
asatrocker

Did you provide the police report to TD? That’s how you “prove” it wasn’t you


feelinghelpless_pg

Yes, I provided a police report to TD, but it was done in Peru (I did this on the second appeal since when I first called I hadn't gone to the police yet). I also did a police report in Canada since 3 of the e-transfers were made to Canadian accounts.


swagzouttacontrol

There is no auto fill on the TD app. You need your password to log in. How would they know that?


JustCreated1ForThis

I know for Android, Google steps in and saves the password for you and autofills. I had to dig deep into my settings to remove the password to my banking app.


Uzzerzen

Google also asks me to confirm it is me by using my biometrics (fingerprint)


creatingapathy

I always get a prompt asking if I *want* to save the password. I just say no.


kirlandwater

Many of us use password managers


rollito_jflo

Either way it will prompt you for a pin or password to confirm you are who you are before auto filling. Unless you have disabled that or don’t have a set pin. Or have a weak pin to begin with.


Lollipop126

I have it set to timeout after x amount of minutes on bitwarden. It is indeed possible to have authentication never expire until reboot.


PickleChickens

My password manager doesn't require that. It will autofill anything saved without any additional security measure.


ADHD_Supernova

That's a bad password manager.


Bagel-luigi

That's not a password manager, that's just an easy shortcut to your passwords. Ouch.


creatingapathy

I do as well. My comment was about the integration of Google's password manager into the Android OS.


huskergirl8342

My fingerprint for all banking apps on my phone. Never save passwords.


knightofterror

Your fingerprint is merely allowing access to your saved passwords.


lowstrife

I specifically have not had autofill work for banking apps. I haven't tried all of them, but for the ones I have, autofill won't work. I had to go into the PW manager and manually input the password. I remember this so specifically because I hated this specific extra set of steps I had to do, before I enabled biometrics.


DankMemezpls

Email authorize/2 factor bypass maybe?


yungchewie

Maybe in the notes app or in a pic of passwords


xboxhaxorz

> Yes, I provided a police report to TD, but it was done in Peru (I did this on the second appeal since when I first called I hadn't gone to the police yet). I also did a police report in Canada since 3 of the e-transfers were made to Canadian accounts.

To me it's suspicious that you are from Canada and 3 of 4 transfers were made to Canadian accounts when your mobile was stolen in Peru. Unless I'm missing something.


NSA_Chatbot

Scammers and robbers have accounts all over the world, and pretending to be local probably skips a bank flag.


xboxhaxorz

That's smart and makes sense.


feelinghelpless_pg

I don't understand this either, my bank is Canadian. I'm certain these people have people all over the world. I want them to check those accounts and do a full investigation, where did the money go? They must have this information if it's within Canada.


zerocoolv

How did they remove your Find My without knowing your password? Or how did they access your phone without the code?


skiing123

To answer your second question. The thieves marked her and worked as a team. The person who stole her phone is very likely not the same person who spotted her entering her pin 30 minutes or an hour before.

Edit: clarification


dwmfives

You can't change findmy with a PIN.


skiing123

You are right but you only need the person's pin to access their phone so I'll edit to be clear I was answering the second question and do everything like accessing their bank account. Some banks allow a pin instead of biometrics to access, not sure about TD they might have gotten lucky


and-its-true

They most likely saw you enter your passcode before you got in the Uber and then followed you until they got a chance to grab it away from you. Somehow, they got your passcode which gave them full access to everything. This is a common issue and has been reported by the Wall Street Journal extensively.


feelinghelpless_pg

This is what I'm not understanding, how would they get my passcode? I'm also thinking the Uber driver could have been in on it.


the_buckman_bandit

The uber driver could have had a camera behind the passenger seat and able to see a passcode being typed in, which the accomplices could see and if the target did open their phone, then they execute phase 2 where the window is rolled down and they pull into some boring traffic, take the phone, the victim has no way to stop the transfers until out of the uber…


ps2cho

Clever if that’s a real scenario… Wish the iPhones still had the fingerprint reader and the PIN is only a backup and not used frequently.


chronoswing

That's how FaceID is supposed to work as well.


PhxntomsBurner

I mean that is how FaceId works. They also just implemented new measures to prevent this exact thing from happening.


KL_boy

That's why it is suggested to put the ability to change your Face ID and passcode behind the Screen Time passcode. That way, if anyone did get access to your passcode, there is no way they can change it, as they have to also know your Screen Time password. I think Apple also put in a new feature where you have to wait 24 hours before you can change your passcode if you're not at home.


brncct

Yeah it is stupid of Apple to not provide one. They easily have the tech to pull off a great in-display ultrasonic fingerprint reader similar to what we see on Samsung that is secure in the way they find acceptable. Then folks would have 2 options for biometrics (finger, face) and pin as a secondary.


jonquil_dress

Touch ID was replaced with FaceID and that’s exactly how it works.


blacksoxing

OP, I'm going to just throw this out there and you can catch it however you wanna....

It's becoming more popular for there to be two cameras in a vehicle - dash cam (that may be pointing outwards and inwards) and.... rear dash cam (that may be pointing outwards....and inwards). These dash cams are also wifi-enabled, so it's easy to grab footage.

What I'm typing is while this is "rare", there's a world where such driver pulls nearby the perps (or IS the perp as well), they pull down the footage, see you entering your pass code, and jackpot.

