Warning over-the-shoulder surfing pin thieves stealing information from smartphones – this is how you stay safe
- Thieves shoulder-surf victims to see how they enter the PIN before stealing the phone
- They then unlock the mobile and access apps and personal information
- It can lead to entire bank balances or savings accounts being drained
Britons using smartphone banking apps are being warned about scammers ‘shoulder surfing’ to steal PINs.
Metropolitan Police Detective John Roch says that while the technology behind apps is safe, criminals are getting better at exploiting human behavior.
He said the exact number of people who fell victim to this fraud is unknown, but the Met has seen a sharp increase in these types of crimes.
Scammers target unsuspecting victims not at the smartphone itself, but at access to the apps.
Shoulder surfing: most people shield their PIN at an ATM, but now they should do the same with their smartphones
Thieves typically “shoulder surf” their victims to see their PIN before stealing the phone – often pickpocketing or snatching.
They then unlock the mobile and access apps and personal information on a victim’s phone, which can drain entire bank balances or savings accounts.
Steve Gracey, from HSBC, said: ‘We are aware of reports of this happening.
“There has always been a risk of people being shoulder-surfed when using an ATM, and people are now more conscious about shielding their PIN when withdrawing money.
“As a result, the way these criminals operate means that people now need to be more mindful when entering a PIN or pattern on their phone in a public place, even shielding it as they would at an ATM.”
Timo Salmi, of cybersecurity firm F-Secure, said: “Phones contain huge amounts of personal information and apps to handle banking and shopping with pre-filled credentials ready for action.
“A mobile phone is like a master key to our digital life, and all of this is guarded by a simple access code. Although most new devices offer biometric access controls, such as fingerprints or facial recognition, a PIN code is often still used as a backup mechanism.’
A mobile phone is like a master key to our digital life, and all this is guarded by a simple access code.
In many cases, fraudsters only need a passcode, as it’s common for people to store passwords for banking apps on their phones – often in notes, reminders, or unsecured documents.
Those who reuse the same passwords and PINs for all their apps and bank cards run an increased risk, according to experts.
“One of the main risks of online services is account takeover – when a fraudster takes control of an account and makes unauthorized changes,” Salmi added.
“The risk is greatly increased by reusing passwords across multiple services. The same goes for pin codes.
‘There are far too many passwords and PIN codes to remember, so the chances of savings being made are very high.’
Most smartphones now come with biometric security features including facial recognition and fingerprint scanning, meaning many Brits can avoid entering passcodes altogether.
Gracey adds: “We advise customers to use the phone’s biometrics when authorizing payments in public and not choose a passcode for the device that is easy to guess.
“When a phone is lost, contacting the bank is one of the first things people should do to protect their money.”