Cybersecurity thoughts in response to The Guardian article on "lending phone to help a stranger led to financial loss"
This is an attempt to derive some takeaways and suggestions related to “digital safety”, based on an incident reported by The Guardian: “‘I was in despair’: how lending a phone led to life savings being stolen”.
This could be viewed as a social engineering attack carried out in person. The impact of the attack was then amplified by further issues related to 'personal digital safety'.
Let's break it down:
- The malicious actor gained access to an iPhone in an unlocked state. The owner had voluntarily unlocked the phone before handing it over to the malicious actor - as an act of help - based on the story of need presented by the malicious actor.
- The phone was housed in a 'case' that also contained debit card(s).
- The Notes app on the phone contained ATM PIN(s) stored in plain text. The victim used the same PIN for multiple ATM cards.
The combination of the above three factors is what enabled the crime: the malicious actor used one of the victim's debit cards to make purchases. They were able to make high-value purchases because they had the PIN and could use chip card + PIN authentication at POS terminals, so they were never blocked by the contactless / Tap & Pay limit (currently GBP 100 in the UK).
Broadest, sweeping takeaway: do not lend your phone to be used by strangers.
Because a smartphone in an unlocked state can mean a total free pass into a user's digital life. iPhones do not have a “Guest mode” - the device is not expected/designed to be used by anyone apart from its 'owner'. (What if it had been stolen instead? The device passcode lock would have prevented access to the Notes app, which contained the ATM PIN.)
Defence-in-Depth suggestions
- Enable/turn on additional “locks” for individual apps, like the Notes app.
  Illustration:
  - The “Notes” app by Apple offers the option to keep individual notes locked.
  - You have the option to use the device passcode itself (avoiding the need for a new, separate password just for the notes), or to create a new password just for the notes.
  - You can additionally enable existing biometric access options such as Face ID / Touch ID.
  - Then, turn on the “lock” feature for notes containing sensitive info.
  This means that, even if you lend your phone to someone in an unlocked state (for them to make a call, for instance), your sensitive notes stay protected.
- Set/enable daily transaction limits on debit/credit cards (e.g. a maximum of GBP 2000/day).
Honourable mention
Avoid bundling sensitive items like your phone, debit cards, and ID cards as a single case/object.
Keeping the phone as just a phone, and your cards (payment and ID) in a separate wallet, lowers the risk of unfavourable outcomes: losing one item no longer means losing all of them.
Additional takeaways/suggestions
- Learn to store sensitive information safely - enable lock options, enable encryption, understand the encryption options available and the importance of safeguarding encryption keys. This means that, even if you lose “possession” of your data, the data remains “confidential”.
- Consider using a password manager - like Bitwarden - and learning to use it safely. Learning to use a password manager “properly” is IMPORTANT because, otherwise, it could end up being yet another single point of failure.
  - Most people will not take up this step, and might instead use the default password managers provided by the operating system (Apple Passwords/Keychain, Google Passwords) - which could still be a good choice. But again, learning to use them properly remains important.
  - The essential point is to ensure that you will be able to access your securely stored passwords even when you don't have access to your primary devices (phones, laptops). In the case of Apple, it might be problematic to access your stored passwords if you don't have access to any Apple device.
- Get familiar with emergency routines (maybe individuals should have access to “phone security emergency drills”, like fire drills):
  - how to use the “Lost my device” / “Remote lock/wipe” options provided by phone operating systems.
  - how to remotely log out of email accounts that could be active on lost devices.
  - how to contact banks without access to your phone, and freeze your payment cards. (This is where a standalone password manager like Bitwarden can help. You could store your telephone banking password / security questions there. And, since Bitwarden allows you to log in to your account from any internet-connected device and web browser, you could access it even if your device is lost.)
Aravind Jose T.