Man of Honour
Unless she's running an old iPhone it won't have a FPS
Getting bank card PIN from phone/wallet theft?
- Thread starter Tom_ed1987
- Start date
Soldato
If she has a iPhone with a draw a pattern on a grid to unlock the phone, you do see fingermarks of the pattern made on the screen (if not cleaned regularly). Then it’s guessing which order the pattern is made.
I bet she did a square!
Soldato
Sounds like this is the most likely answer. Very worrying if it is, as there's not an awful lot that can be done if someone gets your phone.
Soldato
Oooffff, wtf. If true then that is seriously terrible security from santander.
Billy's method, which he claims to have tested on his account: put the sim in a new phone and download the santander app then apparently it lets you do forgot my 'personal id' using details from say a driving licence you may have nicked in a wallet. Then 'forgot my password' which will send a verification code to the phone number of the phone which you are currently using. Voila.
Surely even using email verification rather than / as well as text message, and requiring extra checks if you're using a new device would be some pretty simple changes which would avoid this particular vulnerability.
Caporegime
Hahaha what the hell?!
retail.santander.co.uk
So you have the card = personal ID
Or if they've changed the personal ID you can do forgotten personal ID process - https://retail.santander.co.uk/RESCUK_NS_ENS/ChannelDriver.ssobto?dse_operationName=mainReaccess
Which only seems to need D.O.B and post code, which as @cheesefest says would be on driving license. Then you've got personal ID,
Then to reset online banking you seemingly just need personal ID and access to SMS for mobile number. There's no additional checks after that - https://retail.santander.co.uk/olb/app/reset/#/pid
Santander Online Banking
retail.santander.co.uk
So you have the card = personal ID
Or if they've changed the personal ID you can do forgotten personal ID process - https://retail.santander.co.uk/RESCUK_NS_ENS/ChannelDriver.ssobto?dse_operationName=mainReaccess
Which only seems to need D.O.B and post code, which as @cheesefest says would be on driving license. Then you've got personal ID,
Then to reset online banking you seemingly just need personal ID and access to SMS for mobile number. There's no additional checks after that - https://retail.santander.co.uk/olb/app/reset/#/pid
Permabanned
- Joined
- 9 Aug 2008
- Posts
- 35,711
If this is true (someone confirmed it on reddit) then santandar will need to change the security, fast. 100% for sure. IF they don't there's going to be compromised bank accounts all over once the scammers find out how it's done.
Soldato
Are the other banks apps have similar security issues with their apps? Needs a third layer of security.
One security thing I hate companies use is mothers maiden name. Why?
. Siblings share the same MMN
. As well as children from your mother’s
sister(s)
. Single mothers usually change their children’s surnames to their own. So answer is their surname!
. Can get this from the internet easily.
Also place of birth is not a good security option either esp to those who have families who never moved and live in the same city/town as they were born in.
One security thing I hate companies use is mothers maiden name. Why?
. Siblings share the same MMN
. As well as children from your mother’s
sister(s)
. Single mothers usually change their children’s surnames to their own. So answer is their surname!
. Can get this from the internet easily.
Also place of birth is not a good security option either esp to those who have families who never moved and live in the same city/town as they were born in.
Permabanned
- Joined
- 9 Aug 2008
- Posts
- 35,711
Haven't heard of other banks having these issues.
Looks like this is not the case. Serious security flaws by the sound of it.
Soldato
The Media reporting has been really terrible... They made it sound like it was essentially a case of santander paying her off to be quiet, but actually there is a pretty massive security hole, and readi g the twitter thread they were very slow to act on her information even after reporting it to them, twice trying to ring her stolen mobile before blocking the card!
I bet there's more to this failure of access control at the gym too - either some kind of insider assistance or poorly thought out design...
I bet there's more to this failure of access control at the gym too - either some kind of insider assistance or poorly thought out design...
Soldato
What are Virgin Active lockers locked with? A key? A personal padlock? Fingerprint?
When I go to my gym, we use lockers which put a pound coin in the back which when unlocks, pound cones out at the bottom. Keep key safety pinned onto t-shirt.
Padlocked can be cut with cutters.
When I go to my gym, we use lockers which put a pound coin in the back which when unlocks, pound cones out at the bottom. Keep key safety pinned onto t-shirt.
Padlocked can be cut with cutters.
Soldato
This wouldn't necessarily work - depending on the banking app/phone at least.
When I've changed the biometrics on my phone (Huawei P30 Pro) - e.g. added a new fingerprint, most of the apps I had set up to use it forced me to re-enter my credentials and re-confirm that I wanted to use fingerprint authentication, I presume for exactly this reason.
Perhaps a flaw in the Santander app that it doesn't do this? Or an Apple/iPhone thing?
Hm. I’m not sure about this bit. How does the Santander app know the phone number of the new SIM card you just put in? Surely they would just message your number in file (also problematic if phone is 100% in the thief’s control)
A seemingly valid hack was described in earlier post .. courtesy of transplanting the sim.
would be interesting to see the Which report
Banking security put to the test: could your bank be doing more to stop fraud? - Which? News
A Which? Money investigation has identified weaknesses in some banks' online and mobile banking security, which could be exploited by criminals
Sim-swap fraud: how criminals hijack your number to get into your bank accounts - Which? News
Reports of Sim-swap fraud have gone up by 400% in five years
e: not exactly same kind of sim swap - but similar implication
Soldato
If you have taken the sim out of the original phone and out it in your new phone then your new phone will now have the same number that they have on file.
I thought they put a new SIM in her phone. (IE a new number). I guess I must have misread.
Yep, I tested it yesterday with my Satander account and had found my ID, reset the password and got on to the app to view my PIN in under 5 minutes. All you need is the SIM card, bank card and ID with date of birth on, which presumably, were stolen along with her phone. Pretty shocking security wise! It never occurred to me before and I was wondering how they'd got around the iPhone lock/biometrics etc.
But how did they? This is what we dont know, right?
Man of Honour
By the sounds of it you don't, you drop the existing SIM into a new phone and reset everything using that phone as it's all done with texts to the existing number
Man of Honour
Indeed, sounds like I might need to backtrack on that one!
Too many years of dealing with the end users has made me jaded
