Simple fraud

[Steveam]

This, from the BBC, describes …

https://www.bbc.co.uk/news/uk-england-london-62809151

Best wishes,

Steve

[Infrasonic]

In Android you can also set app icons to show a dot when new messages/email at al come in...Settings / Notifications / Notification dot on app icon.

Arrange your home screen so that all sms / messaging / email app icons are are on it and use groups if short on screen real estate.

[Infrasonic]

This, from the BBC, describes …

https://www.bbc.co.uk/news/uk-england-london-62809151

Best wishes,

Steve

...Once they have the phone and the card, they register the card on the relevant bank's app on their own phone or computer. Since it is the first time that card will have been used on the new device, a one-off security passcode is demanded.

That verification passcode is sent by the bank to the stolen phone. The code flashes up on the locked screen of the stolen phone, leaving the thief to tap it into their own device. Once accepted, they have control of the bank account. They can transfer money or buy goods, or change access to the account...

But as AF62 has already highlighted up thread in order to register a new phone with banking apps you'd have to enter account details /passwords which only the victim should know - so there must be something else going on in this scam that we aren't being told (maybe intentionally to stop others copying the MO).

I recently had to do this on my upgrade from a Pixel 3a to 6a - I couldn't just get a passcode and start accessing the bank accounts via the apps, I have to go through a whole security procedure to set them all up on the new phone. 4 high street banks/BS all with similar security checks.

When I registered my CC's with Google Wallet (aka Pay) I had to jump through several security hoops as well.

[swill453]

But as AF62 has already highlighted up thread in order to register a new phone with banking apps you'd have to enter account details /passwords which only the victim should know - so there must be something else going on in this scam that we aren't being told (maybe intentionally to stop others copying the MO).

As I mentioned upthread, the Santander banking app can be cracked with (card numbers + name + address + date of birth + ability to read One Time PIN). A handbag containing phone (with lockscreen notifications enabled), the card and, say, a driving licence would give all this.

Scott.

[Infrasonic]

But as AF62 has already highlighted up thread in order to register a new phone with banking apps you'd have to enter account details /passwords which only the victim should know - so there must be something else going on in this scam that we aren't being told (maybe intentionally to stop others copying the MO).

As I mentioned upthread, the Santander banking app can be cracked with (card numbers + name + address + date of birth + ability to read One Time PIN). A handbag containing phone (with lockscreen notifications enabled), the card and, say, a driving licence would give all this.

Scott.

Are all the victims exclusively Santander customers then?

I don't use them so have no idea about their security procedures, but it seems extremely remiss if the accounts can be accessed without unique passwords / secret questions being in place.

If they are using the account details forgotten route there should be a 'secret' detail like first school / birthplace / football team that wouldn't appear anywhere on documentation like driver's license as ID confirmation (again that's how all my banks work if you forget login details...).

If victims have had ID or password information phished from database hacks etc. then it would be possible to achieve the fraud, but from what has been reported it doesn't look like these people have been targeted, it appears to be random thefts that have struck lucky. The OTP SMS message visible aspect is the least of the worries here if other banks have the Santander approach to security...

[swill453]

Are all the victims exclusively Santander customers then?

I don't know, but as I recall it was the only bank mentioned in the You & Yours feature.

Scott.

[AF62]

But as AF62 has already highlighted up thread in order to register a new phone with banking apps you'd have to enter account details /passwords which only the victim should know - so there must be something else going on in this scam that we aren't being told (maybe intentionally to stop others copying the MO).

As I mentioned upthread, the Santander banking app can be cracked with (card numbers + name + address + date of birth + ability to read One Time PIN). A handbag containing phone (with lockscreen notifications enabled), the card and, say, a driving licence would give all this.

Scott.

Are all the victims exclusively Santander customers then?

I don't use them so have no idea about their security procedures, but it seems extremely remiss if the accounts can be accessed without unique passwords / secret questions being in place.