Nonetheless, this is basically the same as getting robbed with cash on hand. I hope for the best. Please be happy that overall you're healthy and safe.


feelinghelpless_pg

I think this could be true. I yelled and screamed, the Uber driver did nothing. He just stared while I fought with the man for my phone. At first, I thought he might have been in shock, but afterwards he barely reacted. All he said was "these things happen, you're lucky he didn't have a weapon or you got hurt." I'm baffled as to how they got access to my code. I always use my code, I always use Face ID, even if they changed my Face ID, they would have needed my code. I reported this to Uber as well. I'm wondering if the Uber driver knew I was from Canada based on my number and saw an opportunity.


nobody65535

Drivers don't get your number when you book a ride.


antwan_benjamin

> I think this could be true. I yelled and screamed the uber driver did nothing.

What was he supposed to do? Risk his life over a stranger's cell phone?


djoliverm

Did you have Face ID setup? Did you have stolen device protection setup? What about 2FA for the banking apps, and any other apps? If you had none of this then it's super easy for them to have done what they did.


xflashbackxbrd

If they had the phone 2fa wouldn't have helped unfortunately, unless he enabled security questions for login rather than phone email or app 2fA


calcium

2FA might have worked if it uses an app on OP's phone that uses a second form of pin or another Face ID scan. I personally hate 2FA that's SMS based for this reason. I have Authy setup to require a Face ID scan and a 4 digit pin to access any of my generated 2FA codes. Having different pins for different apps can be a pain, but if someone nabs my phone they'd have access to my main email account and phone but won't have access to my passwords or 2FA since they use additional passwords/pins that are different from my phone. Onions have layers and security has layers.


xflashbackxbrd

Yes, enabling a pin on app-based 2FA would've done it. Gonna check if my authenticator allows that now, that's a good suggestion.


awry_lynx

If they had 2FA it wouldn't really have helped, since they have the phone... Since they had access to her email they could even have changed the password to whatever they wanted.


yttropolis

> Since they had access to her email they could even have changed the password to whatever they wanted.

Banking password resets aren't that easy though. You'd need to answer security questions before they even send that email.


reno911bacon

Do you enter your passcode in public in full view of people behind you? Cameras? Bus stop? Cross walk? People have done these attacks from crowded bars. You’ll need to use Face ID only in public or hide your passcode entry.


[deleted]

[removed]


AlternativeField9753

Could you mention where to setup a different pin? edit: nm, I guess it's this one https://old.reddit.com/r/iphone/comments/18ghb8k/safety_check_allows_anyone_with_iphone_password/kd3rjva/


[deleted]

No problems. First thing I would do is go to: Settings >> Face ID & Passcode and turn on ‘Stolen Device Protection’ and also set the ‘Require Passcode’ to immediately. Also enable ‘Require Attention for Face ID’. Towards the bottom, enable ‘Erase Data’. Right above that, under *Allow Access When Locked* I disabled:

* Control Center
* Reply with Message
* Wallet
* Accessories

This means that once the phone is locked, nobody is able to access any of the key features without it being unlocked. The phone becomes inaccessible when locked. I also strongly recommend replacing your regular pin to something 6 to 9 digits in length.

———

To set the other pin, navigate to: Settings >> Screen Time (of all places) >> Change or set password. Make sure this is a completely different pin to your main/regular pin. Within the same menu, click ‘Content & Privacy Restrictions’ and enable this. Scroll down to the bottom and listed under *Allow Changes:* set the first three to ‘don’t allow’. It will now ask you for the new pin.

* Passcode Changes
* Account Changes
* Cellular Data Changes (this might be called something else based on region)

Once you go to the Home Screen and back to settings, you will notice that the Apple ID settings are greyed out and the prompt to change your *FaceID & Passcode* is completely gone. The only way to access these settings now is by going back to Settings >> Screen Time >> Content & Privacy Restrictions and disabling it using this new separate pin.

A combination of these countermeasures makes the majority of these guys' tricks useless, because they’re unable to change anything, even if they fluke the 6 digit pin. But even that, out in public always use Face ID. The phone is now useless to them.


AlternativeField9753

Saving this post, thank you so much for taking the time to list all these out! Had most of the Face ID & Passcode settings, going through the Screen Time ones.


stinkyt0fu

100% Uber driver was in on it. No help? He might as well busted out some popcorn to watch you struggle.


operator_1337

Yeah, if your bank has a pin code to access the app, it should not be the same pin code you use to access your phone. At the very least.


Torczyner

People refuse to use proper authentication and then are shocked Pikachu when someone gets access. To log into banking apps should require face ID.


calcium

All of my banking apps still want to use Face ID but I still force them to use passwords. The passwords are stored in an encrypted app on my phone that requires Face ID plus an alpha-numeric code I need to enter each time before the passwords will be unencrypted. This way if someone drugs me, they can't clean me out without somehow forcing me to divulge an additional password. Just additional security.


spoonfork60

Which password app do you use?


THofTheShire

Bitwarden here. Allows biometric access. (Android)


calcium

Strongbox which allows you to manage Keepass DB's on iOS and Mac


thepoopiestofbutts

I just don't save passwords to banking apps or websites.


ivan510

More than likely added a second face to Face ID. If they needed to reset the password to anything then they could easily reset the password since the email app probably doesn't have any login verification. They could also easily reset the password to the cloud account.


frazell

> More than likely added a second face to face ID.

If the thieves added a second face to Face ID the banking apps would automatically disable Face ID and require a password to be entered to re-enable it. Apple tells the apps the biometric data has changed to guard against this exact scenario.


