Mobile fraud: Thieves 'shoulder surfing' victims to steal phones
[JJ: and PINs]

https://www.bbc.co.uk/news/business-65456325

"Criminals are getting smarter at targeting victims to gain access to
banking apps on mobile phones, a senior UK fraud officer has said.

Detective Superintendent John Roch says the technology behind the apps
is secure but criminals are getting better at exploiting human behaviour.

Thieves typically "shoulder surf" victims to catch them entering their
PIN before stealing the phone.

The financial impact of the crime can be enormous."

Goes on to tell of one man losing £22,000

--

Fake news kills!

I may be contacted via the contact address given on my website:
www.macfh.co.uk

On 5/22/2023 2:53 AM, Java Jive wrote:
> Mobile fraud: Thieves 'shoulder surfing' victims to steal phones
> [JJ: and PINs]
>
> https://www.bbc.co.uk/news/business-65456325
>
> "Criminals are getting smarter at targeting victims to gain access to
> banking apps on mobile phones, a senior UK fraud officer has said.
>
> Detective Superintendent John Roch says the technology behind the apps
> is secure but criminals are getting better at exploiting human behaviour.
>
> Thieves typically "shoulder surf" victims to catch them entering their
> PIN before stealing the phone.

A good reason to use fingerprint, face, or iris scan instead. But on my
iPhone I find myself entering my PIN pretty often when FaceID doesn't
unlock the device.

> The financial impact of the crime can be enormous."
>
> Goes on to tell of one man losing £22,000

Both Apple and Google could largely address this issue by allowing the
user to require per-app authentication with a different PIN (or pattern)
or by allowing the user to require fingerprint, or face, or iris scan
authentication.

Some Android devices have this capability included, but it's not an
Android standard feature. There are Android apps that do a decent job on
adding this capability, i.e. "AppLock
<https://play.google.com/store/apps/details?id=com.domobile.applockwatcher>.

Also on Android you could create separate users for apps requiring more
security (banking, shopping, e-mail etc.) while one user profile can be
used for apps that don't require high security. This is not possible on
iOS devices because Apple doesn't allow multiple users on iOS devices.
There are Jailbreak tweaks for the iPhone that allow individual app
protection as well as multi-user capability, if these tweaks still work.

I cover this in my Google Docs document "Android and iOS features that
Users of the Other Operating System Wish they Had" in item 187a on page
96 (see
<https://docs.google.com/document/d/1JznrWfGJDA8CYVfjSnPTwfVy8-gAC0kPyaApuJTcUNE/edit#bookmark=id.8m5lho8ne3if>).

[adding misc.phone.mobile.iphone)]
--
“If you are not an expert on a subject, then your opinions about it
really do matter less than the opinions of experts. It's not
indoctrination nor elitism. It's just that you don't know as much as
they do about the subject.”—Tin Foil Awards

In article <u4g5gh$27bsk$1@dont-email.me>, sms
<scharf.steven@geemail.com> wrote:

> > Thieves typically "shoulder surf" victims to catch them entering their
> > PIN before stealing the phone.
>
> A good reason to use fingerprint, face, or iris scan instead. But on my
> iPhone I find myself entering my PIN pretty often when FaceID doesn't
> unlock the device.

bullshit, and iris scans don't work. samsung tried it and it failed.

of course, you could just turn on the room lights :)

> Both Apple and Google could largely address this issue by allowing the
> user to require per-app authentication with a different PIN (or pattern)
> or by allowing the user to require fingerprint, or face, or iris scan
> authentication.

apps with sensitive data, e.g., banking, already do that.

Java,

> "Criminals are getting smarter at targeting victims to gain access to
> banking apps on mobile phones, a senior UK fraud officer has said.

Its not that criminals get smarter - shoulder-surfing has been done for
decennia, trying to glean what someone enters on an ATM - but people are
getting stupider.

