https://www.theguardian.com/money/article/2024/jul/13/mobile-banking-fraudsters-accounts-scams-refund-victims

"Mobile banking: alarm as fraudsters take over handsets and raid accounts

Scams underline risks of banking on mobile, with not all lenders
prepared to refund victims

The risks of doing banking on your mobile handset have been underlined
by the stories of Guardian Money readers who had their mobiles taken
over by fraudsters, who then emptied their bank accounts.

In recent months, Guardian Money has become increasingly alarmed at how
often people are reporting that their mobile phone account has been
taken over – with O2 our most complained-about provider.

In some of the cases we have heard about, victims initially had their
email account hacked, while in another, the phone may have been taken
over using malware. Once in control of the email account, and armed with
other personal data, the fraudsters then posed as the customer to the
mobile company, resetting all the passwords and ordering a replacement
sim card.

Having assumed control of someone’s mobile phone it is relatively easy
to pretend to be them to their bank, using two-step verification codes
sent to the phone, to take over the account, and ultimately empty it."

--

Fake news kills!

I may be contacted via the contact address given on my website:
www.macfh.co.uk

On 13.07.24 12:58, Java Jive wrote:
> https://www.theguardian.com/money/article/2024/jul/13/mobile-banking-fraudsters-accounts-scams-refund-victims
>
> "Mobile banking: alarm as fraudsters take over handsets and raid accounts

The article is extremely unspecific how the accounts/mobiles were taken
over. Not very helpful.

I'm suspicious that elementary security rules were violated by the user
and not the bank or the telecom provider.

In the first place a phone locked by a strong password or biometric
means cannot be taken over.

The bank account if professionally set up will at least need another
strong password or a biometric login, which should be mutually different
from the device login.

And sorry to say: If a device can be "taken over by malware" something
is fundamentally wrong with the user. For banking it is never a good
idea to use old hard- and software which is no longer supported.

And it is also not a good idea to load "security software" on a mobile
device. Wherever it comes from.

This article gives no relevant insight into anything that happened.

Jörg

--
"De gustibus non est disputandum."

Jörg Lorenz wrote:

> The article is extremely unspecific how the accounts/mobiles were taken
> over. Not very helpful.

Snatch the unlocked phone from the user's hands. Bonus points if they
can trick the owner into unlocking it, and then snatching it

On 13.07.24 15:42, Andy Burns wrote:
> Jörg Lorenz wrote:
>
>> The article is extremely unspecific how the accounts/mobiles were taken
>> over. Not very helpful.
>
> Snatch the unlocked phone from the user's hands. Bonus points if they
> can trick the owner into unlocking it, and then snatching it

Seriously?

--
"De gustibus non est disputandum."

Andy Burns <usenet@andyburns.uk> wrote:
> Jörg Lorenz wrote:
>
>> The article is extremely unspecific how the accounts/mobiles were taken
>> over. Not very helpful.
>
> Snatch the unlocked phone from the user's hands. Bonus points if they
> can trick the owner into unlocking it, and then snatching it
>

It’s usually a sim swap fraud. Somehow convince the mobile operator to port
the number to another mobile operator where the new sim is in the
possession of the fraudster. If you have access to the victim’s email
account it is often possible to harvest enough information for the
fraudster to “prove” they are the victim. Eg copies of utility bills. Other
weaknesses are where the victim uses the same password for their mobile
account as for some other account, eg an online shop, where that password
has been already stolen.

It’s not really an issue with *mobile* banking. Accessing the bank account
via a regular computer would be equally vulnerable if the bank relies on
SMS one time codes. It’s the ability to intercept these codes that is the
flaw.

On 13/07/2024 15:17, Jörg Lorenz wrote:
> On 13.07.24 15:42, Andy Burns wrote:
>> Jörg Lorenz wrote:
>>
>>> The article is extremely unspecific how the accounts/mobiles were taken
>>> over. Not very helpful.
>>
>> Snatch the unlocked phone from the user's hands. Bonus points if they
>> can trick the owner into unlocking it, and then snatching it
>
> Seriously?
>

Well that lets you onto the phone but most banking apps require the user
re-authenticate after switching to a different app. I suppose you can
then reset access to the passwords.

Dave

On Sat, 13 Jul 2024 14:42:31 +0100, Andy Burns <usenet@andyburns.uk>
wrote:

>Jörg Lorenz wrote:
>
>> The article is extremely unspecific how the accounts/mobiles were taken
>> over. Not very helpful.
>
>Snatch the unlocked phone from the user's hands. Bonus points if they
>can trick the owner into unlocking it, and then snatching it

Or kidnap the owner and torture them till they reveal the passwords.

I don't have a banking app on my phone, partly for that reason, and
partly because there's no room.

