Payoneer accounts in Argentina hacked in 2FA bypass attacks

Many Payoneer users in Argentina claim that their 2FA-protected accounts were compromised and money was stolen after they received SMS OTP codes while they were sleeping.

Payoneer is a financial services platform that offers digital payment and online money transfer services. It is popular in Argentina because it enables individuals to make money abroad while evading local banking laws.

Beginning last weekend, many Payoneer users in Argentina whose accounts were protected by two-factor authentication (2FA) reported that they suddenly lost access to their accounts, or logged in to find empty wallets, losing "years of work" worth of money ranging from $5,000 to $60,000.

The users claim that just before this, they received an SMS asking them to approve a reset of their Payoneer password, which they did not approve. Some claim they didn't even see the SMS until after the heist was finished, while others assert they never clicked on the URLs.

Many victims claimed that their stolen money was delivered to an unidentified email address using the 163.com domain.

Local journalists who were interviewing the victims and monitoring the hacks found that the majority of affected users were Movistar and Tuenti mobile service customers.

This has raised concerns that a recent Movistar data leak might be responsible for the account hacks, but the leak did not reveal users' email addresses, which are needed to reset Payoneer account passwords.

On a hacking forum, stolen Movistar information for Argentinians was leaked.
Source: BleepingComputer

Another theory holds that the SMS provider used to deliver OTP codes was compromised, allowing threat actors to access the codes sent by Payoneer.

Unfortunately, an official statement from Movistar shared by journalist Julio Ernesto Lopez simply states that the telecom provider is not accountable for messages sent through its network. Movistar did say, though, that it had taken action against the numbers used in the smishing campaign.

The statement reads, "We inform you that Movistar is not accountable for the messages (or their content) sent by third parties using its network.

Despite the aforementioned, we have taken precautions with the numbers from which some customers have claimed to have received such communications." (machine translation)

Although Payoneer has not yet given specific responses regarding the attack, it has acknowledged the problem and stated that it is collaborating with authorities to address the fraud, which it believes is the result of phishing.

According to a statement from Payoneer that tech reporter Juan Brodersen received, the users clicked on the URLs in the SMS phishing texts before entering their login information.

However, many people who have been impacted by the account hacks claim that they did not click on phishing links, accusing Payoneer of trying to shift blame and failing to recognize a potential flaw or vulnerability in the platform.

Additionally, Lopez told BleepingComputer that Payoneer requires a new SMS OTP code to be entered both when money is wired and when new destination addresses are added. If this was a phishing attack that stole the password reset codes, the threat actors shouldn't have had access to the later OTP codes needed for these transactions.

While the hacks might be enabled by a 2FA bypass bug, like we saw last year with Comcast, the attacks would then probably impact other nations as well.

As a result, there are many theories at play, making it difficult to pinpoint the exact mechanism of the attack. Payoneer's reliance on SMS-based 2FA is a serious flaw in its system, further exacerbated by the platform's password recovery process, where an SMS code is all that is needed.

BleepingComputer has contacted Payoneer with a request for comment on the above, the status of its investigation, and whether it intends to provide restitution in the event that the hacks are found to be the result of system flaws, but we have not yet heard back.

Until the situation is resolved and it is clear what specifically happened and who is to blame, Payoneer users in Argentina are advised to withdraw money from their accounts, disable SMS-based 2FA, and reset their account passwords.
