Serial Thief Steals Thousands Using Cellphones (and Credit Cards) from Gym Locker Rooms (bbc.com)
Long-time Slashdot reader n3hat writes: The BBC reports that a thief has been emptying gym patrons' accounts by stealing their bank card and mobile phone, registering the account to the thief's own mobile, and emptying the victims' bank accounts. The thief works around 2-factor authentication by taking advantage of the victim's phone having been configured to show notifications on the lock screen, so the thief can view the 2FA credential even though they don't have the unlock code.
The article gives instructions on how to disable notifications on the lock screen, for both iPhone and Android.
Oh no that's horrible! (Score:2)
Was he stealing I2C or SPI?
Re: (Score:2)
Probably RS-232, always wondered why my phone has a DB-25 connector.
Re: (Score:3)
Wow, get a new phone man, the new ones have a DB-9 connector, as it should be.
Re:Oh no that's horrible! (Score:4, Informative)
Technically they're "DE-9" Connectors, but sure.
https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: Oh no that's horrible! (Score:3)
Re: Oh no that's horrible! (Score:2)
"He" is probably "She" (Score:4, Insightful)
"He" is probably "She". The thief has been operating in women's locker rooms, a man would struggle to pass the "what the hell are you doing in here?" test.
Re: "He" is probably "She" (Score:1)
Who here doesn't like settings? (Score:2)
I know I'm not the only one whose first action upon getting a new gadget or installing a new app is to immediately survey the settings. Consequently, I already came across the option to only display innocuous notifications on the Android lock screen.
Re: (Score:3)
Indeed. But that should have been the default all along. Vendors still do not care about user security.
Re: Who here doesn't like settings? (Score:2)
Re: (Score:2)
My bank has its own app and desktop application for this reason and you need to confirm anything on two independent devices and you need to log into the app and application. And they will block and call if anything triggers their anomaly detection, which works pretty well. They do not do SMS or email, nor does any other bank I know here. If somebody steals my smartphone and bank card, they can do exactly nothing with that. If somebody hacks my smartphone and the banking app and my PC and the banking applica
Re: (Score:2)
Note: My Fairphone 4 has these notifications off by default...
Re: (Score:2)
Re: (Score:2)
Shirley a lot of information is demanded by the app to validate the account holder? Stuff that isn't hanging around someone's purse/handbag?
Re: (Score:2)
(and don't call me Shirley)
Re: (Score:3)
Re: (Score:2)
I too scan the settings on new apps, but in this we are the minority.
Most people are unaware of, don't care about, or can't keep up with all these increasingly complex tools and services.
2FA is pointless (Score:2)
2FA is just a means of data collection by web sites, etc. You had an account, then you have to give them an e-mail address and/or a phone number. Then when they get hacked, all your information is out there. No thanks.
Re:2FA is pointless (Score:5, Informative)
Bullshit. 2FA makes sure that when your password is compromised, and you have, like an idiot, used it in several places, then not everything is open. 2FA also makes your weak-ass password quite a bit stronger. For people with good password practices, 2FA provides defense in depth.
Note that Text Messages are not considered 2FA for a while now by actual experts due to not only the problem mentioned in the story. Use at least an authenticator app.
Re: (Score:2)
I'm sure some services only support SMS messages because they want your phone number.
Then you have Steam, who only support their own app because they really want you to install that.
Re: (Score:2)
Yep. There are services I have not bought because they wanted my phone number with an entirely phony reason given.
Re: (Score:3)
Go and read TFA first. It's about YOUR BANK. Yea, I mean you could (maybe?) be doing banking without giving them an e-mail address and/or a phone number but it's kind of the wrong millennium for that. And really, you'd give your email to slashdot but freak out that if your bank gets hacked your email gets leaked?
Also it seems that even the "Slashdot reader" that put up the summary didn't really read the article, 2FA isn't even mentioned, it's more likely about PASSWORD RECOVERY which is "1FA" or maybe even le
Re: (Score:2)
Go and read TFA first. It's about YOUR BANK. Yea, I mean you could (maybe?) be doing banking without giving them an e-mail address and/or a phone number but it's kind of the wrong millennium for that. And really, you'd give your email to slashdot but freak out that if your bank gets hacked your email gets leaked?
Also it seems that even the "Slashdot reader" that put up the summary didn't really read the article, 2FA isn't even mentioned, it's more likely about PASSWORD RECOVERY which is "1FA" or maybe even less...
That was my thought. Something doesn't sound right about the article's method for gaining access that would allow transferring funds.
Perhaps the hack is to use the stolen phone and info from their wallet for account retrieval, which often involves getting an SMS code for password recovery. Barclays asks for the debit card info, plus name and birth date.
Re: (Score:1)
What phone displays the actual notification text on the Lock Screen?
Re: (Score:3)
Any phone if configured that way? Might be even the default on many. Keep in mind security is very often at odds with usability and unless there's a big scandal the usability wins. Also the "Lock Screen" predates mostly everything, starting with biometric sensors or even smartphones and was mostly used to just prevent butt dialing not as a security measure.
People are here gasping like beached fish about how it can be possible to glance a few words from an incoming SMS on a locked phone but in real l
Re: (Score:2)
The 2FA you're talking about is utter garbage, and should not ever be used in any application that requires actual security.
If a code is sent to you, it's broken by design. The way 2FA should work is that you are the only one with access to the code, and a password. So for example with the Google Auth app, or with several other (less used) open source alternatives that do not require you to give them any information, at all.
The fact that apparently the banks of the victims use SMS based 'authentication' is
Re: (Score:3)
The irony here is that if you used an RSA token as a second factor you would also be screwed. The contrast is the devices used in Sweden and other places which look like a small phone, have a camera to do challenge/response to QR codes, and have a PIN to unlock.
Re: 2FA is pointless (Score:2)
So use a FIDO2 token.
That is why Text Message/SMS is not 2FA anymore (Score:2)
Or at least it should not be, and security experts have been saying this for a few years now. Some of the usual incompetents (Microsoft, I am looking at you) still accept it, at least in the defaults. That needs to go away.
Re: (Score:3)
SMS was banned from 2FA by the EU Payment Services Directive 2nd revision (PSD2) in 2015 https://en.wikipedia.org/wiki/... [wikipedia.org] The final deadline was originally 14 Sept 2019, extended in some Member States to 31 Dec 2020. TFA is in the UK and since the UK exited the EU on 31 Jan 2020, they could avoid implementing the ban.
Re: (Score:3)
Basic security (Score:2)
Apple doesn't understand basic security either. It doesn't allow disabling of the camera from the Lock Screen...so anyone with access to your phone can put dick pics, child porn or whatever else they want to put in your phone.
It's a fucking LOCK screen. The only thing you should be able to do from it is unlock the phone.
Duh!!!!
Re: Basic security (Score:2)
Only if you want to disable the camera entirely.
Re: (Score:2)
Re: (Score:2)
Don't bring your banking phone to the gym .. (Score:2)
Re: (Score:2)
If having text notifications is a security risk, for instance because one lover will see notes from another lover, then turn it off. Notifications are eas
Re: (Score:2)
I activate the gas pump from my phone.
Where I live, you're not allowed to use a phone at a gas pump.
Re: (Score:2)
Re: (Score:2, Interesting)
That is the first thing you learn if you go to the gym often. Lock it up in the car is usually safer or don't bring it at all to the trip. An alternative is to bring a burner phone without all the banking information.
I wear cargo shorts to the gym, so I always have everything with me.
Wallet, phone, keys, water bottle, Ruger LCR, Leatherman tool, passport, nutrient bars.
Lately I've included hand sanitizer, gloves, and spare mask, but that's temporary, I hope.
Re: Don't bring your banking phone to the gym .. (Score:1)
Re: (Score:2)
Nice, now try swimming with that.
Interesting idea. I'm headed over there tomorrow, and I'll let you know how it turns out.
Seems like an opportunity (Score:3)
For both Apple and Google to add functionality to their respective mobile operating systems to detect 2FA messages and automatically exclude them from lock screen notifications. Maybe work with banks and other places to come up with a standard format for the messages to make them easier to detect. iOS already has some functionality like this, being able to pull the code from a text message and insert it into a text entry box, so all they need to do now is make it hide those messages from the lock screen.
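The detection the comment proposes, as an added illustration that is not the commenter's code or any vendor's implementation: classify an incoming SMS as carrying a one-time code (using an origin-bound "@host #code" line, similar to the WebOTP convention, plus a keyword heuristic) and hide its body from the lock-screen preview. The sample messages and the `lock_screen_preview` helper are constructed for this example.

```python
import re

# Constructed sample SMS bodies (not from the article or the thread).
SAMPLE_MESSAGES = [
    "Your verification code is 483920. Do not share it.",
    "@bank.example #271104 is your one-time passcode",  # origin-bound format
    "Lunch at 1pm? Bring the gym bag.",
]

# Origin-bound OTP line: "@<host> #<code>" (similar to the WebOTP convention).
_ORIGIN_BOUND = re.compile(r"^@(?P<host>[a-z0-9.-]+) #(?P<code>[A-Za-z0-9]{4,10})", re.M)
# Fallback heuristic: a 4-8 digit token in a message that talks about a code/PIN.
_KEYWORD = re.compile(r"(?:code|passcode|otp|pin|verification)", re.I)
_DIGITS = re.compile(r"(?<!\d)\d{4,8}(?!\d)")


def extract_otp(body):
    """Return the one-time code if the message looks like it carries one, else None."""
    m = _ORIGIN_BOUND.search(body)
    if m:
        return m.group("code")
    if _KEYWORD.search(body):
        d = _DIGITS.search(body)
        if d:
            return d.group(0)
    return None


def lock_screen_preview(body, sender="Unknown"):
    """Text safe to show while the device is locked: suppress the body when it carries a code."""
    if extract_otp(body) is None:
        return f"{sender}: {body}"
    return f"{sender}: one-time code received (unlock to view)"


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(lock_screen_preview(msg, "SMS"))
```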
Re:Seems like an opportunity (Score:4, Informative)
Why? The iPhone can display that a message came in, but won't display the message itself unless you unlock it. Since the iPhone uses FaceID, it will show the owner of the phone the contents of the message as soon as they glance at the screen, but anyone else looking at the phone will just see that a message came in but the contents won't be visible. That would already seem to solve the problem without having to recognize the message type.
Re: Seems like an opportunity (Score:2)
Re: (Score:2)
Except not everyone has a "modern" iPhone, such as one with FaceID. Plenty of people are still rocking a 6S or possibly even older.
Re: (Score:2)
So what? They can still be configured not to show the contents of the message- just the fact that the message came in.
Re: (Score:2)
For both Apple and Google to add functionality to their respective mobile operating systems to detect 2FA messages and automatically exclude them from lock screen notifications.
No thanks. 2FA is about something you have, not a second form of something you know. Here's a better one for you: WTF would credit card companies rely on sending a 2FA passcode and not be using a different form of authentication? 2x something you have is not the point of 2FA.
You can have my phone, my credit card, and I'll even hand it to you unlocked. If you try and spend online (which triggers 2FA) you'll also need to know my Verified by Visa password too.
Once again, country specific problems exist because co
Re: (Score:2)
Google actually does detect 2FA messages and offer to copy the code to the clipboard in one tap.
Android has an option to display "sensitive" notifications that will hide the content of 2FA messages. It's just that many people don't enable it.
Why can a physical card be used for online use? (Score:1)
Re: (Score:2)
an actual chipped card that requires a pin
I'm guessing that you are not in the USA. Because all the chipped credit cards I've seen here do not require PINs for purchases. Right up to the card's limit.
Some vendors may require a signature. But flip the card over, practice copying an unintelligible scrawl a few times and you're good to go.
Re: Why can a physical card be used for online use (Score:1)
Re: Why can a physical card be used for online use (Score:2)
signatures have been dead for a decade
Rare but not dead. It's up to the merchant to request one. And if charges are reversed, it's the merchant's loss. I've signed the occasional merchant copy recently. And there are a few merchants that request signed picture ID for charges. Most often in downtown Seattle, where the blue politics of prosecutorial indifference support the practice of lifting someone's wallet. Combined with the entitlement to run up credit cards so acquired to their limit. By people whom local politicians have imbued the right t
Who leaves their wallet and phone out? (Score:2)
Re: (Score:2)
Who leaves the wallet and phone lying around unprotected?
Been to a gym lately? All the car keys and cell phones left lying on unused benches. Supposedly to "reserve" that piece of equipment for their owner, who is across the room, using another piece of equipment. You don't have to break into lockers. Just walk through the weight room.
And then there's my pet peeve: People sitting on some equipment, texting (or posting shit on Slashdot). If you are not actually working out, get off the machine. Better yet, leave your damned phone in your car.
did they hack (locked) lockers at the gym to open (Score:2)
did they hack (locked) lockers at the gym to open them?
Re: (Score:1)
did they hack (locked) lockers at the gym to open them?
That's probably the easiest part.
In the gym I use, the lockers are the kind where you find an unlocked one, put your stuff in, close the door, and enter 4 digits which become your code to unlock. It's like those hotel safes. This is ripe for shoulder surfing and just plain guessing. Also, the gym has a master code (about 20 digits) to open lockers so there's the possibility of insider thefts.
Also, some people (technically speaking, includes women) leave their wallet/keys/phone in their gym bag on the bench whi
Re: (Score:2)
I live in a very safe area. Even so, I either have my important stuff with me, or it is in a locker (locked). Who leaves the wallet and phone lying around unprotected? Seems like a stupidity-tax.
If you actually read TFA you would see that these items are being stolen out of locked lockers. And the thief (thieves) are being assisted in this by the gyms (reasonably) not having security cameras in the locker rooms.
Re: (Score:2)
Security cameras in changing rooms in the UK are an absolutely massive no-no under any circumstances due to privacy rules. Even if everyone agreed to their use I guarantee you 100% the footage would end up somewhere dodgy within hours no matter what controls were in place.