While people have been warned to make it hard for anyone to see what they
enter into an ATM by putting their other hand over the hand entering the PIN
code, those same people one-handedly enter their PIN in on devices in
stores, where I personally have to put effort into NOT seeing what they
enter - of either the customer infront of me or the next cash register over
(even easier, as you can look more-or-less straight ahead).

Most people using smartphones behave as if they are the only one on earth -
speaking loudly enough that a whole bus or train couch can follow their side
of the conversation of what happened at their appointement with the doctor,
upto-and-including being absolutily oblivious of people (and objects) around
them ( (i)phone zombies anyone ?).

No, those criminals just rinse-and-repeat an old trick. Nothing really
smart about that.

Heck, decennia ? Make that centuries. People "shoulder surfing" to see
what safe combination someone enters predates even electricity.

Regards,
Rudy Wieser

sms <scharf.steven@geemail.com> wrote:
> On 5/22/2023 2:53 AM, Java Jive wrote:
>> Mobile fraud: Thieves 'shoulder surfing' victims to steal phones
>> [JJ: and PINs]
>>
>> https://www.bbc.co.uk/news/business-65456325
>>
>> "Criminals are getting smarter at targeting victims to gain access to
>> banking apps on mobile phones, a senior UK fraud officer has said.
>>
>> Detective Superintendent John Roch says the technology behind the apps
>> is secure but criminals are getting better at exploiting human behaviour.
>>
>> Thieves typically "shoulder surf" victims to catch them entering their
>> PIN before stealing the phone.
>
> A good reason to use fingerprint, face, or iris scan instead. But on my
> iPhone I find myself entering my PIN pretty often when FaceID doesn't
> unlock the device.
>
>> The financial impact of the crime can be enormous."
>>
>> Goes on to tell of one man losing £22,000

I always wonder with these stories why do people have so much money in easy
to access accounts. It should be put away in an ISA or high interest
savings account.

> Both Apple and Google could largely address this issue by allowing the
> user to require per-app authentication with a different PIN (or pattern)
> or by allowing the user to require fingerprint, or face, or iris scan
> authentication.

They do. Problem is most people use the same PIN for apps as the lock
screen. I was one of them, but have changed due to stories like this.

R.Wieser <address@is.invalid> wrote:
> Java,
>
>> "Criminals are getting smarter at targeting victims to gain access to
>> banking apps on mobile phones, a senior UK fraud officer has said.
>
> Its not that criminals get smarter - shoulder-surfing has been done for
> decennia, trying to glean what someone enters on an ATM - but people are
> getting stupider.

Not sure it's that they're stupider, more that their stupidity has more
significant consequence. At an ATM you'd lose £300 at most.

On 5/22/2023 1:04 PM, R.Wieser wrote:

<snip>

> Its not that criminals get smarter - shoulder-surfing has been done for
> decennia, trying to glean what someone enters on an ATM - but people are
> getting stupider.
>
> While people have been warned to make it hard for anyone to see what they
> enter into an ATM by putting their other hand over the hand entering the PIN
> code, those same people one-handedly enter their PIN in on devices in
> stores, where I personally have to put effort into NOT seeing what they
> enter - of either the customer infront of me or the next cash register over
> (even easier, as you can look more-or-less straight ahead).

<snip>

It's not quite the same. Shoulder surf someone entering their PIN to use
with a debit card and you have the PIN but you're unlikely to steal
their debit card which is necessary to get money.

With a phone, you watch them enter their PIN and then immediately grab
their phone and run. Then you quickly change the PIN, open apps that
don't require additional verification to pay for things (Apple Pay,
Google Pay, Amazon, etc.). If you have tied those apps to a bank
account, rather than a credit card, then the bank may not have the kind
of fraud protection that credit cards have.

In the U.S., because of the lack of "Chip & PIN" on credit card
transactions, the card issuers are very aggressive in terms of fraud
detection and alerts. I recall one time where I didn't even realize that
I had lost my credit card and I got a call from the issuing bank asking
if some transactions were mine.

