Credit Card Fraud That Bypasses 2FA

Someone in the UK is stealing smartphones and credit cards from people who have stored them in gym lockers, and is using the two items in combination to commit fraud:

Phones, of course, can be made inaccessible with the use of passwords and face or fingerprint unlocking. And bank cards can be stopped.

But the thief has a method which circumnavigates those basic safety protocols.

Once they have the phone and the card, they register the card on the relevant bank’s app on their own phone or computer. Since it is the first time that card will have been used on the new device, a one-off security passcode is demanded.

That verification passcode is sent by the bank to the stolen phone. The code flashes up on the locked screen of the stolen phone, leaving the thief to tap it into their own device. Once accepted, they have control of the bank account. They can transfer money or buy goods, or change access to the account.
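The flow above is short enough to model end to end. The following is an added example, not code from the article or from any bank: it simulates the "register the card on a new device" step under two policies. `sms_only` is the flow the article describes (card details, then a code texted to the number on file), and `hardened` is an assumed fix (the existing online-banking password first, and an approval on an already-enrolled device when the card is already bound to one). The card number is the common 4111... test number, the victim, device names and message wording are constructed, and the lock-screen preview flag is the setting the thief relies on.

```python
import hmac
import re
import secrets
from dataclasses import dataclass, field


@dataclass
class Phone:
    """The victim's handset. `inbox` stands in for SMS; the preview flag is the
    lock-screen setting the article's thief relies on."""
    show_previews_on_lock_screen: bool = True
    inbox: list = field(default_factory=list)

    def readable_by(self, can_unlock: bool) -> list:
        # The holder reads an SMS body either by unlocking the phone or, when
        # previews are enabled, straight off the lock screen.
        if can_unlock or self.show_previews_on_lock_screen:
            return list(self.inbox)
        return []

    def approve_in_app(self, can_unlock: bool) -> bool:
        # An approval prompt inside the banking app needs the phone unlocked;
        # a lock-screen preview is not enough to act on it.
        return can_unlock


@dataclass
class Account:
    card_number: str
    password: str
    phone: Phone
    enrolled_devices: set = field(default_factory=set)


class Bank:
    """'sms_only' is the flow the article describes. 'hardened' is an assumed fix,
    not any bank's actual policy: existing online-banking password first, then
    approval on an already-enrolled device when the card is already bound to one."""

    def __init__(self, account: Account, policy: str):
        if policy not in ("sms_only", "hardened"):
            raise ValueError(policy)
        self.account = account
        self.policy = policy
        self.pending = None  # (device_id, otp) for the registration in progress

    def start_registration(self, card_number, new_device, password=None, approver_can_unlock=False):
        acct = self.account
        if card_number != acct.card_number:
            return "rejected: unknown card"
        if self.policy == "hardened":
            if password is None or not hmac.compare_digest(password, acct.password):
                return "rejected: online banking password required"
            if acct.enrolled_devices and not acct.phone.approve_in_app(approver_can_unlock):
                return "rejected: not approved on an already enrolled device"
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending = (new_device, otp)
        acct.phone.inbox.append(f"Your one-time code is {otp}. Do not share it.")
        return "otp sent to phone on file"

    def finish_registration(self, new_device, otp):
        if self.pending is None or self.pending[0] != new_device:
            return "rejected: no registration in progress"
        if not hmac.compare_digest(otp, self.pending[1]):
            return "rejected: wrong code"
        self.account.enrolled_devices.add(new_device)
        self.pending = None
        return "registered"


def _make_bank(policy, previews):
    # Constructed victim: a well-known test card number, the phone already enrolled.
    phone = Phone(show_previews_on_lock_screen=previews)
    acct = Account("4111111111111111", "correct horse battery staple", phone, {"victim-phone"})
    return Bank(acct, policy), acct


def _codes_visible(phone, can_unlock):
    codes = []
    for sms in phone.readable_by(can_unlock):
        m = re.search(r"\b(\d{6})\b", sms)
        if m:
            codes.append(m.group(1))
    return codes


def thief_attempt(policy: str, previews_on_lock_screen: bool = True) -> str:
    """Gym-locker scenario: the thief holds the card and the locked phone, knows no
    password and cannot unlock the handset."""
    bank, acct = _make_bank(policy, previews_on_lock_screen)
    step = bank.start_registration(acct.card_number, "thief-laptop")
    if not step.startswith("otp sent"):
        return step
    codes = _codes_visible(acct.phone, can_unlock=False)
    if not codes:
        return "stalled: code not visible on locked phone"
    return bank.finish_registration("thief-laptop", codes[-1])


def owner_attempt(policy: str) -> str:
    """The legitimate customer moving to a new phone: knows the password and can
    unlock the old handset, so the hardened policy still lets them through."""
    bank, acct = _make_bank(policy, previews=False)
    step = bank.start_registration(acct.card_number, "new-phone",
                                   password=acct.password, approver_can_unlock=True)
    if not step.startswith("otp sent"):
        return step
    return bank.finish_registration("new-phone", _codes_visible(acct.phone, can_unlock=True)[-1])


if __name__ == "__main__":
    for policy in ("sms_only", "hardened"):
        for previews in (True, False):
            print(f"{policy:9} previews={previews!s:5} thief -> {thief_attempt(policy, previews)}")
        print(f"{policy:9} owner -> {owner_attempt(policy)}")
```

Under `sms_only` the thief's success depends entirely on whether the code is visible on the locked screen; under `hardened` the attempt fails before any code is sent, because the thief does not hold the password and cannot act on an in-app approval on the locked phone.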

Posted on September 20, 2022 at 6:29 AM • 23 Comments

Comments

Michael September 20, 2022 6:48 AM

That’s the reason I turned off displaying the contents of messages on the lock screen many years ago. At that time it was more for passwords but the principle is the same.

Untitled September 20, 2022 7:01 AM

That’s the reason I turned off displaying the contents of messages on the lock screen many years ago.

Indeed. On an up-to-date iPhone, Settings > Notifications > Messages > Show Previews > Never (which is now the default).

Peter Galbavy September 20, 2022 7:16 AM

There is a more subtle danger, also mentioned in the source article I believe, which is the thief can also move the SIM from the stolen phone to another one and then view the incoming SMS. If you have not set an SMS PIN then this is simple. I have now, for the first time in many years, set my SMS PINs as I had forgotten these even existed.

Rene Bastien September 20, 2022 8:13 AM

This issue is solely a banking application/system issue. As mentioned by phanmo, the bank should require the banking password before initiating a new installation. If the card is already registered to a device and to a given app on that device, then the bank should be able to know and ask for an additional layer of authentication.

Berreth Stefan September 20, 2022 9:27 AM

Banks here (CH) have long moved away from SMS as a second factor. Instead, a mobile app needs to be initialized with a QR-code-based secret key that was snail-mailed to your home, which you need to have once at app-setup time. You can't switch phones without it after that; you have to request that a new one be issued and snail-mailed to your home first. Not unattackable, but way better than the old SMS scheme.
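The scheme described in the comment above, as an added example rather than any bank's implementation: a device-bound key is derived once from a secret that arrives by post (the string that would be in the mailed QR code), the app then answers server challenges with that key, and a second device cannot be bound without a fresh letter. The HMAC construction, field names and customer/device labels are this example's own choices; a real deployment would more likely use an asymmetric key held in the phone's secure hardware, which the standard library cannot show without extra dependencies.

```python
import hashlib
import hmac
import secrets


def _mac(key: bytes, *parts: str) -> str:
    # Domain-separated HMAC-SHA256 over length-prefixed fields; this example's
    # own construction, not any bank's protocol.
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p.encode())
    return h.hexdigest()


def _device_key(activation_code: str, device_id: str) -> bytes:
    # Both sides derive the same per-device key from the mailed secret.
    return hmac.new(activation_code.encode(), b"device-key:" + device_id.encode(),
                    hashlib.sha256).digest()


class BankServer:
    def __init__(self):
        self.pending_letters = {}   # customer -> activation code printed in the mailed QR code
        self.device_keys = {}       # customer -> (device_id, key) bound at activation
        self.open_challenges = {}   # customer -> nonce awaiting a response

    def issue_activation_letter(self, customer: str) -> str:
        # Delivered by post to the registered address; never over SMS, e-mail or the app.
        code = secrets.token_hex(16)
        self.pending_letters[customer] = code
        return code

    def bind_device(self, customer: str, device_id: str, proof: str) -> bool:
        code = self.pending_letters.get(customer)
        if code is None:
            return False  # no letter outstanding: a stolen phone cannot help here
        key = _device_key(code, device_id)
        if not hmac.compare_digest(proof, _mac(key, "bind", customer, device_id)):
            return False
        del self.pending_letters[customer]  # single use; another phone needs another letter
        self.device_keys[customer] = (device_id, key)
        return True

    def challenge(self, customer: str) -> str:
        nonce = secrets.token_hex(16)
        self.open_challenges[customer] = nonce
        return nonce

    def verify(self, customer: str, device_id: str, action: str, response: str) -> bool:
        nonce = self.open_challenges.pop(customer, None)  # one response per challenge
        bound = self.device_keys.get(customer)
        if nonce is None or bound is None or bound[0] != device_id:
            return False
        return hmac.compare_digest(response, _mac(bound[1], "auth", nonce, action))


class BankApp:
    """The app on one handset. The derived key never leaves the device."""

    def __init__(self, device_id: str):
        self.device_id = device_id
        self.key = None

    def scan_activation_qr(self, customer: str, activation_code: str) -> str:
        self.key = _device_key(activation_code, self.device_id)
        return _mac(self.key, "bind", customer, self.device_id)

    def respond(self, nonce: str, action: str) -> str:
        if self.key is None:
            raise RuntimeError("app not activated on this device")
        return _mac(self.key, "auth", nonce, action)


def demo() -> dict:
    server = BankServer()
    owner_app = BankApp("owner-phone")

    # Activation: the letter arrives at home and the owner scans it once.
    code = server.issue_activation_letter("alice")
    activated = server.bind_device("alice", "owner-phone",
                                   owner_app.scan_activation_qr("alice", code))

    # Normal use: challenge-response with the device-bound key, tied to the action.
    nonce = server.challenge("alice")
    action = "pay 50 GBP to Bob"
    owner_ok = server.verify("alice", "owner-phone", action, owner_app.respond(nonce, action))

    # Replaying the same response fails: the challenge was consumed.
    replay_ok = server.verify("alice", "owner-phone", action, owner_app.respond(nonce, action))

    # Thief with the card and another device: no letter is outstanding, so binding fails,
    # and any SMS landing on the stolen phone plays no part in the protocol.
    thief_app = BankApp("thief-laptop")
    thief_bound = server.bind_device("alice", "thief-laptop",
                                     thief_app.scan_activation_qr("alice", "guessed-code"))
    nonce2 = server.challenge("alice")
    thief_ok = server.verify("alice", "thief-laptop", "pay 5000 GBP to Mule",
                             _mac(b"no key", "auth", nonce2, "pay 5000 GBP to Mule"))

    return {"activated": activated, "owner_ok": owner_ok, "replay_ok": replay_ok,
            "thief_bound": thief_bound, "thief_ok": thief_ok}


if __name__ == "__main__":
    print(demo())
```

The point to notice is that the only secret a thief would need is the one that was mailed to the home address and consumed at activation; nothing that travels to the phone number on file is part of the protocol, so lock-screen previews and SIM swaps stop mattering.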

bv September 20, 2022 10:23 AM

Interesting and good to know. But how many scammers and thieves subscribe to Schneier for explicit primers like this?

Tom September 20, 2022 10:49 AM

On iPhones with FaceID, it is the default to not show the contents unless the phone has been locked with your face. On iPhones with Touch ID or Android however you need to take action yourself.

Bob Paddock September 20, 2022 1:33 PM

“Banks here (CH) have long moved away from SMS as a second factor.”

Banks around here didn’t get the memo. Without warning a month ago my 85 year old mother’s bank demanded her cell phone number to access her account with a SMS code. She doesn’t own a cell phone.

SpaceLifeForm September 20, 2022 3:00 PM

@ Bob Paddock, Clive

How was that demand conveyed to your mom?

Snailmail, email, or landline?

I suspect landline using forged CallerID.

She thought it was her bank. I’ve seen this movie recently. Welcome to SS7, the show that never ends.

SpaceLifeForm September 20, 2022 5:09 PM

@ Ted, Peter Galbavy, Clive

eSim on iPhone is not your friend.

The attacker does not need to move a physical SIM card to another phone.

The attacker does not even need to social engineer a Celco admin.

So, Ted, good thread, but it is not the complete picture.

Why was the initial entry security barrier not functioning? Was the locker security also using the same radio passkey that was disabled? It is not clear, and for some mysterious reason, my googlefu is failing.

https://www.pcmag.com/news/iphone-14s-esim-requirement-irks-some-international-travelers

https://www.theverge.com/2022/9/7/23341368/apple-iphone-14-dual-esim-no-physical-sim

Ted September 20, 2022 10:10 PM

@SpaceLifeForm, All

Was the locker security also using the same radio passkey that was disabled?

That’s a good question. There are several articles about Charlotte’s gym fiasco. In one I see she refers to her “combination padlock.” And she wonders if they used bolt cutters. So maybe no special tech on the lockers at her gym.

However there’s a company that lists Virgin Active’s London location as a case study for their implementation of “smart lockers.”

https://compactstorage.co.uk/case-studies/virgin-active/

People on her Twitter thread were saying that many of their bank apps have a “feature” that allows their PIN to be revealed. Like here:

https://twitter.com/mrsjhatchett/status/1564288793540055040

It’s rather outrageous that Charlotte’s bank first accused her of being careless with her PIN without knowing more.

Someone on a fintech forum posted about his attempt to hack his own PIN. Basically he followed the prompts for a forgotten online bank user name and password. And all he needed was a physical bank card, an ID card with DOB, and phone SMS preview.

Then he could use the user name and password to register on the app and reveal the PIN.

I don’t know how many attack vectors there are.

https://fintechforum.uk/t/how-is-a-thief-taking-thousands-from-london-gym-goers/1563/21

I’m really surprised we haven’t heard more chatter about the new eSIM situation in iPhone 14 in the US. I am scratching my head thinking about how this may impact fraud.
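The chain in the comment above (forgotten credentials, then app registration, then PIN reveal) is worth writing down as a dependency graph, because it shows why every "factor" the bank asks for can be satisfied from the contents of one locker. The following is an added example, not code from the thread or from any bank: the flows are transcribed from the comments on this page, the labels are this example's own, and the assumption that an ID card with date of birth sits in the same locker as the card and phone is a constructed one. The two mitigations are the ones raised by commenters above (turning off lock-screen previews and setting a SIM PIN).

```python
from typing import Dict, FrozenSet, List, Set, Tuple

Rule = Tuple[FrozenSet[str], FrozenSet[str]]

# (what the step needs) -> (what it yields). Transcribed from the flows described
# in this thread; the labels are this example's own, not any bank's rules.
FLOWS: Dict[str, Rule] = {
    "read code off lock-screen preview":
        (frozenset({"stolen phone", "previews shown on lock screen"}), frozenset({"sms codes"})),
    "move SIM into another handset":
        (frozenset({"stolen phone", "SIM has no PIN"}), frozenset({"sms codes"})),
    "forgotten username/password flow":
        (frozenset({"bank card", "ID card with DOB", "sms codes"}),
         frozenset({"online banking username", "online banking password"})),
    "register card in app on own device":
        (frozenset({"bank card", "online banking username", "online banking password", "sms codes"}),
         frozenset({"app session on attacker device"})),
    "reveal card PIN in app":
        (frozenset({"app session on attacker device"}), frozenset({"card PIN"})),
    "transfer money / change account access":
        (frozenset({"app session on attacker device"}), frozenset({"control of account"})),
}

# Each mitigation removes one weak default from what the stolen phone gives away.
MITIGATIONS: Dict[str, str] = {
    "disable SMS previews on lock screen": "previews shown on lock screen",
    "set a SIM PIN": "SIM has no PIN",
}

# Constructed locker contents: phone, card and ID together, with the common defaults
# of previews shown and no SIM PIN (defaults, not choices the victim made).
LOCKER_DEFAULT: FrozenSet[str] = frozenset({
    "stolen phone", "bank card", "ID card with DOB",
    "previews shown on lock screen", "SIM has no PIN",
})


def derive(loot: Set[str]) -> Tuple[Set[str], List[str]]:
    """Fixed-point closure: apply every flow whose inputs are all held until
    nothing new appears. Returns what is reachable and the steps that got there."""
    held: Set[str] = set(loot)
    path: List[str] = []
    progressed = True
    while progressed:
        progressed = False
        for name, (needs, gives) in FLOWS.items():
            if needs <= held and not gives <= held:
                held |= gives
                path.append(name)
                progressed = True
    return held, path


def thief_outcome(mitigations: Tuple[str, ...] = ()) -> Tuple[bool, List[str]]:
    """Do the contents of one locker, after the given mitigations, still reach account control?"""
    loot = set(LOCKER_DEFAULT) - {MITIGATIONS[m] for m in mitigations}
    held, path = derive(loot)
    return "control of account" in held, path


if __name__ == "__main__":
    for mit in [(), ("disable SMS previews on lock screen",), ("set a SIM PIN",),
                ("disable SMS previews on lock screen", "set a SIM PIN")]:
        reached, path = thief_outcome(mit)
        print(f"{list(mit) or 'no mitigations'} -> account control: {reached}")
        for step in path:
            print("   ", step)
```

Running it shows that either mitigation alone still leaves a route to "sms codes" (previews off is defeated by moving the SIM; a SIM PIN is defeated by the preview), and that only removing both breaks every chain, because all three of the bank's recovery and registration flows bottom out in a text message to the phone that is sitting in the same locker as the card.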

SpaceLifeForm September 21, 2022 1:59 AM

@ Ted, ALL

Charlotte’s Web

I have crawled over it quite a bit, and there is something fishy.

I suspect Virgin Active UK and Santander UK are both hacked/pwned by insiders.

Note that Charlotte did get her money back, plus £750 in compensation.

You think, maybe, they just want this story to go away? That she would just shut up?

This is two orgs to not do business with. Even if they are trying, their security sucks. It seems these days, the only way to get an organization to respond to problems, is to shame them publicly on social media.

Clive Robinson September 21, 2022 5:46 AM

@ Bruce, ALL,

Externalising Cost and Risk

It is fairly clear from this story that,

1, Santander UK
2, Virgin Active

And I assume most other UK Banks and Gyms etc are very deliberately “Externalising Cost and Risk”

Some years ago you wrote a piece on banks Externalising Risk, perhaps it’s time to update and publish it again.

@ ALL,

Oh and for anyone visiting or living in London, do not bother getting in contact with the Met Police, as I have discovered they are not even handing out crime reference numbers so that people can make “insurance claims”… They give you a “call reference” instead that has no validity for anything.

The best you can do is try to humiliate them, unless you can afford a legal representative who will charge you hundreds if not thousands to send one or two “standard form letters”.

@ ALL,

But people even here have wondered in the past why I’m a “Cash Only” person, and I don’t do online banking as well as not doing Email or social media… Well, let’s just say I’ve been ahead of this “crime wave” whilst you that were or are still wondering are behind the curve as it were and thus extremely vulnerable.

It’s your choice where you are, but remember each time you give way to some eejit behind a desk you make it harder for everyone else.

I have a standard policy and it starts with a firm and loud enough to be heard by others “NO” and it progresses from there…

As long as we do not “stand together” then unfortunately the other part of that saying comes into play and one by one “we hang together”.

I could explain why governments are actually encouraging this “Externalising Cost and Risk” policy in legislation and the like…

But my comment probably would be found against the rules. Let’s just say that legislators, their advisors, and seniors paid from the public purse, are still just as susceptible to inducements as ever they were, in fact probably more so than ever.

Bob Paddock September 21, 2022 9:01 AM

@SpaceLifeForm

“How was that demand conveyed …”

Went to log into her account and the bank said that to access the account it was sending a text code that must be entered to log in. Then it demanded a cell phone number for sending said text. Rather moronic logic in asking for the phone number …

SpaceLifeForm September 21, 2022 6:34 PM

@ Bob Paddock

Sounds like USBank. Like I said, I have seen this movie before. Am I wrong?

Maybe, the bank should provide a cell phone and service on their dime so your mom can securely login over the internet.

Maybe, it would be cheaper for the bank to provide their customers a SecurID.

Maybe, the bank is setting up a scenario where they are selling the PII and she has to worry about getting phished later.

Maybe, the bank does not understand attack vectors on their security theatre.

Maybe, this is an org to not do business with.

Peter Galbavy September 22, 2022 1:41 AM

@Bob Paddock … this is simple tick box culture. The regulator requires (in the EU the law requires) two-factor “like” authentication for financial access and SMS is cheap. Who cares (in the banks) if it’s insecure?

ResearcherZero September 22, 2022 7:33 PM

@Clive Robinson

Externalising Cost and Risk is standard practice across most of these tech companies. Baked in from the initial company setup, the ‘default configuration’ was put in place as a legal means of avoiding liability, so that the customer became responsible for their security. The politicians thought that annoying regulations may stifle growth.

“Regulations begone!”, they decreed. It turned out to be a cracking idea, and nothing ever went wrong.

Steven Shank October 15, 2022 7:34 PM

I just don’t understand how this works. I have a USBank app. It requires that I login with a username and password, neither of which would be known to the thief. How do they even get to the point where a 2nd factor would be offered? If you setup a new banking app, aren’t you required to login to your account? Then if it is a new device they also want a 2nd factor, but why isn’t the thief stopped by the username and password?
