Does anyone run a separate phone for bank 2FA?

I have just one phone and the banks are now insisting more and more that I use a phone for 2FA on significant account transactions. So I use my one phone. I take the same phone to the pub and on public transport and on walks in the countryside (when I get the chance for those these days). Over the years I’ve lost a couple of phones.

Speaking to my brother-in-law at the weekend the riskiness of this was brought into focus when he told me that his wife’s son had had his phone snatched on the way home from a night out. He was walking down the street at 02:30 and was actually using the phone (I’m not sure - trying to get a ride home maybe? Still in conversation with the mates he’d been out with?) so it was effectively unlocked. It was a pro job. By the time he managed to put a stop on stuff (not so easy in the small hours some way from home after a few pints and, of course, now without his phone) they’d maxed out several accounts to a total of a few grand. Fortunately things like his crypto account had limits set for the amount that could be withdrawn in a 24 hour period, so they gave up after taking just £100 or so from that (there are tens of grand in it).

The obvious fix is a ‘bank’ phone kept securely at home. The out-on-the-lash phone would only be linked to a single isolated account with, say, a couple of grand in. Do any of you do that?

I solve this problem by not going out on the lash :grinning_face:

4 Likes

So you do have a secure phone at home then. Because you never go out :laughing:

I don’t think that scenario would ever apply to me.
I never use my phone while walking about.
I am sure you have a spare phone, and there are sim only deals for £5 a month.
Pretty cheap to do, if you feel the need.

I do zero banking on my phone. That’s what the laptop at home is for.

2 Likes

My banking apps require ID to open even when the phone is unlocked.
I never open them in public spaces.

2 Likes

This. You can’t use the phone to pay for anything unless you’ve got my severed head to hand either.

I would have thought that this was something you could, and probably already do, fix with process.

All modern financial apps are really twitchy about security unless you unwisely tell them not to bother with pesky old logins and stuff. Many will also re-challenge at the point of transaction.

If I handed my unlocked phone to a young man in a hoodie riding a stolen Lime bike I struggle to think of any further than trivial damage that they could do.

As an aside, when the MiL was in hospital or otherwise indisposed the wife and her siblings complained that MFA made supermarket shops and money transfers blooming awkward. They didn’t like it when I pointed out that they were trying to subvert exactly what it was meant to defeat.

2 Likes

NFC payments need a thumb print, it locks up after a few seconds automatically.

Latest iOS also allows you to enforce FaceID per app, even if the app doesn’t natively support it.

So you can additionally restrict access to things like email, messages, etc. even if the phone itself is unlocked.

1 Like

My friend’s son-in-law had his drink spiked on a night out. The perpetrators then scooped him up, put him in a car and systematically stole tens of thousands of pounds using his face and fingerprints as required.

Same here. The banks still want to SMS a code to my phone though and the last few that don’t seem desperate to jump on the bandwagon, as here (screenshot from Smile)

so the banks now regard my phone number as a reliable contact channel.

I’m curious to know how the felons managed to access my relative’s accounts. I have absolutely no idea, but unless this is an elaborate story to explain to his wife where all the money went one night, clearly they did. For what it’s worth he’s in his early 40s and works in IT. I can’t say I know him really well but he doesn’t come across either as dumb or reckless. Apparently the banks have been very sympathetic and he’s not going to lose out significantly which, I guess, means we all are as they’ll spread the losses.

SMS isn’t a particularly secure method of 2FA.

I’m a bit surprised they got access even if the device was unlocked as normally the banking apps require some level of 2FA, usually biometric such as fingerprint or face.

The biometrics often revert to PIN after failure, but that’s unlikely to work as they will lock after a few attempts to prevent brute force attacks.

Perhaps they got enough personal details to do things the old school way, i.e. call the bank up.

It’s arguable that phone banking is more secure than the laptop because the second factor of authentication can easily be biometrics as opposed to hoping that it’s the owner who has the phone in their hand when the SMS code is sent.

This doesn’t mitigate the kidnapping etc. described above but that’s just the modern version of tying you to a chair and beating the safe combination out of you.

It was more that Authenticator apps (protected by biometrics) are better than SMS as SMS is vulnerable to things like SIM swap attacks.
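As an added illustration of why an authenticator app is a different proposition from an SMS code (this is example code, not something from the thread or from any bank): a TOTP authenticator and its server-side check share a secret once at enrolment, and after that nothing secret is ever transmitted. A SIM swap moves the phone number, not the secret, so it gains the attacker nothing. The example below implements RFC 4226 HOTP and RFC 6238 TOTP and a server-side verifier that tolerates one step of clock skew and refuses to accept the same time step twice. The secret used is the RFC 6238 test secret (assumed here so the output is checkable); the class and function names are my own.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 reference secret "12345678901234567890", base32-encoded as an authenticator
# app's enrolment QR code would carry it. Used here so the codes match the RFC's vectors.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (the phone-side code)."""
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Server side of the exchange.

    Accepts a submitted code if it matches the current time step or one step either
    side (clock skew), and remembers the highest step already accepted so a code that
    was seen once (shoulder-surfed, phished, read off a snatched phone) cannot be
    replayed within its validity window.
    """

    def __init__(self, secret_b32: str, step: int = 30, digits: int = 6, skew: int = 1):
        self.secret = base64.b32decode(secret_b32, casefold=True)
        self.step = step
        self.digits = digits
        self.skew = skew
        self.last_accepted_step = -1  # per-user state; would be persisted in practice

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for offset in range(-self.skew, self.skew + 1):
            candidate = current + offset
            if candidate <= self.last_accepted_step:
                continue  # already used (or older than something used): replay
            expected = hotp(self.secret, candidate, self.digits)
            # constant-time comparison so timing does not leak how many digits matched
            if hmac.compare_digest(expected, code):
                self.last_accepted_step = candidate
                return True
        return False


if __name__ == "__main__":
    # Phone generates at T=59 (step 1); server checks at T=59, then again: replay refused.
    server = TotpVerifier(RFC_SECRET_B32)
    code = totp(RFC_SECRET_B32, 59)
    print(code, server.verify(code, 59), server.verify(code, 59))
```

Two points worth noticing when reading it: the only long-lived secret sits on both ends and is never sent, and the verifier's `last_accepted_step` is what turns a 30-second window into genuinely one-time use. Neither property is available with an SMS code, which is the second factor itself travelling over a channel the operator controls.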

My b-i-l, the one who told me about his wife’s son’s phone-snatching, is a director of a company specialising in business process management software. ISTR him once saying to me that they default to regarding every client’s devices/systems as compromised and insist on the use of Authenticators.

We do as a rule at work. SMS is a fallback option where it’s not possible.

My phone locks if it detects theft - either a sudden jerk while open or being placed into airplane mode (which is what thieves often do, apparently). However, this feature did need to be turned on, even though it’s built in.

The only problem is that there are a couple of crap games I like to play in airplane mode to avoid ads, and it’ll randomly lock the phone at me in mid game!

If only there was a reliable, simple, cheap-to-replace security device that couldn’t easily be hacked or cheated…

Oh, wait…

…but then it’s the Bank’s problem, and cost, and we can’t have that, can we shareholders?

Actually I’m not sure that’s the real reason for all the grief. I can’t quite remember why (some phone issue or other, I think) but a bank did actually send me one of those recently, and by recently I mean earlier this year. So they haven’t given up on them completely.

The problem is pester power. The world, and in particular the children, want to do everything with their new toy, even when the toy is really not suited for the job. The banks either give in to them (think harassed parent by the checkout sweets display) or really lose business, especially with the all-important children. So the answer to every question has to be ‘my phone’. Really, it does. Even when the providers have to tie themselves in dreadful knots to mitigate the worst of the device’s shortcomings.

I shouldn’t say that. Mobile telephony paid my mortgage and is keeping me in a lifestyle which I really don’t deserve (thanks everyone). But like so much IT, keeping it secure is, well, a challenge. If, after all these years, a bunch of teens in their bedrooms can do this much harm to national enterprises then surely the whole security subject area really needs to have a word with itself.

1 Like