Phone stolen unlocked but NOT logged in to banking app. How do fraudsters do it?
Posted by Shkyboi@reddit | AskUK | 182 comments
Hi all,
I’m not asking for advice on next steps as thankfully NatWest, my credit card provider, are refunding me, but I just want to know how the fuck fraudsters are able to do this?
My phone was stolen out of my hand in London, and it was unlocked but I was only texting someone, not on banking apps.
For the few days after, it seemed all they managed to do was get an uber eats order and a taxi. I rang up NatWest to check the day after and I was told no activity to worry about
A few days after that, so today, I had an email saying I’m nearly at my credit limit.
£2.8k was balance transferred out of my account
How the fuck can they do that? There’s no way they’d get in to the NatWest app, I hadn’t even had it set up properly and had to enter the 3rd, 4th and 14th letter of my password and all that jazz
Any ideas? NatWest told me they can see the account details, but for me to have an investigation set up I’d need to wait for the refund. I just want the money back in now, so guess I’ll never find out
Boboshady@reddit
I would assume, with your phone unlocked and the banking app not set up, they've just used your email / SMS to reset access to your banking online and done it that way. They could easily delete those emails and messages so you didn't see them later.
I would also guess that you might have been targeted by someone who saw you enter your pin earlier in the night. Maybe not, but it definitely happens, and iPhones do seem to have a habit of requesting pin entry at annoyingly random times.
For future use, I would swap your pin to something far more complex than just numbers - it's annoying as hell to type in, but far harder to spy when you have to do it. I'd also set up shortcuts so when you're not connected to your home wifi, every time you open certain apps, it automatically locks the phone and requires at least Face ID to get you back in. This is only mildly annoying for you, but shuts down anyone trying to access your banking or mail apps. You can even have it so if they try to put it into airplane mode, it locks the phone first.
New_Line4049@reddit
Id say the biggest thing though is dont walk around with your phone in hand not paying attention to your surroundings. Put your phone, locked, in a zipped pocket. If you have to use it find somewhere out of the way to stop and use it, ideally back against a wall/in a corner to make it very hard for someone to sneak up in the flow of people and swipe it as they pass you. While using the phone make sure you keep looking around you too.
Shkyboi@reddit (OP)
Thanks - have done that with an alphanumeric code. In my mind it happened so quickly I don’t think they’d have my passcode but it’s possible
HumanCStand@reddit
Personally, I’ve:
made my email, messages and 2FA apps require Face ID to open,
‘Hide’ any essential banking apps and delete any unnecessary ones - it means Face ID is needed to view the hidden folder.
Any banking and 2FA app has a unique pin number to open the app, so you need Face ID AND a pin to open.
I’ve also disabled notification viewing without Face ID for texts and emails as well as opening the control centre when locked. So if a thief has my locked phone, they can’t see any password reset messages or turn on airplane mode.
If they get it when it’s unlocked, I don’t think there’s anyway of opening a sensitive app without Face ID and if they do manage to, the pin will be different to my phones password.
It does make mobile banking annoying when I have to switch between the app and safari etc, but I think it’s worth the security.
berbakay@reddit
I’ve also set up a shortcut using the Monzo logo as the app icon. If you click on it, it locks the phone, takes a picture with the front camera and sends the picture via iMessage.
My real Monzo app is in the hidden folder.
appletinicyclone@reddit
What is that icon and how does it lock the phone
Thisisth@reddit
I’ve done the same, all my apps are Face ID protected and all notifications private so codes can’t be automatically copied across apps. Hopefully that’s enough until I realise the phone is missing.
Triquivijate17@reddit
Same. FaceID on every single app, even random ones like Glassdoor 😅. Not having Face ID enabled on apps these days is like keeping your pin on a piece of paper in your wallet 10 years ago
Popular_Sell_8980@reddit
I did this, and made banking notifications locked with Face ID too. Really annoying but also mega secure. I also took my bank apps off the Home Screen, so you have to search for them (and they aren’t standard!)
New_Line4049@reddit
Most places accessed via passwords, including banks, will text or email password reset links if you use the "forgot my password" option. If they have your phone and you keep your emails logged in as most of us do theyve got fucking everything immediately, with almost no effort.
bertiebasit@reddit
Always set up Face ID for your important apps - email, banking, shopping etc
If you’re on Apple, literally long press on the icon and it gives you the option to turn it on
bronekkk@reddit
If that's an iPhone and a Visa card in your Apple Wallet, see this video
Shkyboi@reddit (OP)
It’s a Mastercard credit card. They balance transferred £2.8k out to another credit card
spoo4brains@reddit
This video shows vulnerability of iphones with Visa:
https://youtu.be/PPJ6NJkmDAo
AverageLoz@reddit
People should definitely be more aware of this exploit. Incredibly easy to do and both Apple and Visa seem completely unbothered!
OkSun8521@reddit
Why should people be aware of it?
In the extremely unlikely event that it actually happened to someone in real life, they would just call their bank and get it refunded immediately.
AverageLoz@reddit
Is this a real question?
While unlikely, it does happen every single day as shown by posts like this. Not sure about you but I'd rather not have to go through the stress of having to potentially get a refund for ££££'s and also have the slim chance of the bank saying no.
This exploit is easily fixed and the more people are aware the greater chance of it being fixed!
OkSun8521@reddit
It absolutely does not happen every single day. I doubt it has ever happened in the real world, even once.
This post is not an example of that exploit.
bronekkk@reddit
I just have to ask : are you associated with Visa ?
Asking because your point, repeated on this thread several times, seems to be parroting the exact same line which Visa has put forward, which is that "this type of attack was impractical" (BBC News, 30 Sep 2021)
Trouble is, the researchers have demonstrated that it is, indeed, practical, while Visa has failed to demonstrate why they think it is "impractical". Here's a practical example of an attack:
A criminal would use a small, programmable microcontroller (e.g. Flipper Zero) that is small enough to hide in a pocket. It can run the bit-flipping logic and relay the data to a phone via Bluetooth, removing the need for a bulky laptop entirely.
This makes the attack highly portable.
Alternatively the attacker can have two parties. One with a laptop or other device outside of brick-and-mortar shop, communicating via bluetooth with a burner phone used by the second party inside the shop.
In luxury shops, terminals may force the asymmetric encryption thus failing the attack, however (since the iPhone was stolen) the criminals have hours to try the attack at various stores - and likely know already where the attack might succeed.
OkSun8521@reddit
No.
You seem to be confusing "technically possible" with "something that a criminal would actually do".
bronekkk@reddit
That's the simplest thing in the world, one that criminals have been doing for centuries: sell the stuff purchased with your victim's money. Same as with stolen goods, except in this case the goods are genuinely new and unused. For example, jewelry, watches, phones, computer equipment, sport equipment etc. Not all shops have terminals enforcing asymmetric encryption and the criminals would know which ones do and which don't.
OkSun8521@reddit
You think criminals are stealing phones, leaving them switched on, and going to shops with a laptop to make fraudulent purchases, then selling the items?
bronekkk@reddit
Yes. Otherwise how do you explain four figures worth of purchases made with a stolen phone ?
OkSun8521@reddit
You don't even know the difference between a bank transfer and a card payment?
bronekkk@reddit
I assume the OP meant unauthorized purchases.
bronekkk@reddit
I disagree on the "extremely unlikely" part.
OkSun8521@reddit
Is there any evidence that it has ever been used in real life?
bronekkk@reddit
You seem to be under the impression that there is something extremely difficult about this hack. There isn't. It's not like trying to crack a password (where you need extreme compute power or lots of luck).
It's a man-in-the-middle attack, i.e. the same type of attack as when stealing a car from a driveway, except in this type of attack the criminal will use a second terminal rather than an antenna. There is no guessing of passwords, no significant compute needed, just a small Python script flipping a few bits in the communication. This attack was published in 2021 https://youtu.be/PPJ6NJkmDAo?si=05M64ExS-xgfUoeS
If you watch the full video you will learn that Visa has no interest in publishing how many of these happened or any other details - i.e. the proof you are asking for is their proprietary information.
OkSun8521@reddit
Getting the money is the hard part.
bronekkk@reddit
It's not, criminals have been selling stolen goods for centuries https://www.reddit.com/r/AskUK/s/oBXjvZsrWp
spoo4brains@reddit
It could explain what happened to the OP, and if I were an iPhone user I would want to know that.
OkSun8521@reddit
It is a theoretical attack that has never actually been used in the real world.
g33ksc13nt1st@reddit
Definitely "immediately", because I can think of quite a few unpleasant bits to go through before the bank even considers a refund.
jimicus@reddit
I'm nearly sure more than a few people have had their bank basically turn around and say "it was authorised with your device; tough shit".
OkSun8521@reddit
Except there's no evidence of this exploit ever having been used in real life.
livedrag@reddit
Could they have done "forgot your password" then got the emails that way.
Shkyboi@reddit (OP)
Just had a look. Had no emails about forgetting password. The only other point is that the card was saved in my apple wallet?
VolcanicBear@reddit
If it was me, I'd delete any emails I'm using to reset passwords to hide the fact that I have access to your email, as having access to someone's email can give you access to near enough anything.
Shkyboi@reddit (OP)
Yeah I mean it’s possible, but when they’re working as fast as they can before the phone/account is blocked, I doubt they’d really care
Scary-Try3023@reddit
This is their business though; they have done it so many times it’s second nature. I’ve seen the footage of them speeding down the road while also navigating through the phone; they’ve got it down to a tee. You’ve got to remember also that no one really has a backup phone, which means you need to get somewhere to access a phone or computer to block your accounts. In all that time it’s taken you to even contact your bank, they’ve already rinsed you.
ShadowPanda987@reddit
👀👀 Me with a Backup Phone.
Upgraded and it wasn't worth selling my old phone.
Plus it's basically a work phone now. All work communication happens on it.
Scary-Try3023@reddit
I always think it’s best to keep your old phone as backup, mine have always come in clutch, sometimes it’s great as a holiday phone where you can use it for maps, browsing, camera etc and if it gets lost or stolen it’s no biggy (well it is, but not as bad as losing your new phone).
ShadowPanda987@reddit
Yup if someone points a knife at me and asks for my phone I'm pulling out my old one.
uberduck@reddit
They don't care long term. Just need to delay you finding out. In this case it evidently worked.
SilverstoneMonzaSpa@reddit
Deleting emails is absolutely a normal step, so you don't log into outlook and see your banking password was changed.
QAnonomnomnom@reddit
Change all your email passwords
VolcanicBear@reddit
Maybe, but pressing delete on an email after following a link or copying a code really isn't much effort.
Plus if the email address is tied to the same phone number for recovery, I could then reset the password, sign in elsewhere and keep access to an email address to continue getting into other important accounts after the victim thinks they're fine, and before they realise they need to actively recover their email account.
doepfersdungeon@reddit
They care. What you doubt or don't is irrelevant. This isn't their first time.
belu_belu@reddit
Or they set up an email rule to move the emails as soon as they hit the inbox.
SINCLAIRCOOL@reddit
Apple wallet requires verification via pin or biometrics
bronekkk@reddit
Not always. https://youtu.be/PPJ6NJkmDAo?si=05M64ExS-xgfUoeS
throaway_247@reddit
Transport mode. See the veritasium video about it link in the thread here
Boboshady@reddit
That would need either your passcode or your Face ID to confirm a payment, is it possible that they know your pin? BTW, this question is actually "had you typed in your pin at any point during the night before you had your phone stolen?" because if so, that's it.
Shkyboi@reddit (OP)
I doubt I did to be fair. I’d only briefly left where I was and then started texting my girlfriend to meet again before it was snatched, was only outside for 10 mins! I don’t use this card, if that’s what you mean?
Boboshady@reddit
No, I mean that Apple Pay usually doesn't let you confirm a payment without Face ID or entering the PIN.
spoo4brains@reddit
https://youtu.be/PPJ6NJkmDAo
Darnit_the_other_one@reddit
Watch this. Hack is explained really well.
nihilistkitty@reddit
I would check to make sure that there is not an auto-forward set up on any of your email accounts. Hackers like to do this.
Which-World-6533@reddit
The thief probably set up a NatWest Banking App on a different phone using your SIM card to receive OTPs before you were able to block the SIM card. The card in your wallet would give your name and account details.
ENTPrick@reddit
You need to enter pin / ID to facilitate payments anyway.
They could have 2FAd / recovered it via phone number? Odd that there’s no emails, but those could have very well been deleted
spoo4brains@reddit
https://youtu.be/PPJ6NJkmDAo
SpaceMonkeyAttack@reddit
I'm not sure if this is still the case, but most banks won't let you reset your password just using email, they'll physically post you something. I don't know if this is true for NatWest.
livedrag@reddit
I think they text you too.
BTZ-25@reddit
They Do!
Expensive_Peace8153@reddit
In my experience you can't usually reset a banking password by email. It usually requires waiting for a printed letter to be sent to your physical address.
HandGrindMonkey@reddit
I'd go for updating the Biometric login on the phone. Banking app would probably then use that.
QuentinUK@reddit
Forget password. Get new password. Open email. With password open a new account on another phone and the biometric data is only stored on the old phone and not transferred to the new phone which will use new biometric data from that phone.
Royal_Scribblz@reddit
You can't do that without the device password though?
bronekkk@reddit
Below is a summary written by Gemini of the video referenced in this thread. I know AI posts are frowned upon, but I think this summary is genuinely useful here and so decided to copy&paste it. Actual Gemini conversation for anyone who wants to dig deeper is here.
The video describes a Man-in-the-Middle (MitM) attack developed by cybersecurity researchers to bypass iPhone security and steal funds from a locked device. This hack specifically exploits the "Express Transit" feature combined with a Visa card.
Between minutes 04:00 and 20:00, the process is broken down into three main "lies" told to the hardware:
1. The Setup: Man-in-the-Middle
The attackers place two devices between the victim's iPhone and the real payment terminal.
2. The Three Lies
To make the transaction work, the attackers modify the unencrypted data bits being exchanged:
- … 0 to 1 in the transaction data, they trick the iPhone into thinking it is at a transit terminal, causing it to authorize a payment while locked [00:08:06].
- … 0 (low value), so the phone authorizes a $10,000 charge without asking for a fingerprint or FaceID [00:10:04].
Why It Works (and Its Limitations)
How to stay safe: The video suggests turning off "Express Transit" mode in your Apple Wallet settings or not using a Visa card for that specific feature [00:21:44].
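The relay exchange that bronekkk's practical example and the video summary above describe, as an added Python model that is not part of the thread and not the researchers' code. The field names (terminal_flags, card_flags, TRANSIT_FLAG, CDCVM_DONE), the floor limit, and a single shared HMAC key standing in for the issuer cryptogram are this example's own simplifications, not the real EMV tag layout or key hierarchy. It plays both directions of the exchange through a relay that tells a few lies, shows why a locked phone ends up approving a £10,000 payment when the cryptogram covers only the amount, and why the same relay is caught when the cryptogram also covers the flags the relay rewrote.

```python
"""Toy model of a contactless relay attack with bit flipping.

Assumptions (this example's own, NOT the EMV specification):
  - a request carries a terminal flag word and an amount in pence;
  - a response carries a card flag word and a cryptogram (an HMAC);
  - phone and terminal share one key (real systems verify at the issuer).
"""
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional

TRANSIT_FLAG = 0x01    # request bit: "this reader is a transit gate" (hypothetical layout)
CDCVM_DONE = 0x01      # response bit: "cardholder was verified on the device" (hypothetical)
FLOOR_LIMIT = 10_000   # pence; above this the terminal insists on cardholder verification
SHARED_KEY = b"toy-shared-key-not-a-real-issuer-key"


@dataclass(frozen=True)
class Request:
    terminal_flags: int
    amount: int            # pence


@dataclass(frozen=True)
class Response:
    card_flags: int
    cryptogram: bytes


def _mac(key: bytes, *fields: int) -> bytes:
    """Cryptogram stand-in: HMAC-SHA256 over the listed integer fields."""
    msg = b"".join(f.to_bytes(4, "big") for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()


class Phone:
    """Wallet with a card enrolled for Express Transit."""

    def __init__(self, key: bytes, locked: bool, hardened: bool):
        self.key, self.locked, self.hardened = key, locked, hardened

    def respond(self, req: Request) -> Optional[Response]:
        # A locked phone only pays silently if the reader claims to be a transit gate;
        # otherwise it would prompt for Face ID, which the thief cannot pass.
        if self.locked and not (req.terminal_flags & TRANSIT_FLAG):
            return None
        flags = 0 if self.locked else CDCVM_DONE       # a locked phone verified nobody
        # Legacy: cryptogram covers only the amount. Hardened: it also covers both flag words.
        covered = (req.amount, req.terminal_flags, flags) if self.hardened else (req.amount,)
        return Response(flags, _mac(self.key, *covered))


class Terminal:
    """Ordinary shop terminal: never sets TRANSIT_FLAG itself."""

    def __init__(self, key: bytes, hardened: bool):
        self.key, self.hardened = key, hardened

    def decide(self, req: Request, resp: Optional[Response]) -> str:
        if resp is None:
            return "no response"
        covered = (req.amount, req.terminal_flags, resp.card_flags) if self.hardened else (req.amount,)
        if not hmac.compare_digest(resp.cryptogram, _mac(self.key, *covered)):
            return "declined: cryptogram mismatch"
        if req.amount > FLOOR_LIMIT and not (resp.card_flags & CDCVM_DONE):
            return "declined: cardholder verification required"
        return "approved"


def relay_request(req: Request) -> Request:
    """Lie towards the phone: 'you are at a transit gate', so it pays while locked."""
    return Request(req.terminal_flags | TRANSIT_FLAG, req.amount)


def relay_response(resp: Optional[Response]) -> Optional[Response]:
    """Lie towards the terminal: 'the cardholder was verified on the device'."""
    if resp is None:
        return None
    return Response(resp.card_flags | CDCVM_DONE, resp.cryptogram)


def run(amount: int, relay: bool, hardened: bool, locked: bool = True) -> str:
    """One purchase attempt; returns the terminal's verdict."""
    phone, terminal = Phone(SHARED_KEY, locked, hardened), Terminal(SHARED_KEY, hardened)
    req = Request(terminal_flags=0, amount=amount)            # honest shop terminal
    resp = phone.respond(relay_request(req) if relay else req)
    return terminal.decide(req, relay_response(resp) if relay else resp)


if __name__ == "__main__":
    for relay, hardened in [(False, False), (True, False), (True, True)]:
        print(f"£10,000 from a locked phone, relay={relay}, hardened={hardened}: "
              f"{run(1_000_000, relay, hardened)}")
```

The interesting run is the middle one: nothing the relay changed is covered by the cryptogram, so the terminal has no way to tell that the flags it received are not the flags the phone sent. In the hardened variant the phone signs the flags it actually saw (transit bit on, no verification) and the terminal verifies against the flags it actually sent and received (transit bit off, verification claimed), so the two cryptograms differ and the payment is declined. Whether and how the real cryptogram binds these fields is precisely the point the researchers and Visa disagree about; this model simply lets you see both outcomes.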
Chemical_Ad_1618@reddit
Don’t do mobile banking. Do it on a computer or tablet at home.
EccentricDyslexic@reddit
If you had had a banking app open recently and the thief swiped up, saw it there and reopened it, and the app was not set to immediately log out in its settings, they could have got in like that.
FallowfieldPark@reddit
Still wouldn’t work, the app will detect it’s been inactive for a while and will require ID to enter back in
EccentricDyslexic@reddit
Not necessarily, my Lloyds app has options to sign out immediately or at certain intervals, i.e. 2 mins, 10 mins etc. If it signs out immediately, swiping quickly to another app for bank details etc. is not possible, but if set to 2 mins, it is. However, to make transactions it needs your password, PIN or face, but there must be some way they do it.
FallowfieldPark@reddit
TIL different apps work differently and not all work the same.
Shkyboi@reddit (OP)
Nah, I never use this NatWest account. So wouldn’t have been in it
Delicious-Pop-7019@reddit
What else was on your phone? Access to e-mails? Access to any cloud storage providers where you keep documents? Anything useful in notes?
If they were able to gather enough info about you from your phone then they could have done this via social engineering. Just calling up Natwest and having enough info to convince them they were you.
Or assuming texts and e-mails were still going to the phone they could have gained access using some kind of "forgotten password" process.
Always make sure your "key" apps, like email and SMS are pin-protected (or facetime). They are potentially back doors to all of your other accounts.
Shkyboi@reddit (OP)
Yep. I do that now, having access to emails and texts seems like a doorway to do whatever you like. I just can’t believe they are able to transfer that amount of money out without access to the app, my card or my pin
spammmmmmmmy@reddit
They can scan your apps to know where you have an account. Then telephone the bank, request a change of email which is probably verified by a text message.
I've protected the "messages" app with FaceID to dissuade an attack like this... but putting my SIM into another phone would probably circumvent that.
NaveedQ@reddit
Add a SIM lock
leofoxx@reddit
They can know the bank looking at the cards in apple pay. At least my google pay clearly shows the bank of my two cards added. That's a huge security flaw.
livedrag@reddit
Also, if you use faceid and they saw you use a pin, the pin will work if faceid fails.
spammmmmmmmy@reddit
For some things, and not for others. Now that I've long-pressed the Messages app and chosen to protect it with FaceID, it can't be opened with my device unlock password anymore.
spammmmmmmmy@reddit
Ok come to think of it, the default Vodafone pin was 0000. I just changed it to an eight digit pin... good luck phone thieves!
Ok_Ocelot7985@reddit
check they haven’t set up email forwarding so they can still receive emails even after you’ve changed the password.
yes1402@reddit
How do you do this please. Educate me like I am 5 years old please
minibones@reddit
Long press the app on the Home Screen (if apple) and then there is an option to enable Face ID
I have done text and emails as that is what 2FA usually uses
yes1402@reddit
Android user here. Unfortunately
WaitProtein@reddit
Isn't there a hidden sub folder on android these days that requires a password?
EuphoricCover8449@reddit
If I set up a new payee on NatWest, the app won't agree to it unless I take a picture of my face.
CasualNormalRedditor@reddit
Other than having two phones where one lives at home and has payment linked to it. What can be done to prevent shit like this?
g33ksc13nt1st@reddit
Protect the SIM with a PIN. If fraudsters swap phones to get OTP details from a Face ID-protected app, it can only work if your SIM is not protected.
BmuthafuckinMagic@reddit
Get a SIM PIN set up on your phone.
So if the phone does get locked when someone nicks it, they can't just remove the SIM and use it in another phone.
UnfairlyBanned1l@reddit
I need to enter a password or fingerprint to open any app on my phone (android, can be done in settings) - I hope that would be enough to stop them
coomzee@reddit
Different profiles on the device to do different things. I have one for: banking & email, work and everyday. If my phone is taken in everyday mode, privilege can't be escalated beyond messaging.
felt-mound@reddit
You can pair your phone messaging app to your desktop/laptop using an app like Beeper, so you see all the traffic in a second place.
A bit more of a techie solution but actually very useful to have beyond security.
Da5ren@reddit
Honestly, these guys are constantly finding new ways to get in and there’s no real way to completely stop them. An unlocked phone with access to emails or text, can reset iCloud, faceID, access password apps, then they’re in everything.
All you can really do is make it difficult like someone else said: long hold and require Face ID for most apps, use a passphrase rather than numbers, and report it as soon as it happens. All you can really do.
Karen_Is_ASlur@reddit
Be careful about getting your phone out.
g33ksc13nt1st@reddit
Would putting a PIN on the SIM card (not just the phone) have helped this? Taking out the SIM to put it in a different phone would not have been possible - in theory - since it'd ask for a SIM PIN to have phone/data signal.
EndPsychological2541@reddit
Not a clue, honestly it's pretty impressive to be fair.
What phone was it?
Shkyboi@reddit (OP)
They’d tried on my Monzo by transferring to “transfer go” but it was declined for security reasons. NatWest seem like it’s been a wotsit door lock situation
iPhone 15pro
According-Log-8982@reddit
There's your issue. iPhones have poor bank security.
jimicus@reddit
Care to explain exactly what or why this is the case?
According-Log-8982@reddit
https://youtu.be/PPJ6NJkmDAo?si=bpZYHOCg3INoxyWg
The issue was discovered years ago. Nothing has been done to solve it.
EndPsychological2541@reddit
That's insane.. It's even more insane that this isn't talked about more often.
fjallpen@reddit
So sorry to hear that's happened to you OP. I did a write up about a year ago to prep for the worst:
https://www.reddit.com/r/london/s/mi6BE8Fkfq
I'd also now add a free app called "Screen Time Control" and block my banking apps when they're outside the radius of my home. It makes them look like they're deleted.
BTZ-25@reddit
Reset password then receive OTP passcode.
MidsummerMidnight@reddit
My phone automatically locks when someone steals it lol
Apprehensive_Car7786@reddit
When I got my banking apps hacked into I realised what they had done was log into my O2 account (they didn't have my phone) to add a new eSIM to my account, which routed all the texts to that new SIM on their phone. From there they did "forgot my password" on my email account (same email as the O2 account) and then found all the banking app emails I had on there. From there the world was their oyster: they had a phone and my email to reset all passwords and gain access to my PayPal and bank accounts.
Manatsuu@reddit
Is the pin for your banking app the same as the one you use to unlock your phone? Or very similar because I know some banking apps are 5 characters for example.
Interesting_iidea@reddit
Emails and phone number I’d say. Did you block the sim too?
EuphoricCover8449@reddit
Android has introduced a "Theft Detection Lock" feature that uses AI and motion sensors to detect if the phone is suddenly grabbed from your hand and carried away.
If the phone detects this kind of motion, it instantly locks the screen.
Source Google.
No_Donkey_3761@reddit
Yep, I have this switched on. Android also has a cool hidden folder setting where you can hide all your banking apps (or any app you're ashamed of) and they only show up when you dial #yourpin# on the phone keypad.
JohnInBrazil@reddit
After reading a similar thread a few months back, one of the commenters advised setting up a secure folder (on a Samsung device, not sure what it's called on others) and installing all email and banking apps into that. It requires a second set of unlock auth to access.
I keep a sacrificial email account and a bank account with £100 in on the open part of the phone, everything else, including my common browser, email, banking apps, car app, google drive etc is inside the secure folder.
It took a couple of weeks to set it all up but now I feel more secure if someone snatches the phone. Risk reduced to one single card to block on the open google pay and £100 max from my sacrificial current account.
Velobiblio@reddit
Not sure if this has been posted yet, but on an iPhone you can make any app require face ID - just hold down on the icon on the home screen and choose ‘require face ID’. I do this for all my messaging and email apps, and a few others. It also stops any preview of the contents appearing on the notification center. This should help prevent someone with your phone from reading 2fa codes texted to you!
livedrag@reddit
Try getting a friend to see if face id fails if they get asked the pin. Often phone thieves see you use pin to unlock.
YoghurtFlan@reddit
IIRC you can also move the apps to a hidden folder that requires face ID.
That way, they can't find your bank apps in the first place.
montyb752@reddit
I just tried setting up Face ID; you can then hold the app to remove the Face ID requirement. I would guess the thief would already know this workaround.
Macaroni_pies@reddit
It uses Face ID to confirm your identity before you can remove Face ID so it’s secure
Velobiblio@reddit
Just tested this and confirmed. Face ID is required to change the setting.
Flipmode45@reddit
Assuming iPhone, you need to do this
Enable SIM passcode
Turn on stolen phone protection
Enable required Face ID on SMS, email apps
Lower-Ad-2082@reddit
I have an extra lock on my Google pay for this exact reason, the only thing I can pay for without unlocking it is tapping in at train stations.
Alert_Mine7067@reddit
I'd hazard a guess that they used SMS or email to reset your login details, possibly using emails from third parties to retrieve your information.
My friend at work previously worked for Ulster Bank (NatWest in Northern Ireland) in a call centre, and also handled calls for NatWest and RBS. He mentioned fraudulent calls regarding account access (including transfers). How he explained it to me: if the agent handled the call correctly and someone impersonated the customer successfully, this was "green fraud" (the agent did what they should have, the customer was successfully impersonated and the fraud was inevitable), and "red fraud" was where, if the agent had been more diligent, the fraud could have been stopped. Either way the bank refunds; red fraud means the agent is reprimanded. That's how it was explained to me, so I'm not entirely sure of the accuracy, but if someone had access to everything, then I'd say this is possible.
I'd also take another guess, if security on phone was really bulletproof, then there wouldn't be a motivation to steal phone, perhaps someone somewhere can access something within the phone to reveal your passcode.
OptimistIndya@reddit
Is it e sim? Or they can remove and use sim in another phone?
Impossible_Volume811@reddit
Seems like we need a security device like a ring or bracelet which pairs with our phone so that if the phone is snatched from our hand it activates a factory reset wiping all our personal data off the phone.
axelzr@reddit
If you use sms messages to reset accounts then if you haven’t got setup to hide messages unless unlocked then you’re at risk of that vulnerability. Could also be case for emails.
ItGoesUpItGoesDown@reddit
Could they not just be using your phone for contactless payments if you have that set up? They would only need to log into your bank if they were doing a money transfer as opposed to just buying things.
MintberryCrunch____@reddit
When you open apple wallet it needs your Face ID no?
ItGoesUpItGoesDown@reddit
Not sure about apple wallet. I know with Google wallet your phone just needs to be unlocked but it might be something you can adjust in the settings.
CasualNormalRedditor@reddit
You should read the whole post before commenting
adeeb458@reddit
So I was watching this video on youtube by MKBHD and apparently if you have express travel enabled and a card linked then they can use a middle man device between the compromised phone and a contactless terminal to take any amount of money.
Link to video: https://youtu.be/PPJ6NJkmDAo?si=2dHqQK5PLjxTDdSC
apple_kicks@reddit
If you haven’t updated the sms passcode from default this can be hackable or spoofed
South_Leek_5730@reddit
They had your phone and access to your email. That covers authentication for the banking app when changing the password. They had your 2FA.
Clearly criminals are aware of this and work very fast with stolen phones before you get a chance to lock it and block it. They could even change the phone number and email address on accounts to keep access where possible. At the end of the day your phone is unlocked so they can plug it into a computer and do all sorts with it.
It's all about cost vs convenience vs security in that order.
Melodicmat@reddit
Absolutely no idea! I feel bad for you, mate! That's annoying. I had my card cloned a few years ago and they wiped my account out. (luckily got my money back)
They are horrible people!
FPLAlexa@reddit
Seems highly unlikely they kept your phone unlocked for days. So maybe you had a passcode that was easy to guess given the details they could find on your phone?
Once they have that the rest is easy
Martipar@reddit
I don't know, but in the past whenever I tell people I don't do banking on my phone they tell me it's impossible to get in if the phone is stolen. I carry a card and my phone; if I lose my phone I can pay to get home and sort out a new one, if I lose my wallet I can call for help. With neither I am screwed.
ShortGuitar7207@reddit
I used to work at Barclays: the classic fraud was to set up a direct debit mandate in PayPal. PayPal validates this by sending you 2 small payments and you have to input the amounts into PayPal thereby proving you have access to the account. If you have notifications enabled on your phone (default settings on iPhone), the notification tells you the amount even if the phone is locked. The PayPal account can then pull money from your account. Configure notifications to not show you the detail unless the phone is unlocked!
Aurora-ADHD-dyslexia@reddit
Any chance you had screenshots of bank card numbers etc.?
Ecstatic-Ad-4861@reddit
If you have an iPhone, you can make it so the ‘Apple account’ is greyed out so they can’t change the person (you have to go through a weird way and enter your Screen Time password to be able to make changes), and I have Face ID for emails, WhatsApp, text messages (as well as banking apps as standard) so even if they grab it out of your hand unlocked they can’t access the apps needed. I actually saw the advice on Reddit, and I live in London so it’s quite common for phones to be stolen, though I’ve been lucky so far.
Maximum-Day-8121@reddit
As well as your phone being locked, which doesn't help if it's taken from your hand.
You should also app-lock all sensitive apps and text messages.
The text being locked is a tiny bit of a pain but I'm happy to have a little extra protection.
Also, if Android, there is a setting that locks your phone on a sudden movement, which on occasion could be useful.
Ravvick@reddit
They can get your bank details from your internet browser if you have them saved there.
moistpishflaps@reddit
I recommend setting messages, WhatsApp, and emails to require Face ID and set each app to never show previews (they will also need to use Face ID to access the settings to change this once set)
Yes it requires a bit more effort day to day using them, but if you’re commonly walking through busy cities etc, then it’s a really strong layer of protection to avoid banking apps being accessed etc
tommycahil1995@reddit
People reading this post, make sure to take your banking apps off your phone. Just use them on your PC; I have them on my iPad that never leaves the house.
Almost zero reason to have them on your phone beyond convenience. You can still have your cards in your phone wallet, which are easy to set limits on and easy to freeze if your phone gets stolen.
Negative-Net-4416@reddit
I help people recover sentimental stuff from phones after a bereavement. And, often help with the discovery process to track down online accounts. There are a few ways of doing this, and I'd imagine the criminals know them all too.
Someone may have shoulder surfed you (not necessarily the same person who got your phone) - to find out the PIN.
With a PIN, it's often possible to add another Face ID or fingerprint, change Apple/Google logins, disable tracking, change important details. Many apps will allow logins with your PIN or the new Face ID, you can make payments. Consider switching on stolen phone protection, to limit the risk.
With access to the phone, it's possible to send OTPs via text or WhatsApp, emails. With access to emails, almost anything can be reset, and OTPs can be deleted. Secret keys can be copied from Authentication apps. Saved passwords and card numbers can be copied and used.
Certain apps and scripts can quickly identify many accounts and try to access them. Unlocked phones can be plugged into 'recovery' tools to extract data.
Physical SIMs can be ejected, and put in other devices to get OTPs and to stop the phone receiving commands to lock and wipe it.
You can make things harder by:
- Only unlocking your phone in public with biometrics
- Using eSIMs
- Switching on Stolen Phone protection
- Turning off notification previews
- Requiring Face ID for Control Centre
- Requiring Face ID for messages, emails, WhatsApp, banking etc. (part of iOS, not sure about Android)
- Hiding 2FA apps
- Using a safe-type app for any passwords you must keep on device, and using a fake/different PIN if it has the feature
- Considering 2FA methods that aren't immediately accessible from your phone (e.g. apps on a second device at home)
- Using different passwords for everything
Obviously, making accounts secure may make it harder for you to access them after a theft. You could improve your chances of recovering your accounts by adding 2FA apps to a secondary device, having those emails NOT go to your phone.
If you want to give loved ones access to your digital legacy, set them up as recovery contacts - but let them know if your device is stolen, to avoid social engineering attacks. Write those passwords and reset details down, keep them safe at home.
I've also got all my emails forwarded to a second 'archive' email address that I access elsewhere (my domain provider). This serves as a full record of every email I've ever received, even if the main email address is accessed and tampered with.
JWK3@reddit
I know the horse has already bolted, but smartphones (at least the modern Androids I've had) often have theft-detection locks that will lock the screen etc. if it detects a snatch and grab. When you do get your new phone, make sure to enable it 🙂
You can also report your SIM as stolen to your phone provider, to stop them having any SMS-based account/password reset options.
Shkyboi@reddit (OP)
Hi - not sure this is a feature on iPhone. Would be great…
I did all that the day after it happened (last Sunday) when I could contact my network provider. All seemed sorted and barely any impact until it came to light they’d transferred £2.8k out of my credit card…
New_Libran@reddit
That's too much time for them to figure out something
Festegios@reddit
Yes, you can remotely lock your iPhone via iCloud.com
Terr0rBytes@reddit
I came here to say this.
Android users, you can search for Theft Protection or it's Settings > Security > Device Unlock > Theft Protection
In there is protection from phone snatching, going offline and remote wiping.
Well worth checking these settings.
FlyingRo@reddit
Was the card on apple / google pay?
billy_tables@reddit
Password reset text?
Shkyboi@reddit (OP)
Can’t see texts, but that seems really fucking weak if they can gain enough access to my account via a text. When I log in I get asked all sorts of questions anyway, so unsure
billy_tables@reddit
Yea. Similar happened when someone’s locked phone was stolen from a gym - the thieves popped the sim out into their own phone and went through a recovery flow which was text based
You could rule it out if you grab a full statement from your phone network - even when you have free texts, all your incoming and outgoing text times and contact numbers are listed
doepfersdungeon@reddit
Not really. Within minutes of having your phone stolen you should have informed NatWest, frozen your account and your card. Why were you waiting until the evening?
MattOG81@reddit
Yes, they should have phoned straight away using their mobile.....
(/s just in case)
No_Space_9324@reddit
If you saved your passwords then they probably logged in online using your phone.
MrHankMardukas_@reddit
I haven’t had this happen to me but I have set my iPhone up to lock when it is put on aeroplane mode. I imagine that’s the first thing they’d do to stop any tracking, unless they’ve caught onto this trick now. But might be worth setting up if you haven’t already. I also set it to lower the screen brightness to 0% just to fuck with them a bit more.
Pocket_Aces1@reddit
Easiest way to access any account of someone is having access to their email and phone number.
Not many people use 2FA. And when they do, it's usually through a code texted or emailed to you.
Additional apps like Microsoft Authenticator (screw you), or Google Authenticator, work well in mitigating it more - shorter reset periods before a new code is generated, additional password/PIN protections on the app itself, etc.
It's one of the many reasons I've told my mum when she signs up to a new account on anything, it doesn't matter if you forget the password. Just remember your email password and it will be alright.
So to answer your question, potentially they reset the password using your email (which I assume isn't app protected) on your phone, and your phone number, for 1 time codes. It's pretty quick and simple to do, especially on a "trusted" device (which you usually accept on your phone).
Smart_Addendum@reddit
I'm wondering too, and the comments are wrong. It's not as simple as forgetting a password. You need other details to reset a password with a bank, like your bank card, sort code/account number, date of birth, customer number.
OrangeBeast01@reddit
Is your password a word? If it is, given enough time any word will be cracked, even words with numbers within them. Especially if they only need certain letters within it.
Something like John the Ripper and similar software packages are often used.
spudd01@reddit
Banking apps have restrictions in place to stop this - and to do that in the first place you'd need to be able to jailbreak the device and hook into the app (after bypassing any obfuscation and detection built in) with something like Frida.
OrangeBeast01@reddit
A lot is possible, especially as this happened over a period of days.
Just throwing out options.
my-comp-tips@reddit
Feel sorry for the OP. Really wish we were not so tied to smartphones in the first place. So much information on the things these days.
dbxp@reddit
Saved passwords on the browser would be my instinct
Shkyboi@reddit (OP)
I did think this today, but NatWest ask for the 3rd, 4th, 6th digits of your password, or whatever. Also, they’d need Face ID or my passcode to fill the password - which I’m sure they didn’t have
Minimum_Airline3657@reddit
do u have this info saved in ur notes?
mturner1993@reddit
I think you can set up automations like once it's put on airplane mode (which they often do instantly) it locks the phone.
Usually they airplane mode it then use WiFi.
ouzo84@reddit
Is it a visa card and was it an iphone?
If so watch this video about how that combination can be hacked
Scot_Survivor@reddit
as far as I know NatWest moved all their card products to Mastercard after VISA increased their prices a few years back
ldn-ldn@reddit
Banking apps are inherently insecure as they don't use industry-standard MFA validation through TOTP. They are using SMS messages instead, so anyone with your unlocked phone can do whatever the fuck they want. And they fight tooth and nail to avoid proper MFA implementation.
Shkyboi@reddit (OP)
Yeah, it’s a joke really. So basically having access to a phone can allow this without actually having access to the banking app? Someone in another sub mentioned they’d basically paid off another credit card account, which seems so easy to do
ldn-ldn@reddit
Yep. Using SMS messages for MFA has been insecure in general since 2017: https://www.eset.com/uk/about/newsroom/blog/hackers-exploit-banking-app-2-factor-authentication/ In the worst-case scenario, criminals don't even have to have access to your phone at all. They only need to be in your vicinity.
Every time you see some app or web site trying to send you an SMS with a code, it should be a red flag that such app or web site is insecure.
My advice would be to contact your bank, send them some links about SMS (plenty of security articles can be found online) and tell them that their authentication is insecure and you want them to implement TOTP instead, with a total removal of SMS and phone call codes.
If we as consumers don't tell them that and don't complain - they won't do shit about it. Complain yourself and ask your friends to do so too.
FallowfieldPark@reddit
Too late now, but I always have my photos, notes, emails, text apps password protected in case something like this happens. So when someone snatches it, they won’t be able to get into any important apps
EccentricDyslexic@reddit
Passwords app? Have you your passwords written in notes? So many variables
LJ161@reddit
Do you have your bank details/ card details saved to auto-fill?
Shkyboi@reddit (OP)
Nope, don’t use this account
doepfersdungeon@reddit
You need to have Find My Phone set up so you can wipe the phone.
If you lost your phone and set up a new one, how would you put the NatWest app back on it and log in?
You would do a reset of the password. Where does that reset go? Your phone. Who had your phone? They do.
Joshthenosh77@reddit
Password reset which goes to your text or email, are they protected? I have my bank app hidden, with obviously Face ID; my emails, texts, WhatsApp all Face ID. I also have the phone stolen setting activated, which means if it goes places you don’t normally go it thinks it’s stolen. I also have a limit on how much can be transferred per day on my account at £1000
Shkyboi@reddit (OP)
Yeah I do this now for key apps. I don’t use this account, it’s a credit card I’ve got some money to pay off on for some flights, but that’s it. Balance transfer isn’t a cash transfer either, it’s been sent to another credit account
theabominablewonder@reddit
Well they have access to any text messages and emails. That probably also gives them access to a lot of personal information like date of birth, address etc. So they can probably get quite far with all that, maybe NatWest email forgotten login details and text the authentication codes etc.
PenneTracheotomy@reddit
Could any of your bank details be anywhere else on your phone like in a note, in a message you sent or received, in a document you’ve taken a photo of, a statement downloaded?
Shkyboi@reddit (OP)
Not that I’m aware of. Got my account number but that’s it, and it’s not labelled - I just know where it is. Still have to get past password screens and, I’d hope, even more security questions when balance transferring