Woeful Security On Financial Phone Apps Is Getting People Murdered
Longtime Slashdot reader theodp writes: Monday brought chilling news reports of the all-count trial convictions of three individuals for a conspiracy to rob and drug people outside of LGBTQ+ nightclubs in Manhattan's Hell's Kitchen neighborhood, which led to the deaths of two of their victims. The defendants were found guilty on all 24 counts, which included murder, robbery, burglary, and conspiracy. "As proven at trial," explained the Manhattan District Attorney's Office in a press release, "the defendants lurked outside of nightclubs to exploit intoxicated individuals. They would give them drugs, laced with fentanyl, to incapacitate their victims so they could take the victims' phones and drain their online financial accounts [including unauthorized charges and transfers using Cash App, Apple Cash, Apple Pay]." District Attorney Alvin L. Bragg, Jr. added, "My Office will continue to take every measure possible to protect New Yorkers from this type of criminal conduct. That includes ensuring accountability for those who commit this harm, while also working with financial companies to enhance security measures on their phone apps."
In 2024, D.A. Bragg called on financial companies to better protect consumers from fraud, including: adding a second and separate password for accessing the app on a smartphone as a default security option; imposing lower default limits on the monetary amount of total daily transfers; requiring wait times of up to a day and secondary verification for large monetary transactions; better monitoring of accounts for unusual transfer activities; and asking for confirmation when suspicious transactions occur. "No longer is the smartphone itself the most lucrative target for scammers and robbers -- it's the financial apps contained within," said Bragg as he released letters (PDF) sent to the companies that own Venmo, Zelle, and Cash App. "Thousands or even tens of thousands can be drained from financial accounts in a matter of seconds with just a few taps. Without additional protections, customers' financial and physical safety is being put at risk. I hope these companies accept our request to discuss commonsense solutions to deter scammers and protect New Yorkers' hard-earned money."
"Our cellphones aren't safe," warned the EFF's Cooper Quintin in a 2018 New York Times op-ed. "So why aren't we fixing them?" Any thoughts on what can and should be done with software, hardware, and procedures to stop "bank jackings"?
Simple. (Score:5, Insightful)
Sure. Don't carry around financial apps which can transfer thousands of dollars. Leave that to the PC at home.
Re:Simple. (Score:5, Interesting)
To me, the better solution is to treat financial apps differently from other apps. For example, have a "special folder" on the phone, and any app within that folder is subject to special rules.
If you don't want to use computers, how about a dedicated phone just for banking? I have a cheap Intel Celeron dedicated laptop just for banking and it's only turned on for banking then turned off again after doing updates when required. It's the only device I use for banking.
I know this breaks the picture of the magical technology dream that allows you to do everything and that most people will find it unpractical and inconvenient but anyway, I am just sharing what I do myself to feel safer.
Re: (Score:1)
I think it is a great approach. It is the one I am recommending for my wife (see post below, "I have a problem"). It's why I just upgraded my phone and our home computer, so as to give the devices I use for family financial the maximum possible lifespans once I'm dead.
However, most people are simply too lazy to implement any kind of good security hygiene. They're just too Pollyannaish in general. The same kind of people are typically under-insured or not insured for a great many hazards, drive around looki
Re: (Score:2)
I know this breaks the picture of the magical technology dream that allows you to do everything and that most people will find it unpractical and inconvenient...
Well, the best we can do is to educate people that there's really no such thing as magic. "Unpractical and inconvenient" is preferable to naive belief in a Phone Fairy which miraculously protects your accounts while simultaneously allowing virtually unfettered access to them anywhere and anytime.
Re: (Score:2)
Except it is not about trans people in particular. It is just that robbers found that these bar patrons, who may or may not be trans or gay would make good victims.
I don't know about Hell's Kitchen in particular but straight people sometimes go there too, gays tend to be good at partying, and many straight people with an open mind recognize this. Unfortunately, it also means lots of drugs and people wasted, making these places particularly attractive to these criminals.
Re:Trans hate instead you should have more (Score:4, Insightful)
The OP is just a troll with rsilvergun living rent free in his head. Admittedly, this copypasta probably did begin as a variation of something rsilvergun wrote at some point. Lately he's been blaming Trump's victory on culture war issues, which pretty much flies in the face of the actual exit poll data (primary issues were inflation, the economy, and border security).
Sure, I'll admit that Trump's victory certainly has emboldened some of the people who already were bigots to begin with. That's what Hillary's infamous "basket of deplorables" remark was actually about, when taken in context. But the majority of the American public is not suddenly jumping on board the hate and discrimination train just because Trump is president again. I should know, I'm a gay guy living in the middle of MAGA ground zero: Florida. If people truly were becoming more homophobic, I'd have experienced it firsthand.
Re: (Score:3)
Oh, it can get bad for us LGBTQ+ folks with Republicans in charge. I'm not denying that. The issue though is that being collectively okay with throwing us under the bus and being actively bigoted/homophobic are two different things. Americans are just an individualistic bunch, and we all are guilty of it to some degree.
Re: Trans hate instead you should have more (Score:2)
Re: (Score:2)
Or...just spitballing here...maybe we shouldn't be hanging out with stupid people in stupid places at stupid times?
Creating a whole system based on the high risk of going to a club, getting wasted, then taking drugs from a random stranger as you go home, seems like demanding that celibate people use condoms when masturbating because people having unprotected sex might get STDs.
If anything, add a "I'm going out drinking late at night and taking drugs from strangers" button on financial apps, to freeze them from
Re: (Score:2)
If anything, add a "I'm going out drinking late at night and taking drugs from strangers" button on financial apps, to freeze them from working for 48 hours.
Now THAT seems like a really good idea! If I used my phone to pay for stuff and to access my accounts, I would activate that feature in a heartbeat - and I don't even do high-risk stuff like that mentioned in TFA.
Re: (Score:1)
Thanks for letting me know your important shit is at home and not on your person!
Re: (Score:2)
>Any thoughts on what can and should be done with software, hardware, and procedures to stop "bank jackings"?
Sure. Don't carry around financial apps which can transfer thousands of dollars. Leave that to the PC at home.
You sound like you just woke up from 1995. Do you seriously think there are many people these days who have a computer at home?
Re: (Score:2)
Re: (Score:2)
In one respect you are correct: Security means putting it under lock and key. Now that phones have stopped providing that service, users should not have such applets on their phone.
The phone OS makers recognize they've dumbed-down security: Now, the high-end models offer secure storage that can hold applets and data, not merely photos and voice recordings. For 10 years, third-party applets on Google Play have provided the same security. Once again, the user failed to learn good habits.
You are also
Yep (Score:2)
I can count the number of times I've needed to do an unexpected cash transfer when I'm not near home on a veteran meatpacker's hand. Even if it weren't a risk, it simply isn't a capability I need.
The phone that leaves the house also gets its own email address, which isn't used for anything important, and I set an MDM profile to ensure iCloud doesn't start exfiltrating things randomly and a few other thin
Re: (Score:3)
This problem does not affect banking apps, *all* of which require you to log in to use them. It's just these personal payment apps that have lax security.
Google Wallet has the same problem, you can't set it to require a PIN or password to authorize a payment. If your phone is unlocked, you can pay for things, no more questions asked. Nope, not doing that!
Re: (Score:2)
that's good advice in general but won't help in this case. how would the attackers know? they might have beaten you to a pulp already before even reaching for that phone, just because you look like you're carrying a juicy phone and are an easy target.
the defendants lurked outside of nightclubs to exploit intoxicated individuals
just don't hang around risky places in such a sorry state. learn to do drugs.
Re: (Score:2)
There's two solutions that come to mind.
1. Require two simultaneous inputs any time an unfamiliar store is used. Eg Apple Pay at a new merchant over $50 requires you to insert the chip + PIN card first. The last 50 dollars is run through Apple Pay and the rest on the chip card. Merchants won't like this because it results in paying two sets of fees.
2. For P2P (Cashapp/Venmo/PayPal/Zelle/Wise/Xe etc) require establishing trust by
a) physically meeting and exchanging long tokens by NFC (not QR) which confirms
of course (Score:1, Flamebait)
Re: (Score:1)
We know what news you watch. Meanwhile crime in NYC is below the national average (for 2022 at least) https://en.wikipedia.org/wiki/... [wikipedia.org]
Houston has 19 murders per 100,000 people for comparison.
Re: (Score:2)
This is what they mean by that expression "there are lies, damned lies, and statistics". Other places may have more crime, but they don't have criminals going all Jeffrey Dahmer to commit robbery.
If you don't have a lot of crime but the crime you do have is seriously messed up, you still have a problem.
Re: (Score:2)
Re: (Score:2)
Ah yes, that expression made up by people who are annoyed when reality harshes their narrative.
Are you comparing a couple guys who drugged people to steal their money and accidentally ODed a couple to a guy who ate his victims?
Re: (Score:2)
Are you comparing a couple guys who drugged people to steal their money and accidentally ODed a couple to a guy who ate his victims?
Other than the motive being one of profit rather than psychopathic behavior, the crimes otherwise had a lot of similarities. I'd even go as far as to suggest that recent renewed interest in Dahmer's crimes (gee, thanks Netflix) might've provided some inspiration to the Hell's Kitchen criminals.
Make banks responsible (Score:3)
Make banks responsible for financial transactions done on their apps by victims of criminals. If the person can prove they were robbed, kidnapped, mugged, intoxicated, or whatever, the bank is obliged to cover the stolen funds so the victim loses nothing.
Once such a law goes into effect, you'll see banks RUSHING to make their apps as secure as possible. Let them figure out the details, as I'm sure they'll be way more creative than whatever criminals can think of.
Re: (Score:2)
Which is the same as saying "make all the other customers share the responsibility", so those in relatively crime free communities subsidize those in high crime ones.
Re: (Score:2)
Which is the same as saying "make all the other customers share the responsibility"
AKA insurance, one of the neatest features of civilization.
Re: (Score:1)
Or maybe they could stop going to clubs late at night in bad areas and taking drugs from strangers in the alleyway.
Re:Make banks responsible (Score:4, Interesting)
Making party A accountable for the actions of Party B is an absolutely horrible idea.
Nah, what I described works quite fine in my country. Such insurance is legally imposed upon banks, so their apps are extraordinarily secure compared to the crap US banks distribute to their customers. And if customers here want extra protection over the legally imposed, banks sell insurance for as low as $1.49/month with, for example, 72 hours to report robbery, rather than the legally required 24 hours.
For the record, my country has much higher crime rates than the US. And banks are HUGELY profitable despite all the "horribleness" of the idea.
Re: (Score:2)
Heh, weak trolling. :-)
Re: (Score:2)
We do. They're almost completely forbidden here. Our one handgun factory sells mostly to other countries, not internally.
Re: (Score:2)
These aren't bank apps. Bank apps require you to log in to use them. These are non-bank payment apps, like Apple Pay and Cash App. Big difference.
What in the actual fuck? (Score:4, Insightful)
"Woeful security" on apps is not getting people killed. People are getting killed because that area clearly has a crime problem that isn't being properly addressed. Even the best security can be defeated by the $5 wrench attack [xkcd.com].
When you think about it, most locks for houses are pretty insecure too. The majority of them can be easily opened with a bump key. Course, here in Florida you can legally be shot for doing that (and even us liberals have guns here), so that's the real deterrent.
Re: What in the actual fuck? (Score:2)
Security is inconvenient (Score:3)
If I make a more secure app people will use my competitors. My app could even be easier to use but if it doesn't follow the user flow they are used to they won't use it.
I would recommend banking from home but my bank has a $2000 transfer limit on the web app and a $15000 limit on the phone app. My rent is $2500, guess which I have to use.
People are dumb. Regulations will likely make it worse as people will all use similar workarounds to make their lives easier.
On iPhone? If feeling uneasy tap power 5x (Score:2)
On iPhone, if you half-suspect you're 1) about to be arrested or 2) about to be mugged, tap the side button 5 times, or nail and hold the power and volume together.
Do that, and the phone won't open unless passcode is given.
Do people actually walk around with their guard completely down?!
(yes, yes they do. No situational awareness at all.)
Re: (Score:3)
Tried the five button presses just to see what would happen. It activated my accessibility shortcut (I use it for dimming the screen below the normal minimum brightness level) and then brought up my wallet. Must be a feature they added to a later version of iOS.
Good thing I don't regularly get arrested or mugged.
Re: (Score:2)
This doesn't sound like a hate crime, but rather "picking the low hanging fruit". Look for the most vulnerable, and rate which is the most profitable to attack.
Re: (Score:2)
Look for the most vulnerable, and rate which is the most profitable to attack.
Which is why I wholeheartedly support the "arm the gays" movement.
Re: (Score:2)
They were looking for people coming out of nightclubs and drunk enough to take drugs from strangers. Being armed wouldn't have helped.
The first step is not blaming the apps (Score:2)
Re: (Score:2)
The point is, the apps should not *allow* you to make a payment without a password. Real bank apps already do this.
Your argument is like saying that if a woman wears a bikini to a bar, it's her own fault if she gets raped. Well maybe it's not so smart, but rape is still a crime committed by the rapist.
Re: (Score:2)
"Real bank apps" do in fact have options to allow transfers, payments, etc. without additional authentication. They're there because, as bad an idea as they are, users have demanded ways to avoid having to enter credentials (even biometrics) every time they want to pay someone. Those of us who understand security have been saying over and over that this is a bad idea because if you can do something without needing to authenticate first then anyone who has your phone can do it too. And users still enable tho
Re: (Score:2)
If he uses your finger prints or holds your head to make a facial scan, it is not a thief but a robber.
Significant difference.
Re: (Score:2)
Wait! What? (Score:3)
They would give them drugs, laced with fentanyl, to incapacitate their victims
People just accept drugs from strangers? This sort of blows the whole claim that the pro-drug people have to leave distribution channels alone. Because that is what gets addicts killed. Taking unknown mixtures of who knows what from people that they have no trust relationship with.
So much for listening to junkies.
Nope (Score:2)
Adding an extra password, pin number, etc will not have any effect on this. Thumbprint....whatever.
The bad men got people high in order to do the modern, and significantly longer, version of snatch and grab mugging. If you make it harder to log in to each app...all you're really going to do is force these twats to be rougher with their victims while they molest them to get the pin/face/eyeball/thumb/finger/number/password/pattern/textauthenticator. The person getting victimized is still sitting there. T
Thousands? Maybe (Score:2)
Tens of thousands? That should be triggering an alert at the bank, requiring the customer to call them to authorise the transfers.
At least that's how my bank works. They have daily transfer limits.
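The controls D.A. Bragg asks for in the story summary (a separate app passcode, a daily transfer limit, a hold and secondary verification for large transfers, confirmation of unusual transfers), together with the owner-set 48-hour freeze and the bank daily limits suggested in the comments, sketched as a server-side policy check. This is an added example, not code from the post or from any payment provider; the thresholds, names and sample transfers are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Assumed thresholds for illustration only, not any provider's real limits.
DAILY_LIMIT = 500_00             # cents allowed per rolling 24 hours
LARGE_TRANSFER = 200_00          # cents; at or above this a transfer is held
HOLD = timedelta(hours=24)       # "wait times of up to a day"
DAY = timedelta(hours=24)

@dataclass
class Account:
    known_payees: set = field(default_factory=set)
    history: list = field(default_factory=list)   # (time, cents) of accepted transfers
    frozen_until: Optional[datetime] = None       # owner-set freeze

    def freeze(self, now, hours=48):
        """Owner blocks all transfers for a fixed period, e.g. before a night out."""
        self.frozen_until = now + timedelta(hours=hours)

def decide(acct, payee, cents, now, app_passcode_ok, second_factor_ok=False):
    """Return (decision, reason); decision is DENY, STEP_UP, HOLD or ALLOW."""
    if acct.frozen_until and now < acct.frozen_until:
        return "DENY", "account frozen by owner"
    # The app passcode is separate from the device unlock, so an unlocked
    # phone alone is not enough to move money.
    if not app_passcode_ok:
        return "DENY", "app passcode required"
    spent = sum(c for t, c in acct.history if now - t < DAY)
    if spent + cents > DAILY_LIMIT:
        return "DENY", "daily transfer limit exceeded"
    unusual = payee not in acct.known_payees or cents >= LARGE_TRANSFER
    if unusual and not second_factor_ok:
        return "STEP_UP", "secondary verification required"
    acct.history.append((now, cents))   # held transfers count toward the limit
    if cents >= LARGE_TRANSFER:
        return "HOLD", f"released at {now + HOLD:%Y-%m-%d %H:%M}"
    acct.known_payees.add(payee)
    return "ALLOW", "within limits"

def replay():
    """Constructed sequence: one normal payment, then attempts from a taken phone."""
    t0 = datetime(2025, 1, 1, 2, 0)
    acct = Account(known_payees={"roommate"})
    m = lambda n: t0 + timedelta(minutes=n)
    out = [
        decide(acct, "roommate", 40_00, m(0), True),
        decide(acct, "stranger", 100_00, m(5), False),
        decide(acct, "stranger", 100_00, m(6), True),
        decide(acct, "stranger", 300_00, m(7), True, second_factor_ok=True),
        decide(acct, "stranger", 200_00, m(8), True, second_factor_ok=True),
    ]
    acct.freeze(m(9))
    out.append(decide(acct, "roommate", 10_00, m(10), True))
    return [d for d, _ in out], acct

if __name__ == "__main__":
    print(replay()[0])
```

Even when the second factor is coerced, the hold and the daily limit cap what leaves the account before the owner can report the theft.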