
AIBU?


To ask you to take care when using gyms/Apple/Google Pay and debit/credit cards?

143 replies

gatehouseoffleet · 29/08/2022 19:22

I am posting this Twitter thread here as a warning. Charlotte Morgan, a news producer (so fortunately she has the reach to get some decent advice and retweeting to the right people) went to her local Virgin Active gym last week. The security barriers were unmanned. She put her stuff in a locker, went into the gym and returned to find out that her locker and several others had been broken into.

To cut a long story short, the thieves went on a spending spree in various Apple shops etc and Santander, her bank, are blaming her and refusing (currently) to refund. Their app shows the card PIN so if the thieves had bypassed the app security they could get it. It may also be that the thieves used Apple Pay. Either way, she has currently lost a lot of money.

Please make sure your phone security is set up as well as it can be. Consider if you need Apple/Google Pay at all or if you can cap transaction values. And be careful about what you take to the gym!

Here is the thread - apologies if there is another thread somewhere: twitter.com/MorganBroadcast/status/1564178676874448896

Hurdling · 29/08/2022 21:04

@Schoolchoicesucks my banking app certainly doesn’t show my card pin, can’t imagine why any would, that’s a huge security risk!

ThatsMsAtomicBob · 29/08/2022 21:09

There's something not right here. Assuming she wasn't using an easily guessed password for her phone - 1111, 6666 or her birthday - they would have not only had to break the encryption on her phone but also the security on her banking app. Considering the FBI went to court to get an iPhone unlocked because they couldn't do it, it's not as easy as it sounds.

bloodyunicorns · 29/08/2022 21:12

The banking app also shows the debit card PIN number so they were able to enter that on card machines too.

Is this really true, @Schoolchoicesucks ?? I'm with Santander and I've never seen my PIN on the app - how would Santander know what it was?? And they're always saying not to tell anyone your PIN or write it down.

SuperlativeOxymoron · 29/08/2022 21:13

I read this thread and my jaw dropped with each tweet, then read it to DH and he said there's got to be more, how can she have face ID, multi pins and 2 factor security yet they all got bypassed?!?!?!

The other thing that got me was that she'd gone to the gym and left her phone in the locker (willing to be told otherwise) most people I know, myself included, listen to music when training and generally a phone is the source of that music...

ShirleyPhallus · 29/08/2022 21:14

bloodyunicorns · 29/08/2022 21:12

The banking app also shows the debit card PIN number so they were able to enter that on card machines too.

Is this really true, @Schoolchoicesucks ?? I'm with Santander and I've never seen my PIN on the app - how would Santander know what it was?? And they're always saying not to tell anyone your PIN or write it down.

And @Hurdling I bank with Lloyds and the app shows your PIN on there too. It’s very very useful to me as I can never remember the pins for the various cards I have but a security risk if someone can get in to the app and has the physical card

Schoolchoicesucks · 29/08/2022 21:14

bloodyunicorns · 29/08/2022 21:12

The banking app also shows the debit card PIN number so they were able to enter that on card machines too.

Is this really true, @Schoolchoicesucks ?? I'm with Santander and I've never seen my PIN on the app - how would Santander know what it was?? And they're always saying not to tell anyone your PIN or write it down.

I'm not with Santander, but other people on the twitter thread have confirmed they can get the PIN using their app. I agree it sounds like a big risk.

Schoolchoicesucks · 29/08/2022 21:18

Hurdling · 29/08/2022 21:04

@Schoolchoicesucks my banking app certainly doesn’t show my card pin, can’t imagine why any would, that’s a huge security risk!

I agree, from the twitter thread she didn't know her app could do that either. Others on the thread confirm you can. Santander told her she must have written the PIN down in her wallet because the fraudsters had used it. It was someone else on the thread who suggested they could have got it from the app.
If they can access the phone, they can apparently add their fingerprint and bypass the banking security. Makes me very wary of banking apps now.

MaggieFS · 29/08/2022 21:19

Yes, I can't remember which bank it is, but I can definitely see my PIN on at least one of the apps, but do have to re-input all of the security.

That said, I still find it surprising.

Liebig · 29/08/2022 21:20

A weak password or PIN was used. She’s covering up for her poor infosec.

Sucks, but that’s the only plausible explanation.

BloobryMuffin · 29/08/2022 21:20

I have a Santander account (it’s empty) but I’ve just tried to log into the internet banking, and because my username and password is saved on my phone and the 2 step authentication is texting my number, if someone managed to unlock my phone (6 digit pin) then they could get into my Santander online banking without any further info. My fault for having info saved. I don’t have the app so can’t test security for that, but Google says once into that you can see PIN for cards, and I assume with access to online banking and my mobile number I could get into the app.

This is different to the main banks I use where the 2 step authentication is a code that I can’t save and need to manually input.

So, although I shouldn’t have the log in details saved, it seems that Santander is easier to “get into” than Halifax, Chase, NatWest and HSBC (the other accounts I use regularly). I wonder if similar has happened here, as a 6 digit phone password wouldn’t be impossible to crack, in particular if you watched the person for a while.

I would stand by this being non refundable by the bank as I will have breached terms by saving the password.

Nothing to do with Apple Pay though, and more to do with Santander’s 2 factor authentication being full password + phone.

LiamNorfolk · 29/08/2022 21:21

The Santander app could have still technically been open in another tab. If the phone is Android. Not sure about iPhones, I never had one.

But I still think they took the pin from her signing up at the gym. If they had her pin and her card, and other details found in her backpack, you can sign up to the Santander app on another phone and register the account there to do all the transferring etc.

