
Money not refunded by bank after I was mugged


Comments

  • AmityNeon
    AmityNeon Posts: 1,085 Forumite

    I can't begin to imagine what the experience must have been like for you. Your phone wasn't just stolen, and you weren't even just mugged. To be heavily injured, held against your will, and then forced to divulge critically sensitive details under extreme duress as you feared for your life.

    Unfortunately, the regulatory systems we have in place are reactive and compensatory, exacerbated by fraudulent claim attempts placing further stress on the innocent victims attempting to heal as they put their lives back together after suffering an already incredibly traumatic experience. Whilst there are no guarantees, you can be proactive in strengthening your information security to minimise the risk of unauthorised access in circumstances where you may be vulnerable or compromised.

    • Sacrificing convenience, you can keep a smartphone that's used only for banking purposes strictly at home, whilst your 'mobile' phone can be a plain dumbphone that literally cannot access anything sensitive.
    • For a more balanced approach with better flexibility, your mobile could be a smartphone with only essential apps installed, with no access to your finances or sensitive accounts (e.g. cloud storage, email account linked to 2FA or password resets). I strongly recommend using a separate email address for banking purposes.
    • If possible, ensure as many of your apps are protected with a separate passcode (different from your phone's passcode). Some services offer more security options than others, e.g. Proton Mail allows a long custom passcode to be set whereas Gmail has no options whatsoever. The key is to prevent unauthorised access to your personal details (e.g. emails, notes, photos, files in cloud storage) that could allow an adversary to impersonate you (or worse).
  • Sea_Shell
    Sea_Shell Posts: 10,025 Forumite
    This thread has definitely got me thinking about phone security and if I NEED all my banking apps on there.

    I have now deleted the Fidelity app, as although not easy access (would have to sell investments), I don't want anyone to know how much I've got!    I always use the laptop to make transactions anyway.  

    Our main easy access savings are with our main current account holder at the moment (due to good rates), but we don't usually hold a large balance with them.

    But it is about striking a balance between convenience and security.     



    How's it going, AKA, Nutwatch? - 12 month spends to date = 2.60% of current retirement "pot" (as at end May 2025)
  • sausage_time
    sausage_time Posts: 1,478 Ambassador
    All this talk of not taking phones out and about with banking and finance apps is certainly something to think about.  But smartphones have web browsers too - and in many cases the passwords may be stored there. 
    I’m a Forum Ambassador and I support the Forum Team on the Credit Cards, Savings & investments, and Budgeting & Bank Accounts boards. If you need any help on these boards, do let me know. Please note that Ambassadors are not moderators. Any posts you spot in breach of the Forum Rules should be reported via the report button, or by emailing forumteam@moneysavingexpert.com.
    All views are my own and not the official line of MoneySavingExpert.
  • Zanderman
    Zanderman Posts: 4,879 Forumite
    All this talk of not taking phones out and about with banking and finance apps is certainly something to think about.  But smartphones have web browsers too - and in many cases the passwords may be stored there. 
    Yes, but are muggers likely to be looking at your browser? They'll be looking for the apps as easier wins, I assume. 

    And it would be really bad practice to allow your browser - on your phone - to save banking passwords wouldn't it? (I never allow my browser to save any passwords, on any device)
  • AmityNeon
    AmityNeon Posts: 1,085 Forumite
    All this talk of not taking phones out and about with banking and finance apps is certainly something to think about.  But smartphones have web browsers too - and in many cases the passwords may be stored there. 
    Smartphones also have app stores and a history of purchases/downloads. It’s about creating layers of obfuscation so adversaries are faced with additional hurdles.

    Storing passwords in a web browser is terrible security practice, although this raises a point regarding password managers on smartphones. Avoid having the app installed if possible, but if not, make sure it’s secured with something other than the default phone passcode.
  • All this talk of not taking phones out and about with banking and finance apps is certainly something to think about.  But smartphones have web browsers too - and in many cases the passwords may be stored there. 
    Banking sites flag to Chrome and it does not allow their passwords to be stored. 
  • AmityNeon said:
    All this talk of not taking phones out and about with banking and finance apps is certainly something to think about.  But smartphones have web browsers too - and in many cases the passwords may be stored there. 
    Smartphones also have app stores and a history of purchases/downloads. It’s about creating layers of obfuscation so adversaries are faced with additional hurdles.

