Mobile App Security

On Saturday R4 Moneybox reported on someone who had her mobile and bank card stolen from a locker at a gym. Santander wanted to know how the thieves had got her card pin. She denied it was written down and said they must have got it from her mobile app. It is possible to see your card pin on the Santander App but you have to get through biometrics to access this information. Should I be worried? Can you ask Santander to remove this information on the App. I know my card pin and do not need it to be stored on the App. I also have my phone locked.

Comments

  • Bet her phone passcode was 1234 or something similar. There is way more to the story than was reported.
  • Browntoa
    Browntoa Posts: 49,617 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    As above, I cannot access my banking app without fingerprint or password and 2FA.

    Probably had the PIN written down somewhere.
    Ex forum ambassador

    Long term forum member
  • Daliah
    Daliah Posts: 3,792 Forumite
    1,000 Posts First Anniversary Photogenic Name Dropper
    edited 6 September 2022 at 11:26AM
    She allegedly fell victim to a SIM swap. Long threads on Twitter by her. Santander eventually caved in and reimbursed her but I think this was just to squash publicity. Many questions about this fraud remain unanswered - such as how did the fraudsters get hold of the victim's Registration Number or Biometrics which are needed to view the PIN in the app (which allegedly they did).

  • Daliah
    Daliah Posts: 3,792 Forumite
    1,000 Posts First Anniversary Photogenic Name Dropper
    edited 6 September 2022 at 11:27AM
    On Saturday R4 Moneybox reported on someone who had her mobile and bank card stolen from a locker at a gym. Santander wanted to know how the thieves had got her card pin. She denied it was written down and said they must have got it from her mobile app. It is possible to see your card pin on the Santander App but you have to get through biometrics to access this information. Should I be worried? Can you ask Santander to remove this information on the App. I know my card pin and do not need it to be stored on the App. I also have my phone locked.
    I don't think there is a way to remove the PIN from the app, and anyway, you do need your Registration Number or biometrics to view it. It is a total mystery to me how the fraudsters got this information. As an aside: lots of banking apps now let you view your PIN.

    Here is what you can do if you don't do it already:

    Put a SIM lock on your phone.

    Don't take your cards out of the house - use ApplePay / Google Wallet
  • In a previous thread I mentioned a possible mobile phone security weakness that allows messages to flash up when the phone is locked. This allows a thief to read verification codes sent to you by the bank without having to unlock your phone. I know it is convenient to be able to read these messages immediately, but to be more secure it is best to go to "Settings" and select "Don't Show Notifications". I'm not sure if this weakness was exploited in the case highlighted above.
  • k_man
    k_man Posts: 1,636 Forumite
    1,000 Posts Second Anniversary Name Dropper
    In a previous thread I mentioned a possible mobile phone security weakness that allows messages to flash up when the phone is locked. This allows a thief to read verification codes sent to you by the bank without having to unlock your phone. I know it is convenient to be able to read these messages immediately, but to be more secure it is best to go to "Settings" and select "Don't Show Notifications". I'm not sure if this weakness was exploited in the case highlighted above.
    According to the BBC, that was part of the exploit:
    https://www.bbc.co.uk/news/uk-england-london-62809151

    Once they have the phone and the card, they register the card on the relevant bank's app on their own phone or computer. Since it is the first time that card will have been used on the new device, a one-off security passcode is demanded.

    That verification passcode is sent by the bank to the stolen phone. The code flashes up on the locked screen of the stolen phone, leaving the thief to tap it into their own device.

    However, if the bold section is correct, that suggests a significant flaw in the bank security process (ability to register someone else's card).
    Or, key info has been omitted from the story, lest there is a spate of copycats.
  • nyermen
    nyermen Posts: 1,143 Forumite
    Tenth Anniversary 1,000 Posts Name Dropper
    k_man beat me to it, i was about to mention this article.

    I suspect it's certain specific banks rather than all - HSBC has a whole series of stages to allow activating a mobile app on a new device. I mention this (rather than just using a card) because people have also complained that their savings were transferred to their current account - still unclear how they are getting into Mobile banking to do this unless they are doing something like activating to a new device and using a transfer code (HSBC require me to provide codes from existing app plus SMS etc., and each time requires passcode / FaceID to approve).
    Peter

    Debt free - finally finished paying off £20k + Interest.
  • jbrassy
    jbrassy Posts: 1,047 Forumite
    Seventh Anniversary 1,000 Posts Name Dropper
    k_man said:
    In a previous thread I mentioned a possible mobile phone security weakness that allows messages to flash up when the phone is locked. This allows a thief to read verification codes sent to you by the bank without having to unlock your phone. I know it is convenient to be able to read these messages immediately, but to be more secure it is best to go to "Settings" and select "Don't Show Notifications". I'm not sure if this weakness was exploited in the case highlighted above.
    According to the BBC, that was part of the exploit:
    https://www.bbc.co.uk/news/uk-england-london-62809151

    Once they have the phone and the card, they register the card on the relevant bank's app on their own phone or computer. Since it is the first time that card will have been used on the new device, a one-off security passcode is demanded.

    That verification passcode is sent by the bank to the stolen phone. The code flashes up on the locked screen of the stolen phone, leaving the thief to tap it into their own device.

    However, if the bold section is correct, that suggests a significant flaw in the bank security process (ability to register someone else's card).
    Or, key info has been omitted from the story, lest there is a spate of copycats.
    This is the weak point:
    "That verification passcode is sent by the bank to the stolen phone. The code flashes up on the locked screen of the stolen phone, leaving the thief to tap it into their own device."

    However, the BBC article also explains how to fix this problem: 
    "the best way to stop this particular thief and this particular method is to make sure they cannot read the verification code sent by the bank. This is done in your phone's settings:

    For iPhones:

    Go to Settings
    Scroll to Messages
    Scroll to Notifications
    Scroll to Show Previews where there are three choices: Always / When Unlocked / Never
    Select either When Unlocked or Never. Your messages will no longer flash up when your phone is locked

    For Android:

    Go to Settings
    Select Lock Screen
    Select Notifications
    Select Don't Show Notifications. Your messages will no longer flash up when your phone is locked"
  • Daliah
    Daliah Posts: 3,792 Forumite
    1,000 Posts First Anniversary Photogenic Name Dropper
    k_man said:

    Once they have the phone and the card, they register the card on the relevant bank's app on their own phone or computer. Since it is the first time that card will have been used on the new device, a one-off security passcode is demanded.

    Which bank allows you to activate their app with a card number and a texted passcode only?
  • k_man
    k_man Posts: 1,636 Forumite
    1,000 Posts Second Anniversary Name Dropper
    Daliah said:
    k_man said:

    Once they have the phone and the card, they register the card on the relevant bank's app on their own phone or computer. Since it is the first time that card will have been used on the new device, a one-off security passcode is demanded.

    Which bank allows you to activate their app with a card number and a texted passcode only?
    I don't know of any, but the quoted news article implies that is the case (as no mention of the other credentials required).
    Which is why I stated the following:
    However, if the bold section is correct, that suggests a significant flaw in the bank security process (ability to register someone else's card).
    Or, key info has been omitted from the story, lest there is a spate of copycats.