Do you know those cases, increasingly frequent, in which bandits steal a person’s cell phone and then empty their bank accounts – even without having the passwords?
You must have heard of it, and probably wondered how they do it. There are two ways. The easiest, and by far the most common, is as follows.
The bandit takes the phone already unlocked (he pulled it out of your hand while you were using it, or forced you to unlock it) and triggers the multitasking function – the one that shows, in several small screens, tod…
He scrolls through that list until he finds your bank app, and simply taps on it. That's it: he is in your account.
The thief can already see your bank balance, but still can’t transfer the money. After all, he does not have the password that authorizes transactions. You know what he does? He triggers the “forgot my password” function of the app itself. Then the bank sends a new one by text message, and it's game over.
OK, it’s not always that easy. The app may ask for your CPF, date of birth and your mother’s name, for example, before resetting the password. The thief finds all this in a few seconds – he opens your Gmail and types “CPF”, “mother” or “niver” in the search field.
But what about facial biometrics, which more and more banks are using? On Android phones, it is tragically easy to bypass. This is because almost none of them have a 3D front camera with infrared projection (like the TrueDepth camera present on iPhones).
Therefore, so that most people can use biometrics, banking apps generally accept a flat, 2D image. So the bandit simply takes a selfie of yours, from the smartphone's image gallery or from your social networks, and displays it on the screen of another device – which he positions right in front of the stolen phone, simulating your presence there. Voilà.
Many people have started keeping banking apps on an older phone, which stays at home (and uninstalling all of them from the smartphone they take out on the street). That’s great, and highly recommended. But it doesn’t solve everything.
With access to your Gmail, for example, the thief gets enough information to open bank accounts and issue credit cards using your name.
He can also hijack your social networks and messaging apps, where he will pass himself off as you – and then ask your acquaintances for money on WhatsApp, or fake the sale of your belongings (clothing, smartphones, games etc.) on Instagram, which your friends will “buy” by sending a PIX to the crook. Above all, the bandit will control your email – and can change the passwords of all the online services you use.
The first thing is to put secondary protection (by fingerprint, password or pattern drawn on screen) on the most critical applications. Once you do this, they will always ask for that confirmation before opening – even if the phone's screen is already unlocked. Xiaomi and Samsung phones already come with a function of this kind; on other Androids, just install Norton App Lock.
This makes using the phone slightly less fluid, but you get used to it (it is only really bothersome on WhatsApp, which is opened many times a day – and can therefore be left without secondary protection).
The iPhone does not have this secondary protection feature, and there are no applications that allow you to add it (because they would require direct access to the operating system, which Apple does not allow). But you can improvise a workaround (a “gambiarra”) with the iOS team.
The other adjustment you need to make applies to all phones, whether iPhone or Android: protect the carrier chip (the SIM card). Otherwise, it’s no use having your smartphone fully armored. The thief simply takes the chip out, inserts it into another device and starts passing himself off as you. From there he can request password resets for various services, including banking.
Therefore, it is essential to set a password on the chip. It is also worth doing something else: using an authentication app instead of the codes that arrive by SMS.
This way, even if your phone number is cloned (a scam that requires the collusion of carrier employees and is more common in the US than in Brazil, although it also happens here), thieves will not receive the codes and passwords. The best is Authy, because it can also be installed on your home computer – which you can use if your phone is stolen.
Done. By following these procedures, you will be 99% protected. The other 1%? Remember when we said at the beginning of this text that there is a simpler way and a more sophisticated way to break into accounts?
The more refined method consists of using specific software (in the case of the iPhone, a hardware device) to break the authentication mechanisms of the operating system. It works. But it is relatively restricted knowledge – unknown to the vast majority of bandits. May it stay that way.