
Money not refunded by bank after I was mugged


Comments

  • GeoffTF
    GeoffTF Posts: 2,053 Forumite
    1,000 Posts Third Anniversary Photogenic Name Dropper
    masonic said:
    At some point the money must pass from the safety of highly regulated accounts where it could be recovered, to unregulated accounts and services where it disappears without a trace. More could be done at that boundary to check the source of funds.
    The money can be drawn out at an ATM from a legitimate account. Checking the source of funds does not help if that source is legitimate.
    masonic said:
    Regarding malicious software installed on the device, it should not be possible for any software installed on a device to complete a transaction without the device owner's cooperation (such a transaction would by definition be unauthorised and the bank liable for it).
    You do not need malicious software, you can just get the victim to set up a legitimate account in his own name, give you the username and password, and set the mobile phone number to yours. Tell him he has to do that to create a safe account. If you want to use malicious software to obfuscate what you are doing (e.g. a dodgy password manager), you can get the victim to install it for you. There are plenty of software vulnerabilities that can be used too, but it is easier to find a victim who can be conned into doing whatever you want.
  • Olinda99
    Olinda99 Posts: 2,042 Forumite
    1,000 Posts Third Anniversary Name Dropper
    Your wish has been granted - there is no software that can be installed on a mobile device that can make an unauthorised transaction without the owner's cooperation
  • masonic
    masonic Posts: 27,349 Forumite
    Part of the Furniture 10,000 Posts Photogenic Name Dropper
    edited 29 February 2024 at 8:20AM
    GeoffTF said:
    masonic said:
    At some point the money must pass from the safety of highly regulated accounts where it could be recovered, to unregulated accounts and services where it disappears without a trace. More could be done at that boundary to check the source of funds.
    The money can be drawn out at an ATM from a legitimate account. Checking the source of funds does not help if that source is legitimate.
    masonic said:
    Regarding malicious software installed on the device, it should not be possible for any software installed on a device to complete a transaction without the device owner's cooperation (such a transaction would by definition be unauthorised and the bank liable for it).
    You do not need malicious software, you can just get the victim to set up a legitimate account in his own name, give you the username and password, and set the mobile phone number to yours. Tell him he has to do that to create a safe account. If you want to use malicious software to obfuscate what you are doing (e.g. a dodgy password manager), you can get the victim to install it for you. There are plenty of software vulnerabilities that can be used too, but it is easier to find a victim who can be conned into doing whatever you want.
    ATM withdrawals are rate limited and the account holder can be put into overdraft for such a limited amount if the money is to be recovered. If there was a legitimate reason for the recipient to receive the funds from the sender then that's outside the scope of this discussion. If someone lies to the bank about having a legitimate reason to receive funds in the process of money laundering then that should be a criminal offence.
    It was you who suggested software could be installed to remote control a banking app. Such software could only ever be malicious as banks do not permit this. Olinda is probably correct that this is not a reality.
    If someone fraudulently opens a bank account and sets it up so that someone else has primary access for their own purposes, then that is itself fraud. I do not see how someone could do this without knowing they are doing wrong, but I've already commented on steps that could be taken regarding awareness and deterrence of becoming a money mule. This would include people who open accounts and give access to others, people who launder money through their accounts, and people who launder money via ATMs.
    It seems quite implausible a fraudster would get someone to apply for a new current account as part of a "safe account" scam. Time is of the essence in such scams because people usually come to their senses. Going through a current account application, then waiting for a decision, and often waiting for something to arrive in the post would make such a scam difficult to succeed. Some banks, e.g. Barclays, block transfers out on new accounts for the first week or so. Good practice if this is a risk.
  • 35har1old
    35har1old Posts: 1,950 Forumite
    1,000 Posts Second Anniversary Name Dropper
    jon81uk said:
    Goes to show why you shouldn't use the same PIN for multiple things too!

     Given you were fit to drive and inevitably would have had a wait for an ambulance it's unfortunate that you didn't activate any of the remote security features on the phone. I don't know on Android but certainly Apple you can remote wipe the phone but it remains locked to your appleID. Given they used a banking app on the phone it must have been connected to the internet so would have become a useless lump to them. 

    Hopefully you are on the mend, it would be difficult for the bank to state you were 'grossly negligent' based on your description here and as long as there isn't more to the story that you aren't telling us. 
    In the newest version of iOS there is a feature to try and prevent this sort of access to bank accounts if they get access to the phone PIN: Apple iOS 17.3: How to Turn on iPhone's New Stolen Device Protection | WIRED
    It means they need the biometrics (faceID or touchID) in addition to the PIN.
    Touch ID, do you mean fingerprint? If so, it sounds like in this case it would have been a bad idea.
  • 35har1old
    35har1old Posts: 1,950 Forumite
    1,000 Posts Second Anniversary Name Dropper
    masonic said:
    GeoffTF said:
    masonic said:
    masonic said:
    It is very important to remember that the banks are the gatekeepers of banking facilities and no criminal can steal your money by bank transfer anonymously without a failure in the system.
    This is not aimed at OP. Just a reply to the quote above

    Such as this case. Due to violence & threats someone's phone is stolen, & they are forced to open the bank app. So the fraudster can transfer funds.
    That is not a failure of the banking system. Unless you want the bank to question every transfer you make out of your app.
    Given the nature of apps, funds can be moved at any time. Some people will often move funds late at night to pay friends etc.
    I think you've missed the point. I am not criticising the sending bank who knew their customer. I'm criticising the bank that allowed the money to flow into an account being used by someone who they cannot identify, or into a service that hides the identity of their customers. Somewhere along the line the criminals have gained access to other banking facilities fraudulently which are essential to them getting the cash out of the banking system without revealing who they are. A system without this failing would prevent such events taking place, because the criminals would have nowhere to move the money that wouldn't lead the police to them. Part of the solution has to come from government, as part of the problem is people being recruited as money mules.
    You are asking for the impossible. The money could have been transferred overseas, out of UK jurisdiction. Alternatively, a scammer could have persuaded someone to legitimately open a UK bank account in their own name granting the scammer access (either directly or by allowing software to be installed on their device). That account can then be sold to the highest bidder.
    At some point the money must pass from the safety of highly regulated accounts where it could be recovered, to unregulated accounts and services where it disappears without a trace. More could be done at that boundary to check the source of funds. 
    Additionally, the problem of money mules I mentioned needs to be addressed by government. These people are accessories to these hideous acts, so public awareness needs to be raised, and those cooperating in such acts should be charged with converting the proceeds of crime. These people already find themselves unbanked, but in the few media articles on the subject, there is clearly a lack of awareness amongst those susceptible to being targeted.
    Regarding malicious software installed on the device, it should not be possible for any software installed on a device to complete a transaction without the device owner's cooperation (such a transaction would by definition be unauthorised and the bank liable for it). A mobile device should not be used as a second factor if the transaction was initiated from the same device. Someone else mentioned having a pause between new payee being set up and being available to transact.
    So I think we are a long way from the point where we throw up our hands and say we've done everything we can to address this issue.
    Mules are usually vulnerable people
    Simple answer to not using a mobile device for both making the transaction and verifying the payment is to ditch all banking apps
     
  • masonic
    masonic Posts: 27,349 Forumite
    Part of the Furniture 10,000 Posts Photogenic Name Dropper
    edited 2 March 2024 at 7:13AM
    35har1old said:
    Simple answer to not using a mobile device for both making the transaction and verifying the payment is to ditch all banking apps.
     You would need to ditch your smartphone altogether if using this approach. Online banking can still be accessed via a web browser on a smartphone. The alternative approach is to ditch SMS as a means of verification. It may be inconvenient to have to use a secure key or card reader to set up a new payee, but I suspect many could cope with not having that ability when out and about.
    35har1old said:
    Mules are usually vulnerable people
    The majority are young people recruited through social media who simply don't think about the consequences of their actions. Some may go on to be coerced into other criminal acts including taking part in robberies. Some of those being seduced into money muling are children. This is why government needs to play a role. It is good to see there is work being done in this area...

  • Section62
    Section62 Posts: 9,893 Forumite
    1,000 Posts Fourth Anniversary Name Dropper
    masonic said:

    It may be inconvenient to have to use a secure key or card reader to set up a new payee, but I suspect many could cope with not having that ability when out and about.

    Based on comments from Nationwide members on this forum, and on Nationwide's Connect forum, it would be the absolute end-of-the-world-as-we-know-it if a secure key/card reader was required for setting up a new payee - this requirement by Nationwide on their app users has been one of the biggest bugbears for several years.  Probably less of an issue if the requirement was only imposed on those who weren't using biometrics though.

    Personally I don't see the current arrangement where banks are held liable to be sustainable in the long-term.  I've refrained from commenting in the thread until now as the whole victim-blaming issue makes it difficult to comment without risking offence.  But in general terms (not the OP's case specifically) the banks and their customers have to accept some level of shared responsibility for security (and the consequences where that security is breached) because otherwise banks will either start declining to offer accounts to people they feel might be a risk, or else impose increasing restrictions on the transactions we make in terms of quantum and speed.

    It wouldn't surprise me if we end up with a two (or more) tier system where if you want greater flexibility to make larger transactions and have full-service mobile banking then (a) you will get charged a fee and (b) you will have to accept (partial) liability for losses.  Those wanting the bank to be fully liable for losses would have to accept greater restriction on their account(s).  Obviously this is something the regulators need to play catch-up on and make sure the system is fair to everyone.
  • GeoffTF
    GeoffTF Posts: 2,053 Forumite
    1,000 Posts Third Anniversary Photogenic Name Dropper
    edited 2 March 2024 at 11:21AM
    masonic said:
    It may be inconvenient to have to use a secure key or card reader to set up a new payee, but I suspect many could cope with not having that ability when out and about.
    My Tesco Clubcard Pay+ app does not offer that facility, but I expect that it is possible to set up a new payee by logging in via a mobile phone web browser. It would be easy to block that by using a cheap dumb phone as the authentication device and keeping it under lock and key at home. (Assuming that an OTP is required to set up a new payee.) A potential problem is that the bank may send an OTP if you try to make a big in-person payment. There is a potential clash between the bank's security measures and your own.
  • masonic
    masonic Posts: 27,349 Forumite
    Part of the Furniture 10,000 Posts Photogenic Name Dropper
    Section62 said:
    masonic said:

    It may be inconvenient to have to use a secure key or card reader to set up a new payee, but I suspect many could cope with not having that ability when out and about.

    Based on comments from Nationwide members on this forum, and on Nationwide's Connect forum, it would be the absolute end-of-the-world-as-we-know-it if a secure key/card reader was required for setting up a new payee - this requirement by Nationwide on their app users has been one of the biggest bugbears for several years.  Probably less of an issue if the requirement was only imposed on those who weren't using biometrics though.
    Personally I don't see the current arrangement where banks are held liable to be sustainable in the long-term.  I've refrained from commenting in the thread until now as the whole victim-blaming issue makes it difficult to comment without risking offence.  But in general terms (not the OP's case specifically) the banks and their customers have to accept some level of shared responsibility for security (and the consequences where that security is breached) because otherwise banks will either start declining to offer accounts to people they feel might be a risk, or else impose increasing restrictions on the transactions we make in terms of quantum and speed.
    It wouldn't surprise me if we end up with a two (or more) tier system where if you want greater flexibility to make larger transactions and have full-service mobile banking then (a) you will get charged a fee and (b) you will have to accept (partial) liability for losses.  Those wanting the bank to be fully liable for losses would have to accept greater restriction on their account(s).  Obviously this is something the regulators need to play catch-up on and make sure the system is fair to everyone.
    Personally, I don't get the "end of world" sentiment around this approach to new payee set up. I find it reassuring. There will always be a vocal minority who will not accept any inconvenience to them having absolute power over their accounts at all times while simultaneously demanding to be held harmless of any consequences of the lower security required to enable this. I've been an advocate of having the ability to opt in to a better security model (or opt out if it can be made the default) and agree the sort of model you describe is probably where things will end up. We've seen baby steps around customers being given control of contactless payment / faster payment limits etc., although these are of somewhat limited benefit if they can be changed at will on a device you carry with you at all times. I would welcome a combination of adding delays to highly sensitive account changes and the ability to limit the circumstances in which certain operations can be performed.
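
Several controls raised in this thread (a second factor that must not come from the device that initiated the payment, a pause before a newly added payee can be paid, a hold on transfers out of newly opened accounts) can be combined into one pre-payment check. The Python below is an added example, not code from any poster or bank; the class and function names, the device identifiers and the 24-hour payee pause are assumptions, and the 7-day hold stands in for the "first week or so" mentioned above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy values; the thread gives no figures beyond "the first week or so".
PAYEE_PAUSE = timedelta(hours=24)
NEW_ACCOUNT_HOLD = timedelta(days=7)

@dataclass
class PaymentRequest:
    now: datetime
    account_opened: datetime
    payee_added: datetime
    initiating_device: str  # device the payment was started on
    approving_device: str   # device that supplied the second factor

def hold_reasons(req: PaymentRequest) -> list[str]:
    """Return every reason to hold the payment; an empty list means allow."""
    reasons = []
    if req.approving_device == req.initiating_device:
        reasons.append("second factor came from the initiating device")
    if req.now - req.payee_added < PAYEE_PAUSE:
        reasons.append("payee is still inside the new-payee pause")
    if req.now - req.account_opened < NEW_ACCOUNT_HOLD:
        reasons.append("account is too new for outbound transfers")
    return reasons

def constructed_samples():
    """Two constructed requests: a transfer made on a stolen phone, and a routine one."""
    now = datetime(2024, 3, 2, 23, 30)
    opened = datetime(2019, 5, 1)
    # Payee added five minutes ago and approved on the same handset.
    coerced = PaymentRequest(now, opened, now - timedelta(minutes=5),
                             "phone-A", "phone-A")
    # Long-standing payee, approved on a separate card reader kept at home.
    routine = PaymentRequest(now, opened, now - timedelta(days=30),
                             "phone-A", "card-reader-B")
    return hold_reasons(coerced), hold_reasons(routine)

if __name__ == "__main__":
    for reasons in constructed_samples():
        print("HOLD: " + "; ".join(reasons) if reasons else "ALLOW")
```
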