If they are using the account details forgotten route there should be a 'secret' detail like first school / birthplace / football team that wouldn't appear anywhere on documentation like driver's license as ID confirmation (again that's how all my banks work if you forget login details...).

If victims have had ID or password information phished from database hacks etc. then it would be possible to achieve the fraud, but from what has been reported it doesn't look like these people have been targeted, it appears to be random thefts that have struck lucky. The OTP SMS message visible aspect is the least of the worries here if other banks have the Santander approach to security...

Santander was the only bank mentioned, and it appears with Santander the user ID can be reset just with the card number, the password can be reset with the just the account number, date of birth, and the OTP delivered by text, and there is no additional check when the app is installed on a new device (as there is with HSBC / First Direct).

With HSBC / First Direct if you don’t uninstall the app correctly on the original device then you have to phone them to get it reset to install again - don’t ask how I know this…

Also with HSBC / First Direct you need a code to install the app and part of the code is only delivered by post or email (your choice) so is less susceptible to this fraud.

So it looks like just a spectacularly poor implementation by Santander, with the thieves either striking lucky finding their customers, or more likely specifically targeting them - I can think of several ways I would do that.

[Infrasonic]

Searching 'Santander database hacks' brings up several hits - as is standard practise they don't really reveal how severe they are in terms of encrypted (good) versus plain text data (bad) but it does show that Santander as a group aren't that great at security.

I think the conclusion is to avoid using Santander at all until they improve their security infrastructure...

[Arborbridge]

This, from the BBC, describes …

https://www.bbc.co.uk/news/uk-england-london-62809151

Best wishes,

Steve

I'm not sure whether this link contains a further link to the latest broadcast - I didn't notice it on a quick trawl.

However, just in case this hasn't been mentioned already, there was a longish update in Wednesday's Your and Yours. It's the first item and last about a quarter of an hour, with some more cases whch have come to light.
One women found they had spent about £10,000, another around £25,000. Much of it in Apple stores, but also coffee shops etc. Something like eleven people (I believe, all women?) have come forward and contributed their experience, and as a result of some good journalism by the BBC which shows a connection between these cases, the police are now taking it more seriously. When it was just the occasional unconnected crime, it was easier to give it low priority, but it is clearly much bigger now.

The feeling from the BBC is that this is probably a single perpetrator who has access to Virgin gyms via an entry pass, since so far it is only those gyms which have been used in this fraud. Hopefully, gyms will now look to their security too. It seems, standard lockers are not particularly safe.

As regards the banks: I got the impression there could be more than just Santander. I can't be sure of that and I don't think another bank was mentioned specifically.

This is an excellent piece of consumer journalism by the BBC, and exactly what they are good at. Now, a wider group of people will know about this and take simple steps to prevent it. Who knows, maybe even fashion designers will listen as they are sketching away at their lates creation and promote a trend for more sensible pockets in women's clothing which is also attractive. I did meet one woman a while back who had a quite attractive summer skirt with a large hidden zip pocket - you wouldn't have known it was there.


Arb.

[Arborbridge]

I'm showing my ignorance here, but if the phone has been stolen, can't the fraudster remove the SIM card and use it in another phone of their own?

Arb.

[Infrasonic]

I'm showing my ignorance here, but if the phone has been stolen, can't the fraudster remove the SIM card and use it in another phone of their own?

Arb.

Not if you use a SIM lock code, as referenced by AF62 upthread. I've used them for years. Likewise you can lock out many laptops / PC's with BIOS level lock codes or USB hardware keys so it won't even boot without it.

If you are very technically adept you could possibly get around them, but that really is a tiny minority of the criminal pool doing basic fraud stuff.

Edit. Everything is moving towards eSIM phones now, eventually physical SIM cards may be consigned to history (already happening in the USA).

[Urbandreamer]

I'm showing my ignorance here, but if the phone has been stolen, can't the fraudster remove the SIM card and use it in another phone of their own?

Arb.

