk of Unauthorized Direct Debits from an IBAN
This tactic isn’t new, as seen in the notorious case involving SFAM, now rebranded as Indexia, where the insurance company facilitated direct debits without informing individuals who had recently bought tech items.
A malicious group intent on misappropriating funds could automate numerous payments and take advantage of those few individuals who are not attentive.
Many banking apps allow users to manage and disable direct debit mandates. Always exercise caution and stay alert for any direct debit alerts; it’s often during moments of inattention that we may fall prey to such scams.
Moreover, the attacker has so far kept the full database private rather than leaking it publicly, so you may not be able to check whether your information was compromised through services like Have I Been Pwned. In such cases, affected users would normally be notified directly by Free.