How to stay safe from shoulder surfing PIN thieves

Warning over shoulder surfing PIN thieves stealing information from smartphones – here’s how to stay safe

  • Thieves shoulder surf victims to see them entering PIN before stealing phone
  • They then unlock the mobile and gain access to apps and personal information 
  • It can result in entire bank balances or savings accounts being emptied

Britons who use smartphone banking apps are being warned about scammers who ‘shoulder surf’ to steal PINs.

Detective Superintendent John Roch of the Metropolitan Police says although the technology behind apps is secure, criminals are becoming better at exploiting human behaviour.

He said the exact number of people who have fallen victim to this fraud is unknown, but the Met has seen a sharp increase in this type of crime.

Scammers target unsuspecting victims not for the smartphone itself, but for access to the apps on it.

Shoulder surfing: Most people shield their PIN when at a cash machine – but they should now be doing it with their smartphones too

Thieves typically ‘shoulder surf’ victims to see their PIN before stealing the phone – often pickpocketing or snatching it.

They then unlock the mobile and gain access to apps and personal information on a victim’s phone that could result in entire bank balances or savings accounts being emptied.

Steve Gracey, from HSBC, said: ‘We are aware of reports of this happening.

‘There has always been a risk of people being shoulder-surfed when using an ATM, and people are now more conscious of shielding their PIN when withdrawing money.

‘As a result, the way these criminals work means that people should now be more conscious when entering a PIN or a pattern on their phone in a public place, even shielding it like they would when they use an ATM.’

Timo Salmi, of cyber security firm F-Secure, said: ‘Phones hold massive amounts of personal information, and apps for handling banking, and shopping with credentials already filled in ready for action.

‘A mobile phone is like a master key to our digital life, and all this is guarded by a simple access code. While most new devices offer biometric access controls like fingerprint or facial recognition, a PIN is often still used as a backup mechanism.’

In many cases, fraudsters only need a passcode as it’s common for people to store passwords to banking apps on their phone – often in notes, reminders or unprotected documents.

Anyone who re-uses the same passwords and PINs for all their apps and bank cards is at increased risk, according to experts.

‘One of the key risks related to online services is account takeover – when a fraudster takes control of an account and makes unauthorised changes,’ adds Salmi.

‘The risk is increased significantly by reuse of passwords in multiple services. Same applies to PINs.

‘There are far too many passwords and PINs to remember, so the likelihood of cutting corners is very high.’

Most smartphones now come with biometric security features, including facial recognition and fingerprint scanning, meaning many Britons can avoid typing in passcodes altogether.

Gracey adds: ‘We advise customers to use the phone’s biometrics when authorising payments in public and not to choose a device passcode that can be easily guessed.

‘If a phone is lost, contacting the bank is one of the first things people should do to protect their money.’

***
Read more at DailyMail.co.uk