    Storing passwords in a web browser is terrible security practice, although this raises a point regarding password managers on smartphones. Avoid having the app installed if possible, but if not, make sure it’s secured with something other than the default phone passcode.
    The password manager I use cannot be opened with anything as simple as a passcode. 

    Things that are different: draw & drawer, brought & bought, loose & lose, dose & does, payed & paid


  • DullGreyGuy
    DullGreyGuy Posts: 18,613 Forumite
    AmityNeon said:
    All this talk of not taking phones out and about with banking and finance apps is certainly something to think about.  But smartphones have web browsers too - and in many cases the passwords may be stored there. 
    Smartphones also have app stores and a history of purchases/downloads. It’s about creating layers of obfuscation so adversaries are faced with additional hurdles.

    Storing passwords in a web browser is terrible security practice, although this raises a point regarding password managers on smartphones. Avoid having the app installed if possible, but if not, make sure it’s secured with something other than the default phone passcode.
    The password manager I use cannot be opened with anything as simple as a passcode. 

    Wouldn't it be more helpful to name the password manager?

    Zanderman said:
    All this talk of not taking phones out and about with banking and finance apps is certainly something to think about.  But smartphones have web browsers too - and in many cases the passwords may be stored there. 
    And it would be really bad practice to allow your browser - on your phone - to save banking passwords wouldn't it? (I never allow my browser to save any passwords, on any device)
    Which bank gives access to its website by a simple password? Most, from my experience, want at least 2 codes and often at least 1 will be 3rd letter type stuff and most web browsers cannot store two and can't deal with random character entry. 

    This at least is where Apple's new security feature would help as if the phone is in a non-normal place for you then you can only access stored passwords (in Safari) using biometrics and not pin/password

    The OP remains light on certain detail but I am struggling to imagine them being held onto the ground whilst they are using his phone to physically do the bank transfers... I'm guessing the transfers were to overseas accounts otherwise far too easy for the police to trace and that would be a lot of codes for them to remember whilst dealing with their victim at the same time and working out how you do international transfers in whichever random bank the victim happens to use. 
  • GeoffTF
    GeoffTF Posts: 2,040 Forumite
    To log into my Santander account via a browser I need my 10 digit Personal ID. I have not memorised that. I paste it into the browser on my desktop PC, and it is not stored on my phone. Are you going to be stabbed because you are mugged and do not have any cash, bank cards or mobile phone on you? Perhaps. I have not been able to find any Visa credit card that lets me set my own contactless limit, but the banks seem to compensate people for theft anyway.
  • jon81uk
    jon81uk Posts: 3,888 Forumite
    edited 22 February 2024 at 12:56PM
    jon81uk said:
    Goes to show why you shouldn't use the same PIN for multiple things too!

     Given you were fit to drive and inevitably would have had a wait for an ambulance it's unfortunate that you didn't activate any of the remote security features on the phone. I don't know on Android but certainly Apple you can remote wipe the phone but it remains locked to your appleID. Given they used a banking app on the phone it must have been connected to the internet so would have become a useless lump to them. 

    Hopefully you are on the mend, it would be difficult for the bank to state you were 'grossly negligent' based on your description here and as long as there isn't more to the story that you aren't telling us. 
    In the newest version of iOS there is a feature to try and prevent this sort of access to bank accounts if they get access to the phone PIN Apple iOS 17.3: How to Turn on iPhone's New Stolen Device Protection | WIRED
    It means they need the biometrics (faceID or touchID) in addition to the PIN.
    @jon81uk I was going to mention that too but then looked at the details and I am not convinced it helps in this scenario. 

    It stops the person from being able to use the PIN to go into Wallet or Saved Passwords and stops them from being able to change your AppleID password for example. 

    It however doesn't stop the phone being unlocked by the PIN nor does it stop banking apps being loaded which if they have been set up to use the same PIN or gave them both PINs means the person can still access them.  Effectively stops breaches via Apple applications but not non-Apple ones. Lost Mode and Remote Wipe are the two protections for those and only the latter if the person has the device pin
    Yes true it doesn't help where the online banking password is revealed separately.

    For my First Direct app if FaceID fails you need to know the secure key password (alphanumeric, not a PIN). So the new Apple stuff would stop them resetting FaceID using the Apple device PIN and then using the new FaceID to get into the banking app, but if you reveal the separate banking app password then they would have access.


    In regards to the OP's situation it's not clear if the bank is liable to give the money back, I thought this would be more of a police matter to recover stolen funds?