{"id":7454,"date":"2024-02-19T11:41:06","date_gmt":"2024-02-19T11:41:06","guid":{"rendered":"https:\/\/newmoneyreview.com\/?p=7454"},"modified":"2024-04-12T09:57:56","modified_gmt":"2024-04-12T09:57:56","slug":"keep-your-phone-id-and-payment-card-separate","status":"publish","type":"post","link":"https:\/\/newmoneyreview.com\/index.php\/2024\/02\/19\/keep-your-phone-id-and-payment-card-separate\/","title":{"rendered":"Keep your phone, ID and payment card separate!"},"content":{"rendered":"

A recent payment fraud started from a gym theft. The story contains valuable lessons about mobile security.<\/p>\n

In an article I wrote for New Money Review<\/em> last year<\/a>, I uncovered some alarming vulnerabilities in mobile phone security\u2013specifically, regarding the safety of the money in the mobile banking apps that most of us now use.<\/p>\n

Testing an iPhone with different apps, I showed that a criminal with knowledge of someone\u2019s phone PIN and in possession of that person\u2019s phone could reset security steps like Face ID and the account password quite easily, then loot the unfortunate victim\u2019s bank accounts.<\/p>\n

It\u2019s not that difficult to \u201cshoulder surf\u201d someone\u2019s PIN and then take their mobile phone, especially in a crowded place like a bar or club.<\/p>\n

It\u2019s not that difficult to \u201cshoulder surf\u201d someone\u2019s PIN<\/p><\/blockquote>\n

And, I showed, some apps posed more risks to users than others. There is no single standard in this relatively new technology of phone-based biometric security. This unevenness makes the job of app developers, security experts and law enforcement harder, and it throws up new opportunities for resourceful criminals.<\/p>\n

Recent evidence suggests the mobile phone firms are aware of the problem, and are trying to deal with it.<\/p>\n

In the latest version of its iPhone software, called \u201ciOS 17.3\u201d, Apple has included something called \u201cStolen Device Protection\u201d<\/a>.<\/p>\n

It requires biometric authentication (a face or fingerprint scan) to access the phone when you are away from trusted places like home and work. And it includes a time delay for a second biometric authentication if you are taking certain actions that are particularly risky or sensitive (like changing your Apple ID password, changing the passcode for Face ID or Touch ID or seeing saved passwords).<\/p>\n

Will this new security step prevent thieves in possession of your phone from emptying your bank or payment account? To answer this question, I updated my phone to iOS 17.3 Beta and reviewed the apps I had studied in my last article.<\/p>\n

But first, a recent criminal case helped me decide what checks to include in my investigation.<\/p>\n

New modus operandi<\/strong><\/p>\n

A few weeks ago, the Daily Mail published a story<\/a> about a couple who stole gym members\u2019 bank cards from their lockers and used \u00a3250,000 of stolen money to go on expensive shopping holidays to Dubai.<\/p>\n

\u201cAshley Singh, 39, and Sophie Bruyea, 20, targeted 18 victims as they worked their way through lockers at several gyms across London and the south-east in a year-long crime spree,\u201d the Mail reported.<\/p>\n

This story caught my attention, as I spend my life studying cards and their vulnerabilities. It\u2019s not so easy to exploit card thefts to that kind of total. Clearly, the stolen \u00a3250,000 was not spent in one go.<\/p>\n

First of all, a large volume and number of unusual transactions, especially halfway around the world from where the victim lives, would probably be blocked by a bank. Second, if a thief had taken a card, surely the cardholder would report it as stolen and ask for it to be blocked and replaced. Finally, few people usually keep thousands of pounds in a card account.<\/p>\n

So there was probably more to the story than the opening paragraph suggested. And, further down its article, the Mail gives a clue as to what might have happened.<\/p>\n

\u201cThe couple would visit the gyms and rifle through lockers where gym goers\u2019 bank cards and even SIM cards were stolen while the unassuming victims were exercising,\u201d the newspaper reported.<\/p>\n

\u201cThey may have been able to empty accounts because the swiped SIM cards gave them a way to request password resets on the stolen cards,\u201d it went on.<\/p>\n

\u201cIn addition, many phones are now set up to pay cardless for items, meaning the SIM may have allowed them to set up the system on a new handset.\u201d<\/p>\n

Let\u2019s imagine what a thief could find in a gym locker<\/p><\/blockquote>\n

Now, that\u2019s the kind of thing I investigated in my last New Money Review article\u2013payment apps on phones.<\/p>\n

Let\u2019s imagine what a thief could find in a gym locker. Most of the keys to cracking your digital life are probably there: your driving licence, containing your name, date of birth and home address; your bank card; and a SIM card, together with your phone.<\/p>\n

If the locker thief hits the jackpot, he or she might even find your phone passcode written somewhere in your notepad or on a piece of paper stored in your wallet.<\/p>\n

Is this collection of your personal information really enough to steal all your savings? Pretty much so!<\/p>\n

Revisiting payment apps for vulnerabilities<\/strong><\/p>\n

I revisited the mobile payment apps I had surveyed in last year\u2019s article to see what the requirements were for getting access to a victim\u2019s funds, assuming I had possession of certain types of personal information.<\/p>\n

