To ask you to take care when using gyms/Apple/Google Pay and debit/credit cards?

[gatehouseoffleet]

I am posting this Twitter thread here as a warning. Charlotte Morgan. a news producer (so fortunately she has the reach to get some decent advice and retweeting to the right people) went to her local Virgin Active gym last week. The security barriers were unmanned. She put her stuff in a locker, went into the gym and returned to find out that her locker and several others had been broken into.

To cut a long story short, the thieves went on a spending spree in various Apple shops etc and Santander, her bank, are blaming her and refusing (currently) to refund. Their app shows the card PIN so if the thieves had bypassed the app security they could get it. It may also be that the thieves used Apple Pay. Either way, she has currently lost a lot of money.

Please make sure your phone security is set up as well as it can be. Consider if you need Apple/Google Pay at all or if you can cap transaction values. And be careful about what you take to the gym!

Here is the thread - apologies if there is another thread somewhere: twitter.com/MorganBroadcast/status/1564178676874448896

I read this on the bbc. The thief is simply registering the card on their own phone and then watching for the passcode to flash up on the stolen phone screen and f Dcnterinv it on their phone. They can then lick you out if your accounts.
My iPhone 12 has it as default to not flash up security codes when locked. Check your settings for notifications because there is sn option for it to show up when locked. Or - turn the phone off when putting it in the locker. That simple act prevents the thief spending your money.

Entering and lock you out!

Companies are starting to support phones as the main form of electronic access. In the past I've found things I can't do on a web site, I've had to use the phone app even though I'd always rather use my PC if I could. My newest bank account is Chase Bank, it's phone-only, there is no web site access.

Yes, I see that's where they are going. Going to have keep a separate phone rather than a computer. Computers will do apps though?

I read this and couldn't understand what you meant by "registering the card on their own phone" as you cant just add a card to your banking app...but then realised you mean registering the card on their ApplePay (or andoid equivalent)?!?

Very sneaky 😖

But this should not have taken so long to resolves either as banks have all this info logged ie, theyd be able to identify the wallet transactions came from a new device and so shouldve cleared the victim immediately

That being said...how did they clear out her savings accounts if they only had access to her card via apple/android pay??

They had full access to her accounts via the apps, not just apple pay.

That's what I thought - you can't log into email from a new device without some security.

That’s not what is said above. The explanation was they’d added her card to their phone. How did they get access to her banking app??

That's what I was asking. I thought the whole point of fingerprint was you'd have to do that every time.

still confused but have zero confidence in banking apps.

@BoogieBoogieWoogie they entered all her details (from her card) onto the app on their own phone.

They didn’t need to access her phone apart from the verification code sent from the bank which flashed up on the Lock Screen of her phone. Even better for them if they get driving licence as well - DoB and address on that as well.

How did they get access to her banking app??

They didn't. They set a new banking app up on a new phone and then using the fact the old phone got a code that was visible over the lock screen on the old stolen phone they were able to activate it.

Hhhmmm. That’s not what the latest is explanation says. It says they added her card to their digital wallet. The whole thing isn’t clear at all

I read it was the sim. That if they take the sim from her phone and put It in a new unlocked phone that all data and everything is available to set up with new security access.

So the solution is to lock your sim with a pin.

That’s not how SIMs work. The banking app would still need to be set up with details, and likely if anything like the HSBC one, cannot be on two mobile devices at the same time without authorisation from the first device.

They’d merely have her numbers saved on the SIM, if indeed they were.

Those daft things that are like "your name and birth month will tell us which city you should live in!" with people posting details. Then another one might ask your school and pet's name.

All common things used as passwords/security questions