If thieves/muggers were digitally savvy, what is the worst they could do?

In March, I was looking for something in the boot of my car when two guys approached me. Guy #1 distracted me while Guy #2 helped himself to my wallet and phone from inside the car. I did not even realise that Guy #2 had already disappeared!

It is a good idea to keep a screenshot of the last known location, because Apple very unhelpfully stops you from seeing the last seen location after 24 hours!

While on the phone to the police, I noticed on Find My iPhone that they were just walking to Waterloo station. Hardly the best getaway.

It would be ace if Apple could show you more data (e.g. phone switched off, SIM removed, iPhone put in DFU restore).

The Met police receiver said it would not be possible to get an officer down to the area because it is not an emergency. :(

While I don't think it should be prioritised above serious crime, they were annoyingly professional criminals who probably rob many Londoners.

This got me thinking: if criminals were actually digitally savvy, what could they do?

Ranked most severe to least:

  • Debit card could be registered with Apple Pay: it is easy to verify the code by SMS and then be able to make a card transaction over £30.
  • Premium Rate calls/texts: your phone could be used to call a premium rate phone number or send premium rate texts; these can be priced at £10/SMS.
  • Social Engineering hack: the driving license has the current address, date of birth and driving license number; bank cards have the account number and sort code.
  • Any 2FA for banking: even if a service provider uses SMS as a way to verify the person, it would be possible.
  • Call anyone as me

What happened next?

It was fortunate that I had another device on me to cancel cards, disable SIM and call for help.

It was really odd that they tried all of my cards at Tesco for £25.


Security

If your wallet contains your UK Driving license, they now know your full name, address, date of birth and the driving license ID, which you need for many online services.

With a handful of debit/credit cards, you have all the necessary information to hand: the name of the cardholder, the card number (in case you are asked to verify that you have it), and the account number and sort code.

Typical Security Questions

  • Of course, if they have your card and your address, they can make any online payments, and a more sophisticated criminal would automate this.
  • "What big payments have you made recently and who to?"
    • You could easily extract card transactions from their social media, guessing the amount they spent.
    • You could guess how much they paid the credit card companies for the cards you also have.
    • Receipts in the wallet would help you with this information.
  • "Enter digits [4 to 8] of your credit card" as the security question.

As they also have your phone, they could easily use it to call the bank or your telecom provider and pass security questions such as "What is the phone number on your account?"

I wonder if Apple Pay allows cards to be registered on other Apple IDs, because that would allow a contactless transaction of any value without a PIN.

When I called the bank and also my other card companies, they all asked me very basic security questions that were details on the card.