London Thief Exploits Yet Another Flaw with SMS OTPs

Londoners have been gripped by a rising number of stories from women whose bank accounts have been drained and credit cards have been used to make expensive purchases after their bags were taken from gym lockers. All the stories suggest the same criminal is involved each time; after each heist the thief makes purchases from the same London stores and then uses the victim’s cards to pay for a fast food meal. Meanwhile, the victims find themselves struggling with unsympathetic banks that have been slow at canceling cards and have often refused to compensate victims for their losses. Several victims have been told by their banks they are not entitled to compensation because they bear responsibility for writing down the PIN numbers associated with their cards and keeping them in the same bag, even though the victims insist they did not. What emerges is a pattern where a clever crook has identified a way to exploit the flaws in the way London gyms are run, the weaknesses of bank security, the complacency of police who expect businesses to cover the cost of crimes like these, and excessive reliance on SMS messages sent to mobile phones to verify an online customer’s identity.

Drawing upon multiple accounts of victims reported in different newspapers, the following pattern emerges:

  1. The thief, who is probably a woman, spends time visiting a series of London gyms. Each gym belongs to a chain so that one pass will grant the thief entry to multiple gyms within London. The thief observes the movements of women customers, looking for those whose clothes, jewelry, and handbags are indicative of wealth.
  2. Changing rooms do not have surveillance cameras. When the thief is alone, or nobody is observing her movements closely, she pries open the victim’s locker, probably using a sliver of metal purposely shaped to jimmy open locks. The locks are likely to be of similar design from gym to gym.
  3. The thief removes the victim’s bag, including her mobile phone and bank cards. The thief rapidly uses the victim’s details to register for online banking services, in the hope that the victim has not previously registered herself. If the victim has not previously registered, an SMS one-time password (OTP) is sent to the victim’s phone. If the SIM card is removed from the phone, the message is received on whichever other phone the thief is using. And even if the SIM remains inside the same locked handset, the settings might allow the contents of the SMS to briefly flash up on the locked screen.
  4. Thousands of pounds of cash is moved between accounts and withdrawn from ATMs. Credit and debit cards are used to make purchases from central London shops selling high-value items, such as Harrods, Selfridges and the Apple Store in Covent Garden. The victim’s card is also used to pay for taxis that ferry the thief between the various locations she visits during her spending spree.
  5. The heist is complete within a few hours, and the thief treats herself to a meal as a reward for another successful ‘job’ whilst the victim is only just realizing what has happened and is struggling to contact her bank.

The gyms take no responsibility for thefts that occur on their property. To the further chagrin of victims, some of their banks will refuse to pay compensation because they insist the victim must have allowed their PIN numbers to become known to the thief, when the truth is that the thief was able to key in a working PIN number because she had already used the reset feature provided by online banking services. Instead of checking whether the thief had just registered for online banking, the banks’ so-called security team just make assumptions about how the thief obtained a PIN number. In one case the security team kept calling the stolen phone and sending it messages about the progress of their investigation! Multiple victims have suffered because the police performed minimal investigation for case after case, and hence failed to identify the pattern or warn banks to improve their procedures.
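The check the article says banks failed to make, whether online banking had only just been registered before the PIN reset and the spending, can be expressed as a simple fraud rule. The code below is an added example, not anything from the article or from any bank; the event kinds, the six-hour window, the £500 limit and the activity feed are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

SPEND_KINDS = {"card_purchase", "atm_withdrawal", "transfer_out"}

@dataclass
class Event:
    ts: datetime
    kind: str           # "online_registration", "pin_reset", or one of SPEND_KINDS
    amount: float = 0.0
    detail: str = ""

def account_takeover_alerts(events, window=timedelta(hours=6), spend_limit=500.0):
    """Hold spending that follows a fresh online-banking enrolment.

    A PIN reset inside `window` of enrolment makes every later spend in the
    window suspicious; without a reset, cumulative spend above `spend_limit`
    is held. Returns (event, reason) pairs for a human reviewer.
    """
    enrolled_at, reset_seen, spent, alerts = None, False, 0.0, []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "online_registration":
            enrolled_at, reset_seen, spent = e.ts, False, 0.0
        elif enrolled_at is None or e.ts - enrolled_at > window:
            continue  # no recent enrolment: not this rule's concern
        elif e.kind == "pin_reset":
            reset_seen = True
        elif e.kind in SPEND_KINDS:
            spent += e.amount
            if reset_seen:
                alerts.append((e, "spend after PIN reset on newly enrolled account"))
            elif spent > spend_limit:
                alerts.append((e, "cumulative spend over limit on newly enrolled account"))
    return alerts

def constructed_timeline(pin_reset=True, enrolled_days_ago=0):
    """Constructed feed resembling the gym-locker case (not real bank data)."""
    t0 = datetime(2023, 6, 1, 10, 5)  # minutes after the bag is taken
    events = [Event(t0 - timedelta(days=enrolled_days_ago), "online_registration",
                    detail="enrolled via SMS OTP")]
    if pin_reset:
        events.append(Event(t0 + timedelta(minutes=7), "pin_reset"))
    events += [
        Event(t0 + timedelta(minutes=25), "atm_withdrawal", 300.0),
        Event(t0 + timedelta(hours=1, minutes=5), "card_purchase", 2400.0, "department store"),
        Event(t0 + timedelta(hours=2), "card_purchase", 18.0, "taxi"),
        Event(t0 + timedelta(hours=3), "card_purchase", 12.0, "fast food"),
    ]
    return events
```

With the default timeline every spend after the PIN reset is held; an account enrolled months earlier produces no alerts from this rule, so legitimate customers are not affected.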

The initial takeaway is to protect yourself by never putting valuables in a gym locker, registering for your own online banking services before somebody else does, choosing any second factor for authentication except the sending of SMS messages, and ensuring phone settings do not display SMS messages when the handset is locked. The more important observation is that criminals can be far more imaginative, cunning and conscientious than the people employed to thwart them. Verifying the identities of the majority of online customers via their phone services has turned those phones and those services into an even bigger magnet for criminals. We need superior strategies for authenticating customers. The usual stopgap answer of raising public awareness is a guarantee that we will always be doing too little, and too late.

You can read some recent stories about the London gym thief here, here and here.

Eric Priezkalns (http://revenueprotect.com)

Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), an association of professionals working in risk management and business assurance for communications providers. RAG was founded in 2003 and Eric was appointed CEO in 2016.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T-Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press.