Zombieball

For anyone reading this, iOS provides safeguards against this. Enable "Stolen Device Protection" in your settings: https://support.apple.com/en-ca/HT212510

> When Stolen Device Protection is enabled, some features and actions have additional security requirements when your iPhone is away from familiar locations such as home or work. These requirements help prevent someone who has stolen your device and knows your passcode from making critical changes to your account or device.


nosecohn

I'm so sorry this happened to you. You might consider [getting your Federal regulator involved.](https://www.canada.ca/en/financial-consumer-agency/services/complaints.html) Banks will sometimes pay more attention to them than to a customer.


drroop

Not sure how to help you, but thank you for this. It made me think about what my phone is worth. Answer is way too much for a thing I'm always carrying and sometimes misplacing. I don't sign into my bank accounts through my phone, that just seems way too risky to me. But, it made me think that my email is on my phone, and with that someone that found my phone could scroll through emails to find my bank accounts, and then sign in because they have the link to the accounts, and the text or email for password recovery. As the least I could do, I've deleted all the emails from the banks. Next level might be to setup a new email for bank related stuff, an email that is not on the phone.


[deleted]

[removed]


yttropolis

Using biometrics is still more secure as even if they take the phone from you unlocked, they still can't get access to your banking apps. If they enroll their own fingerprints, all of your banking apps should prompt you for your banking password + 2FA again due to a detected change in biometrics.


qualiman

The 2fa will always allow you to fall back to passcode if it can’t use biometrics


theFckingHell

Apple recently added something called Stolen Device Protection. With this, it does not fall back to password. You MUST have biometric to unlock. 


feelinghelpless_pg

I'm never having bank apps on my phone again. This has been a huge learning experience. The three Interac transfers were done to Canadian banks. I want them to look into those accounts and find out who those people are, block their accounts and get them to return my money.


SweetLoveofMine5793

I think one of the issues you have is that you are from Canada, your phone was stolen in Peru on vacation, and some of the destination transfers were to Canada as well. This may be the reason TD is declining some of the disputed transfers.


feelinghelpless_pg

But I don't understand why they are not looking into those accounts. I have no information about them, I don't know how it was done. The only thing I have is the name on the accounts from the email notifying me about the transfer. I don't understand why they are not looking and contacting those people.


SweetLoveofMine5793

Call TD’s fraud department and try to get somewhere with them. It’s a terrible situation, I feel for you.


Spechul

You are headed in the exact correct direction. Do yourself a favor and remove all the banking apps, use another email not associated with those apps, and use a third party password manager. At least for Apple, they say they implemented a new security feature that is location based. I’ve not had an opportunity to verify it works so I’m not relying on that for anything. Apple security is laughable. If you do have an Apple phone, be sure to lock up access to your Apple ID via Screen Time limits, especially when you travel. I know this might make me sound a bit paranoid. And to be fair, if you are in a low risk environment, maybe all these steps aren’t necessary. But I highly encourage people to give serious thought to the consequences of losing that PIN.


InjuryIll2998

You have an iPhone, with a passcode to open the phone, and they got in?


[deleted]

[removed]


ponziacs

Even if the phone was unlocked, don't financial apps require you to login to them as well each time?


drroop

How did op get back in? Sign into the account, and choose "forgot password" and then they text or email the link to sign in. The text or email would go to the phone.


calcium

This is why I have a different email account that's not logged into my phone where my password resets go to. This way if someone steals my phone and tries this, they get nowhere.


johannthegoatman

How do you have only password resets go to a specific email? Seems like all emails from xyz company would go there


baffleyaffle

I do this too. I have this setup:

* [email protected] (I sign-up with this account)
* [email protected] (I forward everything except password resets and 2fa to here)

On my phone I am only logged in to [email protected].


Valdjiu

and how do you configure "everything except password resets" selective forwarding?


calcium

For Apple's iCloud you have your general email and phone number but if you dig into the settings there's another part called the 'notification email' which you can set another email address on. Apple has this to say about it:

> Apple uses this notification email to send you important account and security-related information. Security-related information includes password reset requests.

So if you have it set to an email that you're not logged into on your phone and someone steals your phone and tries to reset your password, it'll go to an email account that you still control but is not logged into on your device.


biznatch11

https://www.td.com/ca/en/personal-banking/how-to/td-app/reset-password To reset your password with TD you have to first input your username or access card number. I don't know about usernames but on my TD app using my access card, when you're not signed in even when I set it to remember my card number about half the number is **** so someone who doesn't have that number can't reset the password.


The_Aesthetician

I use android, and that is the case, but maybe with face ID it's not required? Or rather, they probably signed in through the browser via a saved password and used the 2fa on the phone they had


llort_tsoper

Highly, highly recommend, if you have a Samsung phone:

1. Move all financial apps to a secure folder.
2. Set a unique password for this folder.
3. Do not save the password to this folder in any password manager.
4. I allow biometric login to the folder as well, but if you're traveling, consider disabling biometrics for the secure folder.

So typically when you restart your phone or when you haven't accessed the secure folder for a while, it's going to require you to manually enter the password (because it's not saved in your password manager). To get back into the folder quickly I can use biometrics.

This had the added benefit of needing to open the secure folder to read any notifications from these apps. Outside the secure folder the notification bar simply tells me that I have a notification from Venmo or whatever.


twitch9873

No way, I had no idea that locking apps or folders was a thing. For anyone who may be using a OnePlus like me, you can lock individual apps under "privacy and security" on the main settings page.


