Phone stolen? Call the bank quickly — your accounts can be raided
The “Find my iPhone” app may seem like a great way to track your device if it’s lost or stolen, but ironically, it could be how phone thieves are able to get into their victims’ banking app on the stolen phone and clean out their accounts.
In the past week, TimesLIVE heard from several people who had their iPhones stolen, mostly in the Sandton area, and then discovered that their bank accounts had been raided via the banking app on their phones.
Sasha Sathianathan of Durban had her cellphone, an iPhone XR, snatched from her hand outside Sandton City as she was hailing an Uber in October.
She later discovered that R43,000 was transferred out of her accounts into a Capitec account.
Standard Bank said it was not liable for her loss and that her passwords had been compromised.
“My phone was unlocked when it was grabbed from me, but my banking app requires a password, and I have no idea how they got it,” Sathianathan said.
“I’ve opened a case with the police, who’ve said they’ve received similar complaints,” she said.
Mahreen Chenia of Vereeniging had her iPhone stolen from her jacket pocket while shopping in Sandton City in July, and discovered the next morning that R90,000 was stolen from her FNB bank account, and R30,000 — her credit limit — was transferred out of her credit card.
FNB offered to refund her R20,000, being the one transaction which was not successful.
“That was my life savings,” said Chenia, a freelance broadcast journalist. “This has absolutely devastated me, and not just financially.
“For four days after it happened I barely slept, terrified that the criminals, who have all my details, would find me and demand more.
“And I am still too afraid to shop alone.”
FNB’s recent communication to the customer suggested that she may be refunded the rest, but the bank could not confirm this at the time of writing.
FNB’s head of digital, Giuseppe Virgillito, offered the following “explanation” of how the criminals could be accessing the banking apps of the phones they steal.
“Customers who have had a device stolen typically follow the ‘Find my iPhone’ process. Once the customer selects ‘lost phone’, the customer needs to enter the number that they want to be notified on should the device be located. This could be the customer’s number or that of a family member, and these details could also be retrieved using Apple’s Medical ID, which can be located directly from the lock screen.
“As per Apple’s ‘lost phone’ process, confirmation of this request is sent to both the stolen device and the customer’s new phone, which has been SIM swapped.
“The fraudster now has the customer’s cell number, to which they send a smishing message, or alternatively to the customer’s emergency contact. And because the customer has indeed lost the phone, they are expecting the message and they typically respond by supplying their Apple cloud credentials.
“The fraudsters then say the credentials have been entered incorrectly and then request the phone passcode, which the client enters.
“The fraudster now has access to all the customer’s apps.”
Standard Bank said it could not verify how the criminals obtained Sathianathan’s banking credentials.
“Sophisticated security controls exist to protect clients, but crime that is physical in nature, such as robbery and theft of phones, is outside of the bank’s control,” the bank said.
“In this matter, whilst every attempt was made to secure stolen funds on behalf of the client, the window of opportunity to secure any stolen funds was lost, as the criminal withdrew the funds prior to the matter being reported.”
Standard Bank advised its customers to contact the bank and their network service providers immediately when their phones were lost or stolen, “as you would do if your wallet was stolen”.
A Durban businessman, who asked not to be named, was walking in Sandton’s Maude Street last month, talking on his cellphone, a new iPhone 11, when someone came up behind him and grabbed it.
When he got back to his hotel, he called MTN to block the phone, accessed his iCloud account and tried in vain to locate his phone.
Back home, having set up a second-hand phone, he got a text message “that looked like it was from Apple”, advising him that his lost phone had been located and was active, and providing a link.
“Without thinking, I clicked on the link,” he said.
“It took me to what appeared like an Apple iCloud logon screen. I logged on, but the screen gave me an error message.”
Around R145,000 was transferred out of his accounts.
iStore CEO Chris Dodd said iStores countrywide would offer training on device security in the new year.