
To ask you to take care when using gyms/Apple/Google Pay and debit/credit cards?

143 replies

gatehouseoffleet · 29/08/2022 19:22

I am posting this Twitter thread here as a warning. Charlotte Morgan, a news producer (so fortunately she has the reach to get some decent advice and retweeting to the right people) went to her local Virgin Active gym last week. The security barriers were unmanned. She put her stuff in a locker, went into the gym and returned to find out that her locker and several others had been broken into.

To cut a long story short, the thieves went on a spending spree in various Apple shops etc and Santander, her bank, are blaming her and refusing (currently) to refund. Their app shows the card PIN so if the thieves had bypassed the app security they could get it. It may also be that the thieves used Apple Pay. Either way, she has currently lost a lot of money.

Please make sure your phone security is set up as well as it can be. Consider if you need Apple/Google Pay at all or if you can cap transaction values. And be careful about what you take to the gym!

Here is the thread - apologies if there is another thread somewhere: twitter.com/MorganBroadcast/status/1564178676874448896

Liebig · 29/08/2022 21:37

tirednewmumm · 29/08/2022 21:34

Did you read it! She didn't, she says at first she was relieved because she knew the account linked to Apple Pay was very limited. They had bypassed her facial recognition and got onto her Santander app and transferred from her savings Blush

Calling bullshit on this. The Santander app is irrelevant if they haven’t gained access to the iPhone OS itself.

The only people who could even hope to manage this are state sponsored groups, and even then, the FBI among others have never been able to bypass iPhone biometrics without coercion of the owner to give up the password.

BloobryMuffin · 29/08/2022 21:39

Halifax, Chase and HSBC all show my PIN, NatWest won’t, and need more security data to send a reminder via post.

IcedOatLatte · 29/08/2022 21:43

Liebig · 29/08/2022 21:37

Calling bullshit on this. The Santander app is irrelevant if they haven’t gained access to the iPhone OS itself.

The only people who could even hope to manage this are state sponsored groups, and even then, the FBI among others have never been able to bypass iPhone biometrics without coercion of the owner to give up the password.

Interestingly I read something recently that said that the FBI can now get into some iphone models, not the most recent ones maybe (I don't know anything about iphones) but it is now possible in some circumstances. Not that I think the FBI is involved in this theft

TooMuchToDoTooLittleInclination · 29/08/2022 21:45

Inklingpot · 29/08/2022 20:41

People also need to be extremely wary of social engineering which can be used to target individuals. I’ve tried to warn people about it on MN and Facebook over and over again but the majority of people don’t get it.

@Inklingpot are you able to link to any of your previous warnings? I think it's something I need to improve! Thanks.

Liebig · 29/08/2022 21:47

IcedOatLatte · 29/08/2022 21:43

Interestingly I read something recently that said that the FBI can now get into some iphone models, not the most recent ones maybe (I don't know anything about iphones) but it is now possible in some circumstances. Not that I think the FBI is involved in this theft

Only by potentially brute forcing a PIN in a virtual machine copy of the phone’s drive, and then, only a four or six digit one. I have a password that is alphanumeric and uses special characters. 12 of them. To brute force that would literally take millennia.

KrisAkabusi · 29/08/2022 21:47

But i still think they took the pin from her signing up at the gym.

Unless they actually looked over her shoulder when she was inputting it, that's not how PINs work, they don't get transmitted as part of the transaction. Just an 'Approved' authorisation. The gym IT equipment never sees the actual number.

Thelnebriati · 29/08/2022 21:48

@Inklingpot If you could write a blog or an AMA type post about that I'd be very interested.

LiamNorfolk · 29/08/2022 21:49

All of this talk about the phone and app is laughable and irreverent.

The thieves had her pin number by watching her type it in at the desk OR using one of those devices that acts between the pin reader and the computer.

They transferred the funds from the savings to the current account by using a Santander ATM machine.

Once again.. The card and the pin was all that was needed.

WhatICallMyUsername · 29/08/2022 21:52

I watched a video on FB the other day of how to unlock an iPhone. Laughed then tried it on mine and it worked

BloobryMuffin · 29/08/2022 21:53

LiamNorfolk · 29/08/2022 21:49

All of this talk about the phone and app is laughable and irreverent.

The thieves had her pin number by watching her type it in at the desk OR using one of those devices that acts between the pin reader and the computer.

They transferred the funds from the savings to the current account by using a Santander ATM machine.

Once again.. The card and the pin was all that was needed.

This does seem the most likely scenario…

ThinWomansBrain · 29/08/2022 21:55

open an account with Metro bank, £££ in my account, stranded in a remote carpark for half an hour because they claimed trying to pay a 40p car park fee was suspicious and could be fraudulent activity😯

NewJobSoNewName · 29/08/2022 21:56

My Apple Pay will only work with my face being scanned.