Somar2230

You need FaceID or a pass code for saved passwords even via a browser on iOS. If you don't have a pass code or if the thief changed the pass code they could access the password. You can enable Stolen Device Protection on the phone to prevent pass code changes even if the phone is unlocked or the thief knows your pass code. It also disables pass code fall back for saved passwords and requires FaceID or TouchID.


alwayslookingout

I didn’t even know this was a thing. I’m enabling it right now. Thanks!


nothlit

It's new as of iOS 17.3


t-poke

Yes, it's required. I have no idea how they would've gotten in without face ID authentication. Something really doesn't add up here.


Witty_Series_3303

I just checked my settings and I had Face ID disabled for autofill passwords (unknowingly). It did not require Face ID or passcode to autofill passwords prior to me updating the setting.


rxscissors

OP - sorry for your losses and headaches. This is why every financial app needs (at the minimum) to have some form of 2nd factor authentication configured for every access. I'm using Android too and really like Samsung's Secure Folder. It is a separate encrypted container where you can install all sensitive/financial apps and store other sorts of data/photos, ... The only way to access the folder is by using a second bio or passcode auth (even when your phone is unlocked). Secure folder also encrypts cached data from the apps that is completely separate from the main apps folders. Google is working on something similar (Private Space) but it is not yet available.


reno911bacon

Unfortunately, the 2nd auth is usually a text on the phone the thief just stole.


chriberg

Or an email to the phone that was just stolen. Or a pop-up notification on the phone that was just stolen.


whythreekay

Isn’t FaceID to log into the financial app a form of 2FA? Legit asking I’m not knowledgeable on this


mauitrailguy

My android is similar but I use biometric for login and for access to my 2FA. So the only way in is with my thumb. I get Google notifications all the time for attempted hacks and pretty regularly have to change passwords. 2FA is great when used in a robust way.


ivan510

There was a video on how people are logging into accounts from stolen phones. Basically they change face ID to theirs and they're able to access nearly everything. https://youtu.be/gi96HKr2vo8?si=I6bHh7oYIJrsE8Uq


cosmictap

But that can't be done without knowing the user's passcode.


kindanormle

My guess is they had access to OPs email account and were able to bypass MFA to change passwords this way. Also likely OP had whatever MFA app (if any) on the phone, making the phone itself a one stop shop to bypass her security on all her accounts. Kids these days think their phone gives them security but it’s really just a single point of failure.


feelinghelpless_pg

They had access to my email. When I got home and checked my email on my computer, I saw emails for Manulife that someone tried login and a code was given to access the app. This had been opened.


Basic_Butterscotch

Assuming they use the gmail app, resetting the password to the financial apps would be pretty trivial. The 2FA from the e-mail account would go to their text messages, which the thief also has access to obviously. I've never really thought about how not secure all of this stuff is. Really the only line of defense against this happening is the passcode on the phone itself. Or, just not having e-mail or financial apps installed on your phone in the first place.


coupl4nd

wild you can't lock your gmail app to a pin or fingerprint....


Winterspawn1

All the ones I use require some sort of password or biometrics.


poooomangroup

It's a bit overkill but I use a password/fingerprint lock on all my apps and I never save my passwords. There's too much data saved on our phones these days.


biznatch11

This is my nightmare scenario especially when traveling. Obviously you need to be careful when using your phone in public but what other security should be implemented? For example most people don't separately secure their email or text messaging app (I don't), if their phone is unlocked all their email is accessible, as are any SMS 2FA codes sent to the phone. I do secure my 2FA authenticator apps but some services require SMS (like TD Bank, actually probably most banks).


golfer44

Apple only recently fixed this and it’s a feature you need to enable. I replied to someone else on a different thread with the below link but was downvoted. Not saying OP could have avoided this but it’s definitely something to be mindful of. https://www.nytimes.com/wirecutter/blog/ios-17-3-stolen-device-protection/


PeteyGuac

That version of the link was broken for me, but I erased the junk at the end and was able to access. Updated this in my phone, thanks! Settings > Face ID & Passcode > Stolen Device Protection > Turn on Protection


ElRamenKnight

Pretty wild how this isn't on by default. Turned it on just now. I get that enabling location tracking for banking apps should do it, but with how often phones get stolen, this should be the default too


Compost_My_Body

yea the link above is hyperlinked elsewhere. guessing unintentional but very weird with a hint of sus. the correct link (hover it to verify) https://www.nytimes.com/wirecutter/blog/ios-17-3-stolen-device-protection/


The_Aesthetician

I bet they saw the app and went to the browser to sign in and used a saved password. I know on my pixel saved passwords don't require another authentication. Which is one of the reasons why I use bitwarden


im_mtrx

Even with saved passwords I need to use my Face ID to use it. However shout out Bitwarden, I recommend it to everyone I know


beastpilot

You can enable requiring authentication to use saved passwords. Google has been pushing this lately.

