To ask you to take care when using gyms/Apple/Google Pay and debit/credit cards?

[gatehouseoffleet]

I am posting this Twitter thread here as a warning. Charlotte Morgan. a news producer (so fortunately she has the reach to get some decent advice and retweeting to the right people) went to her local Virgin Active gym last week. The security barriers were unmanned. She put her stuff in a locker, went into the gym and returned to find out that her locker and several others had been broken into.

To cut a long story short, the thieves went on a spending spree in various Apple shops etc and Santander, her bank, are blaming her and refusing (currently) to refund. Their app shows the card PIN so if the thieves had bypassed the app security they could get it. It may also be that the thieves used Apple Pay. Either way, she has currently lost a lot of money.

Please make sure your phone security is set up as well as it can be. Consider if you need Apple/Google Pay at all or if you can cap transaction values. And be careful about what you take to the gym!

Here is the thread - apologies if there is another thread somewhere: twitter.com/MorganBroadcast/status/1564178676874448896

Put a pin on your SIM. And turn your phone off. That's only way to keep it secure. Other than bringing it with you.

Happened to someone I know. Horrible experience

How could they bypass the phone security? Is that an Apple thing? I use Android and everytime I open any banking app I have enter my pin or the fingerprint security I have set up.

To access my Apple Pay, you need face recognition or know my phone pin.
To access my banking app, you need face recognition or certain characters of a password chosen when I set up the account.

So there must've been no security measure on the phone itself for them to even get into Apple Pay.

(I haven't read the link)

She says she has a pin and face recognition on her phone so somehow those were bypassed. Sounds horrific!

I'm presuming she didn't set up the face or pin security measures

Hence why the bank are saying it's her issue to solve

And I agree

She does state that she used all
sec measures on her phone due to working in this industry for a time.

sounds absolutely hideous. Poor woman.

She did set them up but they were hacked. The thief managed to get into the apps and change the security, suggesting that there was something wrong with the software security I guess. Then her bank kept calling her on the mobile number despite her asking them not to and providing alternatives. They also didn't stop transactions that were unlikely to have been genuine (2 different Apple stores within a short time, thousands of pounds). Also, it happened to other people at the same gym.

Read the Twitter thread on the link

Is this what the most recent Apple s/w upgrade was supposed to fix? It was on the news.

Not surprised re locker break ins, they're incredibly common in gyms. Seen it happen time and time again when I worked in a gym. It's common in the changing room lockers more so as there's no CCTV (obviously).

This all could have been caused by an easily guessable passcode. It’s the most simple explanation. 4 digit…1234 or 2580 or 1111 or something. Easily guessed, even with locking time.

the level of skill needed to bypass Face ID would not be wasted on a woman’s gym locker and £7k or savings.

advice- change your passcodes to longer than 4 digits, and make sure it’s random.

I don’t understand this. The phone is probably more secure than a card. The phone would need to be unlocked via Face ID/ thumb print or pin. I don’t think phones old enough to not heavily push for a pin have Apple Pay on.

Plus (can’t speak for google pay), Apple Pay doesn’t have my pin accessible to me. I can’t even see my whole card number and I put it in.

Banking apps may show your PIN but they always need security to get into. Again PIN (but set independently of phone so could be different) or Face ID. So I can’t see how it’s possible.

I don’t understand how people keep all their money in one account with contactless/Apple Pay set up on. Keep what you need in your account with AP etc and keep the rest in a secure one with no contactless and no Apple Pay set up

Most of the money stolen was from a savings account. The fraudsters transferred it from there to her current account using the banking app. The banking app also shows the debit card PIN number so they were able to enter that on card machines too.

There is a lot more to this story that will come out eventually, but even if you impliment basic apple/andriod pay facilities they would need to bio hack the phone. Which if there was a hack that could do this so quickly they would rinse your account instead of just going on a buying spree.

What you should be alerting people to is implimenting basic security protocols, the person involved didn't even set up basic security protocls on her own phone...

It’s awful

an inside job I reckon from virgin active

People also need to be extremely wary of social engineering which can be used to target individuals. I’ve tried to warn people about it on MN and Facebook over and over again but the majority of people don’t get it.

I bet Charlotte Morgan would have the same liberal lefty guardian reading woke views and replied the same 😂

She won't get the money back. The police don't have the resources to chase something that happens 100 times a day in a shi*thole city.

My guess is it was an employee. They broke into the locker with the master code.. and probably remembered the pin number of her card when she paid for membership.. or something along those lines.

What makes it a shithole city, out of interest?

I don't understand?

Use a PIN rather than a swipe pattern. When looking at phone screens in some lights and some angles it is extremely easy to see a smear mark on the screen (ie the unlock pattern). Any thief then only has to try it in both directions and they are in.