Monzo fraud - they refuse to do anything!
Comments
GeoffTF said:
Nasqueron said:
GeoffTF said:
[Deleted User] said: If she has re-used a phone pin on the Monzo app then their reticence to refund is understandable.

I am not sure what you mean on the rest - banking apps I have used have all had biometrics so for me, my phone needs a fingerprint to unlock (after a restart, a 6 digit PIN) and all my banking apps need a fingerprint. My work iPhone needs face ID to unlock and approve things (and a 6 digit pin occasionally). Barclays is the only app I have that does sometimes ask for a (5 digit) pin for extra security - though others do ask for random parts of a security code/password if the fingerprint isn't read clearly a couple of times. I doubt any mainstream bank only has/requires you to use PIN access. I seem to recall I also need to use a fingerprint to confirm a new payee and sometimes get an authorisation code/text though if the thief has access to the phone that isn't an issue.

There is no hacking/hacker involved, simply using people's habit of using the same numbers - I don't even know most of the PINs for my cards as I either don't use them (use google pay) or don't even carry them. I think the last time I took money out of an ATM, for a social weekend, was last May and that's pretty much a once a year thing and even then I could probably avoid doing it.

As to OS versions - I agree they should be higher but there are many people who refuse to replace older (working) phones just for security reasons. Personally I'd have a rule that as soon as an OS is obsolete / no more major security patches, you can't use the phone anymore but that would no doubt shut off all the people on say Android 10 or older.

Sam Vimes' Boots Theory of Socioeconomic Unfairness:
People are rich because they spend less money. A poor man buys $10 boots that last a season or two before he's walking in wet shoes and has to buy another pair. A rich man buys $50 boots that are made better and give him 10 years of dry feet. The poor man has spent $100 over those 10 years and still has wet feet.
Nasqueron said: Bank security is only as secure as the weakest link in the chain. In a theoretical example, which is what I was talking about, thief shoulder surfs someone using a PIN to unlock the phone, steals the phone, tests the PIN on the banking app, it lets them in, so they quickly change the details and move the money. That is not the fault of the bank that the same PIN was used, but I haven't looked at any FOS rulings to see if they consider that a valid reason to reject a fraud refund.

My point is that the bank has no way of knowing your phone's PIN. Android (or iOS) will not divulge that to any app on the phone. The bank has no way of knowing how access was gained to the phone. It could have been by shoulder surfing or it could have been some other way. (There was a case in the US where Apple told the Police that they could not gain access to an iPhone without the PIN, and the Police had to hire someone else to do it.)

Similarly the bank has no certain way of knowing how access was gained to their banking app. It could have been using the PIN, or it could have been by bypassing the app's security. Nonetheless, there are much easier ways of stealing money than bypassing the security of a banking app.

In principle, the bank could have surveillance footage of someone shoulder surfing, stealing the phone, and then using the PIN to unlock both the phone and the banking app, but that is extremely unlikely.
Nervalslobster said:The nonsense with Monzo is still ongoing. The next step is to escalate via the press/ombudsman.
[...]
To anyone who asked, the theft was reported to the police, who believe she was observed entering her passcode. There are gangs that specifically do this apparently.

