Phone security if stolen

Author
Discussion

cashmax

Original Poster:

1,182 posts

246 months

Thursday 26th January 2023
With everything web based that needs to be secure using 2FA and various banking / investment apps on my phone, how safe are these if the phone is stolen? It seems to me that if someone has your phone, they have access to everything. What steps have folks taken to mitigate the risk of your phone being lost or stolen and getting into the hands of someone who has the wrong intentions?

I have SIM lock, biometric security etc, but is this enough?

2 sMoKiN bArReLs

30,497 posts

241 months

Thursday 26th January 2023
If it's an iPhone can't you also erase it remotely?

2 sMoKiN bArReLs

30,497 posts

241 months

Thursday 26th January 2023
Just hope they don't chop your finger off to open the phone biggrin

Narcisus

8,217 posts

286 months

Thursday 26th January 2023
The CIA have problems getting into iPhones so you should be ok

Narcisus

8,217 posts

286 months

Thursday 26th January 2023
2 sMoKiN bArReLs said:
Just hope they don't chop your finger off to open the phone biggrin
Haha !

QJumper

2,709 posts

32 months

Thursday 26th January 2023
2 sMoKiN bArReLs said:
Just hope they don't chop your finger off to open the phone biggrin
That's why you should use facial recognition.

You might not be able to point to the thief if you spot him, but at least he can't open your phone.

Brother D

3,915 posts

182 months

Thursday 26th January 2023
Was thinking about that the other day, if I was robbed at gunpoint. You have to give the PIN, so only a small amount of time to act.

I'd have to get my wife or brother to jump on a PC and do the find my phone and erase it from there, but the kids are quick so not sure how much damage they could already have done by then....

I wish there was an alternate password/pin that would wipe your phone after 2 minutes, and you could give them that while you make a hasty exit...

Brother D

3,915 posts

182 months

Thursday 26th January 2023
I guess if you know you are going to a rough area or travelling, you can always just take a spare phone with limited apps installed and just install them as and when needed

Dingu

4,205 posts

36 months

Thursday 26th January 2023
I think realistically anyone willing to use that level of violence is going to fancy a more certain payoff than hoping their target has something of value to exploit once the phone is accessed.

Especially since most things of actual value will require further info, it’s not like they can transfer thousands of pounds to a new account without further authentication

jfdi

1,125 posts

181 months

Thursday 26th January 2023
Just a guess, but I don't think the mugger swiping your phone from you on the street is the same guy trying to get your 2fa details to access your bank account. Now if they teamed up together, then you'd be right to be worried.

2 sMoKiN bArReLs

30,497 posts

241 months

Thursday 26th January 2023
Your bigger risk is a gun or knife attack...
...not for the phone but to force you to use a banking app to make a payment.

Craikeybaby

10,634 posts

231 months

Thursday 26th January 2023
On iPhone, 5 quick presses of the power button turn off FaceID/TouchID, so you need to enter a password next time. Depending on settings, it may also call the emergency services.

mattley

3,025 posts

228 months

Thursday 26th January 2023
Craikeybaby said:
On iPhone, 5 quick presses of the power button turn off FaceID/TouchID, so you need to enter a password next time. Depending on settings, it may also call the emergency services.
This is because if the police want you to unlock the phone using biometrics they can force you, but asking for a passcode you can invoke the Fifth.

USA Only ops.

2 sMoKiN bArReLs

30,497 posts

241 months

Friday 27th January 2023
Advice given by the BBC today is don’t have bank apps on your phone.

I don’t for the reason I stated above. Mind you, I spent 15 years working in security, and the stuff you see tends to make you paranoid.

HiAsAKite

2,407 posts

253 months

Friday 27th January 2023
If you are going to have banking apps on phone, turn off visible notifications when locked. I.e. so there is no preview of messages when the phone is locked.

I.e. so if someone messages you, there isn't a preview of the message on your phone.

