Getting bank card PIN from phone/wallet theft?

Man of Honour
Joined
26 Dec 2003
Posts
30,903
Location
Shropshire
Read reddit? Yikes :D Santander are literally the most risk averse place ever. It won't be as easy to do anything, even if they got into online banking.

Don't Santander use card readers now? If they don't, miles behind everyone else. Surely resolves all of this? I know they are doing huge digital reforms - but assumed this is standard these days.

I stopped banking with them years ago because they were so risk averse.
A user in this thread has proven it works by switching their SIM out to a spare phone and resetting their details.

They don't use card readers, it's all one-time codes... sent to the SIM which is now in a different unsecured phone.
 
Soldato
Joined
18 Oct 2002
Posts
8,275
Location
Aranyaprathet, Thailand
While it doesn't have to be Wi-Fi and you are right about it being a Bluetooth connection from phone to PED, doesn't the PED need an internet connection in order to communicate with your bank and complete the transaction?

I remember getting caught out about a year or so ago buying lunch at Tesco. They were having internet problems and couldn't accept contactless payments IIRC. Though whether that meant actual internet trouble or internet trouble as a catch all term for IT problems I don't know.

PEDs connect to the till either by wire or Bluetooth. If the PED can't connect to the web to reach the banks then it can't accept a card either. When your contactless device connects to the PED it provides an encrypted blob of data which the PED simply transfers to the payment provider. It contains the same kind of data as a physical card provides and is handled in exactly the same way.

If a Tesco was saying it could take physical cards but not contactless they have a very strange implementation that can apparently store the card but not the blob. Stupid if true as more and more payments are being made with contactless.

I've not carried a physical card in and around London for years. My phone even pays for all my transport, and can even work when the phone has run out of power.
 
Soldato
Joined
3 Apr 2009
Posts
3,973
Location
Warrington
Just read this... Yet another police failure where they seem to have failed to link obviously similar crimes until a journalist points it out. Got to wonder how on earth the thief got away with it when all these shops should have CCTV everywhere... Bizarre.

I bet the banks were aware of the security vulnerabilities too but decided to just hush it all up.
 
Soldato
Joined
1 Mar 2010
Posts
21,927
and can even work when the phone has run out of power.
The battery has enough power in reserve even when the phone will no longer start, so it hasn't really run out of power.
The company I worked for did NFC tags, which genuinely don't need a battery because enough charge is induced by a nearby magnetic field, but for those applications the information exchanged is minimal
(key-in-lock immobiliser on a car, or identifying farm animals) versus an online transaction where you need to change the data reply on subsequent uses.
 
Caporegime
Joined
30 Jul 2013
Posts
28,910
Once they have the phone and the card, they register the card on the relevant bank's app on their own phone or computer. Since it is the first time that card will have been used on the new device, a one-off security passcode is demanded.
That verification passcode is sent by the bank to the stolen phone. The code flashes up on the locked screen of the stolen phone, leaving the thief to tap it into their own device. Once accepted, they have control of the bank account. They can transfer money or buy goods, or change access to the account.
Any of the people who were clearly blaming the woman, want to comment on that? ;)
 
Soldato
Joined
11 Apr 2006
Posts
7,047
Location
Earth
How did the thief manage to spend £1000s on the cards? Surely it'd be blocked or suspected fraud. Surely a card spend is limited, contactless is £100 and a full purchase surely would send a red flag straight away.

"One victim, Alina, had her items stolen from a Virgin gym in Finchley Road last month. The thief spent about £10,000 in Harrods, and the Covent Garden Apple store. They tried to spend another £10,000 after Alina had blocked her cards. They used her money for food and taxis and withdrew cash from ATMs and changed the access to her accounts."

My other gripe is a serious lack of security at the gym. My gym you have to get in via reception, through barriers, signed in and face checked. All these high end gyms surely have same protocols. To allow randoms in to wander around.
 
Soldato
Joined
12 May 2014
Posts
5,237
So they have a phone that is connected to the banking App. So they can collect location data, the IMEI number and other data about the phone. Which would help to track down the criminals.

As someone has mentioned, gyms have security mainly so people aren't getting in for free, so that's another way for them to track these criminals down. Will be interesting to see if they signed up with fake ID. There seems to be so much digital data left lying around in this crime.
 
Soldato
Joined
18 Jul 2021
Posts
4,356
Location
Land of Gin (I wish)
How did the thief manage to spend £1000s on the cards? Surely it'd be blocked or suspected fraud. Surely a card spend is limited, contactless is £100 and a full purchase surely would send a red flag straight away.

"One victim, Alina, had her items stolen from a Virgin gym in Finchley Road last month. The thief spent about £10,000 in Harrods, and the Covent Garden Apple store. They tried to spend another £10,000 after Alina had blocked her cards. They used her money for food and taxis and withdrew cash from ATMs and changed the access to her accounts."

My other gripe is a serious lack of security at the gym. My gym you have to get in via reception, through barriers, signed in and face checked. All these high end gyms surely have same protocols. To allow randoms in to wander around.
Exactly, the fraudsters are doing this at gyms, nowhere else. But then again, how many other places do you leave your bag, phone etc in a locker? I have a locker at work. Easy to spot someone who isn't a colleague or a contractor.
 
Associate
Joined
4 Dec 2009
Posts
518
So they have a phone that is connected to the banking app. So they can collect location data, the IMEI number and other data about the phone. Which would help to track down the criminals.

As someone has mentioned, gyms have security mainly so people aren't getting in for free, so that's another way for them to track these criminals down. Will be interesting to see if they signed up with fake ID. There seems to be so much digital data left lying around in this crime.

Not if they are using a different phone each time. If they are having a shopping spree at the Apple store every 'job' they will just be buying new phones.
I imagine it's a group of ladies and they are signed up at different gyms using the bank details and driving licences they took from other gyms.
I don't expect there are many people signed up at multiple gyms.

From the BBC article the security on the device is easy to circumnavigate once you put the SIM into another device and have the bank card and driving licence.
So the only bit of the endeavour with any real risk is breaking into the locker. Which by all accounts is easy.
I also expect that gyms within a certain radius have the same support staff companies. Vending machines, cleaners, etc. For plenty of inside info.
 
Caporegime
Joined
6 Dec 2005
Posts
37,573
Location
Birmingham

Once they have the phone and the card, they register the card on the relevant bank's app on their own phone or computer. Since it is the first time that card will have been used on the new device, a one-off security passcode is demanded.

That verification passcode is sent by the bank to the stolen phone. The code flashes up on the locked screen of the stolen phone, leaving the thief to tap it into their own device. Once accepted, they have control of the bank account. They can transfer money or buy goods, or change access to the account.
The article doesn't actually mention any specific bank - which I think is a bit silly. They should name and shame / ask for comment from banks.

Not all banks just require an OTP to register a new device.

Starling - I had to record a video of myself for them to verify yesterday to register a new device.
First Direct - You need to go into the existing app and deactivate Digital Secure Key; if you don't, you have to ring them up to register the new device.
Nationwide - You need to know your customer number (I think this can be found from a form online), date of birth and a passcode that's used for all general 'online banking'.

As we (the internet collective) know, Santander seems to make it very easy to obtain the required info to log into the app on a new device. They also have 'view PIN' functionality which allows them to spend bookoo bucks with the stolen card.
 
Soldato
Joined
24 Jan 2007
Posts
3,442
Location
Bristol
Having your 2FA code pop up in an email notification that can be read on your phone whilst it's locked seems to be the root cause.

Android has the ability to remove content from selected notifications

Turn this on for Gmail/Outlook. Job done.
 
Associate
Joined
27 Jan 2009
Posts
1,815
Location
Oxfordshire
It's not 2FA, they sent a text/email without a valid login. For a reset like this where you've not passed the 1st factor (valid login) then you need something else on top of the text/email.

First Direct require you to deactivate the old device first by logging in, or you have to call them. Lloyds send you a letter in the post.

It appears Santander has gone for convenience over security.
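As an added illustration of the point above (not from any poster or any bank's real logic), this Python model of a new-device registration policy treats a one-time code sent to the phone as one factor kind only, and refuses to count data printed on a card that travels in the same wallet as a secret; the scenario names and evidence items are constructed.

```python
"""Hypothetical step-up policy for registering a banking app on a new device.

Approval requires evidence spanning two independent factor kinds. Data printed
on a card or licence (which is stolen alongside the phone) is not a secret.
"""
from dataclasses import dataclass
from enum import Enum


class Kind(Enum):
    KNOWLEDGE = "something you know"    # app passcode, memorable word
    POSSESSION = "something you have"   # phone number (SMS OTP), existing device
    INHERENCE = "something you are"     # biometric, selfie video


@dataclass(frozen=True)
class Evidence:
    name: str
    kind: Kind
    secret: bool = True  # False for details printed on a card or driving licence


def independent_kinds(evidence):
    """Factor kinds backed by evidence that is genuinely secret or held."""
    return {e.kind for e in evidence if e.secret}


def approve_new_device(evidence):
    """Approve only when two distinct factor kinds are demonstrated.

    Returns (approved, sorted list of factor kinds that counted).
    """
    kinds = independent_kinds(evidence)
    return len(kinds) >= 2, sorted(k.value for k in kinds)


# Constructed scenarios mirroring the thread: stolen wallet vs. proper step-up.
STOLEN_WALLET = [
    Evidence("card number + expiry", Kind.KNOWLEDGE, secret=False),  # on the card
    Evidence("SMS one-time code", Kind.POSSESSION),  # read off the locked phone
]
EXISTING_DEVICE = [
    Evidence("app passcode", Kind.KNOWLEDGE),
    Evidence("approval from already-registered device", Kind.POSSESSION),
]

if __name__ == "__main__":
    for label, ev in (("stolen wallet", STOLEN_WALLET), ("existing device", EXISTING_DEVICE)):
        print(label, "->", approve_new_device(ev))
```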
 
Soldato
Joined
1 Mar 2010
Posts
21,927
Would be interesting to know if you could detect which lockers have smartphones that are using the Apple Pay protocol, or might make them more susceptible to hacks...
(perhaps turn off the lockered phone, Faraday gym bag)
... how many lockers were broken into that didn't have phones?
 
Associate
Joined
4 Dec 2009
Posts
518
Would be interesting to know if you could detect which lockers have smartphones that are using the Apple Pay protocol, or might make them more susceptible to hacks...
(perhaps turn off the lockered phone, Faraday gym bag)
... how many lockers were broken into that didn't have phones?
Not much point in any of this if the thief is sat there in her gym gear next to you as you get changed and watches you put an iPhone into your locker.
 
Caporegime
Joined
22 Nov 2005
Posts
45,288
A user in this thread has proven it works by switching their SIM out to a spare phone and resetting their details.

They don't use card readers, it's all one-time codes... sent to the SIM which is now in a different unsecured phone.
SIMs have PIN codes, why did she turn it off or not set it up?
 