The results are in the table below: the aliases in the left-hand column are for apps offered by traditional, high street banks (labelled \u201cHS\u201d) and those offered by newer, \u201cneo-banks\u201d like Revolut or Wise (these are labelled \u201cN\u201d).<\/p>\n

\"\"<\/p>\n

It\u2019s worth noting that most neo-banks are not banks.<\/a> This means that your money\u00a0is not covered by state deposit insurance<\/a>.<\/p>\n

What do the results in the table mean? Let\u2019s examine the colour coding in the middle column.<\/p>\n

If a cell is formatted in red<\/strong>, my research suggests you can get access to the whole bank account with everything the Daily Mail criminals likely found in the gym locker.<\/p>\n

Everything starts with a stolen card, like the article suggested. But the criminal would not just go and tap that card in a supermarket (or, more ambitiously, try to use the card in a store to buy a laptop or a car).<\/p>\n

Instead, the criminal would use the card to find out the victim\u2019s bank or neo-bank. Then the criminal would likely remove the SIM from the victim\u2019s phone and insert it into their own phone (there is a security step here, called a SIM PIN, which should stop anyone doing this, but no-one uses it anymore, or the SIM PIN is set to a default 0000).<\/p>\n

Finally, a driving licence containing a valid date of birth and a postcode is very helpful for banks that ask for these pieces of information during an account reset.<\/p>\n

This attack is extremely easy and fast to execute<\/p><\/blockquote>\n

This attack is extremely easy and fast to execute and poses a serious threat to a phone owner, whether you have an iPhone, Android or even an old-fashioned Nokia.<\/p>\n

We were able to execute the attack against at least three banks. Surprisingly, we even found a neo-bank that did not ask for biometric verification during the registration of the PIN on a new device.<\/p>\n

Once the criminal has logged into your bank account, you can expect him to empty it.<\/p>\n

A second scenario applies to the cells formatted in yellow<\/strong>.<\/p>\n

In this case, thieves enrol in an Apple Pay or Google Pay (GPay) wallet on their own phones using your card details, so conveniently left in the gym locker.<\/p>\n

This turns out to be great for the criminals, though not for you<\/p><\/blockquote>\n

This turns out to be great for the criminals, though not for you. First, payment apps like Apple Pay and GPay have no transaction limits at all (whereas contactless payment card transactions in the UK carry a \u00a3100 per transaction limit).<\/p>\n

Worse, if anyone uses Apple Pay or GPay for a scam, it\u2019s more difficult to get your money back than if the criminal were draining your bank account directly.<\/p>\n

First, there’s the absence of transaction limits, meaning that any fraud could be substantially more costly.<\/p>\n

Also, the bank or neo-bank whose payment card is enrolled in Apple Pay or GPay often has insufficient information to create an effective set of anti-fraud rules<\/a>. This is because banks\u2019 anti-fraud algorithms rely on access to granular information on individual transactions. But if you\u2019re using Apple Pay or GPay for payment, those tech firms may keep the most important transaction details to themselves.<\/p>\n

Further, if a criminal can enrol an Apple Pay or GPay wallet on their phone that\u2019s linked to a stolen card, the victims won\u2019t get any notification of transactions. One day, someone, somewhere, will make a \u00a310,000 payment that the victim will find hard to claim back.<\/p>\n

Finally, to add a card to Apple Pay or GPay wallet, a lot of banks like to send a one-time SMS with a code to validate the card\u2019s ownership. We are assuming that the thief has got your phone and can put your SIM card into another handset, so this doesn\u2019t present a real obstacle.<\/p>\n

Cells in the table highlighted in green<\/strong> indicate that the payment app provider was doing its job, and it wasn\u2019t possible to bypass biometric verification checks, even with stolen ID documents, cards and a stolen phone.<\/p>\n

Thinking through defences<\/strong><\/p>\n

Our research has shown that payment apps\u2019 defences against theft and potential fraud are uneven and, in some cases, full of holes. Assuming that the criminal has access to your phone and some other personal data, at least 60% of the apps we investigated could leave you with an emptied account.<\/p>\n

At least 60% of the apps we investigated could leave you with an emptied account<\/p><\/blockquote>\n

So let\u2019s reconsider some basic security principles to think how we might protect ourselves.<\/p>\n

A simple and very helpful maxim tells us not to put all our eggs in one basket. Let\u2019s look at the examples we\u2019ve shown you and think how we might protect ourselves better.<\/p>\n

First, let\u2019s revisit how banks handle requests by clients to reset access to their accounts. Ten years ago (and this is still the case with some high street banks), it would tell you to go to a branch. Once someone could validate your ID face-to-face at the branch, you would regain account access easily.<\/p>\n

But this is increasingly difficult to do with high-street banks, given the progressive disappearance of bank branches. And physical ID verification is impossible at neo-banks\u2013they simply can\u2019t offer this service.<\/p>\n

Instead, your identity verification will probably consist of some or all of the following steps, carried out remotely. It will involve the provision of:<\/p>\n