Last weekend my son-in-law had his iPhone 13 snatched from his hand (a common occurrence in London) while being ever-so-slightly under the influence.
He was fairly quickly able to get his phone locked, though.
In the short space of time (approx. 15 minutes) the thief had managed to move £500 out of his account - thankfully they moved it to one of his other accounts (which he had also managed to lock through his bank).
Thankfully he didn't lose any money, but he did lose the phone.
So the question that has been puzzling us this week is 'how did the thief manage to move the money since he had neither the face nor the fingerprint?'
Would be grateful for any clues so that we can all be aware and make sure we don’t lose money.
I think the answer to that will lie with the banking app in question. Obviously, the thief had an unlocked phone and could thus open any apps. But if the banking app required any sort of authentication (password, PIN, Face ID), it would have prevented the problem.
Some banking apps offer limited functionality without 2FA: account balance view, that kind of thing. It may be that the app permitted transfers within personal accounts held by an individual.
Convenience and Security, opposite ends of a spectrum…
Sorry to hear that. I would agree with my fellow posters here. It would almost certainly require an app that provides for such banking transactions without authentication.
I can tell you that the app I use for my bank accounts, the app I use for my credit card, as well as the couple of apps I use to monitor my 401k accounts all require authentication (in my case Face ID) in order to launch or initiate transactions. Indeed, the Wallet app itself also requires Face ID authentication to make a bank transfer or initiate a payment (Apple Pay, Apple Cash).
Perhaps a lessons learned could be to set these apps up to require authentication, and if that is not possible, to stop using them and switch to an alternative (where available, of course).
If the phone were stolen while he was still using it, then there would have been no authentication needed to open his banking app while the current session was still active. If he had recently logged into the banking app and closed it without logging out, it's possible that it had not timed out and was available for the thief to make the transfer without any need to re-authenticate.
I make sure to explicitly log out of any app that is not purely informational when I move on to a new task.
Explicitly logging out is normally a good idea, but some apps have a stupid design whereby when you log out, they “forget” your activation of Face ID for the app and require you to use userid and password the next time you log in. For those apps, I try to remember to not log out. But then I lose out on the improved security I would have otherwise had. Harumpf.
All of my bank and credit card apps require authentication to open. I can use FaceID after logging in the first time. So the only risk is if I was using the banking app within the ten minute timeout they use to log me out and my phone is unlocked.
Well, yes, but: in some apps Face ID seems to work instantaneously (e.g. PayPal), but in some it can take minutes or never happens at all (the worst one, in my experience, is the Fidelity NetBenefits app; its Face ID usage is glacial like hell, or is it just a sluggish server response?).
The latter app has gone through at least half a dozen updates on my phone but this problem never got fixed, at least not on iOS (now at 17.5.1 on my iPhone 15 Pro). How can anybody rely on Face ID with apps like that? (Luckily I don't need it often, so I can live with it, but it's still mega-annoying.)
Behind the scenes, FaceID simply unlocks data (e.g. login credentials like passwords and tokens) stored in your keychain.
What an app does with that data afterward is out of Apple’s control. If it needs to access a server (as I’d expect for any kind of banking app), you’re going to be at the mercy of that server’s speed and reliability.
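To make the two points above concrete (a session that stays live after the phone is unlocked, and Face ID merely gating a keychain item that the app then uses against its server), here is an added example of how an iOS banking-style app can avoid the failure described in this thread. It is not code from any poster or from any real banking app; the keychain service and account names, the ten-minute idle window and the `SessionGuard` class are assumptions for illustration. The session token is stored behind `.biometryCurrentSet`, so iOS refuses to hand it to the app until the enrolled face or finger passes (and the item dies if biometrics are re-enrolled), the session locks the moment the app goes to the background, and anything that moves money re-prompts for biometrics every time, regardless of how fresh the session is.

```swift
import Foundation
import Security
import LocalAuthentication
#if canImport(UIKit)
import UIKit
#endif

// Assumed identifiers for this example; a real app would use its own.
private let keychainService = "com.example.bankingapp"
private let keychainAccount = "session-token"

// Store the API session token behind the device's biometry (Face ID / Touch ID).
// .biometryCurrentSet also invalidates the item if biometrics are re-enrolled,
// so a thief who adds their own face or finger still cannot read it.
func storeSessionToken(_ token: Data) -> OSStatus {
    var cfError: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        .biometryCurrentSet,
        &cfError) else { return errSecParam }

    let base: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: keychainService,
        kSecAttrAccount as String: keychainAccount,
    ]
    SecItemDelete(base as CFDictionary)            // replace any earlier token
    var add = base
    add[kSecAttrAccessControl as String] = access
    add[kSecValueData as String] = token
    return SecItemAdd(add as CFDictionary, nil)
}

// Reading the item is what triggers the Face ID prompt: iOS will not return the
// token until the enrolled user, not merely whoever holds the unlocked phone, passes.
// Passing an LAContext that has already been evaluated reuses that result instead of
// prompting a second time.
func readSessionToken(context: LAContext) -> Data? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: keychainService,
        kSecAttrAccount as String: keychainAccount,
        kSecReturnData as String: true,
        kSecUseAuthenticationContext as String: context,
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    return status == errSecSuccess ? (result as? Data) : nil
}

// In-memory session with an idle timeout (ten minutes, the figure quoted in the
// thread). Read-only screens may reuse a live session; anything that moves money
// goes through authorizeTransfer and re-prompts every time.
final class SessionGuard {
    private let idleTimeout: TimeInterval
    private var lastActivity: Date?
    private var cachedToken: Data?

    init(idleTimeout: TimeInterval = 10 * 60) {
        self.idleTimeout = idleTimeout
        #if canImport(UIKit)
        // Lock as soon as the app leaves the foreground, so a phone snatched
        // mid-session is not still logged in when the thief opens the app.
        NotificationCenter.default.addObserver(
            forName: UIApplication.didEnterBackgroundNotification,
            object: nil, queue: .main) { [weak self] _ in self?.lock() }
        #endif
    }

    func lock() { lastActivity = nil; cachedToken = nil }

    func isLive(now: Date = Date()) -> Bool {
        guard let last = lastActivity else { return false }
        return now.timeIntervalSince(last) < idleTimeout
    }

    // Balance-style reads: reuse the session if it has not idled out,
    // otherwise force a fresh Face ID read of the token.
    func tokenForReadOnlyRequest() -> Data? {
        if isLive(), let token = cachedToken { lastActivity = Date(); return token }
        let context = LAContext()
        context.localizedReason = "Unlock your account"
        guard let token = readSessionToken(context: context) else { return nil }
        cachedToken = token; lastActivity = Date()
        return token
    }

    // Money movement: step-up authentication on every call, regardless of session age.
    func authorizeTransfer(amountPence: Int, to payee: String,
                           completion: @escaping (Result<Data, Error>) -> Void) {
        let context = LAContext()
        let reason = String(format: "Confirm transfer of £%d.%02d to %@",
                            amountPence / 100, amountPence % 100, payee)
        context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                               localizedReason: reason) { ok, error in
            guard ok, let token = readSessionToken(context: context) else {
                completion(.failure(error ?? NSError(domain: "SessionGuard", code: -1)))
                return
            }
            completion(.success(token))
        }
    }
}
```

The design choice worth noting is that the server-side call for a transfer should only accept the token obtained inside `authorizeTransfer`, never one cached from a read-only screen; that is what removes the window in which an unlocked, still-logged-in phone can be used to move money without the owner's face or finger.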