Woeful Security On Financial Phone Apps Is Getting People Murdered
Longtime Slashdot reader theodp writes: Monday brought chilling news reports of the all-count trial convictions of three individuals for a conspiracy to rob and drug people outside of LGBTQ+ nightclubs in Manhattan's Hell's Kitchen neighborhood, which led to the deaths of two of their victims. The defendants were found guilty on all 24 counts, which included murder, robbery, burglary, and conspiracy. "As proven at trial," explained the Manhattan District Attorney's Office in a press release, "the defendants lurked outside of nightclubs to exploit intoxicated individuals. They would give them drugs, laced with fentanyl, to incapacitate their victims so they could take the victims' phones and drain their online financial accounts [including unauthorized charges and transfers using Cash App, Apple Cash, Apple Pay]." District Attorney Alvin L. Bragg, Jr. added, "My Office will continue to take every measure possible to protect New Yorkers from this type of criminal conduct. That includes ensuring accountability for those who commit this harm, while also working with financial companies to enhance security measures on their phone apps."
In 2024, D.A. Bragg called on financial companies to better protect consumers from fraud, including: adding a second and separate password for accessing the app on a smartphone as a default security option; imposing lower default limits on the monetary amount of total daily transfers; requiring wait times of up to a day and secondary verification for large monetary transactions; better monitoring of accounts for unusual transfer activities; and asking for confirmation when suspicious transactions occur. "No longer is the smartphone itself the most lucrative target for scammers and robbers -- it's the financial apps contained within," said Bragg as he released letters (PDF) sent to the companies that own Venmo, Zelle, and Cash App. "Thousands or even tens of thousands can be drained from financial accounts in a matter of seconds with just a few taps. Without additional protections, customers' financial and physical safety is being put at risk. I hope these companies accept our request to discuss commonsense solutions to deter scammers and protect New Yorkers' hard-earned money."
"Our cellphones aren't safe," warned the EFF's Cooper Quintin in a 2018 New York Times op-ed. "So why aren't we fixing them?" Any thoughts on what can and should be done with software, hardware, and procedures to stop "bank jackings"?
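The measures the D.A. asked for (a separate app password, a low default daily cap, a hold plus secondary verification on large transfers, monitoring for unusual activity and a confirmation prompt) are a policy that a payment app's server can enforce before any transfer executes. The following is an added illustration of such a policy, not code from Cash App, Venmo, Zelle, Apple or the D.A.'s letters; every threshold, payee name and ledger entry in it is an assumed sample value, and the `demo()` scenario is constructed.

```python
"""Transfer-authorization policy sketch for a P2P payment app.

Added illustration, not code from Cash App, Venmo, Zelle, Apple or the
D.A.'s letters. It encodes the controls the story summary lists: a separate
app password (step-up re-authentication independent of the device unlock),
a low default cap on total daily transfers, a hold plus secondary
verification for large transfers, monitoring for unusual activity (new
payee, rapid succession, odd hours) and a confirmation prompt when something
looks off. Every threshold, name and ledger entry below is an assumed value.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set


@dataclass
class Policy:
    daily_limit: float = 2500.0                      # assumed default cap, rolling 24h
    large_threshold: float = 1000.0                  # at/above: hold + secondary verification
    hold: timedelta = timedelta(hours=24)            # "wait times of up to a day"
    reauth_window: timedelta = timedelta(minutes=5)  # app password must be this fresh
    burst_count: int = 3                             # transfers inside burst_window -> unusual
    burst_window: timedelta = timedelta(minutes=10)
    quiet_hours: range = range(1, 5)                 # 01:00-04:59 local counts as unusual


@dataclass
class Transfer:
    amount: float
    payee: str
    at: datetime


@dataclass
class Account:
    known_payees: Set[str]
    history: List[Transfer]                   # completed transfers
    last_app_auth: Optional[datetime] = None  # when the separate app password was last entered


@dataclass
class Decision:
    action: str                               # allow | confirm | hold | deny
    reasons: List[str] = field(default_factory=list)
    release_at: Optional[datetime] = None     # earliest execution time for a held transfer


def recent(account: Account, now: datetime, window: timedelta) -> List[Transfer]:
    """Completed transfers that fall inside the window ending at `now`."""
    return [t for t in account.history if now - t.at < window]


def evaluate(policy: Policy, account: Account, req: Transfer) -> Decision:
    # 1. Separate app password: an unlocked phone alone must not move money.
    if account.last_app_auth is None or req.at - account.last_app_auth > policy.reauth_window:
        return Decision("deny", ["app password required"])

    # 2. Daily cap applies to the running 24h total, not to each transfer in isolation,
    #    so a drain split into many small taps still hits the ceiling.
    sent_today = sum(t.amount for t in recent(account, req.at, timedelta(hours=24)))
    if sent_today + req.amount > policy.daily_limit:
        return Decision("deny", ["daily transfer limit exceeded"])

    # 3. Large transfer: queue it and require secondary verification before release.
    if req.amount >= policy.large_threshold:
        return Decision("hold", ["large transfer needs secondary verification"],
                        release_at=req.at + policy.hold)

    # 4. Monitoring: anything unusual gets an out-of-band confirmation prompt.
    reasons = []
    if req.payee not in account.known_payees:
        reasons.append("new payee")
    if len(recent(account, req.at, policy.burst_window)) + 1 >= policy.burst_count:
        reasons.append("rapid succession of transfers")
    if req.at.hour in policy.quiet_hours:
        reasons.append("unusual hour")
    return Decision("confirm", reasons) if reasons else Decision("allow")


def demo() -> dict:
    """Run the policy over a constructed account and return each decision by name."""
    policy = Policy()
    noon = datetime(2025, 2, 24, 12, 0)
    three_am = datetime(2025, 2, 24, 3, 0)
    acct = Account(known_payees={"alice"},
                   history=[Transfer(300.0, "alice", noon - timedelta(hours=2))],
                   last_app_auth=noon - timedelta(minutes=1))
    stale = Account(known_payees={"alice"}, history=[],
                    last_app_auth=noon - timedelta(hours=1))
    burst = Account(known_payees={"bob"},
                    history=[Transfer(50.0, "bob", three_am - timedelta(minutes=m)) for m in (2, 4)],
                    last_app_auth=three_am)
    return {
        "known_payee": evaluate(policy, acct, Transfer(200.0, "alice", noon)),
        "new_payee":   evaluate(policy, acct, Transfer(200.0, "carol", noon)),
        "large":       evaluate(policy, acct, Transfer(1500.0, "alice", noon)),
        "over_daily":  evaluate(policy, acct, Transfer(2300.0, "alice", noon)),
        "no_app_auth": evaluate(policy, stale, Transfer(20.0, "alice", noon)),
        "late_burst":  evaluate(policy, burst, Transfer(50.0, "bob", three_am)),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:12s} -> {decision.action:8s} {decision.reasons}")
```

The ordering matters: the app-password check comes first so that a phone taken while unlocked yields nothing, and the daily cap is computed over the rolling total so that many small transfers cannot route around it. A real deployment would persist the ledger server-side and deliver the "confirm" and "hold" outcomes through a channel the phone in the robber's hand cannot answer on its own.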
Simple. (Score:5, Insightful)
Sure. Don't carry around financial apps which can transfer thousands of dollars. Leave that to the PC at home.
Re:Simple. (Score:5, Interesting)
To me, the better solution is to treat financial apps differently from other apps. For example, have a "special folder" on the phone, and any app within that folder is subject to special rules.
If you don't want to use computers, what about a dedicated phone just for banking? I have a cheap Intel Celeron laptop dedicated just to banking, and it's only turned on for banking, then turned off again after doing updates when required. It's the only device I use for banking.
I know this breaks the picture of the magical technology dream that allows you to do everything, and that most people will find it impractical and inconvenient, but anyway, I am just sharing what I do myself to feel safer.
Re: (Score:1)
I think it is a great approach. It is the one I am recommending for my wife (see post below, "I have a problem"). It's why I just upgraded my phone and our home computer, so as to give the devices I use for family finances the maximum possible lifespans once I'm dead.
However, most people are simply too lazy to implement any kind of good security hygiene. They're just too Pollyannaish in general. The same kind of people are typically under-insured or not insured for a great many hazards, drive around looki
Re: (Score:2)
I know this breaks the picture of the magical technology dream that allows you to do everything and that most people will find it impractical and inconvenient...
Well, the best we can do is to educate people that there's really no such thing as magic. "Unpractical and inconvenient" is preferable to naive belief in a Phone Fairy which miraculously protects your accounts while simultaneously allowing virtually unfettered access to them anywhere and anytime.
Re: (Score:2)
Second, a password for the folder that, if entered, does something to prevent access. For example, delete the contents of the folder, locks access until a second password is entered later, locks access for some long period of time, like a week or month, and so forth.
So what you're saying is you want to turn phone robberies into kidnappings where you get tortured if you enter the duress password?
Re: (Score:2)
Extra passwords add a lot of inconvenience, especially for quick payment apps - although you could have exceptions for small transactions.
But the fact is if you're willing to go to the extent of drugging and murdering someone to get access to their accounts, the extra step of beating them with a 5$ wrench until they hand over the password is not much of a stretch.
After all, what use is having money if you're dead? The threat of murder would be enough to convince most people to hand everything over.
Re: (Score:2)
Except it is not about trans people in particular. It is just that robbers found that these bar patrons, who may or may not be trans or gay would make good victims.
I don't know about Hell's Kitchen in particular, but straight people sometimes go there too; gays tend to be good at partying, and many straight people with an open mind recognize this. Unfortunately, it also means lots of drugs and people wasted, making these places particularly attractive to these criminals.
Re:Trans hate instead you should have more (Score:4, Insightful)
The OP is just a troll with rsilvergun living rent free in his head. Admittedly, this copypasta probably did begin as a variation of something rsilvergun wrote at some point. Lately he's been blaming Trump's victory on culture war issues, which pretty much flies in the face of the actual exit poll data (primary issues were inflation, the economy, and border security).
Sure, I'll admit that Trump's victory certainly has emboldened some of the people who already were bigots to begin with. That's what Hillary's infamous "basket of deplorables" remark was actually about, when taken in context. But the majority of the American public is not suddenly jumping on board the hate and discrimination train just because Trump is president again. I should know, I'm a gay guy living in the middle of MAGA ground zero: Florida. If people truly were becoming more homophobic, I'd have experienced it firsthand.
Re: (Score:3)
Oh, it can get bad for us LGBTQ+ folks with Republicans in charge. I'm not denying that. The issue though is that being collectively okay with throwing us under the bus and being actively bigoted/homophobic are two different things. Americans are just an individualistic bunch, and we all are guilty of it to some degree.
Re: Trans hate instead you should have more (Score:2)
Re: (Score:2)
Or...just spitballing here...maybe we shouldn't be hanging out with stupid people in stupid places at stupid times?
Creating a whole system based on the high risk of going to a club, getting wasted, then taking drugs from a random stranger as you go home, seems like demanding that celibate people use condoms when masturbating because people having unprotected sex might get STDs.
If anything, add a "I'm going out drinking late at night and taking drugs from strangers" button on financial apps, to freeze them from
Re: (Score:2)
If anything, add a "I'm going out drinking late at night and taking drugs from strangers" button on financial apps, to freeze them from working for 48 hours.
Now THAT seems like a really good idea! If I used my phone to pay for stuff and to access my accounts, I would activate that feature in a heartbeat - and I don't even do high-risk stuff like that mentioned in TFA.
Re: (Score:1)
>Any thoughts on what can and should be done with software, hardware, and procedures to stop "bank jackings"?
Sure. Don't carry around financial apps which can transfer thousands of dollars. Leave that to the PC at home.
You sound like you just woke up from 1995. Do you seriously think there are many people these days who have a computer at home?
Re: (Score:2)
In one respect you are correct: Security means putting it under lock and key. Now that phones have stopped providing that service, users should not have such applets on their phone.
The phone OS makers recognize they've dumbed-down security: Now, the high-end models offer secure storage that can hold applets and data, not merely photos and voice recordings. For 10 years, third-party applets on Google Play have provided the same security. Once again, the user failed to learn good habits.
You are also
Yep (Score:2)
I can count the number of times I've needed to do an unexpected cash transfer when I'm not near home on a veteran meatpacker's hand. Even if it weren't a risk, it simply isn't a capability I need.
The phone that leaves the house also gets its own email address, which isn't used for anything important, and I set an MDM profile to ensure Icloud doesn't start exfiltrating things randomly and a few other thin
Re: (Score:3)
This problem does not affect banking apps, *all* of which require you to log in to use them. It's just these personal payment apps that have lax security.
Google Wallet has the same problem, you can't set it to require a PIN or password to authorize a payment. If your phone is unlocked, you can pay for things, no more questions asked. Nope, not doing that!
Re: (Score:2)
that's good advice in general but won't help in this case. how would the attackers know? they might have beaten you to a pulp already before even reaching for that phone, just because you look like you're carrying a juicy phone and being an easy target.
the defendants lurked outside of nightclubs to exploit intoxicated individuals
just don't hang around risky places in such a sorry state. learn to do drugs.
Re: (Score:2)
There's two solutions that come to mind.
1. Require two simultaneous inputs any time an unfamiliar store is used. Eg Apple Pay at a new merchant over $50 requires you to insert the chip + PIN card first. The last 50 dollars is run through Apple Pay and the rest on the chip card. Merchants won't like this because it results in paying two sets of fees.
2. For P2P (Cashapp/Venmo/PayPal/Zelle/Wise/Xe etc) require establishing trust by
a) physically meeting and exchanging long tokens by NFC (not QR) which confirms
Re: (Score:2)
Sure. Don't carry around financial apps which can transfer thousands of dollars. Leave that to the PC at home.
That's called throwing the baby out with the bathwater. Why not try saying the word "password", or "2FA" or "transaction limit" instead.
I went to buy a car the other day, but the shopkeeper wouldn't give it to me. Apparently he didn't want to come to my house and didn't understand when I told him I don't carry my wallet so I can't get robbed.
Re: (Score:2)
This is a case of robbery and murder...
You will probably be carrying some form of ID which contains your home address, and likely to also be carrying the keys for accessing your home address. After murdering you, the criminals are free to take these things and visit your home address, enter using the key and take anything they find.
As an aside, having stripped your body of identifying material it will take the police longer to identify your corpse and discover your home address, so by the time they turn up
of course (Score:1, Flamebait)
Re: (Score:1)
We know what news you watch. Meanwhile crime in NYC is below the national average (for 2022 at least) https://en.wikipedia.org/wiki/... [wikipedia.org]
Houston has 19 murders per 100,000 people for comparison.
Re: (Score:2)
This is what they mean by that expression "there are lies, damned lies, and statistics". Other places may have more crime, but they don't have criminals going all Jeffrey Dahmer to commit robbery.
If you don't have a lot of crime but the crime you do have is seriously messed up, you still have a problem.
Re: (Score:2)
Ah yes, that expression made up by people who are annoyed when reality harshes their narrative.
Are you comparing a couple guys who drugged people to steal their money and accidentally ODed a couple to a guy who ate his victims?
Re: (Score:2)
Are you comparing a couple guys who drugged people to steal their money and accidentally ODed a couple to a guy who ate his victims?
Other than the motive being one of profit rather than psychopathic behavior, the crimes otherwise had a lot of similarities. I'd even go as far to suggest that recent renewed interest in Dahmer's crimes (gee, thanks Netflix) might've provided some inspiration to the Hell's Kitchen criminals.
Re: (Score:2)
You're committing Chesa Boudin Fraud. Just because you refuse to count them doesn't mean the crimes stop existing.
Make banks responsible (Score:4, Insightful)
Make banks responsible for financial transactions done on their apps by victims of criminals. If the person can prove they were robbed, kidnapped, mugged, intoxicated, or whatever, the bank is obliged to cover the stolen funds so the victim loses nothing.
Once such a law goes into effect, you'll see banks RUSHING to make their apps as secure as possible. Let them figure out the details, as I'm sure they'll be way more creative than whatever criminals can think of.
Re: (Score:2)
Which is the same as saying "make all the other customers share the responsibility", so those in relatively crime free communities subsidize those in high crime ones.
Re: (Score:2)
Which is the same as saying "make all the other customers share the responsibility"
AKA insurance, one of the neatest features of civilization.
Re: (Score:1)
No. They hate America for our power and wealth.
People who have never been free either long for that freedom and will do dangerous things to get freedom for themselves or in the case of our blindly hateful European friends are bitter about their dead empires and wish they were still the ones running the planet.
Literally no one hates us for our freedoms. But you can go on with that if you want. You do you.
Re: (Score:1)
Amusing. Saying people should be responsible and accountable for their actions is flame bait -1.
I don't walk in dark alleys in bad neighborhoods at night taking drugs from strangers. Why do they?
Jfc... smh.
Re:Make banks responsible (Score:5, Interesting)
Making party A accountable for the actions of Party B is an absolutely horrible idea.
Nah, what I described works quite fine in my country. Such insurance is legally imposed upon banks, so their apps are extraordinarily secure compared to the crap US banks distribute to their customers. And if customers here want extra protection over the legally imposed, banks sell insurance for as low as $1.49/month with, for example, 72 hours to report robbery, rather than the legally required 24 hours.
For the record, my country has much higher crime rates than the US. And banks are HUGELY profitable despite all the "horribleness" of the idea.
Re: (Score:2)
Heh, weak trolling. :-)
Re: (Score:2)
It's a horrible idea which is standard and works to make banking better in literally every other country OECD country than the USA.
It may be horrible, and I'm glad we have you to feel sorry for us, but we're doing just fine thanks. You can direct your concerns somewhere else.
Re: (Score:2)
We do. They're almost completely forbidden here. Our one handgun factory sells mostly to other countries, not internally.
Re: (Score:2)
These aren't bank apps. Bank apps require you to log in to use them. These are non-bank payment apps, like Apple Pay and Cash App. Big difference.
What in the actual fuck? (Score:4, Insightful)
"Woeful security" on apps is not getting people killed. People are getting killed because that area clearly has a crime problem that isn't being properly addressed. Even the best security can be defeated by the $5 wrench attack [xkcd.com].
When you think about it, most locks for houses are pretty insecure too. The majority of them can be easily opened with a bump key. Course, here in Florida you can legally be shot for doing that (and even us liberals have guns here), so that's the real deterrent.
Re: (Score:2)
Getting mugged at gunpoint near an ATM is possible and has happened in some crime-infested areas, as has pickpockets swapping credit cards at ATMs while secretly filming the PIN.
Re: (Score:2)
"Woeful security" on apps is not getting people killed. People are getting killed because that area clearly has a crime problem that isn't being properly addressed. Even the best security can be defeated by the $5 wrench attack [xkcd.com].
Except the $5 wrench isn't the goal. The goal is to rob people through drugging and weak security. The risk of that crime is fundamentally different for the people committing it than kidnapping someone and wrenching them to hand over their passwords. By the way the best wrench in the world can't beat a transaction limit.
Your comment is the same as those used in gun control debates - the idea that there is a perfect alternative in every way, and that one less gun means just one more stabbing, or one more bea
Security is inconvenient (Score:3)
If I make a more secure app people will use my competitors. My app could even be easier to use but if it doesn't follow the user flow they are used to they won't use it.
I would recommend banking from home, but my bank has a $2000 transfer limit on the web app and a $15000 limit on the phone app. My rent is $2500; guess which I have to use.
People are dumb. Regulations will likely make it worse as people will all use similar work arounds to make their lives easier.
On iphone? If feeling uneasy tap power 5x (Score:2)
On iphone, if you half-suspect you're 1) about to be arrested or 2) about to be mugged, tap the side button 5 times, or nail and hold the power and volume together.
Do that, and the phone won't open unless the passcode is given.
Do people actually walk around with their guard completely down?!
(yes, yes they do. No situational awareness at all.)
Re: (Score:3)
Tried the five button presses just to see what would happen. It activated my accessibility shortcut (I use it for dimming the screen below the normal minimum brightness level) and then brought up my wallet. Must be a feature they added to a later version of iOS.
Good thing I don't regularly get arrested or mugged.
Re: (Score:2)
In the nicest possible way, no technical measure can account for a human making a very bad decision.
Which is why draining a retirement account shouldn't be just behind a technical measure but require a lot of very explicit authorisation. Not wanting her to have the financial apps is basically identical to just not wanting her to have a card or access to the account because you don't trust her. Whether that's justified or not, it's not something that anyone else can do anything about, and it's not related
Re: (Score:2)
This doesn't sound like a hate crime, but rather "picking the low hanging fruit". Look for the most vulnerable, and rate which is the most profitable to attack.
Re: (Score:2)
Look for the most vulnerable, and rate which is the most profitable to attack.
Which is why I wholeheartedly support the "arm the gays" movement.
Re: (Score:2)
They were looking for people coming out of nightclubs and drunk enough to take drugs from strangers. Being armed wouldn't have helped.
Re: (Score:2)
So you're saying getting drunk and then taking unknown drugs from complete strangers in high crime areas is so inherently tied to being gay that criminals targeting those people is a hate crime against gays?
Wow that's pretty bigoted of you.
The first step is not blaming the apps (Score:2)
Re: (Score:2)
The point is, the apps should not *allow* you to make a payment without a password. Real bank apps already do this.
Your argument is like saying that if a woman wears a bikini to a bar, it's her own fault if she gets raped. Well maybe it's not so smart, but rape is still a crime committed by the rapist.
Re: (Score:2)
"Real bank apps" do in fact have options to allow transfers, payments, etc. without additional authentication. They're there because, as bad an idea as they are, users have demanded ways to avoid having to enter credentials (even biometrics) every time they want to pay someone. Those of us who understand security have been saying over and over that this is a bad idea because if you can do something without needing to authenticate first then anyone who has your phone can do it too. And users still enable tho
Re: (Score:2)
If he uses your fingerprints or holds your head to make a facial scan, it is not a thief but a robber.
Significant difference.
Wait! What? (Score:2, Insightful)
They would give them drugs, laced with fentanyl, to incapacitate their victims
People just accept drugs from strangers? This sort of blows the whole claim that the pro-drug people have to leave distribution channels alone. Because that is what gets addicts killed. Taking unknown mixtures of who knows what from people that they have no trust relationship with.
So much for listening to junkies.
Re: (Score:2)
People just accept drugs from strangers?
Yes. Wait where did you think people got drugs from? Do you think they get IDs and do background checks on their dealers? Do you think there is a certification body for drug dealers? Of course most drugs come from strangers.
Way to go telling the world you've never gone to a music festival before.
Nope (Score:2)
Adding an extra password, PIN, etc. will not have any effect on this. Thumbprint....whatever.
The bad men got people high in order to do the modern, and significantly longer, version of snatch and grab mugging. If you make it harder to log in to each app...all you're really going to do is force these twats to be rougher with their victims while they molest them to get the pin/face/eyeball/thumb/finger/number/password/pattern/textauthenticator. The person getting victimized is still sitting there. T
Thousands? Maybe (Score:2)
Tens of thousands? That should be triggering an alert at the bank, requiring the customer to call them to authorise the transfers.
At least that's how my bank works. They have daily transfer limits.
There's no need for any of this (Score:3)
I've never felt a need to create any link whatsoever between my cell phone and my financial resources. Over the years, I've watched banks where I have accounts pushing to change the rules in ways that would make customers responsible for any losses that may occur from their accounts, no matter how they happen. So far, they've had only limited success, but they just don't stop trying. I have little doubt they'll get what they're after sooner or later.
Given the inevitable outcome, I have decided I have no compelling need to change my current arrangement. If I want to bank, I'll do it in person or on-line, from a PC far more secure than my cell phone could ever be.
Re: (Score:2)
I bank via an app-only bank, have done for years. It took me forever to actually find a bank in my country that had any decent online offering (I can remember leaving one bank because they tried to tell me that a Java applet in an HTTP site that showed a padlock in the Java applet window was "secure", when all the other banks were just using SSL/TLS).
But then I live in a country with consumer law too.
You are missing that there are certain things that online doesn't do that an app does.
I stand in a queue.
Re: (Score:2)
I'm glad I live in a place where what you describe is not legally an option for the bank.
If I want to bank, I'll do it in person or on-line
For how long? As you said the banks make the rules. While we have strong consumer protection laws where I live one of the laws we are missing are bank service laws. Sure you can do banking in person but you have to make an appointment first and they charge you a $5 fee.
Fingerprints (Score:2)
Which is why I have never advised people to use fingerprints for security - it can be used when you're unconscious and without your consent.
I mean, good luck getting a passcode out of me, even drugged... I'm not sure I know what many of them are, I just know the finger-pattern. And it's hard to type that in when I'm perfectly fine, let alone incapacitated.
Fingerprints are NOT security, they are NOT your password. We need to make financial apps realise this and stop allowing their use, much like we need p