I warn people visiting San Francisco and San Jose to not be talking on
their phone when walking down the street in busy areas.

One other thing with bank cards is to request an ATM card, not a debit
card. Since there's a limit to how much cash you can withdraw with an
ATM card, potential losses are less than with a debit card. The only
issue with that is that a few stores still refuse credit cards but
accept debit cards (i.e. WinCo).

--
“If you are not an expert on a subject, then your opinions about it
really do matter less than the opinions of experts. It's not
indoctrination nor elitism. It's just that you don't know as much as
they do about the subject.”—Tin Foil Awards

On 22/05/2023 10:53, Java Jive wrote:
> Mobile fraud: Thieves 'shoulder surfing' victims to steal phones
> [JJ: and PINs]
>
> https://www.bbc.co.uk/news/business-65456325
>
> "Criminals are getting smarter at targeting victims to gain access to
> banking apps on mobile phones, a senior UK fraud officer has said.
>
> Detective Superintendent John Roch says the technology behind the apps
> is secure but criminals are getting better at exploiting human behaviour.
>
> Thieves typically "shoulder surf" victims to catch them entering their
> PIN before stealing the phone.
>
> The financial impact of the crime can be enormous."
>
> Goes on to tell of one man losing £22,000

Oops, first ng should have been uk.telecom.mobile, not this one.

Sorry about that.

--

Fake news kills!

I may be contacted via the contact address given on my website:
www.macfh.co.uk

In article <u4gi91$28m45$1@dont-email.me>, Chris <ithinkiam@gmail.com>
wrote:

>
> I always wonder with these stories why do people have so much money in easy
> to access accounts. It should be put away in an ISA or high interest
> savings account.

those are also easy to access.

In article <u4gi91$28m45$2@dont-email.me>, Chris <ithinkiam@gmail.com>
wrote:

> >> "Criminals are getting smarter at targeting victims to gain access to
> >> banking apps on mobile phones, a senior UK fraud officer has said.
> >
> > Its not that criminals get smarter - shoulder-surfing has been done for
> > decennia, trying to glean what someone enters on an ATM - but people are
> > getting stupider.
>
> Not sure it's that they're stupider, more that their stupidity has more
> significant consequence. At an ATM you'd lose £300 at most.

that depends on the bank and status of the account holder.

for some accounts, the limit is significantly higher.

<https://www.cnet.com/personal-finance/banking/advice/atm-withdrawal-lim
its/>
Knowing which ATMs have the highest withdrawal limits is important
for successful cash withdrawals. Some banks, such as Morgan Stanley
and Citi have relatively high daily ATM withdrawal limits as high as
$5,000 per day. Depending on the account type, banks generally offer
various withdrawal limits.

In article <u4gjil$28qe9$1@dont-email.me>, sms
<scharf.steven@geemail.com> wrote:

> It's not quite the same. Shoulder surf someone entering their PIN to use
> with a debit card and you have the PIN but you're unlikely to steal
> their debit card which is necessary to get money.

skimmers and shimmers say hello.

nospam <nospam@nospam.invalid> wrote:
> In article <u4gi91$28m45$1@dont-email.me>, Chris <ithinkiam@gmail.com>
> wrote:
>
>>
>> I always wonder with these stories why do people have so much money in easy
>> to access accounts. It should be put away in an ISA or high interest
>> savings account.
>
> those are also easy to access.

Not in the UK, typically. Especially not ISAs.

nospam <nospam@nospam.invalid> wrote:
> In article <u4gi91$28m45$2@dont-email.me>, Chris <ithinkiam@gmail.com>
> wrote:
>
>>>> "Criminals are getting smarter at targeting victims to gain access to
>>>> banking apps on mobile phones, a senior UK fraud officer has said.
>>>
>>> Its not that criminals get smarter - shoulder-surfing has been done for
>>> decennia, trying to glean what someone enters on an ATM - but people are
>>> getting stupider.
>>
>> Not sure it's that they're stupider, more that their stupidity has more
>> significant consequence. At an ATM you'd lose £300 at most.
>
> that depends on the bank and status of the account holder.

