To ask you to take care when using gyms/Apple/Google Pay and debit/credit cards?

[gatehouseoffleet]

I am posting this Twitter thread here as a warning. Charlotte Morgan. a news producer (so fortunately she has the reach to get some decent advice and retweeting to the right people) went to her local Virgin Active gym last week. The security barriers were unmanned. She put her stuff in a locker, went into the gym and returned to find out that her locker and several others had been broken into.

To cut a long story short, the thieves went on a spending spree in various Apple shops etc and Santander, her bank, are blaming her and refusing (currently) to refund. Their app shows the card PIN so if the thieves had bypassed the app security they could get it. It may also be that the thieves used Apple Pay. Either way, she has currently lost a lot of money.

Please make sure your phone security is set up as well as it can be. Consider if you need Apple/Google Pay at all or if you can cap transaction values. And be careful about what you take to the gym!

Here is the thread - apologies if there is another thread somewhere: twitter.com/MorganBroadcast/status/1564178676874448896

Her mobile banking app could only have been entered with a PIN, thumbprint or Face ID. Therefore, it’s most likely she’s been tailed and someone has seen her use the PIN and she has used it elsewhere. This is why banks tell you not to use the same one twice.

It isn’t possible for someone to have bypassed other identification. That’s why the bank will be holding her responsible - because she didn’t take care of her own personal details.

(Or they might think she was pulling a fast one due to the transfer from savings to current account and then payments after that).

@LiamNorfolk i don’t understand what you mean about a keystroke logger? On her phone? Or you mean a fraudster would use a PIN entered for a locker on a phone/mobile banking?

Ok I just read as far as the thread would let me.

It’s this tweet that shows why they’re holding her responsible. To get to the PIN required biometric ID or PIN into the phone then code for banking. Let’s agree that there must be some degree of social engineering going on for them to know she had more than a fiver in any one account, then it’s not beyond the realms of possibility she’s shared her DOB, or her dog’s DOB or whatever that she always uses as a PIN. She has a twitter account after all, there are LOTS of data scraping activities happening.

I’m not saying it’s her fault, but bypassing everything with no prior info is impossible.

I can't see the thread because Twitter is down

but I still can't see how social engineering would help unless someone's given away all info relating to their account? Is hacking now classified under social engineering?

My phone likes to reject my fingerprint all the time.

Not long ago I cut my finger badly and had to wear a plaster for a week. It soon surprised me to realise it usually worked first time when my fingerprint wasn’t actually available.

Either unbelievably high tech magic or just utter pants 🤷‍♀️

He means a way of catching all PINs entered in a keypad, typically for an ATM as that tends to be how gangs have managed to use stolen cards by watching withdrawals and then taking that person’s card.

if she, and the other Virgin Active members, have been tailed, that's even more scary.

I don't take my phone with me when I go swimming, but I do have a car key with me. It's easy enough to find a car in the car park just by pressing the button and the lights give a friendly "over here" blink! It would be very easy for someone to steal the car but I can't think of an alternative (other than cycling, which I don't want to do in the dark - and then some wotsit would steal the bike!)

As for how this was all possible. Her phone was locked with biometrics. So it is very odd that someone managed to bypass all of the phone, banking app and "show me my PIN" security. But they did. And that was after conveniently breaking into her locker when the barriers to the gym were open.

For those asking about social engineering, see here:

www.webroot.com/gb/en/resources/tips-articles/what-is-social-engineering

In terms of sites like MN it can take the form of posting threads asking seemingly innocuous questions like ‘how many children do you have and what are their ages?’ or asking about locations, cost of your house, salaries, pet names etc, basically anything to elicit personal information. If you don’t NC regularly, information can be pieced together about you quite quickly.

Facebook is another site where social engineering is rife - encouraging users to take part in quizzes and share them, asking questions like ‘your rock start name is the name of your first pet and the make of your first car’, both common web security questions.

The above are just two methods but there are others and it’s all designed to get you to give away information which can be used in identity theft.

You can't use Apple Pay without a PIN or Password set up on your phone. It will be contactless cards they have used. Happened to a colleague of mine when her car was broken into for her handbag on the front seat.

I see what you did there. 😉

Didn't they steal thousands? Is that possible on a contactless card?

The victim will have done something wrong. It will be buried in their story somewhere.

A few years ago I won a few quid after a Guardian journalist published a 10 page article screaming about how they had been "hacked" and if it could happen to someone as clever as them then it could happen to anyone.

My bet was they had done something stupid, and lo ! they had. They had given the criminals their PIN over the phone (the one thing every card issuer tells you not to). From that point it was easy pickings.

Fair play, they tried to hide that fact with paragraphs of hyperbole. But end of the day if they had followed the card issuers advice ...

There are some arcane techniques to crack SMS based 2FA. But they are very niche and nothing you or I need to over worry about.

Yeah I get that, but if this all stems from a phone how would a keystroke logger be placed on a phone?

That's the incorrect assumption, that it comes from the phone. This can easily be executed via card theft only with ID. Breaking into any suitably protected mobile now is essentially impossible for intelligence services, nevermind common thieves.

But Charlotte is saying money has gone from her savings account, which in guessing doesn’t have a card.

Can you do transfers from savings accounts to current account at an ATM? I've always thought my savings account would be more secure because it doesn't have a card.

Oh yes, you can. I forgot that. If it was a savings account connected to a current, that’ll be it.

I suppose she will then miss out on compensation because they will say that she should have had her cards in phone kept safer and a gym locker won’t count.

Interesting update on this case here: www.bbc.co.uk/news/uk-england-london-62809151

Definitely looks like a concerted pattern of crimes, with all the victims being female gym goers.

From the article. The code flashes up on the locked screen of the stolen phone, leaving the thief to tap it into their own device.

Which suggests to me that you could just change the notification settings to not show details on the lock screen.

Just read further down the article and can see that is what they suggested.

I have an iPhone and the only way your able to make contactless/ Apple Pay payments are by either face recognition or entering the password to unlock the phone.

This doesn’t sound like a Google pay/ Apple Pay issue; it sounds like a lack of security on her phone issue.

Looks like you were wrong!

Shame it took Shari Vahl to do a bit of basic detective work but then the Met are completely and utterly shit.

Virgin Gyms really should have cared enough about their customers to sort this out too.

First thing I thought of too. I also have Siri blocked from the locked screen as this was a way in to unlock everything

Yes you can see your pin on the app. Go the either the light bulb top right or what ever is the top left ( I can't remember) go down to cards and it's there.

As a programmer myself, if a human can code stuff we can find hacks. It's not invented by the gods, just mere mortals, introducing lots of vulnerabilities. Somethings are surprisingly insecure. Think big companies not securing their networks so bypasses could log in. It happens. Door cards and security guards on the door but no password on your open network. That happened a lot in the past

The code flashes up on the locked screen of the stolen phone, leaving the thief to tap it into their own device

Yes I didn't think about this, but have just experimented with my Nationwide account and it put the whole thing on my lock screen (on an Android phone). Admittedly you'd need to know my customer number to be able to log in (and I think you need it to log in on another device as my son was having problems with it and uninstalled and reinstalled and needed his customer number and card reader).