Overview
While being assisted at Banco de Costa Rica (BCR), a 73-year-old named Jorge (name changed for privacy) was robbed of ¢1.6 million in just seven minutes. Cybercriminals swiftly changed his password, bypassed the dynamic key system, and made two Sinpe transfers of ¢800,000 each.
The Incident
On July 14, Jorge visited BCR’s Curridabat branch due to issues accessing the bank’s online platform. While at the bank, he was informed of unauthorized transactions from his account. In a matter of minutes, hackers changed his password, deleted his dynamic key, set up a virtual code, registered a new login device, and made two Sinpe transfers.
Culprits Traced
The bank provided details of the recipients of the stolen money: accounts belonging to a 22-year-old male, Aguilar, and a 43-year-old female, Navarro. Armed with this information, Jorge immediately reported the crime to the Organismo de Investigación Judicial (OIJ) in San José. The case is being processed under the file number 23-019920-0042-PE for alleged computer fraud.
Concerns Raised
Jorge questioned the bank’s security measures, particularly how the hackers could bypass the dynamic key—a unique verification card only the client possesses. He also mentioned BCR’s password restrictions that don’t allow special characters, potentially making them more susceptible to hacks.
BCR’s Response
BCR emphasized their commitment to security, mentioning their Security Operations Center (SOC) and ongoing coordination with banking, police, and judicial authorities. They also highlighted their communication campaigns to keep customers informed and prevent scams.
A Rising Threat
Cyber scams have surged in Costa Rica. In 2022, 9,292 new cases were reported, a 160% increase from 3,576 in 2021. Due to this, several victims have filed collective lawsuits against major banks, including Banco Popular and Banco Nacional, seeking compensation for their losses.