https://www.fca.org.uk/consumers/unauthorised-payments-account

Your bank can only refuse to refund an unauthorised payment if:
- it can prove you authorised the payment
- it can prove you acted fraudulently
- it can prove you deliberately, or with 'gross negligence', failed to protect the details of your card, PIN or password in a way that allowed the payment
- you only told your bank about the unauthorised payment 13 months (or more) after the date it left your account
If the unauthorised payment was from an overdrawn current account or a credit card payment, your bank can only refuse a refund if:
- it can prove you, or someone acting on your behalf, authorised the payment
- the loss was due to the use of a payment card (including a virtual card) by someone who had it with your consent
In all cases, banks can’t simply say that the use of your password, card or PIN proves you authorised a payment.
If your card was lost, stolen or copied, you may have to pay the first £35 of an unauthorised transaction. But this won’t be the case if you weren’t aware of the loss, or if your bank was at fault.
In terms of next steps, has she logged a formal complaint with Monzo yet, as this is a prerequisite before escalation to FOS (after eight weeks or final response)?
GeoffTF said:
Nasqueron said: Bank security is only as secure as the weakest link in the chain. In a theoretical example, which is what I was talking about, thief shoulder surfs someone using a PIN to unlock the phone, steals the phone, tests the PIN on the banking app, it lets them in, so they quickly change the details and move the money. That is not the fault of the bank that the same PIN was used, but I haven't looked at any FOS rulings to see if they consider that a valid reason to reject a fraud refund.

My point is that the bank has no way of knowing your phone's PIN. Android (or iOS) will not divulge that to any app on the phone. The bank has no way of knowing how access was gained to the phone. It could have been by shoulder surfing or it could have been some other way. (There was a case in the US where Apple told the Police that they could not gain access to an iPhone without the PIN, and the Police had to hire someone else to do it.) Similarly the bank has no certain way of knowing how access was gained to their banking app. It could have been using the PIN, or it could have been by bypassing the app's security. Nonetheless, there are much easier ways of stealing money than bypassing the security of a banking app. In principle, the bank could have surveillance footage of someone shoulder surfing, stealing the phone, and then using the PIN to unlock both the phone and the banking app, but that is extremely unlikely.

Similarly the bank has no certain way of knowing how access was gained to their banking app. It could have been using the PIN, or it could have been by bypassing the app's security.

Sorry but this is getting into the realms of fantastical movie hacking, the bank will know from the records how it was accessed, nobody is hacking into random phones with the level of sophistication needed just on the off chance they can steal a couple of hundred quid from a random person.
What happened here is one of a few things:
3) Completely unlikely - the victim was robbed by an incredibly skilled hacking group who used nth level security beating devices to get into a phone to steal money, but these people randomly target people on the street not knowing how much the victim had in the account
2) Not likely - the victim is involved in the scam and is pretending to have lost the money they gave away (as sassy_one mentioned 7/12/23)
1) Most likely - the victim used the same PIN for the phone and bank app and didn't have biometric security or they used the option to get PIN entry, PIN was surfed and used to unlock the phone, they tested it on the banking app on the phone and found it worked so got lucky (see also AmityNeon post 8/12/23)
The original post is largely misleading - nobody hacked emails, they had access to the phone so could access the emails. OP says the phone was locked with face ID and PIN but the thieves got into 3 different bank accounts - I have used Santander and Monzo, both have biometric security, the chance of them getting into all 3 by hacking is so low it might as well be zero. The phone was likely unlocked by PIN and the OP's daughter had the same PIN for all the apps and they got in that way
Sam Vimes' Boots Theory of Socioeconomic Unfairness:
People are rich because they spend less money. A poor man buys $10 boots that last a season or two before he's walking in wet shoes and has to buy another pair. A rich man buys $50 boots that are made better and give him 10 years of dry feet. The poor man has spent $100 over those 10 years and still has wet feet.
Nasqueron said: The bank doesn't need to know your PIN, the bank will know, however, that the app was logged into correctly and security processes followed to setup a new payee - that proves whoever did it had access to the phone. A common thief using shoulder surfing will not have access to the military level expertise needed to break into an iphone, the US had to use some Israeli specialists to do that in one case I saw years ago as they were in danger of locking out the phone from not having the PIN. The expertise needed to do that wouldn't be wasted on someone who could have the phone bricked and accounts locked in a matter of an hour in some cases.

The fact that it is difficult and unlikely does not mean that it is impossible. As you can see from the post above yours, the FCA says: "In all cases, banks can’t simply say that the use of your password, card or PIN proves you authorised a payment." Saying that you must have given your PIN away does not wash.