To ask you to take care when using gyms/Apple/Google Pay and debit/credit cards?

[gatehouseoffleet]

I am posting this Twitter thread here as a warning. Charlotte Morgan. a news producer (so fortunately she has the reach to get some decent advice and retweeting to the right people) went to her local Virgin Active gym last week. The security barriers were unmanned. She put her stuff in a locker, went into the gym and returned to find out that her locker and several others had been broken into.

To cut a long story short, the thieves went on a spending spree in various Apple shops etc and Santander, her bank, are blaming her and refusing (currently) to refund. Their app shows the card PIN so if the thieves had bypassed the app security they could get it. It may also be that the thieves used Apple Pay. Either way, she has currently lost a lot of money.

Please make sure your phone security is set up as well as it can be. Consider if you need Apple/Google Pay at all or if you can cap transaction values. And be careful about what you take to the gym!

Here is the thread - apologies if there is another thread somewhere: twitter.com/MorganBroadcast/status/1564178676874448896

I'm with Santander and you can see your PIN but I need to use thumbprint twice and then there is 20 seconds to view it

I've been able to do this for a good few months so I'm guessing outside the possibility of a hacker (which any tech is vulnerable to) Santander must have had to justify this with a seriously heft risk assessment.

Still sucks if it happens to you though.

You can also see your PIN on the app for HyperJar cards.

Ah, they have the card and the phone. They register the card on the relevant banking app on their own phone. When the two stage verification code flashes up on the lock screen of the stolen phone, they note it and enter it into their own phone and hey presto they are in!

So the lesson would be - don't keep your phone and cards together. Don't have text message preview notifications on your lock screen.

This is what they said must have happened on You and Yours on Radio4 yesterday.

Recommend listening to You & Yours and ensuring that your phone does not allow notifications to show on the Lock Screen (this is the iPhone default setting for instance).

www.bbc.co.uk/programmes/m001brnl

That explanation makes a lot more sense than the oneabout thieve s shoulder surfing and hoping the woman belongs to a gym and leaves her things in a locker

I've now changed my lock screen notifications

I thought my Android phone was safe, I looked in lock screen settings and it was set not to give details of notifications. But in the messaging app settings, it was set to display previews of messages, which I disabled. (I don't know if the lock screen settings would override the messaging app settings.)

Looking at the updates, it goes back to the same thing for me

don't have banking on your phone unless you really have to.

I'm also wondering if it's safer to bank online via the website rather than app but I am clueless about apps.

Summary here if people find it helpful

www.bbc.co.uk/news/uk-england-london-62809151

Article in the times today about this. It's happened many times across virgin gyms in London.
Hope you get your money back OP

www.thetimes.co.uk/article/774daaca-2eda-11ed-9b12-7a2e56f7aeb6?shareToken=280dd28ca906296eac0ab6e300c51c82

It's pretty shocking. I never wanted to have banking on my phone but was forced into it by HSBC.

This is what worries me. How did they enforce it, just out of interest?

@EmmaH2022 I suppose a pedant would say I wasn't forced but they made it impossible for me not to. I can't fully remember the details now, but it became harder and harder to do what I normally did without using the app. So I caved.

Also, I set my phone to Auto Lock after 30 seconds. So I'd never see messages if I disabled them. I don't have the preview though.

Yes, you know you can alter the £100 contactless limit to lower it...I was told I can only do that on the app, which I don't have.

I could put the app on my computer I suppose.

I bet there's lots of other holes in security. I think saying "keep card and phone separate" is mad - most of us will have them in a handbag.

That's weird.
I can't view my pin on Santander without using my fingerprint being scanned to unlock the view.
Maybe there is another way to unlock the view without fingerprint, but I don't know what that is.

On the app you can transfer between accounts & to other accounts without fingerprint again, I think. It's not as high secure as Nationwide : but Nationwide App requires CardReader to set up new payees, which is a pain for spontaneous payments away from home.

ps: I love banking apps on my phone, no way I'm giving that up.

Santander have relented and refunded her money. They took her sim out to use in another phone. That's how they bypassed her security

Ancient person here. What I don’t understand is not the complexities of what you can and can’t do on your smartphone etc, but the basic casualness of leaving your phone and your cards in a gym locker. I thought that lockers must be much more sophisticated than when I used them, needing a thumbprint or different code, but it seems they are still the same old tin cans. It says in the BBC piece that you can force them with another piece of tin, just as you always could. They are really only safe to put your clothes etc in, not valuables.

now being enlightened as to what you can keep on your phone, I can’t understand how anyone can keep their phone and the card together in an unsafe place. It’s no different from writing it your diary or something ( I may be wrong) . My DF used to work in security, and he used to say you have to regard every one and every place as potentially risky, and take appropriate precautions.

I find the fact that the purchases are always being made in the same places quite interesting. The thief obviously has a way of getting rid of these purchases (fencing). I also wonder if the same shop assistants are facilitating the purchases , because that is what is happening with many banking frauds, though the banks for obvious reason try to conceal this.

the point about the car key is horrific! I’d missed that….

I do not use my phone to pay for anything

All when I used a gym, I took a little bag with wallet and phone and it was hooked over the machine I was using. My parents really drummed that sort of thing into us.

i don't know how banking apps work. Maybe someone here can tell me, do they store info? Even in my home PC, I never save passwords.

Bumping this thread this is so scary

@gatehouseoffleet thanks for posting this. It should really be known widely with how much of our lives are accessible on our phones

BBC also picked it up as so many others are affected :

BBC Article

Follow up from the original thread