
Verification password scam: what is it, and how to stay safe

Earlier this year, members of gyms in London were targeted by a theft-and-fraud scheme that left victims thousands of pounds out of pocket. Although the banks originally blamed the victims for sharing their card details or PIN, it later emerged that the thief was using a verification password (one-time password) scam to take over their accounts.

The gym phone thefts: how did they happen?

At the end of August, one victim tweeted about having her phone and bank cards stolen from her gym locker while she was exercising.

Having taken her bank cards and smartphone, the thief spent a total of £8,000 before the card was frozen. The thief managed to get into her online banking, transfer money out of her savings account and into her current account, and then use her bank card and PIN in a number of stores in London.

Santander initially suggested that the victim had written her PIN on the back of her bank card, or shared it with friends and family, but eventually conceded that this was not the case and reimbursed her.

At the time of writing, at least seven victims have come forward with similar experiences; all were users of VirginActive gyms, and the fraudulent purchases were made at the same stores in London.

What do these thefts tell us about security?

There are a number of interesting aspects to this theft that point to weaknesses in how smartphones are used for banking. According to BBC News, once the thief has the phone and the bank card, they can use their own device to register for online banking: the bank sends a one-time password (OTP) by text message to the mobile number on the account. This is a form of two-factor authentication (2FA), where two separate pieces of evidence are required to access an account. In this case the two pieces are the bank card details and the code sent to the stolen phone. Both are things the customer has, and both were in the same locker.

The bank recognises that the device is new and sends a code to the stolen phone. The thief reads that code and uses it to register the banking app on their own device. Money can then be moved from a savings account into a current account. Once the thief is into the account, they can even request an instant reminder of the card's PIN. This feature is available in a number of banking apps, including Santander, Barclays, Lloyds and HSBC.

These thefts show the impact of two serious weaknesses. First, two-factor authentication adds almost no protection when the thief holds both the smartphone and the bank card, because the "two factors" are then two stolen possessions rather than independent checks. Second, the PIN reminder feature in many banking apps turns possession of the card and the phone into knowledge of the PIN, so the thief can spend in shops as well as move money online.
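To make the factor-counting point concrete, here is a small Python model of the new-device enrolment and step-up checks described above. It is an added example, not code from the original post and not any bank's real logic; the policy names, the "possession"/"knowledge" labels, the 24-hour cool-off window and the sample credentials are all assumptions chosen for illustration. It replays the thief's sequence (card plus SMS code, then a PIN reminder and a transfer) against the flow the post describes and against a hardened policy that insists the evidence spans two different kinds of factor.

```python
"""Hypothetical model of new-device enrolment in a banking app.

Added example: not the original post's code and not any bank's real
logic. Policies, factor labels and the cool-off window are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Credential:
    name: str
    kind: str  # "possession" (something you have) or "knowledge" (something you know)


# Constructed sample: what the thief holds after emptying the locker.
CARD = Credential("card_details", "possession")      # details printed on the card
SMS_OTP = Credential("sms_otp", "possession")        # read from the lock screen
# What the thief does NOT hold: a secret only the customer knows.
ONLINE_PASSWORD = Credential("online_banking_password", "knowledge")

HIGH_RISK = {"pin_reminder", "transfer_from_savings"}
COOL_OFF = timedelta(hours=24)  # assumed window after a new device is enrolled


def factor_kinds(creds):
    """Distinct factor kinds presented. Card + SMS code stolen from the
    same locker are both 'possession', so together they count as one kind."""
    return {c.kind for c in creds}


def enrol_device(policy, creds, now):
    """Try to register a new device. Returns an enrolment record or None."""
    names = {c.name for c in creds}
    has_card_and_otp = {"card_details", "sms_otp"} <= names
    if policy == "card_plus_otp":      # the flow the post describes
        ok = has_card_and_otp
    elif policy == "two_kinds":        # hardened: evidence must span two kinds
        ok = has_card_and_otp and len(factor_kinds(creds)) >= 2
    else:
        raise ValueError(f"unknown policy {policy!r}")
    return {"enrolled_at": now} if ok else None


def authorise(policy, enrolment, action, creds, now):
    """Decide whether an enrolled device may perform `action`."""
    if enrolment is None:
        return False
    if policy == "card_plus_otp":
        return True  # once enrolled, everything is allowed immediately
    if action in HIGH_RISK:
        # Hardened: refuse high-risk actions during the cool-off after a new
        # device appears, and afterwards require the knowledge factor again.
        if now - enrolment["enrolled_at"] < COOL_OFF:
            return False
        return "knowledge" in factor_kinds(creds)
    return True


def thief_run(policy, now=datetime(2024, 8, 30, 18, 0)):
    """Replay the post's sequence using only the two stolen items."""
    stolen = [CARD, SMS_OTP]
    enr = enrol_device(policy, stolen, now)
    later = now + timedelta(minutes=5)
    return {
        "enrolled": enr is not None,
        "pin_reminder": authorise(policy, enr, "pin_reminder", stolen, later),
        "transfer": authorise(policy, enr, "transfer_from_savings", stolen, later),
    }


def customer_run(policy, now=datetime(2024, 8, 30, 18, 0)):
    """A genuine customer on a new phone, who also knows the password."""
    everything = [CARD, SMS_OTP, ONLINE_PASSWORD]
    enr = enrol_device(policy, everything, now)
    return {
        "enrolled": enr is not None,
        "pin_reminder_same_day": authorise(policy, enr, "pin_reminder", everything, now + timedelta(hours=1)),
        "pin_reminder_next_day": authorise(policy, enr, "pin_reminder", [ONLINE_PASSWORD], now + COOL_OFF),
        "balance": authorise(policy, enr, "view_balance", [], now),
    }


if __name__ == "__main__":
    for policy in ("card_plus_otp", "two_kinds"):
        print(policy, "thief:", thief_run(policy))
        print(policy, "customer:", customer_run(policy))
```

Under the `card_plus_otp` policy the thief is enrolled and both high-risk actions succeed within minutes, exactly as in the reported cases. Under `two_kinds` the enrolment fails because every credential the thief holds is a possession, and even a genuine customer on a new phone cannot pull a PIN reminder until the cool-off has passed. The cool-off is a blunt instrument and would annoy real customers; the point is that what gets counted as a "factor" and what a freshly enrolled device is trusted to do are both policy decisions.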

How can you stay safe?

Although this scam is a sophisticated one, there are a couple of things you can do to reduce the risk of falling victim to this kind of theft.

  • Turn off message previews

    In this case, two-factor authentication is thought to have been bypassed through the message previews feature. Although the thief did not have the passcode to the victim's phone, they could read the one-time password when the text message appeared on the lock screen. If you turn off message previews on the lock screen, the code is only shown once the phone has been unlocked, so a thief holding a locked phone cannot read it. On iPhone this is under Settings > Notifications > Show Previews > When Unlocked; on Android the wording varies by manufacturer, but look for the lock screen notification setting that hides sensitive content until the phone is unlocked. Bear in mind that this does not help if the thief can unlock the phone, or can move an unprotected SIM into a handset of their own and receive the text there, so set a SIM PIN as well.

  • Separate your phone and bank card

    The reason this scam was so effective is that the victim's smartphone and bank card were stored in the same locker, so a single theft handed the thief both "factors". Where possible, keep your bank cards and your smartphone apart, so that losing one does not mean losing both.

Tweet us @TranscenditUK
