How is a thief taking thousands from London gym-goers?

I was curious about this too, so decided to delete my Halifax app and see what would be required to get hold of my card’s PIN, imagining I just had my locked phone and wallet.

I took screenshots of the whole “forgotten my details” process here if you’re interested: Halifax Forgotten Details – Google Drive

But in a nutshell, Halifax asked for:

  • Sort Code & Account No. (On physical card)
  • Full name (On physical card)
  • Date of Birth (On ID card in wallet)
  • 6 digit code via SMS (iPhone default is to “Show Previews”)
  • 4 digit code via phone call (No need to unlock phone to answer)

This allowed me to:

  • Retrieve the online banking username
  • Reset the online banking password
  • Reset the online banking “memorable information”

Which in turn meant I could log into the Halifax app and have full control including displaying the card’s PIN.

I don’t have any active accounts with Santander anymore, but a quick check seems to show the process is similar for them, asking for the card number and verification code, plus full name and DOB.

It’s clear the banks need to beef up their security, to ensure this can’t carry on, but I can see this is easier said than done.

As others mentioned, Starling’s request for video authentication is a good way to protect against this, (and interestingly you need to do this even if you know your login details but are just installing the app on a new device).

Even if other banks implemented this only if you needed to recover/reset your online banking login details (as opposed to every time you installed their app), it would help foil this scam without delaying access to users who already knew their login details.

Thinking about it though, with Starling being primarily an app based bank, they do have an advantage here. What about older customers at other banks without smartphones, who use online banking on their PC with no webcam, how would they reset their details? Maybe this is part of the reason many banks haven’t introduced this security approach yet, as they have some more hurdles to get over compared with app based banks.

Yes, people can make their phone messages more secure, but ultimately it needs to be up to the banks to ensure everyone is protected no matter what phone or phone settings they use.

4 Likes
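A way to reason about the recovery flow described above as a threat model, written as an added example rather than anything from the thread or from a bank: each step is passed by presenting one of several kinds of evidence, the attacker holds whatever a wallet and a locked phone yield, and the flow is only safe if at least one step cannot be satisfied from that bundle. The step names, evidence labels and both flows are assumptions constructed from the post, not a real bank's policy.

```python
"""Threat-model check for an account-recovery flow (constructed example)."""
from typing import Dict, FrozenSet, List, Set, Tuple

# Evidence a thief holds after taking a wallet and a locked phone.
# Labels are constructed from the factors listed in the post above.
STOLEN_BUNDLE: Set[str] = {
    "card_details",   # sort code, account number, name printed on the card
    "id_card_dob",    # date of birth read off an ID card in the wallet
    "sms_preview",    # OTP visible in a lock-screen notification preview
    "answer_call",    # voice OTP: calls can be answered without unlocking
}

# A flow is an ordered list of (step name, alternative evidence sets).
# A step is passed if ANY alternative is a subset of what the holder has.
Flow = List[Tuple[str, List[FrozenSet[str]]]]

def evaluate(flow: Flow, held: Set[str]) -> Tuple[bool, Dict[str, bool]]:
    """Return (whole flow passable?, per-step pass/fail) for this holder."""
    per_step = {step: any(alt <= held for alt in alts) for step, alts in flow}
    return all(per_step.values()), per_step

def blocking_steps(flow: Flow, held: Set[str]) -> List[str]:
    """Steps the holder cannot pass: the controls that actually stop a thief."""
    return [step for step, ok in evaluate(flow, held)[1].items() if not ok]

# Hypothetical reset flow modelled on the steps the post describes.
APP_RESET_FLOW: Flow = [
    ("identify account", [frozenset({"card_details"})]),
    ("confirm identity", [frozenset({"id_card_dob"})]),
    ("one-time code", [frozenset({"sms_preview"}), frozenset({"unlocked_phone"})]),
    ("first app login", [frozenset({"answer_call"})]),
]

# Same flow plus one step the stolen bundle cannot satisfy (a video ID check).
HARDENED_FLOW: Flow = APP_RESET_FLOW + [
    ("liveness check", [frozenset({"video_selfie_match"})]),
]

if __name__ == "__main__":
    for name, flow in (("app reset", APP_RESET_FLOW), ("hardened", HARDENED_FLOW)):
        passable, _ = evaluate(flow, STOLEN_BUNDLE)
        print(f"{name}: passable with stolen bundle={passable}, "
              f"blocked at={blocking_steps(flow, STOLEN_BUNDLE)}")
    # Effect of the "show previews only when unlocked" setting on the same flow.
    print("previews hidden:", blocking_steps(APP_RESET_FLOW, STOLEN_BUNDLE - {"sms_preview"}))
```

Running it shows the modelled reset flow is fully passable from the stolen bundle, while either the liveness step or hiding lock-screen previews leaves a step the thief cannot satisfy.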

Great investigative work. Was the SMS check in addition to a phone call or an either/or?

If the former, the quickest way to fix this is simply to move that code to the very end of a long text message as it’ll fall outside the preview window. Some banks have already started doing this in recent months I’ve noticed.

In addition to.

The SMS check was required to reset the password etc.
The phone call check was then required when logging into the app for the first time.

Nice idea, I did notice Santander have the code at the end, however, on an iPhone at least, if you tap and hold the message it will display the whole message! Even if the device is still locked (I just tested this). So it’s not really effective at all!

2 Likes

Ah right! On my Samsung device opening the full message requires authentication.

I wonder if requiring an email as an additional factor might be more useful than a phonecall in the circumstances?

1 Like

You can turn on notification previews only when unlocked in Settings.

1 Like

Yep, you can. The default is set to “Always” show them though, and that’s what most people will have it set to.

Plus I don’t believe there is a way to keep the initial preview but disable the ability to show the full message while locked, like how it apparently works on Android. Although thinking about it, this would be an odd thing to allow, as the part of the message that gets hidden would vary between screen sizes, font size etc, so it makes sense to be an “all or nothing” setting given the arbitrary cut off point.
Maybe voice recognition could be useful here? Instead of sending a code via SMS/voice, it would call you, and ask you to speak then would verify you based on your voice. Don’t some banks already do voice based identification?

1 Like

I’ve just looked in my own iPhone settings, Notifications, and the default setting for previews is ‘When unlocked’ which seems contrary to what has been said above, or perhaps I have misunderstood?

My iPhone is on iOS 15.6.1.

Yes, mine was the same after a factory reset.

Ah ha. You could be right. Here’s what my Settings > Messages > Notifications > Show Previews looks like:

I’d assumed “(Default)” meant that was the default for everyone, but it seems to actually indicate the more global option in Settings > Notifications > Show Previews.

Although before I looked into this, I seemed to be under the impression that on Face ID iPhones the default was “When Unlocked” (as you only have to look at the phone to unlock it), whereas on Touch ID iPhones the default is “Always” (as it’s trickier to unlock your iPhone using Touch ID without also leaving the lock screen).

One thing that I needed with Santander (and I tried the same thing today) is to enter my phone number.

I have no idea where a thief would get that from as it’s not in my wallet.

Good catch. What happens if you click and follow the “Forgotten My Personal ID” link? (Instead of entering your ID and mobile number.) As initially at least it doesn’t appear to ask for your mobile number.

1 Like

Correct. You can get your ID by providing info that’s either on your debit card or your driving licence.

But it’s for the password reset that you have to enter your phone number to receive the OTP.

1 Like

If they don’t make this impossible it will just keep happening. They need to do the same sort of thing they did where stealing a phone is completely pointless as you can’t access or reset it.

If this is what happened in the case of Santander then it seems they didn’t even know or think this was possible! More likely as always with big banks they just don’t care which is fine until you have to try and get the money back.

OK, so maybe the thief is also taking the SIM out of the victim’s phone and putting it in another (unlocked) phone so they can get the phone number from it?

1 Like

How often is the phone number stored on the SIM accurate? I don’t think it updates after porting.

I was mostly just thinking they’d make a phone call to another number and look at the caller ID.

Ah yes, that’d work so long as the SIM didn’t have a PIN.

If it’s an iPhone and the owner hasn’t restricted Siri on the lock screen, you can just say “Hey Siri, what’s my number” and you’ll be told.

I tried this yesterday actually, but even when Siri is allowed when locked, it still requires you to unlock before it will show you your number.

1 Like