Banking apps store your card's PIN number on your phone

[David Clapson]

R4 had a bit about this today. You and Yours - Gym Locker Theft Update; Disappearing Discounts; Recruiting Carers on Social Media - BBC Sounds I only half listened, but apparently the apps store the PIN numbers for your cards. So if your phone's stolen and unlocked the thief can drain your account. It happened to a listener and the bank refused to accept the possibility that it wasn't the victim's fault. So i'm thinking about uninstalling the apps.

 

[moochedit]

Which banks? All of them?

 

[David Clapson]

Dunno. Have a listen.

 

[quimcunx]

Everyone wants you to use their app instead of their website. I can't see any advantage and I don't want even more fucking apps hogging my phone storage/memory so I've always ignored their wheedling. Same with Gmail etc. Fuck 'em.

 

[moochedit]

The gym locker story appears to be about halifax.

How is a thief taking thousands from London gym-goers?

A serial thief is targeting well-off young women across London's gyms. How is she doing it?

www.bbc.com

 

[souljacker]

Which banks? All of them?

Virgin money do for my credit card. You need to get past my phone login then the fingerprint login to the app but it is there.

I couldn't really tell from that news story how the thieves unlocked her phone though.

 

[moochedit]

Virgin money do for my credit card. You need to get past my phone login then the fingerprint login to the app but it is there.

I couldn't really tell from that news story how the thieves unlocked her phone though.

Yeah my barclays app has a card pin reminder function but you'd need to enter my phone password to unlock the phone and then enter the banking apps 5 digit pin (which you would need to know already and is not same as 4 digit card pin).

I don't know if the card pin is stored in the app in phones memory or if it gets if from barclays server when you request it.

Also iirc correctly to register on a new device you either use the "pin sentory" device with your card (which requires you to already know the card pin) or you can take card to a cashpoint to verify (again you need to know card pin already) or you can log into the app on old phone and get a code to move to new device (you need to know the app pin).

Obviously each bank has its own app software and security procedures and maybe the thief has some technical knowledge and has found a flaw in one or more of the banks apps they can exploit.

It may simply be people with no phone password and 12345 as their app pin though.

 

[liquidindian]

AFAI can tell it's not the app that's the problem. At least not directly.

The thief installs the app on their own device, using the stolen card details. A code is sent to the victim's phone to confirm that they are doing this. This wouldn't be a problem except the default is to show SMS messages on the phone screen, unlocked or not. So the thief doesn't need to unlock the device, they have the code and the app is transferred.

It's not clear if uninstalling the app would help.

 

[moochedit]

AFAI can tell it's not the app that's the problem. At least not directly.

The thief installs the app on their own device, using the stolen card details. A code is sent to the victim's phone to confirm that they are doing this. This wouldn't be a problem except the default is to show SMS messages on the phone screen, unlocked or not. So the thief doesn't need to unlock the device, they have the code and the app is transferred.

It's not clear if uninstalling the app would help.

If the only security check is an sms code then that needs fixing by the banks concerned.

 

[souljacker]

AFAI can tell it's not the app that's the problem. At least not directly.

The thief installs the app on their own device, using the stolen card details. A code is sent to the victim's phone to confirm that they are doing this. This wouldn't be a problem except the default is to show SMS messages on the phone screen, unlocked or not. So the thief doesn't need to unlock the device, they have the code and the app is transferred.

It's not clear if uninstalling the app would help.

But when you get a message notification on the lock screen, it doesn't actually show the message does it? I don't know as I have always switched that off on phones.

 

[liquidindian]

I've checked and I was writing for a client about how SMS wasn't good enough for 2FA/MFA at least as far back as 2013.

 

[moochedit]

But when you get a message notification on the lock screen, it doesn't actually show the message does it? I don't know as I have always switched that off on phones.

Depends on your settings.

 

[souljacker]

I've checked and I was writing for a client about how SMS wasn't good enough for 2FA/MFA at least as far back as 2013.

SMS has been hackable/cloneable since it started. Probably the least trustworthy authentication system there is.

