Mobile Banking - how safe is it?

Hi folks,

So I came across this article on the BBC below. What surprised me is that the victim said he had Face ID and password protected his banking apps.

So how did fraudsters bypass this? Is this a known issue?
How are we supposed to take steps to protect against this?

Thoughts welcome.

 
They probably watched him or filmed him from afar unlocking it. Or snatched it when he was browsing so it was unlocked.

If someone snatched my phone like that, I would get on iCloud at the first opportunity and then remote wipe.
 
I'm not sure if they've updated it since, but you used to be able to reset your Santander details via text message. I tested it by putting my SIM into a spare phone and downloading the app. From there, I could request my customer number over text and then use that to reset my password. After realising how easy it was to reset my login with just access to the SIM, I enabled the SIM PIN! I've also since added any banking apps to a secure folder on my phone with separate PIN access. It means it's a bit more faffy to access, but is a lot more secure.
 
With the new iOS you can set any app to require FaceID to unlock, and only FaceID. With Banking Apps it is essentially doing 2 layers of unlocking. One is the FaceID, and then the banking app's own unlocking with either FaceID or Passcode.

So they might have access to your phone and be able to unlock it, but without FaceID they can't get in.
 
If they manage to open my phone, which is set up for biometrics and, if that fails, requires a 5 digit PIN, my banking apps are biometrics too. If fingerprints fail on my Halifax app I have to enter random characters from a security phrase. Chase has a 5 digit PIN if the fingerprint fails.
 
Curious, when they drain the account, surely the police can see the destination bank account?

If the offender transfers money to a UK account, that's generally fairly easy to follow. There are a number of difficulties that can arise in this type of crime:
- Banks usually require a court order to compel them to provide customer details. This is a time consuming process.
- 'Mule' accounts are fairly common. Account holders may not necessarily have much of a UK footprint, or may be naive about the use of their account for criminal purposes.
- The offender can purchase assets that are harder to trace (myriad options here).
- The offender can transfer funds to non-UK accounts or use money transfer services. Once it's out of the UK, there are usually no options to pursue.

In addition the volume of offences is such that there aren't enough police to investigate them all. Over 40% of recorded crime in the UK is fraud-related.
 
My iPhone is Face ID or 4 digit code. As for my bank, Nationwide is Face ID or 3 numbers of my 6 digit code. To reset it they would need my card for the card reader or to call Nationwide. Money's fairly safe in my account I reckon, but if they get my phone open then with apps like Amazon they could have a field day I guess, but I would be able to cancel that stuff fairly quickly.
 
I previously had some software on my phone where one text would lock it (free from the bank) it may have been Kaspersky which I see Barclays don't offer anymore. I must add, I don't use it now either :D
 