Not for most people in the UK. There are hard limits on almost all ATMs.

> for some accounts, the limit is significantly higher.
>
> <https://www.cnet.com/personal-finance/banking/advice/atm-withdrawal-lim
> its/>
> Knowing which ATMs have the highest withdrawal limits is important
> for successful cash withdrawals. Some banks, such as Morgan Stanley
> and Citi have relatively high daily ATM withdrawal limits as high as
> $5,000 per day. Depending on the account type, banks generally offer
> various withdrawal limits.

The OP is a UK story so the above is irrelevant.

sms <scharf.steven@geemail.com> wrote:
> On 5/22/2023 1:04 PM, R.Wieser wrote:
>
> <snip>
>
>> Its not that criminals get smarter - shoulder-surfing has been done for
>> decennia, trying to glean what someone enters on an ATM - but people are
>> getting stupider.
>>
>> While people have been warned to make it hard for anyone to see what they
>> enter into an ATM by putting their other hand over the hand entering the PIN
>> code, those same people one-handedly enter their PIN in on devices in
>> stores, where I personally have to put effort into NOT seeing what they
>> enter - of either the customer infront of me or the next cash register over
>> (even easier, as you can look more-or-less straight ahead).
>
> <snip>
>
> It's not quite the same. Shoulder surf someone entering their PIN to use
> with a debit card and you have the PIN but you're unlikely to steal
> their debit card which is necessary to get money.

Not true. My dad was mugged years ago after his card PIN was shoulder
surfed. They managed to get a couple ATM transactions and a few hundred
euros.

This isn't new behaviour.

On Mon, 22 May 2023 22:04:41 +0200, "R.Wieser" <address@is.invalid>
wrote:

>While people have been warned to make it hard for anyone to see what they
>enter into an ATM by putting their other hand over the hand entering the PIN
>code, those same people one-handedly enter their PIN in on devices in
>stores, where I personally have to put effort into NOT seeing what they
>enter - of either the customer infront of me or the next cash register over
>(even easier, as you can look more-or-less straight ahead)

Indeed. At the supermarket checkout I usually find myself musing that
it depends on the same protocol as that of the gentlemen's urinal...

Rod.

A few years ago, a friend in the US told me they were getting cases of
people using IR cameras to detect the heat from keys being pressed.

On 22/05/2023 10:53, Java Jive wrote:
> Mobile fraud: Thieves 'shoulder surfing' victims to steal phones
> [JJ: and PINs]
>
> https://www.bbc.co.uk/news/business-65456325
>
> "Criminals are getting smarter at targeting victims to gain access to
> banking apps on mobile phones, a senior UK fraud officer has said.
>
> Detective Superintendent John Roch says the technology behind the apps
> is secure but criminals are getting better at exploiting human behaviour.
>
> Thieves typically "shoulder surf" victims to catch them entering their
> PIN before stealing the phone.
>
> The financial impact of the crime can be enormous."
>
> Goes on to tell of one man losing £22,000
>

Apple iPhone's are vulnerable.

Apple’s iPhone Passcode Problem: Thieves Can Ruin Your Entire Digital
Life in Minutes | WSJ
https://www.youtube.com/watch?v=QUYODQB_2wQ

How iPhone Recovery Keys Help Thieves Lock Users Out of Apple Accounts |
Tech News Briefing | WSJ
https://www.youtube.com/watch?v=NVm8Io7nQ2U

How iPhone Thieves Lock You Out Of Your Apple Account | WSJ
https://www.youtube.com/watch?v=tCfb9Wizq9Q

--
Adrian C

On Tue, 23 May 2023 08:24:30 +0100, MB <MB@nospam.net> wrote:

>A few years ago, a friend in the US told me they were getting cases of
>people using IR cameras to detect the heat from keys being pressed.

