Mobile phone fraud: ‘They stole £22,500 using my banking app’

19 comments
  1. I personally wouldn’t ever leave more than a few hundred quid accessible in an app for obvious reasons but the response of the bank does seem to be unreasonable based on the information provided there.

  2. So the criminals broke through face id on the phone and passcode protection on the banking app and stole 22500? That’s a difficult thing to do. I’m not surprised the bank said no.

  3. Seriously, what did he expect?

    On one hand banks know just how easy it is to brute force pins and bypass app security on most phones.

    On the other hand he relied on bank security to keep his money safe.

    What galls me is that banks have this huge push toward decentralisation and banks are forcing everyone onto apps under the guise of convenience whilst they know full well the security implications of doing so. Since branch closures have wiped out any kind of local service for me, it’s now a two hour round trip for me to access bank services.

    The bottom line is that if it connects to the public internet and is still usable, a way will be found to break that security. Biometrics are a step in the right direction but the [5lb wrench hack](https://xkcd.com/538/) easily gets round that. What we will end up with is all living with burner phones locked away in a hidden safe that are only used for 2FA verification, which in itself is spoofable (but admittedly not so easily).

    Edit: From the down votes I guess everyone is a little surprised and dismayed that banking apps are inherently insecure and that banks will try their hardest to mitigate responsibility for their misuse? I honestly thought that this was very common knowledge.

  4. > Criminals ‘shoulder surf’ a victim to learn their PIN

    Ding ding ding. That’s why I won’t use a PIN on my banking app. It’s got a long, long password in LastPass, which is fingerprint locked.

    Still not perfect but the best balance of security and usability I think

  5. I’ve very much been meaning to remove all apps like that off my phone. I really must do it.

    There’s never really been a time that I needed my banking apps on my phone that my cards couldn’t handle. I’d rather run that risk than run the risk of fraud.

  6. > “I don’t access my phone using a pin code – I use facial recognition. My Barclays pin is different to my phone pin and they’d need to have both of them.”

    So he says he doesn’t access his phone using his PIN, but clearly his phone does USE a PIN because it’s a different one to his app.

    I’ve lost count of the number of times the facial recognition on my phone has failed and I’ve entered my PIN.

    And I think that’s what happened here. He’s entered the PIN and someone has seen it and robbed his phone.

    One thing you don’t see mentioned in articles like this is where are the criminals sending this money to? They clearly have to set up an account to transfer the money into, and they clearly have to get the money out somewhere before the banks can trace it and refund it.

  7. This is like that story going around about the woman whose phone was stolen from a gym locker in London with similar results. We need to know how they are managing to do this despite several layers of ‘security’.

  8. Have to admit, I don’t trust Barclays as far as I can throw them (and they have some BIG heavy buildings), but it’s difficult to see how the thief could have breached both his phone security and his mobile banking app.

  9. I’m sorry but does Barclays seriously not require a card reader and 2FA with a PIN number to be used to transfer money out of your account to a new account? That seems... really shitty if they allow that.

  10. It’s ridiculous that ordinary members of the public have been given such easy control over significant sums in their accounts.

    It’s like the government are trying to make it easy for people to be scammed or stolen from.

  11. If they didn’t shoulder surf his pin, maybe his phone is set to lock after a number of minutes, not immediately.

  12. Activate and change from default the SIM PIN on your phones!

    Default PIN can be googled.

    Don’t use your date of birth as the PIN obvs.

    This stops someone putting your SIM in another phone and being able to receive OTPs from banks that use SMS as a form of MFA.

  13. That would be gutting, but I’m still baffled how it happened if he has biometric lock and two different pin numbers. With it being investigated there is clearly something he is not telling.