This has been used to exploit SMS based password reset and authentication codes, allowing criminals to access people's accounts.

Clearly they need to steal the phone, and get sight of your bank details (e.g. stolen card) too.
https://www.google.com/amp/s/www.askaboutmoney.com...


So make sure message notification preview is hidden.

In the news today: https://www.bbc.co.uk/news/business-64240140 (unclear exactly what happened here)

There is also a vulnerability with Apple Pay and Visa cards on iPhone allowing people to fool the phone into thinking it is in "transport mode"* and thus take unauthorised and arbitrary NFC payments from Apple Pay loaded with a Visa card.

https://www.birmingham.ac.uk/news/2021/visa-and-ap...

I have seen this demonstrated with my own eyes to remove money from a locked phone.

Don't enable transport mode if you use Apple Pay loaded with a Visa card.

* Allows you to pay for travel (e.g. Underground on Transport for London) using NFC without unlocking your phone, or being prompted to authenticate.
Edited by HiAsAKite on Friday 27th January 07:48

bitchstewie

54,501 posts

216 months

Friday 27th January 2023
I don't think the issue is that the tech as people's ignorance of tech or choosing convenience over security.

I'm no expert but with an iPhone I'd be pretty comfortable nobody is going to get into it with either biometrics or a minimum 8 character complex PIN and some sensible settings around wiping after invalid attempts etc.

Don't know about modern Android.

HiAsAKite

2,407 posts

253 months

Friday 27th January 2023
bhstewie said:
I don't think the issue is that the tech as people's ignorance of tech or choosing convenience over security.

I'm no expert but with an iPhone I'd be pretty comfortable nobody is going to get into it with either biometrics or a minimum 8 character complex PIN and some sensible settings around wiping after invalid attempts etc.

Don't know about modern Android.
You'd think so, but then there's things like this: https://www.birmingham.ac.uk/news/2021/visa-and-ap...


Or other exploits that do not require criminals to unlock the phone if they can physically get to it.

Alickadoo

2,153 posts

29 months

Friday 27th January 2023
There was a prog on Channel 5 a couple of nights ago with Alexis Conran

https://www.channel5.com/show/phone-scams-don-t-ge...

Usual plenty-of-padding type programme, but not as bad as some.

Can someone explain to me. Why, if you have money stolen and it isn't your fault, why must it be the bank's fault?

bitchstewie

54,501 posts

216 months

Friday 27th January 2023
HiAsAKite said:
You'd think so, but then there's things like this: https://www.birmingham.ac.uk/news/2021/visa-and-ap...

Or other exploits that do not require criminals to unlock the phone if they can physically get to it.
Does that really pose a threat to the average person though?

It's a fair point but there are far more things that will bite me before I'm going to lose any sleep over that kind of thing as I think it's very much an edge case in terms of likelihood.

I wonder how many people have credit card details stored online (for example) in online retailers behind really crappy passwords linked to an email account with a really crappy password and no 2FA etc.

You get the idea smile

HiAsAKite

2,407 posts

253 months

Friday 27th January 2023
bhstewie said:
Does that really pose a threat to the average person though?

It's a fair point but there are far more things that will bite me before I'm going to lose any sleep over that kind of thing as I think it's very much an edge case in terms of likelihood.

I wonder how many people have credit card details stored online (for example) in online retailers behind really crappy passwords linked to an email account with a really crappy password and no 2FA etc.

You get the idea smile
Fair point

Right now, I think it's pretty theoretical (despite being demonstrated) and questionable whether it's actually been used "in the wild". One of the lead researchers stated this.

However the underlying issue is one convergence of services/MFA into single common devices and channels, and configuration combinations, despite being "theoretically secure", are exploitable.

E.g. use of phones as MFA channels via SMS and email, along with locked screen notifications.

User experience "features" allowing payment without authentication, which can be exploited to breach limits, or used where unintended...