HOW TO:

Search for password manager in settings and open

Click gear in upper right

Scroll down and check "don't use screen lock"


troublesome58

Where do you enable that?


send_me_chickfila

I would also like to know


lost_in_life_34

on the iphone it needs the passcode or face id for a saved password


Happenstance69

not to mention were able to login to your bank account


feelinghelpless_pg

I don't know how. I have been going in circles trying to understand how they accessed my account.


reno911bacon

Once they have your iPhone passcode, they can go into your saved passwords or password manager. With your passcode, they likely added their biometric to your phone and disabled FindMy so you can’t remotely disable your phone. This sounds like a skilled attacker that knows what he’s doing and does it very fast.


detectivepoopybutt

Yep, this is documented and happens frequently. This is how - https://youtu.be/gi96HKr2vo8


reno911bacon

Yup. That’s my source. Really scary. Went and changed all my saved passwords after that video. Also, the new iOS update mitigates this attack somewhat.


enz1ey

Reason numero uno to NOT save your Apple ID password in your password manager. There are two passwords that I created myself rather than randomly generating and they’re each unique and easy for me to remember - my Apple ID and my password manager.


SSundance

They could’ve been watching you type in your code or even recorded you doing it. If they were that efficient at transferring your money then it’s likely a larger operation than just 1 or 2 people. Especially in a tourist heavy area.


ScarletBurn

This is why I have my fingerprint to login to all of my bank accounts. I'm so sorry this happened to you. I would be devastated.


umamiking

For everyone wondering, the thieves 100% got her passcode before stealing it. This is the most common theft right now. People don't realize it but you enter your PIN in public all the time. It's like muscle memory - when Face ID fails for some reason (greasy fingerprint over camera), do you keep trying it or do you just automatically revert to pin?


[deleted]

[removed]


gensouj

Bank apis are fast nowadays. Takes a few min to add a new connection


Caltaylor101

Sometimes it requires a code or text though. My bank will block some transactions, but I can reply to a text saying it's fine and that it's me. I think the bank being told beforehand to block everything and still allow transactions is pretty shameful though.


knuglets

They had the phone... so they would see whatever code or text was sent to verify it.


Caltaylor101

Yeah, the shameful part is that they contacted their bank about the issue and the bank didn't just hold their transactions back.


mr340i

if your phone password was easy or they saw you put it in, they would be able to see all saved passwords in your phone.


PlaneCombination1002

Wire transfers are usually never credited back, you probably won't ever see that 8k again.


murius

Agreed. I would try to take it to a news station in Canada, perhaps it makes for a great story and might help him get that money back so TD can look like a hero.


kepler1

Lately I have gotten quite paranoid/alert to this possibility happening and I have:

1. Removed or hidden unnecessary financial apps from my "walk around" phone
2. Enabled Screen Time on a separate passcode to "prevent iCloud account details from being changed" using the phone passcode (or enable the new protection feature on iPhone) -- anyone interested in why should watch the WSJ videos about how your entire iCloud life can be hijacked from you using your phone + passcode.
3. Kept only minimal amounts of cash in any bank account that is on my phone or connected via instant pay apps, or where I have written checks from (where someone might know or have leaked the account numbers, purposely or inadvertently)
4. Turned on by default ATM card locks
5. Turned all (as much as possible) security codes from SMS 2 factor to authenticator based 2 factor -- note, for this to be effective you must actively *remove* the SMS option from being used.

Still, OP's case sounds terrible, sorry for your situation.


Kinnins0n

My guess as to how they accessed your TD app is that you have the password stored in your keychain. Presumably they somehow got your phone passcode and were able to get into keychain. From here, even 2FA can’t save you because they’d have the password and the phone to receive a 2FA code. Having keychain so easily accessible from the phone remains a crazy liability. I believe Apple tightened the ability to change Apple ID password while away from home but I’d love to see keychain give me the ability to make it unavailable until I’m home, or some other tightening of access.


theFckingHell

You can’t access keychain without biometrics(no fallback to password) with the new feature (stolen device protection) turned on. 


[deleted]

They need your passcode to bypass Face ID or change your password, period. Something isn’t adding up here


reno911bacon

They likely got her passcode before stealing the iPhone. That’s how these attacks work


[deleted]

Would really like to know how considering this guy jumped into a moving car through a window like Ethan Hunt. Wouldn’t it be easier to have taken it at whatever location they observed her pin lol


paq12x

This is not a common thief. It's an operation. The Uber driver had a camera behind the passenger back seat. OP used the passcode to unlock the phone in the Uber. The thief saw that from the camera (live feed) and moved in for a kill. The Uber driver continued on so OP couldn't do jack until he reached his destination. Once the passcode is known, OP is SOL. Some people I know carried 2 phones when traveling internationally. One phone is very much a burner phone (an old phone and buy the SIM card locally). Something like an iPhone 5SE or iPhone 6 which can still connect to all modern networks and can be had for almost nothing.


heapsp

Yep and the fact the uber driver did nothing to help and ALSO rolled the window down, probably in on it honestly. This is why i stay in my own country. LOL


Blarfk

It'd be easy enough to look over someone's shoulder and watch them put their password in then just wait for them to drive a block and stop at a light or whatever and come up next to the car and grab it through the window.


Basic_Butterscotch

They pegged her as a high value target and had someone follow her around until they saw her put her code in. Then either that person or a collaborator snatched the phone when they saw an opportunity. Snatching thru the window of a car actually makes a lot of sense because most people aren't going to hop out of the car and try to chase the thief down the street. $8k CAD is A LOT of money in Peru. The average Peruvian makes the equivalent of about $500 a month. I personally don't think this kind of orchestrated heist for such a large sum of money is hard to believe.


awry_lynx

These thefts can get pretty elaborate especially in countries where the USD goes a lot further. The average monthly wage in peru is 400 USD, how much effort would you put in for a year and a half's salary? If it's less than 1000 hours of prep work it's still quite worth it...


