
The Irish Independent recently reported on the latest techniques used by criminals to drain the bank accounts of mobile phone users.

At their core, these types of scams require the criminals:

  1. To find out the device’s PIN / passcode (e.g. by watching us as we type it in – also known as ‘shoulder-surfing’), and
  2. To get their hands on the device.

Once they have the phone and the phone’s PIN / passcode, they can now access anything on the phone that is not protected with a different security PIN or password.

This particular story discusses a very sophisticated crime that has impacted at least 100 victims in Ireland.

There are similar scams that achieve the same result*.

Security like FaceID or TouchID may not protect you – With the phone’s security PIN, they can change the FaceID / TouchID settings and enrol their own face or fingerprint, so the phone then accepts them as its owner. (See one caveat below**)


So what?

It’s a stark reminder that the security of our data and our money may be fully reliant on the security of our mobile phone and its security PIN / passcode.


So what should you do?

  1. Be careful when you are typing in your phone’s PIN / passcode – Do your best to avoid places where others could see the code.
  2. Make sure your phone’s passcode is more than 4 digits (an alphanumeric passcode is better still) – The longer it is, the harder it is for a criminal to catch it by watching you type it in, and the harder it is to guess.
  3. Use unique passcodes – Make sure the important apps on your phone (e.g. your bank apps; your password manager app) are protected with unique security codes. Do not reuse your phone’s PIN / passcode for these apps.
  4. Reduce the number of bank cards set up in your Apple Wallet (or Android equivalent), because your Wallet can be used with just your phone’s PIN / passcode. Perhaps restrict your Wallet to a single card connected to a bank account that only has a relatively small amount of money in it***.
  5. Disable FaceID / TouchID integration on the most important apps, so the unique passcode is needed to log in to each one of them. At a minimum, disable this integration whenever you are going to be in a vulnerable position – e.g. When you’re “out-out”!  (This step may be unnecessary based on my own tests**).
  6. If your phone has disappeared – Log into your Apple / Google account online (Apple’s Find My via iCloud.com, or Google’s Find My Device) and see if you can lock and/or erase the device remotely. You also need to contact your banks as soon as possible so they can take steps to protect your bank accounts and bank cards.


Hopefully, these tips will ruin Christmas for these scammers.


* I hear that there is a similar scam used by criminals if they have your phone but don’t know your PIN / passcode. In this scam, they wait for you to call the phone, and they tell you that they are the police and the device is safe. But to confirm that you are the owner of the device, they need you to tell them what the PIN / passcode is. You know what happens from there.


** Based on my own tests, Apple FaceID / TouchID does include some protections for this scenario. If the FaceID / TouchID settings on your phone are changed, many apps (e.g. some banking and password manager apps) require you to type in the app’s password / PIN code before FaceID / TouchID can be used to log in to the app again.


*** I also hear that cash is still accepted in most locations, so just bring what you need for the night (which will be twice as much as you think you will need).