 

[DaphneM]

SMS has been hackable/cloneable since it started. Probably the least trustworthy authentication system there is.

Yeah, always use an Authenticator

 

[liquidindian]

The gym locker story appears to be about halifax.

Other stories mention Santander too.

 

[David Clapson]

AFAI can tell it's not the app that's the problem. At least not directly.

The thief installs the app on their own device, using the stolen card details. A code is sent to the victim's phone to confirm that they are doing this. This wouldn't be a problem except the default is to show SMS messages on the phone screen, unlocked or not. So the thief doesn't need to unlock the device, they have the code and the app is transferred.

It's not clear if uninstalling the app would help.

Are you saying that having your cards stolen is the risk, not having your phone stolen?

 

[liquidindian]

I couldn't really tell from that news story how the thieves unlocked her phone though.

Charles Arthur, previously tech ed at the Guardian, here saying that it's a simple as putting the SIM card in an unlocked phone.

 

[David Clapson]

The full story of the gym theft is here https://www.ftadviser.com/your-indu...agrees-to-reimburse-customer-after-gym-theft/ The victim says she's been contacted by many other victims who have been blamed by other banks, not just Santander, when a thief gets the PIN.

The story seems to be growing, so we'll probably get some proper coverage of it soon, by a specialist journalist in the banking or IT press.

 

[StoneRoad]

This story does nothing to improve my opinion of modern technology / on-line banking / security.

 

[liquidindian]

Are you saying that having your cards stolen is the risk, not having your phone stolen?

More that having both stolen together is a problem if your bank uses SMS in this way, and that uninstalling the app may not completely solve it. I'm not a security expert, I just don't want you to uninstall the app and think "job done" when it may not be the solution.

 

[quimcunx]

I've noticed some organisations have taken to putting the code at the end of the sms so it can't be previewed.

 

[David Clapson]

This story does nothing to improve my opinion of modern technology / on-line banking / security.

Push payment fraud turned out to be so laughably easy that it proved we should never have any confidence in banks. I still find it hard to believe that they didn't prevent it decades ago. They knew the risk but kept quiet and did nothing, until there'd been a spree of thefts. Then they blamed the victims (of course). They're an embarrassment.

 

[souljacker]

Charles Arthur, previously tech ed at the Guardian, here saying that it's a simple as putting the SIM card in an unlocked phone.

So simple. You can pin protect sims iirc. Never done it though.

 

[liquidindian]

So simple. You can pin protect sims iirc. Never done it though.

Same. I was looking at SIM PINs but it looks like a right guddle.

 

[moochedit]

Yeah i have a sim pim as well as the phone password. I only have to enter the sim pin when i switch the phone on though (and i rarely turn it off). If unlocking the screen i only need the phone password. I assume sms can't be received without the sim pin if sim is put in another phone but i may be wrong about that.

 

[kalmatthew]

Part of the problem is that SMS isn't massively secure even before it gets to your phone although a sim pin should help make it harder to move the sim about

 

[skyscraper101]

I'm guessing an eSIM would prevent this happening?

 

[kalmatthew]

The sim swapping, sure the lack of security in the S7 protocol that is used to send SMS not really

 

[farmerbarleymow]

Yeah my barclays app has a card pin reminder function but you'd need to enter my phone password to unlock the phone and then enter the banking apps 5 digit pin (which you would need to know already and is not same as 4 digit card pin).

I saw the original thread about this gym theft on twitter and had no idea you could access the PIN via the app. Went into mine and after I'd logged on with the thumbprint, it didn't ask for further verification before it showed the PIN which seems a bit lax. I've always had previews on the lock screen turned off though.

 

[moochedit]

I saw the original thread about this gym theft on twitter and had no idea you could access the PIN via the app. Went into mine and after I'd logged on with the thumbprint, it didn't ask for further verification before it showed the PIN which seems a bit lax. I've always had previews on the lock screen turned off though.

my phone doesn't have a thumbprint scanner. I logon with a 5 digit pin. Never actually used the pin reminder function before as i know it but i know the function is there. Must admit i did have sms showing on lock screen but i've changed that now.