Earlier this year, gyms in London were targeted by a sophisticated scam that left victims thousands of pounds out of pocket. Although the banks originally blamed the victims for sharing their bank details, it was later discovered that the thief was using a verification password scam to access their accounts.
The gym phone thefts: how did they happen?
At the end of August, one victim tweeted about her experience of her phone being stolen from her locker whilst she was exercising at the gym.
Upon stealing her bank cards and smartphone, the thief spent a total of £8,000 before the card was frozen. The thief had managed to access her bank accounts and transfer money out of her savings account and into her current account, before using her bank card and PIN in a number of stores in London.
Although initially suggesting that the victim in the case had recorded her PIN on the back of her bank card, or shared the PIN with friends and family, Santander eventually conceded that this was not the case and reimbursed the victim.
At the time of writing, at least seven victims have come forward with similar experiences; all are users of VirginActive gyms, with fraudulent purchases made at the same stores in London.
What do these thefts tell us about security?
There are a number of interesting aspects to this theft which can help us identify some issues with smartphone security. According to BBC News, once the thief has access to the phone and the bank card, they can use their own device to set up online banking using a one-time password, or OTP. This is a form of two-factor authentication, or 2FA, where you’re required to have two separate pieces of information in order to access an account. In this case, the two pieces of information are the bank card and the code sent to the stolen mobile phone.
The bank recognises that the device is new and sends a code to the stolen phone. The thief can then use this code to sign up to banking services on their own device. Money can then be moved from a savings account to a current account. Once the thief has access to the bank account, they can even request an instant reminder of the card’s PIN. This feature is available on a number of banking apps, including Santander, Barclays, Lloyds and HSBC.
These thefts have exposed two serious security flaws: two-factor authentication is rendered almost useless when the thief has access to both the smartphone and the bank card, and the PIN reminder feature on many banking apps can be accessed incredibly easily when both the bank card and the phone are stolen.
How can you stay safe?
Although this scam is a sophisticated one, there are a couple of things that you can do to prevent yourself from falling victim to these kinds of thefts.
- Turn off message previews
In this case, two-factor authentication is thought to have been bypassed through the message previews feature. Although the thief did not have the passcode to the victim’s phone, they may have been able to view the one-time password when it appeared on the lock screen. By turning off message previews, you can prevent information like this from being seen by thieves.
- Separate your phone and bank card
The reason that this scam was so effective is that the victim’s smartphone and bank card were stored in the same location. Where possible, store your bank cards and smartphone separately.