I have enabled the PIN lock upon the SIM.
AF62 provided links earlier in the thread on how to set up a PIN lock on your phone for some of the providers. https://lemonfool.co.uk/viewtopic.php?p=527878#p527878
I'm with giffgaff, messed up and had to use my account on the website to unlock the SIM before managing to set a PIN.

Before I did this, nothing prevented someone doing as you suggest with my phone.

There ARE things that we can all do. I.E take steps to avoid theft, don't store phone, cards, possibly and driving licence together, configure the phone to not display the SMS while locked and set a PIN on the SIM. I suspect that many people don't do these things.

I'd also caution that you consider how you are going to recover the situation if your phone is lost (ie falls off the Mersey ferry). I have a set of codes recorded so that I can identify myself to google and replace google authenticator. I can also access my phone account without my phone, meaning that I can replace the phone and transfer the number to the new phone without access to the old one. I could go on, but you get the point.

[Arborbridge]

I'm showing my ignorance here, but if the phone has been stolen, can't the fraudster remove the SIM card and use it in another phone of their own?

Arb.

I have enabled the PIN lock upon the SIM.
AF62 provided links earlier in the thread on how to set up a PIN lock on your phone for some of the providers. https://lemonfool.co.uk/viewtopic.php?p=527878#p527878
I'm with giffgaff, messed up and had to use my account on the website to unlock the SIM before managing to set a PIN.

Before I did this, nothing prevented someone doing as you suggest with my phone.

There ARE things that we can all do. I.E take steps to avoid theft, don't store phone, cards, possibly and driving licence together, configure the phone to not display the SMS while locked and set a PIN on the SIM. I suspect that many people don't do these things.

I'd also caution that you consider how you are going to recover the situation if your phone is lost (ie falls off the Mersey ferry). I have a set of codes recorded so that I can identify myself to google and replace google authenticator. I can also access my phone account without my phone, meaning that I can replace the phone and transfer the number to the new phone without access to the old one. I could go on, but you get the point.

Thanks for the above, and Infrasonic too. More things to take on board!

I started off being reasonably computerate - enough to get by, and even knew more than most of my contemporaries, and still do. But technology is getting more complex at the same time as my brain is getting older, and less complex. There will be a cross-over point sometime soon when the old brain is swamped by the rising tide.

Never saw the point of a lock on the SIM, though I do now! As I happens, I'm with giff-gaff, so any specific help there would be useful (about the "mess up" perhaps?)


Arb.

[Urbandreamer]

Never saw the point of a lock on the SIM, though I do now! As I happens, I'm with giff-gaff, so any specific help there would be useful (about the "mess up" perhaps?)


Arb.

I'm not exactly sure how I messed up, I'd had a few glasses of wine.

I believe that when you "change" the pin or how it operates, you need the existing pin. What I did was enter the same (new) pin each time that I was asked a question. The actual default code is here.
https://www.giffgaff.com/help/articles/ ... ffgaff-sim
I believe that's how I locked the phone.
I logged onto the website and unlocked the phone. I believe that they sent me an email for 2F, though you can request that they do so when it asks for the code.
I then managed to set the pin correctly.

The key thing is to start with access to your account on their website. With that you can do all sorts of useful things like unblock your sim, report a theft and order a new sim etc. You will need to set up the pin for the sim on the actual device that it's plugged into though.

[Arborbridge]

Never saw the point of a lock on the SIM, though I do now! As I happens, I'm with giff-gaff, so any specific help there would be useful (about the "mess up" perhaps?)


Arb.

I'm not exactly sure how I messed up, I'd had a few glasses of wine.

I believe that when you "change" the pin or how it operates, you need the existing pin. What I did was enter the same (new) pin each time that I was asked a question. The actual default code is here.
https://www.giffgaff.com/help/articles/ ... ffgaff-sim
I believe that's how I locked the phone.
I logged onto the website and unlocked the phone. I believe that they sent me an email for 2F, though you can request that they do so when it asks for the code.
I then managed to set the pin correctly.

