Did you know that if someone steals your bank card and your phone, they can easily clean out ALL your bank accounts in just a few minutes?
That's right - if a thief has stolen both your bank debit card and your phone, he/she can find out your bank card PIN very quickly and can then use your bank card + PIN to steal all your money. They can even transfer all your money from your savings accounts into your current account first, so that they clean you out completely!
Here is how it works...
1. Both your bank debit card and your phone are stolen or lost (many people keep their cards in their phone case or handbag, thus guaranteeing that they lose both at the same time!).
2. The thief installs a matching banking app (e.g. Barclays, Nat West, Chase, etc.) on a spare burner phone and then enters your bank account details from the stolen bank card.
3. They then use the banking app on their spare phone to request a one-time password as they have 'forgotten' your banking app PIN/password.
4. A message flashes up on the screen of your stolen phone with a one-time password or number for the bank app login. If they have your driving licence, they will also know your date of birth (which is also required by a few bank apps).
5. The thief then uses that number to log in to your bank account on their burner phone. They then transfer all money from all your savings accounts into your current account.
6. The thief then uses the app to display your bank card PIN number - again this is easy if they have your bank debit card in their possession - e.g. for Barclays - see here.
7. Now they have the PIN code for your bank debit card and they can visit ATMs, shops, etc. and clean out your account!
The problem is that the bank can see that your debit card was used with your PIN, so they can accuse you of not keeping your PIN secure (i.e. "you must have told it to someone" or "you must have written it down") and could refuse to compensate you, even if you reported the theft to them immediately.
Banks are aware of the problem, but do not seem to be doing anything about it!
Note that the thief does not need the PIN code for your phone: the one-time password is shown on the lock screen, so the phone never has to be unlocked.
Because the thief withdraws cash at an ATM and buys valuable items in person with your card and PIN, the transactions cannot be traced back to them.
Security flaws
As I see it, there are two major security flaws here:
1. A bank app should never display your debit card PIN! If you have forgotten it, the bank should reset it and post you a new card to the address on record for that account holder.
2. Each time you log in to the banking app, it should remind you to stop notification messages from being displayed while the phone is locked, as this is a major security risk. Of course, it should also tell you to do this when you first install the bank app.
They should also provide a test button in the app which sends you an automated test message after a one-minute delay (to give you time to lock your phone) which says:
'This message should not be visible on the screen of a locked phone. If you can read this message on a locked phone, it is a major security risk; please change your phone's notification settings immediately and retest.'
Alternatively, the bank could send a two-part passcode: one part as an SMS message and the other part as an email.
Prevention
1. Never keep your cards in the same place as your phone. If you have multiple cards, leave your bank debit card at home - there is too much information printed on that card!
2. Configure your phone so that it won't display messages on the screen while it is locked. Change the notification setting of your phone NOW!
I assume that other cards and apps (e.g. credit cards, store cards) may have similar security flaws...
I hope you found this article useful - please share this post with all your friends (unless you are a thief of course).