In that case the only bank that actually protects you from this is Starling as they require a video which means unless you have a twin you don’t know about only you can access your account.
Doing this with Lloyds will make you wait for a new internet banking password in the post. Do the thieves also intercept letters?
According to the Lloyds Bank guide to registering for internet and mobile banking they only send you a code by post if you’ve asked them to do so.
I’m almost certain I didn’t have to wait for anything in the post when I first opened my Lloyds Bank account and set up internet banking.
I opened my Lloyds account in 2019 and I remember I got the code in the post; this year I had forgotten details and they had to make me wait for the letter again to get through.
This is the default on iPhone AFAIK.
I was curious about this too, so decided to delete my Halifax app and see what would be required to get hold of my card’s PIN, imagining I just had my locked phone and wallet.
I took screenshots of the whole “forgotten my details” process here if you’re interested: Halifax Forgotten Details – Google Drive
But in a nutshell, Halifax asked for:
- Sort Code & Account No. (On physical card)
- Full name (On physical card)
- Date of Birth (On ID card in wallet)
- 6 digit code via SMS (iPhone default is to “Show Previews”)
- 4 digit code via phone call (No need to unlock phone to answer)
This allowed me to:
- Retrieve the online banking username
- Reset the online banking password
- Reset the online banking “memorable information”
Which in turn meant I could log into the Halifax app and have full control including displaying the card’s PIN.
I don’t have any active accounts with Santander anymore, but a quick check seems to show the process is similar for them, asking for the card number and verification code, plus full name and DOB.
It’s clear the banks need to beef up their security, to ensure this can’t carry on, but I can see this is easier said than done.
As others mentioned, Starling’s request for video authentication is a good way to protect against this (and interestingly you need to do this even if you know your login details but are just installing the app on a new device).
Even if other banks implemented this only if you needed to recover/reset your online banking login details (as opposed to every time you installed their app), it would help foil this scam without delaying access to users who already knew their login details.
Thinking about it though, with Starling being primarily an app based bank, they do have an advantage here. What about older customers at other banks without smartphones, who use online banking on their PC with no webcam, how would they reset their details? Maybe this is part of the reason many banks haven’t introduced this security approach yet, as they have some more hurdles to get over compared with app based banks.
Yes people can make their phone messages more secure, but ultimately it needs to be up to the banks, to ensure everyone is protected no matter what phone or phone settings they use.
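An added example, not part of the post above: a small threat-model checker that encodes the recovery factors listed there as data and tests whether a thief holding the wallet and a still-locked phone can satisfy every one of them. Capability labels, the Santander-style and video-verified variants, and the `account_holder_face` factor are this example’s own assumptions.

```python
from dataclasses import dataclass

# Capability labels are this example's own; the factor lists encode the steps the post describes.
WALLET = frozenset({"card_front", "id_card"})          # debit card and ID card in the stolen wallet
LOCKED_PHONE = frozenset({"answer_call_locked"})        # calls can be answered without unlocking
SMS_PREVIEW_ALWAYS = frozenset({"read_sms_locked"})     # only if Show Previews is set to "Always"
SIM_SWAP = frozenset({"know_phone_number"})             # SIM moved to another handset reveals the number

@dataclass(frozen=True)
class Factor:
    name: str
    needs: frozenset   # every capability in this set is required to satisfy the factor

def factor(name, *needs):
    return Factor(name, frozenset(needs))

# Halifax "forgotten my details" flow as listed in the post above.
HALIFAX_RESET = [
    factor("sort code and account number", "card_front"),
    factor("full name", "card_front"),
    factor("date of birth", "id_card"),
    factor("6-digit code via SMS", "read_sms_locked"),
    factor("4-digit code via phone call", "answer_call_locked"),
]
# Santander-style variant (assumed): the mobile number must be typed in before the OTP is sent.
SANTANDER_RESET = HALIFAX_RESET[:3] + [
    factor("mobile number", "know_phone_number"),
    factor("OTP via SMS", "read_sms_locked"),
]
# Starling-style variant (assumed): a live video of the account holder, which a thief cannot supply.
VIDEO_RESET = HALIFAX_RESET + [factor("live video of account holder", "account_holder_face")]

def unmet_factors(flow, capabilities):
    """Factors the attacker cannot satisfy; an empty list means the flow is fully compromised."""
    return [f.name for f in flow if not f.needs <= capabilities]

def is_compromised(flow, capabilities):
    return not unmet_factors(flow, capabilities)

if __name__ == "__main__":
    thief = WALLET | LOCKED_PHONE | SMS_PREVIEW_ALWAYS
    for label, flow in [("Halifax", HALIFAX_RESET), ("Santander", SANTANDER_RESET), ("video", VIDEO_RESET)]:
        print(label, "compromised:", is_compromised(flow, thief), "unmet:", unmet_factors(flow, thief))
    # Victim-side mitigation: previews only when unlocked removes the SMS factor from the thief's reach.
    print("Halifax with previews 'When Unlocked':", unmet_factors(HALIFAX_RESET, WALLET | LOCKED_PHONE))
```

Adding a capability set such as `SIM_SWAP` shows which extra step a thief would need to close a remaining gap, which is the question the thread keeps returning to.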
Great investigative work. Was the SMS check in addition to a phone call or an either/or?
If the former, the quickest way to fix this is simply to move that code to the very end of a long text message as it’ll fall outside the preview window. Some banks have already started doing this in recent months I’ve noticed.
In addition to.
The SMS check was required to reset the password etc.
The phone call check was then required when logging into the app for the first time.
Nice idea, I did notice Santander have the code at the end, however, on an iPhone at least, if you tap and hold the message it will display the whole message! Even if the device is still locked (I just tested this). So it’s not really effective at all!
Ah right! On my Samsung device opening the full message requires authentication.
I wonder if requiring an email as an additional factor might be more useful than a phone call in the circumstances?
You can turn on notification previews only when unlocked in settings
Yep, you can. The default is set to “Always” show them though and that’s what most people will have it set to.
Plus I don’t believe there is a way to keep the initial preview but disable the ability to show the full message while locked, like how it apparently works on Android. Although thinking about it, this would be an odd thing to allow, as the part of the message that gets hidden would vary between screen sizes, font size etc, so it makes sense to be an “all or nothing” setting given the arbitrary cut off point.
Maybe voice recognition could be useful here? Instead of sending a code via SMS/voice, it would call you, and ask you to speak then would verify you based on your voice. Don’t some banks already do voice based identification?
I’ve just looked in my own iPhone settings, Notifications, and the default setting for previews is ‘When unlocked’ which seems contrary to what has been said above, or perhaps I have misunderstood?
My iPhone is on iOS 15.6.1.
Yes, mine was the same after a factory reset.
Ah ha. You could be right. Here’s what my Settings > Messages > Notifications > Show Previews looks like:
I’d assumed “(Default)” meant that was the default for everyone, but it seems to actually indicate the more global option in Settings > Notifications > Show Previews.
Although before I looked into this, I seemed to be under the impression that on Face ID iPhones the default was “When Unlocked” (as you only have to look at the phone to unlock it), whereas on Touch ID iPhones the default is “Always” (as it’s trickier to unlock your iPhone using Touch ID without also leaving the lock screen).
One thing that I needed with Santander (and I tried the same thing today) is to enter my phone number.
I have no idea where a thief would get that from as it’s not in my wallet.
Good catch. What happens if you click and follow the “Forgotten My Personal ID” link? (Instead of entering your ID and mobile number.) As initially at least it doesn’t appear to ask for your mobile number.
Correct. You can get your ID by providing info that’s either on your debit card or your driving licence.
But it’s for the password reset that you have to enter your phone number to receive the OTP.
If they don’t make this impossible it will just keep happening. They need to do the same sort of thing they did where stealing a phone is completely pointless as you can’t access or reset it.
If this is what happened in the case of Santander then it seems they didn’t even know or think this was possible! More likely as always with big banks they just don’t care which is fine until you have to try and get the money back.
OK, so maybe the thief is also taking the SIM out of the victim’s phone and putting it in another (unlocked) phone so they can get the phone number from it?