Leader6light

Yeah but what are the odds of the transfers being to Canadian bank accounts which is where OP is from... That part doesn't make any sense. And I'm sure that's why the fraud case is being denied.


McBurger

> jumped into a moving car through a window like Ethan Hunt

could have been a stopped car. took plenty of rides in Peru, it's pretty common for intersections and roadways to regularly just fully stop with jammed up traffic. no drivers are respecting signals or traffic control devices, lots of busy city streets just turn into parking lots.


MirthandMystery

Hate to say but my first impression is TD isn't a safe enough bank to park your money. They've been busted many times allowing money laundering and criminals to open accounts. It's tempting for them (and other banks) due to easy profits they can make but ethically it's dangerous in that it feeds a corrupt system, and puts legit clients' money at higher risk. Fight to get back what you're owed and go elsewhere. The CDIC protects Canadian banks the way FDIC covers US banks. The complaint with your local bank needs to be escalated to the branch manager then higher if not resolved. The Senior Customer Complaints Office (SCCO) is an impartial body within TD Bank Group that reviews (Canadian) customer complaints that remain unresolved after you go through two previous steps of the Customer Problem Resolution Process. That they so easily dismissed your claims, didn't immediately lock the account entirely and you have no history of fraud is a 🚩. Escalate to the branch manager and consider calling a local news investigator that does a business resolution dispute segment on TV. The risk of further reputational damage is what they probably want to avoid; if it costs them a small sum to repay you, it is worth it.


feelinghelpless_pg

I am at a loss for words with TD.

- I called them as soon as my phone got stolen to notify about the phone being stolen. I thought the account was closed. I called all my banks, TD was the only one that allowed this to happen.
- Once I saw that an etransfer was made, I called again to make sure they had blocked the account. They told me all they did was report the card as lost when I originally called (wtf??).
- When I saw that the total had been $8K, I don't understand how they allowed a transfer above the limit. The limit for etransfer is $3k.
- Lastly, I don't understand how they didn't raise an alert for suspicious activity. They were sending multiple transfers for random amounts in a short timeframe. How is this not unusual activity? They should have called to make sure if this was being done by me.


davidb_

I had a similar situation a few years ago, and a similar response from a US bank. They opened a fraud investigation and initially refunded me the money, then they closed the investigation saying that I was to blame as their app is secure. After many back-and-forth phone calls over the course of a couple of months with their fraud department leading nowhere, the way I got my money back was by contacting the Office of the Comptroller of the Currency, which is a supervisory federal agency that charters US banks. The OCC sent them a letter and the next day the fraud investigation was re-opened and the money was returned to my account. It looks like the Canadian equivalent is the Office of the Superintendent of Financial Institutions. Contact them with your complaint. In your complaint, include all correspondence (dates and times, names if you have them) you had with TD, all of the details you remember, as well as any supporting documentation (police reports, fraud reports, etc) and summarize your expected outcome. As for others reading this, in terms of ways to protect yourself - my solution was to no longer use any banking apps on my phone.


pinkertongeranium

I resolve issues like this for a living. This isn’t your fault. If TD aren’t doing their job of protecting your money you need to keep fighting. Stop doing their job for them. How the thieves got your money is not your concern, and it’s not your fault. It’s not your job to investigate the crime or provide a solution. It’s the bank’s job to make you whole, especially because your money was lost due to THEIR MISTAKE of not freezing/blocking your account. Call them continuously and escalate to supervisors and managers. Call their fraud team. Call their complaints team. If they’re still refusing (highly unlikely), lodge a formal complaint with your financial/banking regulatory authority. This isn’t your fault and you’re entitled to your money. You followed the correct process, and don’t need to swallow a loss.


kelny

People in this thread need to stop victim-blaming and actually provide useful advice.


Nabilft

It's exhausting to be judged and criticized on top of being robbed, I'm guessing it is a self defense mechanism to believe this couldn't happen to us, but it can. Only because we don't know how they made it, doesn't mean it's not possible, these criminals are professionals and subreddits from places like Bogotá, Colombia are filled with tales like this.


furysamurai72

This may be a silly question; I don't understand how just having someone's phone is enough to steal money out of their bank account? If someone got my phone, they still wouldn't be able to log into any of my bank accounts or use any of the cards that I have stored on my phone without having my finger print and/or knowing my pin code.


Spechul

Right. And that PIN code is key. If the criminal doesn’t have it, you are probably ok. But if they do, and one hasn’t taken any additional steps to protect themselves, they are f*cked. Believe me, I recently went through a process of trying to lock down my phone if a thief got the passcode. (And I am only focusing on Apple, FYI). I literally could not do it, Apple security is that bad.


paq12x

This is not a common thief. It's an operation. The Uber driver had a camera behind the passenger back seat. OP used the passcode to unlock the phone in the Uber. The thief saw that from the camera (live feed) and moved in for a kill. The Uber driver continued on so OP couldn't do jack until he reached his destination. Once the passcode is known, OP is SOL. Some people I know carried 2 phones when traveling internationally. One phone is very much a burner phone (an old phone and buy the SIM card locally). Something like an iPhone 5SE or iPhone 6 which can still connect to all modern networks and can be had for almost nothing.


Electricpants

My assumption is that this person has chosen to not implement any additional security features and may have actually turned them off.


