“I got hacked 80,000 euros”… LCL customers victims of a security breach?

Since November, several dozen LCL customers have been hacked. In total, more than 360,000 euros were allegedly stolen. Were they the victims of an elaborate phishing or rather a fault in the bank’s computer systems?

January 1st, zeldus (1) post one call for help on the MoneyVox forum. His parents, customers at LCL, have just had their bank account siphoned off. Amount of damage: €3,000. The hackers managed to add a new beneficiary and transfer the money to a foreign account. All without the account holders being notified, because unlike almost all banks today, LCL does not require strong authentication to validate the addition of a beneficiary.

Very quickly, the family lodged a complaint, then went to the nearest LCL agency to obtain the repayment funds. But there, surprise: their adviser informs them that the operation has been validated by means of personalized security data. However, according to him, if the pirates hold this data, it is because the customers have shown neglect.

The days pass, and the bank does not reimburse. “It makes 1 month that the hack took place. Despite the complaint lodged and provided to the bank, nothing has changed and the money has not been refunded,” laments zeldus. ” I have the feeling that the bank tries to put the responsibility on the customers “, continues the Internet user.

Serial hacks

New twist on January 21, 2022. Clo, another LCL customer joins the discussion and claims to have also been the victim of a hack. the modus operandi is identical: adding a beneficiary and transferring funds to an account abroad.

Over the weeks, new testimonies are pouring in: Bbaj declares that he was robbed €4,350 on his professional LCL account on January 12. EGOhe lost €6,000 March 23.

But when they contact the sign, everyone hits a wall. “The only answer that LCL answers me is, quite simply, that it was I who disclosed the online access identifiers”, explains Bbaj. Results ? The bank refuses to refund the stolen money.

However, the victims maintain that they did not communicate their identifiers. “I can tell you that I never divulged my access codes to no one. I am a computer engineer and I apply security measures very strictly”, writes for example Bbaj.

Bank card hacking: beware of this new fraud

More than 360,000 euros stolen

But then, how to explain these chain hacks? In total, RTL identified at least 25 victims between November 2021 and April 2022, for damages for a total amount of more than 360,000 euros. And some have lost big. This is for example the case of Loïc. “I got hacked 80,000 euros, the bank does not want to reimburse me”, explains the craftsman, questioned by the station.

What is most surprising are the dates, oddly close together. And the fact that all the victims are customers of the same bank. “I notice that visibly there have been many bank account hacks on LCL between the end of November and the end of December”, notes Clo on the MoneyVox forum.

Have these customers all been victims of phishing, an elaborate phishing, which would have allowed the crooks to extract their personal identifiers without their being aware of it? Or should we rather look for the problem on the side of the computer systems of the bank? Asked by the MoneyVox editorial staff about a possible security breachLCL has not provided an answer to date.

For Michel Guillaud, Chairman of France Conso Banque, “thehe responsibility of the LCL is clearly established, even if for the moment the brand is striving to blame its customers”. The consumer association plans to bring the victims together in a collective to take LCL to court. To date, “nearly a hundred” victims have already come forward, according to Michel Guillaud.

Credit card fraud: the bank must reimburse its client victim of phishing

Misleading commercial practices

The case of the LCL hacks echoes another ongoing procedure. On May 28, the UFC-Que Choisir has filed a complaint against 12 banks (among which we also find LCL) for “misleading commercial practices”.

According to the association, the banks would refuse systematically to reimburse their customers when they indicate that they have been victims of fraud. However, as a reminder, Article L133-18 of the Monetary and Financial Code provides that, when a customer notifies his bank of “an unauthorized payment transaction”, the latter must reimburse him “ immediately “.

The only exception: if you have shown ” gross negligence », by communicating for example your personal identifiers to a malicious person, the bank is not responsible. Therefore, the first reflex banks often consists of accusing their customers of “negligence” to avoid reimbursing them, denounces UFC-Que Choisir.

But even if this were really the case, the case law is clear: it is up to the bank to prove that the customer has committed gross negligence. If the latter is unable to provide proof, it must reimburse the stolen funds, as well as any bank charges incurred (in the event of an unauthorized overdraft, for example).

On the MoneyVox forum, several hacked LCL customers also indicate that they have won. But for the bank to reimburse them, they often had to multiply reminders and insist for long weeks with the fraud department.

Best bank 2022: discover our comparison

source site-96