What are the downsides and risks of mobile phone thefts everyone faces by relying on mobile, digital, and contactless payments?

Like other global cities, mobile phone thefts have increased in London. Bands of criminals often target tourists and locals enjoying a night out to steal their phones. Most of the time, they resell the devices as soon as they get them due to their high resale value in the black market, limiting the potential loss to their victims. Increasingly, though, robbers maximize their earnings by making transactions with the phone’s digital wallet and contactless abilities or transferring funds from their victim’s banking apps to third-party accounts.

A experience in first person

"As I was walking back to Soho from a concert in London last October, at around 1:10 am, a young man approached me and said, “How’s it going, mate? All good?” While he spoke, I felt his hand getting close to the chest pocket of my rain jacket. I got scared, thinking he had a knife or gun, and walked away. Seconds later, I noticed my iPhone was gone. Then, in December, two days before I traveled back to Mexico, I was waiting for an Uber outside of a cocktail bar in Soho at 1 am. A young man grabbed me by the arm, hit me repeatedly in the arms and legs, and took my phone and my wallet."

Digital payments, ubiquitous as they are, are praised for being seamless and frictionless. Mobile wallets and banking apps are supposed to make our lives easier, making cash nearly redundant. Some – including Björn Ulvaeus, former ABBA singer and co-author of Money, Money, Money, or Harvard Professor Kenneth Rogoff, author of The Curse of Cash –  argue that abolishing cash would eliminate or reduce criminal activity. Consumers in developed nations have all but stopped carrying banknotes, thinking they are safer using their phones to pay for every transaction. However convenient they might be, digital payments increase the risk of losing more funds than a person’s cash.

"After the shock and adrenaline dissipated, both incidents showed me how vulnerable customers are when they lose their mobile phones. (...)"

Tracking the Stolen iPhones and Securing Access to My iCloud Account

"In October, I thought I could have dropped my phone on the street, hoping for the best. I geolocated it using another device. The iPhone’s last location was where the thief intercepted me. Ten minutes later, the location changed to a backyard in the block in front of my hotel. That was when I realized the man was a pickpocketer. The hotel employees called the police from the lobby. They told me another guest had his phone stolen mere days before.

While I called the police, some passers talked to the hotel employees. Two had their phones stolen while I was talking on the phone. The employees showed me the video feed from the front door camera. We witnessed how the thieves exploit the camera’s blind spots: their faces never appear in the recording.

The police operator recommended I erase the device remotely as soon as possible since the thieves could make transactions and transfers if they knew my Apple passcode. That was not the case then. In December, I returned to my hotel and erased the device remotely. After erasing a device, apple sends an email notifying the user that the iPhone’s mobile wallet has been disabled and that no payments can go through. However, I still had to call my banks and credit card issuers to cancel payment cards and report fraudulent transactions. The problem got compounded as I had banking apps and digital cards from the United States, the United Kingdom, and Mexico.

In October, the Apple Store employee said many customers had told her they bought new phones after being pickpocketed. I insured the new phone but AIG took nearly three weeks to process the claim after the December robbery to ship the phone to my friend Alejandro Rubio’s house in Oxford. In October, Lebara shipped a new SIM with expedited delivery, but it arrived late due to Royal Mail’s staff shortages in the Oxford area. In December, I could not get a new phone or a SIM in time to travel back to Mexico: there was no time before the flight and I had lost my HSBC debit card."

Banking Apps

HSBC U.K.

"I called HSBC U.K. first as my primary account. In October, The HSBC executive deactivated the digital card in my Apple wallet and confirmed the thieves made no transactions. He froze my physical debit card, too, which entailed a one-hour-long call to reactivate it to pay for a new phone at the Apple Store. In December, the bank executive repeated the procedure, told me there had been three transactions, each for less than the 100-pound limit to contactless payments, and refunded them.

I could not make the HSBC app work on a new phone, though, as activating it required double verification through an SMS message sent to my old phone. That took the best of a week. Had I changed to a new phone number, HSBC would have restricted my mobile and online banking for five working days, a standard procedure to protect customers from fraud.

For the robbery in December, I had to wait until I returned to the United Kingdom in late February to recover my SIM card. HSBC offered to help me make payments through their phone banking channel. However, this entailed getting the new debit card number, which was only possible with the providential help of my friend Alejandro, who went to my house and took pictures of my new debit card number. Had it not been for him, I would have been unable to pay my Oxford rent or transfer funds to my Mexico bank accounts."

Monzo U.K.

