
Simple fraud

Credit Cards, borrowing on Loans and discussions on Stoozing
swill453
Lemon Half
Posts: 7983
Joined: November 4th, 2016, 6:11 pm
Has thanked: 987 times
Been thanked: 3656 times

Simple fraud

#527638

Postby swill453 » September 5th, 2022, 2:16 pm

As per You & Yours on radio 4, be careful if you allow notifications to appear on your phone screen when locked.

If a thief gets hold of your credit card and your phone (by stealing a handbag or something), all they need to do is:

1. Install your bank's app on another phone.
2. Register your details using what's on your credit card.
3. Your bank sends a One Time PIN (OTP) to your registered mobile number.
4. Crucially, this OTP will appear on the screen of many/most phones even when locked.
5. They enter the OTP into the app on their phone.

Voilà, they're into your bank. And some banks, eg Santander, have an option to display your card's PIN within the app.

With this, they can go on a mega shopping spree, and your bank will try to deny responsibility because you've revealed your PIN.

Scott.

Arborbridge
The full Lemon
Posts: 10439
Joined: November 4th, 2016, 9:33 am
Has thanked: 3644 times
Been thanked: 5272 times

Re: Simple fraud

#527648

Postby Arborbridge » September 5th, 2022, 2:33 pm

I heard this too, and found it pretty shocking. Particularly the part where the bank said she "must have" given the PIN away or written it down. Presumably, banks should already know about this weakness but choose to think it does not exist, or the account holder is more likely to be negligent.

This type of crime, it could be argued, is falling harder on women, too. The reason being that women are more likely to keep their phones and credit cards in a handbag or shoulder bag due to the much lamented inadequacy of pockets in female garments. This lack of decent sized pockets is something women are often complaining about (certainly, my wife, anyway) but designers rarely do anything about it.

I've never kept a banking app on my phone until this summer. It was the only way I could get a PIN reminder when I was on holiday, without which I could not use my credit card, because they won't email it and there was no way I could get home to pick up the post.

BTW, I don't think notifications appear in full like that on my phone, but they do on my wife's. On mine, you need to log in to open the message and the notification is just an icon.

Arb.

AF62
Lemon Quarter
Posts: 3499
Joined: November 27th, 2016, 8:45 am
Has thanked: 131 times
Been thanked: 1277 times

Re: Simple fraud

#527649

Postby AF62 » September 5th, 2022, 2:35 pm

swill453 wrote:Voilà, they're into your bank.


Not with any of the banks I have accounts with they are not - because all those banks require a username and password as well to log into the account.

In addition, with the main accounts I use, First Direct and HSBC, they both use a 'digital secure key' that has to be removed from one phone before you are able to install and use the app on a new phone - and if you don't and wipe the phone before doing so (don't ask...) then you need to phone them up and speak to them to get it reset.

Frankly this sounds like a poorly researched piece by the BBC who are just taking guesses about what may or may not have happened.

Arborbridge
The full Lemon
Posts: 10439
Joined: November 4th, 2016, 9:33 am
Has thanked: 3644 times
Been thanked: 5272 times

Re: Simple fraud

#527654

Postby Arborbridge » September 5th, 2022, 2:47 pm

AF62 wrote:
swill453 wrote:Voilà, they're into your bank.


Not with any of the banks I have accounts with they are not - because all those banks require a username and password as well to log into the account.

In addition, with the main accounts I use, First Direct and HSBC, they both use a 'digital secure key' that has to be removed from one phone before you are able to install and use the app on a new phone - and if you don't and wipe the phone before doing so (don't ask...) then you need to phone them up and speak to them to get it reset.

Frankly this sounds like a poorly researched piece by the BBC who are just taking guesses about what may or may not have happened.


Some people have a knee jerk reaction to blaming the messenger, especially if that messenger is the BBC.

It happened: they demonstrated how it happened. The BBC researchers are not fools and just because First Direct has a different system does not undermine the case. I'm wondering if in this case her system was also made vulnerable because her savings account was linked directly to her current account, so it was easy to suck money from one to the other.

And what happened to the bank's system for spotting unusual activities? The fraudster spent £850 three times in an Apple shop, which does not sound like the type of spending this woman would have been doing.

Then, to blame the woman herself was the pits, when the case revolved round a theft and fraud which happened to several people at the same time.

Arb.

AF62
Lemon Quarter
Posts: 3499
Joined: November 27th, 2016, 8:45 am
Has thanked: 131 times
Been thanked: 1277 times

Re: Simple fraud

#527656

Postby AF62 » September 5th, 2022, 2:55 pm

Arborbridge wrote:
AF62 wrote:
swill453 wrote:Voilà, they're into your bank.


Not with any of the banks I have accounts with they are not - because all those banks require a username and password as well to log into the account.

In addition, with the main accounts I use, First Direct and HSBC, they both use a 'digital secure key' that has to be removed from one phone before you are able to install and use the app on a new phone - and if you don't and wipe the phone before doing so (don't ask...) then you need to phone them up and speak to them to get it reset.

Frankly this sounds like a poorly researched piece by the BBC who are just taking guesses about what may or may not have happened.


Some people have a knee jerk reaction to blaming the messenger, especially if that messenger is the BBC.


I expect the messenger to check the story if it is a national public broadcaster funded by a mandatory licence fee.

Arborbridge wrote:It happened: they demonstrated how it happened.


Something happened - did the bank explain how the fraudster bypassed the username and password requirement that every banking app requires?

Arborbridge wrote:The BBC researchers are not fools and just because First Direct has a different system does not undermine the case. I'm wondering if in this case her system was also made vulnerable because her savings account was linked directly to her current account, so it was easy to suck money from one to the other.

And what happened to the bank's system for spotting unusual activities? The fraudster spent £850 three times in an Apple shop, which does not sound like the type of spending this woman would have been doing.

Then, to blame the woman herself was the pits, when the case revolved round a theft and fraud which happened to several people at the same time.

Arb.


And from the details you describe (I haven't listened to the radio episode) then it sounds rather like this story also reported on the BBC where there is a lot more uncertainty about what actually happened - https://www.bbc.co.uk/news/uk-england-london-62767659

And in that story the person defrauded doesn't explain how the fraudsters got past the biometric or PIN security on her phone.

Urbandreamer
Lemon Quarter
Posts: 3183
Joined: December 7th, 2016, 9:09 pm
Has thanked: 357 times
Been thanked: 1047 times

Re: Simple fraud

#527657

Postby Urbandreamer » September 5th, 2022, 2:58 pm

AF62 wrote:
swill453 wrote:Voilà, they're into your bank.


Not with any of the banks I have accounts with they are not - because all those banks require a username and password as well to log into the account.

In addition, with the main accounts I use, First Direct and HSBC, they both use a 'digital secure key' that has to be removed from one phone before you are able to install and use the app on a new phone - and if you don't and wipe the phone before doing so (don't ask...) then you need to phone them up and speak to them to get it reset.

Frankly this sounds like a poorly researched piece by the BBC who are just taking guesses about what may or may not have happened.


Possibly just poorly reported. I do see it as a security flaw that needs addressing. Just not as bad as represented.
I can't check Santander (I can't remember my ID) but do recall that their OTP is at the very end of the SMS, ie too far down to be displayed in the notification that you have had a txt. I'll try it out when I get home. This is not the case with II or Aviva who put it at the start of the txt and repeat with a copy button.

I confess that I DO find it irritating that Santander, Aviva and II rely on SMS and provide no other options. I use Google Authenticator with A J Bell and FTX, though that's only as secure as your phone's password.
I am aware that Nationwide and some other banks use card readers to produce OTP codes as an option.

Ps, if I turn my SMS notifications off then I never know that I get ANY txt, which means that I'll get no communications from my kids.

AF62
Lemon Quarter
Posts: 3499
Joined: November 27th, 2016, 8:45 am
Has thanked: 131 times
Been thanked: 1277 times

Re: Simple fraud

#527659

Postby AF62 » September 5th, 2022, 3:04 pm

Urbandreamer wrote:I confess that I DO find it irritating that Santander, Aviva and II rely on SMS and provide no other options.


But it is the secondary security, so they must have your primary security as well.

Urbandreamer wrote:I use google authenticator with A J Bell and FTX, though that's only as secure as your phone's password.


Pretty sure nobody is going to guess the six-digit PIN on my phone that increases the delay time for each incorrect entry.

Urbandreamer wrote:Ps, if I turn my SMS notifications off then I never know that I get ANY txt, which means that I'll get no communications from my kids.


On iPhones it is quite easy to only display the detail of the notification if the phone is unlocked.

DrFfybes
Lemon Quarter
Posts: 3769
Joined: November 6th, 2016, 10:25 pm
Has thanked: 1185 times
Been thanked: 1975 times

Re: Simple fraud

#527660

Postby DrFfybes » September 5th, 2022, 3:07 pm

Presumably this is OTP sent to your phone to verify a large or online purchase..

It is how you set your alerts up, at least on an Android phone anyway.

You can set it so it tells you there is an alert - eg "new text message", or you can set it so it shows the first line of the message.

For some banks this is fine, so Santander OTP says "your OTP for payment to xx-xx-xx xxxxxxxx for the amount of... is NNNNNN" and consequently the OTP itself doesn't appear on the alert screen. However most banks say "Your OTP is NNNNNN" which doesn't require the phone to be unlocked to reveal it.

I have commented on this to a couple of banks, and their response (if they bothered to give one) is that it wasn't their role to police how you secure your phone.

Paul
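The format point Paul makes (whether the code sits inside the part of the text a locked screen previews) can be checked mechanically against a bank's SMS templates. The snippet below is an added example, not code from the thread or from any bank; the two templates, the preview lengths and the six-digit code format are constructed assumptions.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample templates modelled on the two styles described in the post:
# code at the very start versus code after the payment context. Not any bank's real wording.
TEMPLATES: Dict[str, str] = {
    "code_first": "Your OTP is {code}. Do not share this code with anyone.",
    "code_last": "Your OTP for payment to 12-34-56 12345678 for the amount of 850.00 GBP is {code}",
}

# Assumption: the one-time code is exactly six digits standing alone as a word.
OTP_RE = re.compile(r"\b\d{6}\b")


def lock_screen_preview(message: str, preview_chars: int) -> str:
    """Model a lock-screen notification that shows only the first preview_chars characters."""
    if len(message) <= preview_chars:
        return message
    return message[:preview_chars].rstrip() + "..."


def otp_leaks_in_preview(message: str, preview_chars: int) -> bool:
    """True if the complete six-digit code is readable without unlocking the phone.

    A preview that cuts the code in half still reveals some digits; this check only
    flags the case where the whole code is visible, which is the one the post describes.
    """
    return OTP_RE.search(lock_screen_preview(message, preview_chars)) is not None


def chars_until_code_visible(message: str) -> Optional[int]:
    """How many leading characters a preview must show before the full code is exposed."""
    match = OTP_RE.search(message)
    return match.end() if match else None


def lint_templates(templates: Dict[str, str], code: str = "123456",
                   preview_lengths: Iterable[int] = (40, 60, 80)) -> Dict[str, List[int]]:
    """For each template, list the preview lengths at which the rendered SMS exposes the code."""
    report: Dict[str, List[int]] = {}
    for name, template in templates.items():
        rendered = template.format(code=code)
        report[name] = [n for n in preview_lengths if otp_leaks_in_preview(rendered, n)]
    return report


if __name__ == "__main__":
    for name, exposed_at in lint_templates(TEMPLATES).items():
        rendered = TEMPLATES[name].format(code="123456")
        print(f"{name}: code visible after {chars_until_code_visible(rendered)} chars; "
              f"exposed at preview lengths {exposed_at}")
```

The "code_last" template only leaks once the preview is long enough to show the entire message, which is the behaviour the post attributes to the Santander format.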

Lootman
The full Lemon
Posts: 18889
Joined: November 4th, 2016, 3:58 pm
Has thanked: 636 times
Been thanked: 6659 times

Re: Simple fraud

#527663

Postby Lootman » September 5th, 2022, 3:17 pm

Arborbridge wrote:This type of crime, it could be argued, is falling harder on women, too. The reason being that women are more likely to keep their phones and credit cards in a handbag or shoulder bag due to the much lamented inadequacy of pockets in female garments. This lack of decent sized pockets is something women are often complaining about (certainly, my wife, anyway) but designers rarely do anything about it.

I was thinking the same thing. I always keep my phone separate from my cards for this very reason. But like most women my wife just puts everything in her bag so if it got stolen she has no cash, no cards, no keys, no ID and no phone.

Arborbridge wrote:I've never kept a banking app on my phone until this summer. It was the only way I could get a PIN reminder when I was on holiday, without which I could not use my credit card, because they won't email it and there was no way I could get home to pick up the post.

I don't do any financial business on my phone, simply because I cannot predict all the ways that it could potentially be compromised.

Forgetting PINs is a problem so I do have a written list of them all on a piece of paper, carefully disguised in case it falls into the wrong hands. Again, kept very separate from my cards!

AF62
Lemon Quarter
Posts: 3499
Joined: November 27th, 2016, 8:45 am
Has thanked: 131 times
Been thanked: 1277 times

Re: Simple fraud

#527669

Postby AF62 » September 5th, 2022, 3:23 pm

Arborbridge wrote:Some people have a knee jerk reaction to blaming the messenger, especially if that messenger is the BBC.

It happened: they demonstrated how it happened.


Having now listened to the episode, they didn't.

It was Santander, and this is the app setup guide - https://www.santander.co.uk/csdlvlr/Blo ... isposition

The guide says you need your Personal ID and security details to hand before even getting to the registering the device with the OTP sent by text.

The BBC researcher did not explain how they managed to bypass that security step, which to be frank, would be a much bigger story than someone having their handbag stolen.

And I particularly noticed that the BBC interviewer *did not* ask the person defrauded whether they had reused their card PIN as their mobile phone PIN - a common mistake. If they had, then simple 'shoulder surfing' not only gets the fraudsters the card PIN to make the purchases in the Apple store but also gets the fraudsters into the phone without any of the complications described - and although banking apps then require another PIN or biometric security, if they have reused their card PIN as their phone PIN, then chances are they have reused it as their Banking App PIN as well.

Urbandreamer
Lemon Quarter
Posts: 3183
Joined: December 7th, 2016, 9:09 pm
Has thanked: 357 times
Been thanked: 1047 times

Re: Simple fraud

#527674

Postby Urbandreamer » September 5th, 2022, 3:40 pm

I have now changed my (Android) phone settings. Thanks Paul.

I do a limited amount of financial transactions on my phone, so security is paramount.
As has been suggested, I have a 6 (Digit) code required to gain access. NFC is currently turned off, I'll use a card for "contact less" thank you very much.

The main trouble with this type of story is that ways to avoid the issue are seldom reported.

BTW, another method to obtain SMS OTP codes is the well known "SIM swap". Hence, why I dislike SMS as the only option for 2F.

I do recommend that folks spend some time playing with their phone to find out how to disable SMS message preview. It wasn't obvious with Android, but not difficult once you know that it's possible. We also know that it's possible with Apple, so spend the time. If you choose to use NFC, Apple or Google Pay, find out the risks and settings to help protect yourself.

AF62
Lemon Quarter
Posts: 3499
Joined: November 27th, 2016, 8:45 am
Has thanked: 131 times
Been thanked: 1277 times

Re: Simple fraud

#527682

Postby AF62 » September 5th, 2022, 4:08 pm

Urbandreamer wrote:As has been suggested, I have a 6 (Digit) code required to gain access. NFC is currently turned off, I'll use a card for "contact less" thank you very much.


So you would sooner carry a card, which if stolen and then simply 'tapped' on a shop terminal allows the thief to pay, but not use your phone which would require the thief to know your six digit code to unlock it to pay - not sure I understand the logic of that.

Urbandreamer
Lemon Quarter
Posts: 3183
Joined: December 7th, 2016, 9:09 pm
Has thanked: 357 times
Been thanked: 1047 times

Re: Simple fraud

#527688

Postby Urbandreamer » September 5th, 2022, 4:32 pm

AF62 wrote:
Urbandreamer wrote:As has been suggested, I have a 6 (Digit) code required to gain access. NFC is currently turned off, I'll use a card for "contact less" thank you very much.


So you would sooner carry a card, which if stolen and then simply 'tapped' on a shop terminal allows the thief to pay, but not use your phone which would require the thief to know your six digit code to unlock it to pay - not sure I understand the logic of that.


No I'd sooner carry a card that has a contactless purchase limit than use a phone with no limit and no requirement to enter that 6 digit code.

I don't know if you noticed, but my post WAS about putting the effort in to both set up your phone AND know about what you are using.

Is there a limit with Apple pay (NO).
https://www.pocket-lint.com/phones/news ... support-it

How to arrange things so that the phone doesn't need unlocking to drain your accounts.
https://www.idownloadblog.com/2015/10/0 ... ck-screen/

It sure makes things easy, doesn't it. No need to fiddle when you get on or off a train, or when you buy large items.

Lootman
The full Lemon
Posts: 18889
Joined: November 4th, 2016, 3:58 pm
Has thanked: 636 times
Been thanked: 6659 times

Re: Simple fraud

#527691

Postby Lootman » September 5th, 2022, 4:42 pm

AF62 wrote:
Urbandreamer wrote:As has been suggested, I have a 6 (Digit) code required to gain access. NFC is currently turned off, I'll use a card for "contact less" thank you very much.

So you would sooner carry a card, which if stolen and then simply 'tapped' on a shop terminal allows the thief to pay, but not use your phone which would require the thief to know your six digit code to unlock it to pay - not sure I understand the logic of that.

With a stolen card, you are not liable for any charges that happen, as long as you notify the bank of the loss in a timely manner.

Whereas as Scott pointed out, with a stolen PIN, "your bank will try to deny responsibility because you've revealed your PIN".

Like Urban, I would never use a phone for a transaction that I can perform with a card. And I would have to really trust my phone to not even carry a card with me, which is the only way you can avoid the risk of losing it.

In fact prior to last year my phone had never been involved in a financial transaction. But now 2FA has made it impossible to not have a phone for online transactions. Even so, receiving 2FA codes is the only time my phone is involved. I don't even like having rail or air tickets on my phone, in case it freezes, runs out of charge or I can't get a signal. Or I lose or break the phone of course.

AF62
Lemon Quarter
Posts: 3499
Joined: November 27th, 2016, 8:45 am
Has thanked: 131 times
Been thanked: 1277 times

Re: Simple fraud

#527692

Postby AF62 » September 5th, 2022, 4:43 pm

Urbandreamer wrote:How to arrange things so that the phone doesn't need unlocking to drain your accounts.
https://www.idownloadblog.com/2015/10/0 ... ck-screen/


Did you miss the bit that mentions that when you have brought up the card with a double click you still need to authenticate your purchase via Touch ID or Face ID.

Lootman wrote:And I would have to really trust my phone to not even carry a card with me, which is the only way you can avoid the risk of losing it.


The solution I use to not lose my phone is not to take it with me. I just use my watch to pay - far harder to lose that. Although as the watch has a SIM card and can make and receive calls, then is it a phone...

swill453
Lemon Half
Posts: 7983
Joined: November 4th, 2016, 6:11 pm
Has thanked: 987 times
Been thanked: 3656 times

Re: Simple fraud

#527696

Postby swill453 » September 5th, 2022, 4:57 pm

AF62 wrote:Frankly this sounds like a poorly researched piece by the BBC who are just taking guesses about what may or may not have happened.

Other banks' security may vary, but with Santander if you click "forgotten details" you can get a reminder of your user id if you know name/address/DoB plus credit card numbers. This may be available within a handbag.

The password can then be reset on receipt of an OTP.

Scott.

AF62
Lemon Quarter
Posts: 3499
Joined: November 27th, 2016, 8:45 am
Has thanked: 131 times
Been thanked: 1277 times

Re: Simple fraud

#527698

Postby AF62 » September 5th, 2022, 5:09 pm

swill453 wrote:
AF62 wrote:Frankly this sounds like a poorly researched piece by the BBC who are just taking guesses about what may or may not have happened.

Other banks' security may vary, but with Santander if you click "forgotten details" you can get a reminder of your user id if you know name/address/DoB plus credit card numbers.


According to the Santander website you need all of those items.

swill453 wrote:This may be available within a handbag.


They might be, but most likely are not.

swill453 wrote:The password can then be reset on receipt of an OTP.


Assuming the thieves also know the phone number of the phone they have stolen to enter it into the Santander website, and yes it might be in the handbag, but most likely is not.

As before, the interviewer avoiding asking the simple question about reuse of PINs overlooked the common method thieves use.

Dod101
The full Lemon
Posts: 16629
Joined: October 10th, 2017, 11:33 am
Has thanked: 4343 times
Been thanked: 7535 times

Re: Simple fraud

#527699

Postby Dod101 » September 5th, 2022, 5:10 pm

I do not like the idea of spraying banking apps all over the place and certainly not on my phone where there is absolutely no need for it. If I wanted to I could access my bank via Safari just as I do on my desktop or iPad but I never do as I find it too fiddly. Why anyone wants to use their phone for paying anything I know not. A credit card works fine.

I will though warn a female friend because she keeps credit cards in the same wallet as her phone and if she has an app on the phone...........so thanks.

Dod

Arborbridge
The full Lemon
Posts: 10439
Joined: November 4th, 2016, 9:33 am
Has thanked: 3644 times
Been thanked: 5272 times

Re: Simple fraud

#527700

Postby Arborbridge » September 5th, 2022, 5:15 pm

DrFfybes wrote:Presumably this is OTP sent to your phone to verify a large or online purchase..

It is how you set your alerts up, at least on an Android phone anyway.

You can set it so it tells you there is an alert - eg "new text message", or you can set it so it shows the first line of the message.

For some banks this is fine, so Santander OTP says "your OTP for payment to xx-xx-xx xxxxxxxx for the amount of... is NNNNNN" and consequently the OTP itself doesn't appear on the alert screen. However most banks say "Your OTP is NNNNNN" which doesn't require the phone to be unlocked to reveal it.

I have commented on this to a couple of banks, and their response (if they bothered to give one) is that it wasn't their role to police how you secure your phone.

Paul


I complained to my bank too. I was horrified to find they are using SMS messages, which are known to be vulnerable, for security things. Why did they choose a known weak means of communication like SMS for something this sensitive?

In most dealings, I have the First Direct widget thing (they try to wean you off it!) or an Authenticator for A J Bell.

Almost everything I buy on credit card now needs an OTP sent to my phone. I don't know what the alternative is, supposing I don't have a phone.

Lootman
The full Lemon
Posts: 18889
Joined: November 4th, 2016, 3:58 pm
Has thanked: 636 times
Been thanked: 6659 times

Re: Simple fraud

#527701

Postby Lootman » September 5th, 2022, 5:16 pm

Dod101 wrote:I do not like the idea of spraying banking apps all over the place and certainly not on my phone where there is absolutely no need for it. If I wanted to I could access my bank via Safari just as I do on my desktop or iPad but I never do as I find it too fiddly. Why anyone wants to use their phone for paying anything I know not. A credit card works fine.

I will though warn a female friend because she keeps credit cards in the same wallet as her phone and if she has an app on the phone...........so thanks.

Yes, the fact that people here who obviously know a great deal about phones are disagreeing with each other in their assessment of the risks of using phones for financial transactions does not inspire confidence in me that I should change what has successfully and safely worked for me for decades - using cards (and even the odd cheque, still).

I have twice had my card used by a thief - once when they had the physical card and another time when they evidently had the digits. Both times the bank reimbursed me in full with no question or delay. Works for me.