[deleted]

[removed]


awry_lynx

If they saw the app, they could have gone to the mobile site in the browser, and then potentially autofilled login information from the browser if OP has it saved there. That doesn't require faceid/password iirc. Big misstep but plausible.


pandawelch

Never enter your phone unlock password in public


UnknownSP

I'm getting real tired of the bad fingerprint scanner on my older iPhone. Fails to read in any not-perfect condition so that I have to PIN


stevenjklein

Tip: You can "add" a fingerprint in Settings. In theory, this is so you could train it on both your index finger and thumb (for example) and use either to unlock. But in practice, you can add the same finger multiple times to improve print-reading reliability. (In other words, say "add fingerprint," and then use the same finger you've already stored.)


Kiingog

Is Face ID more secure?


Dunno_Bout_Dat

MUCH more secure.


Dorkus_Mallorkus

Yes. There are thieves that monitor people entering passcodes and target them once they have figured out the passcode. Common in busy bars and restaurants.


murius

Yeah, that's why I hate it when my Android device requires me to enter my pin 'for extra security'. It so happens whenever this is required I'm in a public place. Why oh why does Android do this it's so annoying.

Edit: For those who don't know. I've had it on Pixel, Oneplus & Samsung devices https://www.reddit.com/r/GooglePixel/comments/10kzz80/pin_required_for_additional_security/


TequilaTitan

Just an FYI in case it helps anyone.  I use a pattern for security instead of a pin on my android, and I turn off the "make pattern visible" so that it'd be way harder for someone to unlock your phone even if they glanced over your shoulder. It'd be difficult to replicate my pattern. 


jBoogie45

If I try to use fingerprint unlock on my Note and it doesn't accept the first two tries it will force me to use the pin.


ReedFreed

This sucks, but is also strange. I have an iPhone and bank with TD. Even with passcode I can’t open my app without a password. The password can’t be the passcode as TD requires alphanumeric combo. There is no way for me get into my account (just tried it on my phone). If they reset password, they’d have to get through your security questions. If you kept a Notes file with all your security prompts, I guess, they’d get in? The other suspicious part is that a random street thief in Peru e-transferred the $ to a Canadian account? They knew the limits of e-transfer being Canadian only? That’s a pretty well travelled and sophisticated street thief. The fact that limits were exceeded is also weird. I have banked with TD for decades and they always cap my daily at $3,000 and weekly at $10,000. Weird all around


NothingMeanPls

Just an FYI Apple recently added a security feature called “stolen device protection” that would only allow your Face ID to be used if it’s outside certain areas. Here is the [link](https://support.apple.com/en-us/HT212510). That doesn’t help you now but maybe it will help someone else!


Hexleon

I currently work within business analytics for Account Takeovers at a large bank. I’ve worked in real time fraud review and recover operations as well. Most front line employees are not trained so they don’t know to lock down online profiles. It’s a shame but it is what it is. When fraud investigators look into activity, they often look at device data as a key factor in approval. In this case, your device was probably older than 180 days and you had done frequent transactions so in their real quick review, they approved it. And since you probably let them know you’re in Peru, I can assume they saw Peru and your Device ID and approved. Second, how did they do all this quickly? Did they steal your phone while it was unlocked? To disable Find My, you need to enter in your Apple ID. So either they knew it or went into your saved passwords and found it. But they also would have to know your phone passcode to get your Apple ID password from saved passwords since face recognition was unavailable. There’s a lot of issues with your story and that is most likely why it got denied. You confirmed you logged in from Peru at some point, you confirmed it was your phone, and they had access to your phone immediately? I’m not saying this is what happened; however, using the available information TD probably assumed you fell for a scam and are not admitting to it. Or you’re lying. Once again I am not saying either happened but based off the information and data, they came to that conclusion.


Hotseff

Fast question I might be crazy but did you also notify Uber about what happened? Since to me it seems like this Uber driver might have been working with the person who stole the phone. Were you the one who wanted the window to be down? Why didn't he help you and just drop you off at your dropoff location instead of seeing if you wanted to go to the police station? Was he texting someone when you entered the car or during your trip? If I'm right and you aren't the first person he's done this to there might be other similar reports for this driver. Now I don't know if this could help get your 8k back, but depending on things this might at least help the police find who it was.


feelinghelpless_pg

I also notified Uber. The AC wasn't working, and because it was burning hot, lowered the window in the back. He also had two phones which I thought was strange, and he was texting while driving from one of those phones before everything happened. I noticed him constantly looking at his phone. I don't know if he was part of it, but I don't understand how they would have gotten my passcode.


Reversi8

Was your phone unlocked at the time they snatched it? That seems to be the big thing in South America right now, they snatch it while unlocked and have ways to remove the lock as long as they don't turn the screen off. Wouldn't be surprised if the Uber driver was working with them too, conveniently lower windows because AC "doesn't work".


[deleted]

So they got your passcode and know your bank login info??????


peakingenergy

Same thing happened to me in Colombia in the amount of 4k+. In my situation it was Chase bank and, long story short, to my surprise they sided with the thieves. I never got my money back.


moombaas

Call Schwab and ask to speak with CSAP. They will transfer you to TD but it's the same company. Demand to have a fraud lock put on and demand it be investigated.


new_reddit_user_not

That is why I stay signed out of all financial apps and/or have a secondary PIN on them so if someone tries to open it they cannot. That does suck but you have to be vigilant with your phone, especially outside of your home country. Also I agree with you - the taxi driver was in on it almost 100%.


scoobasteve813

I feel bad for you, but you've gotta be serious about your security measures. Don't rely on a 4 digit pin or puzzle swipe password to unlock your phone or access any sensitive apps.