--
Steve Hayes from Tshwane, South Africa
Web: http://www.khanya.org.za/stevesig.htm
Blog: http://khanya.wordpress.com
E-mail - see web page, or parse: shayes at dunelm full stop org full stop uk

Andy Burns <usenet@andyburns.uk> wrote:
> Jörg Lorenz wrote:
>
>> The article is extremely unspecific how the accounts/mobiles were taken
>> over. Not very helpful.
>
> Snatch the unlocked phone from the user's hands. Bonus points if they
> can trick the owner into unlocking it, and then snatching it

That's not what the article is about.

I do agree with Jörg that I didn't follow what the article is describing.
The only common thread seems to be O2 but I've no idea what it is, if
anything, they're being accused of.

David Wade <dave@g4ugm.invalid> wrote:
> On 13/07/2024 15:17, Jörg Lorenz wrote:
>> On 13.07.24 15:42, Andy Burns wrote:
>>> Jörg Lorenz wrote:
>>>
>>>> The article is extremely unspecific how the accounts/mobiles were taken
>>>> over. Not very helpful.
>>>
>>> Snatch the unlocked phone from the user's hands. Bonus points if they
>>> can trick the owner into unlocking it, and then snatching it
>>
>> Seriously?
>>
>
> Well that lets you onto the phone but most banking apps require the user
> re-authenticate after switching to a different app. I suppose you can
> then reset access to the passwords.

Most people use the same passcode on the lock screen as for (banking) apps
so the thief videos you typing in your code and then steals the phone. Now
they get access to your phone AND money.

In comp.mobile.android, on Sat, 13 Jul 2024 18:45:12 -0000 (UTC), Chris
<ithinkiam@gmail.com> wrote:

>David Wade <dave@g4ugm.invalid> wrote:
>> On 13/07/2024 15:17, Jörg Lorenz wrote:
>>> On 13.07.24 15:42, Andy Burns wrote:
>>>> Jörg Lorenz wrote:
>>>>
>>>>> The article is extremely unspecific how the accounts/mobiles were taken
>>>>> over. Not very helpful.
>>>>
>>>> Snatch the unlocked phone from the user's hands. Bonus points if they
>>>> can trick the owner into unlocking it, and then snatching it
>>>
>>> Seriously?
>>>
>>
>> Well that lets you onto the phone but most banking apps require the user
>> re-authenticate after switching to a different app. I suppose you can

That's a no-brainer. Just snatch the phone when he's using the banking
app.

>> then reset access to the passwords.
>
>Most people use the same passcode on the lock screen as for (banking) apps

Really? I would never do that. If I had a phone passcode it would be
different from all the others. The bank password is the same as on the
PC, of course, where it was set a decade or more before there were
smartphones.

>so the thief videos you typing in your code and then steals the phone. Now
>they get access to your phone AND money.

In comp.mobile.android, on Sat, 13 Jul 2024 18:45:14 +0200, Steve Hayes
<hayesstw@telkomsa.net> wrote:

>On Sat, 13 Jul 2024 14:42:31 +0100, Andy Burns <usenet@andyburns.uk>
>wrote:
>
>>Jörg Lorenz wrote:
>>
>>> The article is extremely unspecific how the accounts/mobiles were taken
>>> over. Not very helpful.
>>
>>Snatch the unlocked phone from the user's hands. Bonus points if they
>>can trick the owner into unlocking it, and then snatching it
>
>Or kidnap the owner and torture them till they reveal the passwords.

+1
>
>I don't have a banking app on my phone, partly for that reason, and
>partly because there's no room.

I do,but the only time I use it is to deposit a check. I don't get
many checks, but when I do, this saves a trip to the bank.

One time in Little Rock, I lost half my wallet**, the half with cards,
and only had a small amount of money left. I foudn someone who would
lend me enough money to get home on, gas and food, and motels. Long
aga, I don't think I had a cell phone then, but I did have my laptop
with me and we found out he had an account at the same bank. I was able
to transfer money to him even before he went home to get the cash. So I
didn't really borrow it. I went to a nother branch in Tennessee and got
a new card. So except for the time spent looking, I really wasn't
inconvenienced.**

I didn't even know I could use the webpage to spend money. But I had
still guarded that password.

** I looked all over. I had it an hour earlier, I went back to cafeterie
where I used it to pay for lunch, I looked on the sidewalk and in street
trash cans wherever I had walked, I reported it to the police, I asked
them Where is Traveler's Aid. He'd never heard of it. (Apprently it's
mostly in movies made in NY during WW2.) AFAICT no one ever used or
tried to use the cards in the wallet. I wonder where I lost it and if
anyone found it.