Simply solved by a randomising keeypad, easily done with a touch
screen. The keys are placed in a different pattern each time so the
same code doesn't result in the same smudge pattern.

Rod.

Am 23.05.23 um 08:33 schrieb Chris:
> nospam <nospam@nospam.invalid> wrote:
>> In article <u4gi91$28m45$2@dont-email.me>, Chris <ithinkiam@gmail.com>
>> wrote:
>>
>>>>> "Criminals are getting smarter at targeting victims to gain access to
>>>>> banking apps on mobile phones, a senior UK fraud officer has said.
>>>>
>>>> Its not that criminals get smarter - shoulder-surfing has been done for
>>>> decennia, trying to glean what someone enters on an ATM - but people are
>>>> getting stupider.
>>>
>>> Not sure it's that they're stupider, more that their stupidity has more
>>> significant consequence. At an ATM you'd lose £300 at most.
>>
>> that depends on the bank and status of the account holder.
>
> Not for most people in the UK. There are hard limits on almost all ATMs.
>
>> for some accounts, the limit is significantly higher.
>>
>> <https://www.cnet.com/personal-finance/banking/advice/atm-withdrawal-lim
>> its/>
>> Knowing which ATMs have the highest withdrawal limits is important
>> for successful cash withdrawals. Some banks, such as Morgan Stanley
>> and Citi have relatively high daily ATM withdrawal limits as high as
>> $5,000 per day. Depending on the account type, banks generally offer
>> various withdrawal limits.
>
> The OP is a UK story so the above is irrelevant.

Your comment is irrelevant to the topic.

Perhaps it would be even better to reduce the hard limit to £100 in the
United Kingdom and the whole of the Commonwealth ... *SCNR*

--
De gustibus non est disputandum

On 22/05/2023 21:04, R.Wieser wrote:
> Java,
>
>> "Criminals are getting smarter at targeting victims to gain access to
>> banking apps on mobile phones, a senior UK fraud officer has said.
> Its not that criminals get smarter - shoulder-surfing has been done for
> decennia, trying to glean what someone enters on an ATM - but people are
> getting stupider.
>
I was in Greece last year, the hand held Chip'n'Pin machines there
presented me with a 1 to 0 key pad, but it was randomised  (Virtual key
pad on a touch screen of course).

This was to reduce a shoulder surfer being able to observe your regular
PIN 'pattern'. It's a bit weird at first, but hey...

In article <u4hmms$2flbg$2@dont-email.me>, Chris <ithinkiam@gmail.com>
wrote:

> >
> >>>> "Criminals are getting smarter at targeting victims to gain access to
> >>>> banking apps on mobile phones, a senior UK fraud officer has said.
> >>>
> >>> Its not that criminals get smarter - shoulder-surfing has been done for
> >>> decennia, trying to glean what someone enters on an ATM - but people are
> >>> getting stupider.
> >>
> >> Not sure it's that they're stupider, more that their stupidity has more
> >> significant consequence. At an ATM you'd lose £300 at most.
> >
> > that depends on the bank and status of the account holder.
>
> Not for most people in the UK. There are hard limits on almost all ATMs.

as i said, it depends.

<https://www.thesun.co.uk/money/6659541/maximum-cash-withdraw-limit-uk-b
ank/>
There are tens of thousands of ATM machines across the UK which allow
people to withdraw cash.
....
At Lloyds and Halifax you can withdraw up to £500 a day.
....
[Barclays] Customers with personal current accounts can take out up
to £300 per day from an ATM, while Premier and Platinum accounts
can take out up to £1,000 per day.
....
If you have a [NatWest] Black account, the limit is £750 a day.
....
If you have a Santander Select Current Account, you can withdraw
£1,000 in a single day.
....
If you have HSBC Premier, it's £1,000.