The key thing is to start with access to your account on their website. With that you can do all sorts of useful things like unblock your sim, report a theft and order a new sim etc. You will need to set up the pin for the sim on the actual device that it's plugged into though.

sounds a bit daunting, but perhaps I should give it a go. Not until I don't need the phone for something critical, which is more often these days.

About this subject generally, I feel quite alone if I mislay my phone, but it's just as bad with my wallet when I mislay it. This is my life! Phone and wallet - cards, senior rail card etc plus contacts and window on the world. Sad. really.

Arb.

[swill453]

I though most gym bods took their phone in with them anyway (social media pictures, music etc)

Many will use a smart watch for that.

Scott.

[Urbandreamer]

sounds a bit daunting, but perhaps I should give it a go. Not until I don't need the phone for something critical, which is more often these days.

About this subject generally, I feel quite alone if I mislay my phone, but it's just as bad with my wallet when I mislay it. This is my life! Phone and wallet - cards, senior rail card etc plus contacts and window on the world. Sad. really.

Arb.

Well you could get giff-gaff to send you a free SIM and practice on that.
https://www.giffgaff.com/freesim-international

I'm fortunate in that I never mislay my wallet, phone or keys. I do however suffer panic attacks every time I blow my nose while the car is being serviced. This is because I've obviously lost my car keys, until I remember that they are with the garage.

Back in the 90's a friend had his Filofax stolen. He described it as having his life stolen. All contacts and addresses GONE. I've had a smartphone for decades and would really struggle without. I know I could cope, but I would certainly be sad.

Re Gym: You can get arm bands to contain your phone while exercising (moving about). I got the wife one to ware while gardening, as she wanted to garden while listening to an audiobook and expecting a phone call. She found a handbag to get in the way during such activity.

[Infrasonic]

...Re Gym: You can get arm bands to contain your phone while exercising (moving about). I got the wife one to ware while gardening, as she wanted to garden while listening to an audiobook and expecting a phone call. She found a handbag to get in the way during such activity.

Just about to suggest this. You can also get gym friendly lycra stretch money belts and running vests with stretch pockets to keep phone, keys, cards in.

I've never used gym lockers in the 35+ years I've been using them - they've always been a security risk and I know several people who've had theft issues from them.

[Arborbridge]

...Re Gym: You can get arm bands to contain your phone while exercising (moving about). I got the wife one to ware while gardening, as she wanted to garden while listening to an audiobook and expecting a phone call. She found a handbag to get in the way during such activity.

Just about to suggest this. You can also get gym friendly lycra stretch money belts and running vests with stretch pockets to keep phone, keys, cards in.

I've never used gym lockers in the 35+ years I've been using them - they've always been a security risk and I know several people who've had theft issues from them.

The last time I used a gym, there were no smart phones! By coincidence, I went down to look at joining our local leisure centre/gym. Quite impressive, and when they said it was only £75 to join up as a couple, we were going to join - until I realised that was monthly, not an annual amount. I feel out of my time!

Arb.

PS smart watches? Only know two people with them and they can never really explain why they bought them. Who wants to know their blood pressure all the time?

[Urbandreamer]

PS smart watches? Only know two people with them and they can never really explain why they bought them. Who wants to know their blood pressure all the time?

I think that you are confusing fitness measurements, which smartwatches can often do, with their other functions. Though, I think many might understand tracking heart rate and blood pressure while exercising at a Gym.

I don't use a smartwatch, but you know how it's possible to tap in and tap out while travelling with your rail card. Well, young people use a device on their wrist* for the same function charging their bank account. Or to buy coffee or crushed avocado on brioche.

They can also use it to read SMS messages or receive diary alarms. It means that for many things, they can use their phones while their phone is in a handbag or pocket.

I do actually have a smartwatch, but unfortunately it acts as the phone's speaker and mic during calls, like Dick Tracy. The quality was so bad I refuse to use it.

*Coincidentally, you can buy wristbands that will hold keys and/or cards intended for running. It achieves the same purpose. They just look like the rest of your outfit should be spandex.