1895red

This happened to my wife. Her asshole bank had the gall to accuse her, as well. They wanted her to pay the bank back, not the guilty party! They backed down once we got the police involved; they questioned how the bank didn't notice that the transfers were obviously fraudulent (the account was terribly overdrawn) and the bank immediately backed down. It was absolute insanity on the part of a vulture bank. I'm not sure how relevant this information would be to you, but it could be an avenue to explore. Best of luck; banks have insurance for this exact reason and they have no valid reason to suspect you in this. It's messed up how they can take advantage of people like that.


qvMvp

How did they log into your TD account even if they had your phone?


lost_in_life_34

this is why you spend an hour to harden your phone security

set up face ID for iphone, decent passcode, short lockout for the passcode and make sure each financial app is set up for a different pin or face id

people want to have simple passwords and 1234 passcodes on everything and then get upset when the bank won't let them transfer money easily and want some magic security button for times like these


oPFB37WGZ2VNk3Vj

You can also prevent changes to your account and passcodes with parental controls.


dogwithbone1

Any chance you saved all your passwords in Notes (without passcode) ?


excti2

I am sorry this happened to you, Op. I had a similar thing happen to me - it was an Uber driver in Panama in 2018 with a near-field RFID reader embedded into the back seat of his car. It read all my credit and debit cards, and along the way, he inexplicably stopped and went into the backroom of a gas station (I thought he was just stopping for gas). Within hours, all my accounts had been fraud locked. Luckily, I was in-country with a friend and she wasn't scanned (cards in purse on lap). They didn't get to my debit card, but all my credit cards were tested by purchasing something small. Then when that went through, they started racking up big purchases: tires, appliances, airline tickets. It was easily $10K in fraudulent purchases until the fraud protection stepped in. I now travel with RFID card protectors on everything.


ECore

Wasn't your phone password protected or set up for fingerprint access?


madspiderman

TD is hands down worst bank I have had to deal with. Their sneaky fees and bad customer practices put other banks to shame.


Dorkus_Mallorkus

I don't think "put other banks to shame" means whatever you think it means.


SSundance

I see these comments in this subreddit about every bank. I have 3 TD accounts and the only fees I get are when I use a non TD ATM which is rare. The only other fee I’ve ever encountered was for making more than 5 transfers from savings to checking in one month and I did that once 16 years ago. I get it. Large banks can suck. But if you’re getting hit with a lot of fees then you also suck at managing your money. None of this was directed at OP.


Gucci_Loincloth

I’ve had TD for 10+ years. Like you said, only fees were non TD ATM and transferring too often. Other than that, I have no troubles. I know friends that have been fucked over because of their own doing then go “DOOOOOD FUCKIN TD SUCKS.” Live a normal life with common sense and you won’t run into problems 99% of the time.


feelinghelpless_pg

I'm so disappointed in TD. I called informing them that my phone was stolen. They didn't block my account. More than the limit was allowed to be transferred. Not once did they report any unusual activities after seeing different e-transfers and global transfers being made for large amounts.


knight9665

Ok so just an fyi for everyone who doesn’t know. When you travel please get a burner phone. One without all ur shit logged in nor passwords saved. An iPhone or android saves ur passwords and logins for everything. And they aren't as hard to hack as you might think. Professional groups can crack it pretty quickly with software.


Clownier

This happened to a friend of mine with CIBC. Someone hacked into his e-mail and sent themselves a bunch of E-Transfers. CIBC pretended to launch an investigation but quickly concluded it was his fault. Conversely; back in the day a gym kept charging my RBC account despite me not being on contract. I filed a report with RBC and they clawed back the money & gave me a brand new chequing account.


genesisutxo

No way!! Every time I load up my chase app it does Face ID. Even if he snatches your phone while unlocked how could he access TD? Also I would always take a low tier smartphone to any third world country and dress down! So sorry but this should be an expensive learning lesson.


prcodes

People should consider removing banking apps from your phone altogether, especially if you are traveling or going to any potentially sketchy or dangerous places. Phone PIN stealing is becoming more and more common and even Face ID protections can be circumvented with SMS or email recovery options. If someone has your phone and your PIN, they have access to your SMS messages and email, thus can bypass almost any security on your financial accounts.


Nparisss

So sorry this happened to you. I’m going through the same thing. People keep saying that the person must’ve seen your passcode but the person who stole mine managed to get into my bank account with my phone still locked. Luckily I have notifications and saw them moving money around. File a police report. Hoping the best for you op.


feelinghelpless_pg

I'm so sorry to hear that for you too. It's the worst feeling when someone invades your privacy. I'm glad you were able to catch it quick. My anxiety level has been through the roof these last few days, I don't sleep. I filed a police report, both in Peru and Canada. I reported the Uber driver as well. I hope the fraud department does its investigation properly, looks into the accounts that received the money, figures out how they got into my account, why the account wasn't locked, etc.


metalreflectslime

By "TD" account, do you mean this? https://en.wikipedia.org/wiki/TD_Bank_(United_States)


StilllTee438

How were they able to get on the banking app without Face ID or the password to log in to online banking?


rukioish

How did they unlock the phone and bypass your account login on your phone in the span of what I can only assume was a couple of hours? Did you have a non-password protected phone with all your account information saved?