She said on Twitter all codes/pins were not the same.. There's no way they 'hacked' into the phone with a passcode and a pin.

Poppyblush · 29/08/2022 21:22

Not sure the whole story is being told…. As usual.

BashfulClam · 29/08/2022 21:22

Santander don’t show your pin so that’s rubbish for a start as that’s what she says is her bank. I have 3 accounts with them and no pin on the app. If the FBI struggle to open an iPhone then I can’t see a petty criminal being able to do this. There is more to this story and I think the bank feel the same way.

BloobryMuffin · 29/08/2022 21:22

Schoolchoicesucks · 29/08/2022 21:18

I agree, from the twitter thread she didn't know her app could do that either. Others on the thread confirm you can. Santander told her she must have written the PIN down in her wallet because the fraudsters had used it. It was someone else on the thread who suggested they could have got it from the app.
If they can access the phone, they can apparently add their fingerprint and bypass the banking security. Makes me very wary of banking apps now.

My banking apps require security data to be re input if a new face / fingerprint is added for this reason. Not sure about Santander…

BloobryMuffin · 29/08/2022 21:24

BashfulClam · 29/08/2022 21:22

Santander don’t show your pin so that’s rubbish for a start as that’s what she says is her bank. I have 3 accounts with them and no pin on the app. If the FBI struggle to open an iPhone then I can’t see a petty criminal being able to do this. There is more to this story and I think the bank feel the same way.

Not what their website says…

Justanotherlurker · 29/08/2022 21:24

Schoolchoicesucks · 29/08/2022 21:14

I'm not with Santander, but other people on the twitter thread have confirmed they can get the PIN using their app. I agree it sounds like a big risk.

You have to provide a fingerprint or the 3 digits on the back of the card if you haven't set up the basic 2 factor authentication.

The big risk here is based on some twitter profile...

If it was that easy to rinse someone's banks it wouldn't be some random on twitter blue tick complaining about it whilst withholding a lot of context.

BashfulClam · 29/08/2022 21:24

BloobryMuffin · 29/08/2022 21:20

I have a Santander account (it’s empty) but I’ve just tried to log into the internet banking, and because my username and password is saved on my phone and the 2 step authentication is texting my number, if someone managed to unlock my phone (6 digit pin) then they could get into my Santander online banking without any further info. My fault for having info saved. I don’t have the app so can’t test security for that, but Google says once into that you can see PIN for cards, and I assume with access to online banking and my mobile number I could get into the app.

This is different to the main banks I use where the 2 step authentication is a code that I can’t save and need to manually input.

So, although I shouldn’t have the log in details saved, it seems that Santander is easier to “get into” than Halifax, Chase, NatWest and HSBC (the other accounts I use regularly). I wonder if similar has happened here, as a 6 digit phone password wouldn’t be impossible to crack, in particular if you watched the person for a while.

I would stand by this being non refundable by the bank as I will have breached terms by saving the password.

Nothing to do with Apple Pay though, and more to do with Santander’s 2 factor authentication being full password + phone.

I have the Santander Apple app and have to use Face ID or so and I’m numbers from a passcode that is different from my pin. I cannot see my pin on the app anywhere.

LiamNorfolk · 29/08/2022 21:25

I believe you can transfer from Santander savings to current account on the Santander ATM machines..

They didn't even get into the phone.. they had her card and pin.. that's all they needed.

BloobryMuffin · 29/08/2022 21:26

@BashfulClam - what’s the process to reset your passcode if you forget it?

HaveringWavering · 29/08/2022 21:26

BashfulClam · 29/08/2022 21:22

Santander don’t show your pin so that’s rubbish for a start as that’s what she says is her bank. I have 3 accounts with them and no pin on the app. If the FBI struggle to open an iPhone then I can’t see a petty criminal being able to do this. There is more to this story and I think the bank feel the same way.

Yes, they absolutely do show the PIN. I just looked at mine. It activated Face ID before showing that screen though

HaveringWavering · 29/08/2022 21:28

@BashfulClam

Go to more, then manage my cards and it gives you a view PIN option there.

bloodyunicorns · 29/08/2022 21:28

Wow re the app knowing your PIN. I didn't know that. I guess Santander didn't think through all the risks/thought it would be safe enough on a phone as the phone has encryption and the app does too?

Fiveletters · 29/08/2022 21:32

Just checked and I can see my Santander pins on the app. Didn’t know that.

tirednewmumm · 29/08/2022 21:34

Mangogogogo · 29/08/2022 20:17

I don’t understand how people keep all their money in one account with contactless/Apple Pay set up on. Keep what you need in your account with AP etc and keep the rest in a secure one with no contactless and no Apple Pay set up

Did you read it! She didn't, she says at first she was relieved because she knew the account linked to Apple Pay was very limited. They had bypassed her facial recognition and got onto her Santander app and transferred from her savings Blush

IcedOatLatte · 29/08/2022 21:37

BashfulClam · 29/08/2022 21:22

Santander don’t show your pin so that’s rubbish for a start as that’s what she says is her bank. I have 3 accounts with them and no pin on the app. If the FBI struggle to open an iPhone then I can’t see a petty criminal being able to do this. There is more to this story and I think the bank feel the same way.

On the Santander app you can see your pin, I need to confirm with my fingerprint to see it but it is there. I find it a little hard to believe that they have more than one version of the app. I've just double checked, click manage my card and it's the first option

That said this story seems to have some details missing though, how did they manage to get through all the security?