On 2024-07-13 20:59, micky wrote:
> In comp.mobile.android, on Sat, 13 Jul 2024 18:45:12 -0000 (UTC), Chris
> <ithinkiam@gmail.com> wrote:
>
>> David Wade <dave@g4ugm.invalid> wrote:
>>> On 13/07/2024 15:17, Jörg Lorenz wrote:
>>>> On 13.07.24 15:42, Andy Burns wrote:
>>>>> Jörg Lorenz wrote:
>>>>>
>>>>>> The article is extremely unspecific how the accounts/mobiles were taken
>>>>>> over. Not very helpful.
>>>>>
>>>>> Snatch the unlocked phone from the user's hands. Bonus points if they
>>>>> can trick the owner into unlocking it, and then snatching it
>>>>
>>>> Seriously?
>>>>
>>>
>>> Well that lets you onto the phone but most banking apps require the user
>>> re-authenticate after switching to a different app. I suppose you can
>
> That's a no-brainer. Just snatch the phone when he's using the banking
> app.
>
>>> then reset access to the passwords.
>>
>> Most people use the same passcode on the lock screen as for (banking) apps
>
> Really? I would never do that. If I had a phone passcode it would be

The fingerprint is the same.

--
Cheers, Carlos.

On 7/13/2024 12:10 PM, micky wrote:

> One time in Little Rock, I lost half my wallet**, the half with
> cards, and only had a small amount of money left.

On trips I used to keep emergency cash hidden under the floormat in the
car. Luckily I never needed it. I came close to forgetting about it one
time when I got home and put the car through the full service car
wash though... 8-O

On 7/13/2024 11:45 AM, Chris wrote:

> Most people use the same passcode on the lock screen as for
> (banking) apps

I doubt that. Any links...

On 7/13/2024 6:42 AM, Andy Burns wrote:

> Snatch the unlocked phone from the user's hands. Bonus points if
> they can trick the owner into unlocking it, and then snatching it

No trick necessary if they snatch the phone while the victim is using it
and thus it's already unlocked. If a Google user all the Google apps are
also open in this theft method...

AJL <noemail@none.com> wrote:
> On 7/13/2024 11:45 AM, Chris wrote:
>
>> Most people use the same passcode on the lock screen as for
>> (banking) apps
>
> I doubt that. Any links...

https://www.ft.com/content/26be349d-4717-4815-a221-a749e29de2b2

I know I did until I started reading about these types of thefts.

micky <NONONOmisc07@fmguy.com> wrote:
> In comp.mobile.android, on Sat, 13 Jul 2024 18:45:12 -0000 (UTC), Chris
> <ithinkiam@gmail.com> wrote:
>
>> David Wade <dave@g4ugm.invalid> wrote:
>>> On 13/07/2024 15:17, Jörg Lorenz wrote:
>>>> On 13.07.24 15:42, Andy Burns wrote:
>>>>> Jörg Lorenz wrote:
>>>>>
>>>>>> The article is extremely unspecific how the accounts/mobiles were taken
>>>>>> over. Not very helpful.
>>>>>
>>>>> Snatch the unlocked phone from the user's hands. Bonus points if they
>>>>> can trick the owner into unlocking it, and then snatching it
>>>>
>>>> Seriously?
>>>>
>>>
>>> Well that lets you onto the phone but most banking apps require the user
>>> re-authenticate after switching to a different app. I suppose you can
>
> That's a no-brainer. Just snatch the phone when he's using the banking
> app.

How would a thief know?

>>> then reset access to the passwords.
>>
>> Most people use the same passcode on the lock screen as for (banking) apps
>
> Really? I would never do that. If I had a phone passcode it would be
> different from all the others. The bank password is the same as on the
> PC, of course, where it was set a decade or more before there were
> smartphones.

Not the same thing. Bank apps ask you to set a PIN as an added level of
security. People are lazy and don't want to remember another PIN so use the
same one as the phone lock screen.

>> so the thief videos you typing in your code and then steals the phone. Now
>> they get access to your phone AND money.
>

On 2024-07-13 16:20, Chris wrote:
> AJL <noemail@none.com> wrote:
>> On 7/13/2024 11:45 AM, Chris wrote:
>>
>>> Most people use the same passcode on the lock screen as for
>>> (banking) apps
>>
>> I doubt that. Any links...
>
> https://www.ft.com/content/26be349d-4717-4815-a221-a749e29de2b2
>
> I know I did until I started reading about these types of thefts.
>

Nope.

Never did, never WOULD use my phone PIN for anything but...

....unlocking my PHONE!

On 7/13/2024 4:20 PM, Chris wrote:

> Bank apps ask you to set a PIN as an added level of security. People
> are lazy and don't want to remember another PIN so use the same one
> as the phone lock screen.

