How is a thief taking thousands from London gym-goers?

I know the existing thread was locked but this is quite interesting as it does explain how someone can get your pin once they have your phone and card.

“Once they have the phone and the card, they register the card on the relevant bank’s app on their own phone or computer”

But it’s not as simple as that. You can’t register a card without opening the bank’s app first, and it wouldn’t let you register an existing card as a new one anyway.

I presume what the article means is that the thief is setting up the app on a new phone, but you’d still need the existing online banking login details, you can’t do it just with the debit card.

1 Like

I think in the case of LBG if you re-register it verifies you using a OTP then gives you your (existing) details.

A quick and easy way banks can stop this sort of fraud is to put the code on the end of a very long message so it doesn’t appear in the preview box.

1 Like

Another quick and easy thing to do is only allow previews of notifications in general (and messages especially) when the phone is unlocked. This means nobody can read OTP codes unless they can also unlock your phone which, provided you use a decent passcode, shouldn’t be easy to do.

Theoretically, they could still steal your SIM card and combine the original fraud with a SIM-swap fraud as well - but even this could be quite easily defeated through use of an eSIM (so they can’t take the physical SIM and simply put it in another phone) and adequate security at the mobile network (like not setting your memorable answers to things people can easily find out about you).

Not something the banks can insist on.

I agree it’d make sense for Apple and Android to activate that setting by default however.

2 Likes

I know, but it’s something people can personally do!

Banks are obviously aware of it, as they increasingly use in-app confirmation prompts instead of OTPs, so the notification itself is useless as you still have to authorise the app login before you can respond to the prompt (and the prompt itself contains no code).

Apple do/have done with all Face ID iPhones (since the iPhone X in 2017). I don’t know if they do on Touch ID phones (I think they don’t) but I suspect the Android default is always to show everything.

People tend to become aware after the point the fraud takes place tho, this is my point. Most people will have their phones on the default settings, +/- changing the font to something awful.

1 Like

This still doesn’t make sense. You can’t do this with Starling. You can’t even do it with Santander as it requires a personal ID which you can only get if you know personal details.

So which bank is this actually possible with?

3 Likes

Probably a few high street banks would be my guess?

1 Like

Some of those details are printed on debit cards aren’t they? Note none of these are Natwest Group cards…

If you have forgotten your personal ID with Santander you need your date of birth. Starling needs a video to register. I can’t believe that the details on the card and a text are all that are needed to access a bank account.

Credit cards might be different though. Once you’re in the app Amex only requires a number on the card and a code from a text to view the pin. MBNA doesn’t require anything so I presume that’s the same for Lloyds.

1 Like

Not unusual for people to carry an ID with their DOB in the same container as their debit card.

1 Like

My driving licence is with my bank cards, when I do take them out the house, which is rare tbh.

It sends you a OTP to register your phone yes, but it certainly doesn’t give you your login details.
It asks you to login with your existing internet banking details, i.e. username, password and random characters from your memorable information, none of which are on your debit card.

If you’re not already registered for internet banking, or if you’ve forgotten your login details, you’d need your postcode and date of birth, as well as your account details. Maybe the thieves are getting these details from a driving licence that they’ve also stolen?

Yes, I think this is it.

In that case the only bank that actually protects you from this is Starling as they a require a video which means unless you have a twin you don’t know about only you can access your account.

Doing this with Lloyds will make you wait for new internet banking password in the post. Do the thieves also intercept letters?

According to the Lloyds Bank guide to registering for internet and mobile banking they only send you a code by post if you’ve asked them to do so.

I’m almost certain I didn’t have to wait for anything in the post when I first opened my Lloyds Bank account and set up internet banking.

I opened my Lloyds account in 2019 and I remember I got the code in the post, this year I had forgotten details and they had to make me wait for the letter gain to get through.

This is the default on iPhone AFAIK.