Keep my watch on at the gym so that it tracks my fitness.

Apple payment is safer than cards etc.

Also keep my phone on me at the gym for music though.

alrightfella · 29/08/2022 21:56

I've read the tweets and responses. There is no way that this is a coincidence with the gym barriers being open that day. I think someone has planned this and watched her and possibly others put their pin in at some point. The whole thing was too quick and too clever to be off the cuff.

IcedOatLatte · 29/08/2022 21:58

Liebig · 29/08/2022 21:47

Only by potentially brute forcing a PIN in a virtual machine copy of the phone’s drive, and then, only a four or six digit one. I have a password that is alphanumeric and uses special characters. 12 of them. To brute force that would literally take millennia.

I think it was something more sophisticated than that, this isn't the article I originally read, I can't remember where that was but this is a reliable publication. Again I don't know about the different models just that some breaking in has been possible

www.washingtonpost.com/technology/2021/04/14/azimuth-san-bernardino-apple-iphone-fbi/

Liebig · 29/08/2022 22:00

WhatICallMyUsername · 29/08/2022 21:52

I watched a video on FB the other day of how to unlock an iPhone. Laughed then tried it on mine and it worked

And that was?

MsPincher · 29/08/2022 22:03

LiamNorfolk · 29/08/2022 21:21

The santander app could have still technically been open in another tab. If the phone is android. Not sure about Iphones i never had one.

But i still think they took the pin from her signing up at the gym. If they had her pin and her card, and other details found in her backpack, you can sign up to the santander app on another phone and register the account there to do all the transferring etc.

She said on twitter all codes/pins were not the same.. There's no way they 'hacked' into the phone with a passcode and a pin.

I think this is most likely.

Liebig · 29/08/2022 22:03

IcedOatLatte · 29/08/2022 21:58

I think it was something more sophisticated than that, this isn't the article I originally read, I can't remember where that was but this is a reliable publication. Again I don't know about the different models just that some breaking in has been possible

www.washingtonpost.com/technology/2021/04/14/azimuth-san-bernardino-apple-iphone-fbi/

There is an Israeli firm of similar repute that works only with the likes of states in trying to crack security in consumer devices. These are not tools that any random thief going to Virgin Gyms to steal thousands is going to gain access to. The tools alone are worth millions at the very least.

forgut · 29/08/2022 22:12

I thought it was just whatsapp the FBI struggled with not getting into iphones

IcedOatLatte · 29/08/2022 22:14

forgut · 29/08/2022 22:12

I thought it was just whatsapp the FBI struggled with not getting into iphones

Maybe that as well but I think the most well known case is the FBI trying to get into the US terrorists iphones

Liebig · 29/08/2022 22:15

forgut · 29/08/2022 22:12

I thought it was just whatsapp the FBI struggled with not getting into iphones

Anything with AES-256 or above encryption and a decent password is not getting cracked by any gov’t agency. They either need a back door already in the device or a social engineering attack.

And again, this is stuff that GCHQ or the NSA would be dealing with. I don’t even know who this Twitter blue tick is, but rest assured, no one in power with the capacity to do this kind of attack cares.

LiamNorfolk · 29/08/2022 22:30

Jesus.. the phone chatter still goes on..

The employee watched the pin number OR used an overlay skimmer pin logger like this. The Romanian gangs have been doing it in the UK and all over Europe for years. They sit on top of the normal pin buttons and log every pin typed in.

These gyms are now a perfect crime spot because people are leaving their valuables in lockers.

LiamNorfolk · 29/08/2022 22:33

Another thing to note...

Unlike normal gyms that have male and female changing rooms.. These virgin active gyms also have lockers near the front desk, for people who don't get changed.. who just want to leave their bag.

Howdoidothisanymore · 29/08/2022 22:36

Wear your phone in a pocket or armband. Don’t take any cards/wallet. Locker for towel etc only.
Same in Aldi/ M&S etc… keep your phone secure at all times.
I feel very sorry for her tho. I read that thread earlier 😞

LiamNorfolk · 29/08/2022 22:49

I used Monzo bank which is very good, i get a notification on my phone if there's a purchase straight away.

Also certain transactions and activity will flag up a pin needing to be typed into the phone to allow it.

Rickrollme · 30/08/2022 00:27

LiamNorfolk · 29/08/2022 22:49

I used Monzo bank which is very good, i get a notification on my phone if there's a purchase straight away.

Also certain transactions and activity will flag up a pin needing to be typed into the phone to allow it.

What good would a notification to your phone do if your phone has been stolen??