> > for some accounts, the limit is significantly higher.
> >
> > <https://www.cnet.com/personal-finance/banking/advice/atm-withdrawal-lim
> > its/>
> > Knowing which ATMs have the highest withdrawal limits is important
> > for successful cash withdrawals. Some banks, such as Morgan Stanley
> > and Citi have relatively high daily ATM withdrawal limits as high as
> > $5,000 per day. Depending on the account type, banks generally offer
> > various withdrawal limits.
>
> The OP is a UK story so the above is irrelevant.

theft is not limited to any particular country or region.

nospam <nospam@nospam.invalid> wrote:
> In article <u4hmms$2flbg$2@dont-email.me>, Chris <ithinkiam@gmail.com>
> wrote:
>
>>>
>>>>>> "Criminals are getting smarter at targeting victims to gain access to
>>>>>> banking apps on mobile phones, a senior UK fraud officer has said.
>>>>>
>>>>> Its not that criminals get smarter - shoulder-surfing has been done for
>>>>> decennia, trying to glean what someone enters on an ATM - but people are
>>>>> getting stupider.
>>>>
>>>> Not sure it's that they're stupider, more that their stupidity has more
>>>> significant consequence. At an ATM you'd lose £300 at most.
>>>
>>> that depends on the bank and status of the account holder.
>>
>> Not for most people in the UK. There are hard limits on almost all ATMs.
>
> as i said, it depends.
>
> <https://www.thesun.co.uk/money/6659541/maximum-cash-withdraw-limit-uk-b
> ank/>
> There are tens of thousands of ATM machines across the UK which allow
> people to withdraw cash.
> ...
> At Lloyds and Halifax you can withdraw up to £500 a day.
> ...
> [Barclays] Customers with personal current accounts can take out up
> to £300 per day from an ATM, while Premier and Platinum accounts
> can take out up to £1,000 per day.
> ...
> If you have a [NatWest] Black account, the limit is £750 a day.
> ...
> If you have a Santander Select Current Account, you can withdraw
> £1,000 in a single day.
> ...
> If you have HSBC Premier, it's £1,000.

Not many people have those accounts (except lloyds and halifax) as they're
exclusive to people with salaries way above the median.

Still not £20,000

In article <u4j6ih$2m498$1@dont-email.me>, Chris <ithinkiam@gmail.com>
wrote:

> >>>> Not sure it's that they're stupider, more that their stupidity has more
> >>>> significant consequence. At an ATM you'd lose £300 at most.
> >>>
> >>> that depends on the bank and status of the account holder.
> >>
> >> Not for most people in the UK. There are hard limits on almost all ATMs.
> >
> > as i said, it depends.
> >
> > <https://www.thesun.co.uk/money/6659541/maximum-cash-withdraw-limit-uk-b
> > ank/>
> > There are tens of thousands of ATM machines across the UK which allow
> > people to withdraw cash.
> > ...
> > At Lloyds and Halifax you can withdraw up to £500 a day.
> > ...
> > [Barclays] Customers with personal current accounts can take out up
> > to £300 per day from an ATM, while Premier and Platinum accounts
> > can take out up to £1,000 per day.
> > ...
> > If you have a [NatWest] Black account, the limit is £750 a day.
> > ...
> > If you have a Santander Select Current Account, you can withdraw
> > £1,000 in a single day.
> > ...
> > If you have HSBC Premier, it's £1,000.
>
> Not many people have those accounts (except lloyds and halifax) as they're
> exclusive to people with salaries way above the median.

some do.

as i said, it depends on the bank and account holder status.

> Still not £20,000

it is if someone with multiple accounts, or by using something other
than an atm, such as venmo.

>
> I always wonder with these stories why do people have so much money in easy
> to access accounts.
>

So do I !!

Some time ago I read a report of a fraud trial at the Old Bailey where
it was revealed that the defendant was a personal assistant to some sort
of merchant banker / hedge fund manager bloke.

The "victim" (of his own gullibility) had given her access to his
current account, enabling the theft of nearly £2 million.

As if that wasnt bad enough, it apparently incuded one single
transaction of over £200,000

--
random signature text inserted here