What can I do to secure my pocket info?

Are we carrying too much of our financial lives around with us? If so, asks Jon Bentley, what can we do to make ourselves less vulnerable?

A recent New York Times article shocked many, myself included, by showing how easily a stolen passcode can ruin your digital and financial life. It centred on iPhones but Android users are no safer. A criminal would observe someone entering their passcode, trick them into giving it away, or worse still make them reveal it at knifepoint.

Then they’d steal the phone and change the passcode, change the face in Face ID, the password in Apple ID, turn off Find My iPhone, and render the passwords in a keychain unusable, all within a minute or two.

My own enthusiasm for financial apps dates back to interviewing an ex-hacker, many years ago. He strongly advised doing online banking through a phone rather than a browser because it was way more secure. Since then, helped by reassuringly sophisticated biometric security features and sheer convenience, phone-based banking has become the norm.

Surveys suggest 90% of us now use banking apps, but unauthorized access to them plus everything else on your phone – social accounts, photos, emails and even these days your car keys – compromises almost all aspects of your life and makes this portable ‘attack surface’ so rewarding for the criminal. It doesn’t help that many extra verification codes are sent through to your phone too – whether by SMS or through a (more secure) authentication app.

The very device that institutions use to try and protect you is the one that’s been nicked. Some banks have been sufficiently concerned about your phone’s vulnerability to start generating their own versions of your biometric identity, which they store on their servers rather than locally on your phone.

To be fair, Apple has begun to address the issue seriously in iOS 17.3. The new Stolen Device Protection feature requires additional Face ID or Touch ID authentication when you’re not in a familiar location and want to access features like stored passwords. It also introduces a one-hour delay followed by a second Face ID or Touch ID authentication when you change ‘critical security settings’ like your Apple ID or Face ID. It should give you time to thwart the worst in an emergency.

Are these precautions enough? I called Ken Munro of cyber security experts Pen Test Partners. He’s of the view that, balancing the risks, people should still “bank using their phone rather than web apps, because it’s much more likely that someone would compromise your home PC”. He added that Stolen Device Protection is “one of the best things Apple has done” and that you should switch it on. His major worry, at least for iPhone users, is elsewhere – the recent EU ruling that forces the company to open their phones up to other app stores. “That changes things to my mind, because while Apple is good about keeping rogue apps out of its app store… this potentially exposes customers to bad app stores.”

For the moment, Ken’s words reassured me that I wasn’t quite as vulnerable as I’d feared. I don’t think I’ll abandon my financial apps wholesale and go back to banking purely in a browser. But I might rehearse what to do if my phone gets stolen – an emergency disaster planning scenario that will help me be more effective if the nightmare becomes reality.

Jon Bentley

Jon is the main gadget reviewer and presenter for The Gadget Show on Channel Five. He was previously the Producer and Executive Producer of BBC's Top Gear between 1987 and 1999 and had a corner named after him on the Top Gear test track. He launched Fifth Gear for Channel Five and produced the show until 2004. When not presenting Jon enjoys writing. In 2019 Atlantic Books published his first book, Autopia: The Future of Cars, and he contributes regularly to Amateur Photographer magazine.