Depends on the bank app. Mine don't offer pin capability but do require
long passwords using all types of characters. And initially 2FA on a
new device.

On 7/13/2024 4:20 PM, Chris wrote:
> AJL <noemail@none.com> wrote:
>> On 7/13/2024 11:45 AM, Chris wrote:
>>
>>> Most people use the same passcode on the lock screen as for
>>> (banking) apps

>> I doubt that. Any links...

> https://www.ft.com/content/26be349d-4717-4815-a221-a749e29de2b2

The link is locked for me...

> I know I did until I started reading about these types of thefts.

On 2024-07-13 17:06, AJL wrote:
> On 7/13/2024 4:20 PM, Chris wrote:
>> AJL <noemail@none.com> wrote:
>>> On 7/13/2024 11:45 AM, Chris wrote:
>>>
>>>> Most people use the same passcode on the lock screen as for
>>>> (banking) apps
>
>>> I doubt that. Any links...
>
>> https://www.ft.com/content/26be349d-4717-4815-a221-a749e29de2b2
>
> The link is locked for me...

Try this:

<https://archive.is/OsN5j>

In comp.mobile.android, on Sat, 13 Jul 2024 14:09:14 -0700, AJL
<noemail@none.com> wrote:

>On 7/13/2024 12:10 PM, micky wrote:
>
>> One time in Little Rock, I lost half my wallet**, the half with
>> cards, and only had a small amount of money left.
>
>On trips I used to keep emergency cash hidden under the floormat in the
>car. Luckily I never needed it. I came close to forgetting about it one
>time when I got home and put the car through the full service car
>wash though... 8-O

When I got stopped for speeding in Chicago in 1970 -- I had the top down
and my long hair was blowing in the breeze, so he showed no mercy, LOL I
really was speeding. -- I had an outofstate license so I had to post 50
dollars bond, which I didn't have. It was summer, most people I knew
had gone home, I couldn't find my girlfriend at work, but fortunately
her girlfriend worked at a nearby desk and she came, when she got off
work. So I only spend 5 hours in stir.

After that, for 20 years I carried 60 dollars in travelers checks in the
trunk, but I stopped. I've thought about starting again.

In comp.mobile.android, on Sat, 13 Jul 2024 14:09:19 -0700, AJL
<noemail@none.com> wrote:

>victim

I thought this said violin. LOL

"No trick necessary if they snatch the phone while the victim is using
it"

In comp.mobile.android, on Sat, 13 Jul 2024 23:20:55 -0000 (UTC), Chris
<ithinkiam@gmail.com> wrote:

>micky <NONONOmisc07@fmguy.com> wrote:
>> In comp.mobile.android, on Sat, 13 Jul 2024 18:45:12 -0000 (UTC), Chris
>> <ithinkiam@gmail.com> wrote:
>>
>>> David Wade <dave@g4ugm.invalid> wrote:
>>>> On 13/07/2024 15:17, Jörg Lorenz wrote:
>>>>> On 13.07.24 15:42, Andy Burns wrote:
>>>>>> Jörg Lorenz wrote:
>>>>>>
>>>>>>> The article is extremely unspecific how the accounts/mobiles were taken
>>>>>>> over. Not very helpful.
>>>>>>
>>>>>> Snatch the unlocked phone from the user's hands. Bonus points if they
>>>>>> can trick the owner into unlocking it, and then snatching it
>>>>>
>>>>> Seriously?
>>>>>
>>>>
>>>> Well that lets you onto the phone but most banking apps require the user
>>>> re-authenticate after switching to a different app. I suppose you can
>>
>> That's a no-brainer. Just snatch the phone when he's using the banking
>> app.
>
>How would a thief know?

They're smart. LOL

On 7/13/2024 5:17 PM, Alan wrote:
> On 2024-07-13 17:06, AJL wrote:
>> On 7/13/2024 4:20 PM, Chris wrote:
>>> AJL <noemail@none.com> wrote:
>>>> On 7/13/2024 11:45 AM, Chris wrote:
>>>>
>>>>> Most people use the same passcode on the lock screen as for
>>>>> (banking) apps
>>
>>>> I doubt that. Any links...
>>
>>> https://www.ft.com/content/26be349d-4717-4815-a221-a749e29de2b2
>>
>> The link is locked for me...
>
> Try this:
>
> <https://archive.is/OsN5j>

That link worked. Interesting article. I also live in a large metro area
(Phoenix AZ US) and the same stuff happens here.

But you said: "Most people use the same passcode on the lock screen as
for (banking) apps" and I saw nothing in that piece to verify that.
"Most" being over half the phone using population. I still doubt that
assertion but also can't prove otherwise...