Iti Itaú scam makes improper card transactions and registration changes

Clients of Itaú’s Iti digital wallet report that their accounts were improperly used. Two cases were brought to the Techblog by email and dozens more were shared in website comments and complaint services.

Iti Itaú Application (Image: Lucas Lima/Tecnoblog)

Cases began to appear in the last week of July. In practically all of them, history repeats itself: customers notice strange movements on their credit cards registered in their wallet, such as transfers to unknown people. When trying to enter the app to check, however, fail to enter.

Here appears a very peculiar trait, but common to all: when they try to regain access to the account, customers realize that the cell phone number registered is no longer theirs. In many cases, the area code is not even where the consumer lives. Area codes are from different regions in the different accounts.

Improper transactions, password changed and number changed

In one of the cases presented to the Techblog, a customer who asked not to identify herself says that, last week, she tried to make a purchase with the Iti virtual card and couldn’t – this is normal, since the application deletes virtual cards after 24 hours.

When trying to enter the Iti app to generate a new one, she came across her account blocked. During the procedure to reset the password, an SMS was sent to confirm the transaction, but the customer realized that the message had been destined for a phone number that was not her own.

“At this moment I realized that something was very wrong and I was also surprised by the fact that, a few minutes ago, I had received an SMS warning me about my denied purchase”, says the consumer.

When contacting the bank to regain access, he asked the attendant about the latest transactions. “I found out that on July 31, a third party changed the phone number of my account, generated a virtual card, had access to my password for this card and made a transfer of R$1,000 to someone else.”

She says that the attendant then blocked the account and made the first challenge to the amount. The next day, when contacting again to unlock the account, the consumer says that she was able to make the exchange and put her phone back in the register. This generated an email warning. “I don’t know how third parties managed to make this switch so easily”, he commented.

Lucas client screen showing unknown moves

Lucas client screen showing unknown movements (Image: Reproduction)

Another affected client was Lucas, who told his case to Techblog by email. He says that his Iti had improper movements: using an Itaucard card registered in his virtual wallet, someone made transfers to a person he doesn’t know. Lucas’ password and registration number were also reset.

Lucas says that, when reporting the case to the card’s administrator to contest the transactions, he was not even questioned. The client of the first case also comments that the central seemed to be well aware of what had happened.

Lucas customer screen shows overpayment under review

Lucas client screen shows overpayment under review (Image: Reproduction)

Iti blocked card transactions last week

Last week, some sites that give tips on how to earn miles and points using credit cards reported that Iti was blocking transfers with this form of payment.

At the time, the company was contacted and said it was a “maintenance to add improvements and new features to the service”. The note sent to the First passenger and to Points to fly also says that “your customers can count on Itaú’s security to carry out transactions and other operations available on the app”.

In the comments of both posts, there are more reports of improper transactions and phone numbers exchanged — one customer says that they even asked for a duplicate of the physical card to be delivered in São Paulo, since he lives in Belo Horizonte.

At the forum Hardmob, a topic about what happened was created. In the website Complain here, O Techblog found at least 13 other similar cases, with improper movements and altered telephone number.

How the attack could have occurred

To better understand the case, the Techblog spoke with Daniel Barbosa, an information security specialist at ESET. Analyzing the reports, he considers two hypotheses as the most likely:

  • Criminals took advantage of some leak to clone cell phone chips, with the help of an operator employee, and reset passwords, or even discover passwords from personal information. Thus, they were able to gain access to the accounts and change the registered phone numbers.
  • Some employee within Itaú itself has been enticed or is acting in bad faith to give criminals this access.

Barbosa emphasizes that this second hypothesis is not an accusation and that an internal audit could resolve this, if that were the case.

The client Lucas, who sought the Techblog, also says that he considers that those responsible for the attack may have contacted the Iti call center and, in possession of leaked data, managed to confirm the information and, thus, make the registration changes. In fact, there were many leaks in 2021 alone.

Barbosa says this is possible, but a little more difficult, as criminals would need a large amount of information from each customer to confirm an agent’s requests.

The expert also says that it is less likely to be an attack using malware that, for example, logs information entered into devices. Barbosa assesses that the reports are from different regions of Brazil, which clashes with cases of this type. As malware tends to spread through networks of contacts, scams using tools like this end up more restricted to one region, he explains.

What Iti Itaú says

O Techblog contacted Iti to find out if the company was aware of the facts reported in this article and what its position was. The company sent the following note:

iti Itaú continually invests in the security of its products and services to ensure the best experience for its customers, who can use the service channels to verify and resolve specific cases of suspicion or problems with their accounts. iti also reinforces that, as always, its customers have the security of Itaú Unibanco to carry out transactions and other operations available on the app. In addition, it emphasizes the importance of customer care to protect their information when setting strong passwords, as well as paying attention to suspicious links received by email or SMS.

Collaborated: Felipe Ventura

Leave a Comment