"I employ Wise and Revolut multicurrency accounts to make international transfers. They were both safe. I reestablished access easily, as the mobile phone associated with them is a Google number, which I can access through the Google Voice website and app. My Monzo account was secure, and recovering it was relatively straightforward. Monzo validated my identity after I recorded a video message.

In January, I called HSBC to pay the rent and transfer funds to my Monzo account. From Monzo, I transferred funds to Mexico via Wise. The process took longer than expected, as Monzo’s systems flagged the transaction as suspicious. This digital bank refused to make the transfer at first; it asked me to validate my identity, and after a while, it processed the transaction after a second try."

BBVA Mexico

"Most annoyingly, I was unable to use my BBVA app, my main bank account, during my stay in Mexico. Telcel deactivated my cell phone number shortly after I moved to the United Kingdom. While in Mexico, I withdrew funds from my BBVA debit account and paid most of my expenses with cash. To make interbank transfers, I relied on Hey and Spin, digital debit cards issued by Banregio and Oxxo, respectively.

While I could still use the BBVA physical debit and credit cards, I could not make transfers or online transactions, as the bank expected users to access the app and provide data from a digital card to prevent fraud. The app crashed whenever I tried reactivating my BBVA app with a new phone number.

After multiple visits to the bank branch, phone calls to BBVA’s customer service line, and direct messages on Twitter, a patient employee at the branch went with me through every step of the onboarding process. It turned out that I had to e-sign a PDF document hidden within the registration form to complete the onboarding."

Credit Cards

U.S. Apple Card

"I did not need to freeze or cancel my Apple Card as Apple deleted it from the stolen phones. Thus, the thieves could not make transactions with it. However, Apple and Goldman Sachs assume their users will always have an iPhone to freeze the card or pay their balances. Apple advises customers to call the U.S. customer service line to freeze or cancel the card and flag any fraudulent transactions. By default, the card will charge users the entire balance at the end of the month. Customers are expected to get a new phone as soon as possible or call the issuer to pay a different amount.

The above was fine in October, as I got a new iPhone immediately. After the robbery in December, I had to wait until I got to Mexico. I had given an iPhone 12 to my friend and colleague Gustavo Del Ángel (CIDE and a member of CashEssentials’ academic network) in April, seeing that I did not need it. Gustavo gave it to my parents when he went back to Mexico. Once I got to Mexico on December 18, I used that phone and signed on to iCloud, and I could use my Apple Wallet to pay the card balance."

American Express Mexico

"Out of precaution, I removed my American Express Aeromexico Rewards credit card from my Apple wallet when I moved to the United Kingdom. This meant I did not have to worry about it in October. However, I carried the physical card in my wallet in December. As with the HSBC UK’s debit card, the thieves made several transactions under the 100-pound contactless limit. American Express refunded them and issued a new card. It arrived two days after I landed in Mexico City."

QR Payments and Mobility Cards

"The theft in October took place mere steps away from my hotel so that I could walk there safely. Did the Uber arrive to pick me up in December? I vaguely remember that it did, and he left hurriedly, not wanting to get involved in an active crime scene. Other people leaving the cocktail bar also hurried away. When the robber left me, I stopped a cab and explained the situation. I told him I could transfer funds to pay for my ride when I returned to Oxford. “Hop on; this ride is on me. I want you to be safe; I will take you to your hotel,” he said graciously. His empathy saved me from having to walk after the episode.

After both robberies, I had to figure out how to return to Oxford without the Trainline app’s digital tickets on my Apple Wallet. Luckily, I could retrieve the digital tickets using my tablet. I had no trouble using the Tube in October, as I had a physical Oyster card with funds. In December, however, I could not pay for my fare. At King’s Cross police station, the woman who filed my crime report wrote a note requesting all transportation providers to let me travel for free, as I had been a crime victim. I did not think it would work, but when I showed it to the London underground employees and the Oxford bus driver, they let me in, no questions asked, and said they were sorry for what I had gone through.

On my way to Heathrow on December 17, I booked a ticket for The Airline bus using my tablet. The  Gloucester Square bus station’s WiFi did not work. Alejandro gave me access to his phone’s data, but another problem arose. The QR reader on the bus was too small to read the QR on my iPad. Luckily, our friend Tony Lorenzo took a picture of the QR with his mobile phone, and that worked, preventing me from paying twice for the same bus trip to the airport."

Lessons Learned

"After having my phone robbed in October, I removed all unnecessary cards from my new device. I downloaded my banking apps to my iPad and ensured I could also access them on my computer. I also decided always to carry cash in my wallet. My risk planning did not account for having my phone and my purse robbed at the same time, mere days before an international flight. I will keep two phones when I return to the United Kingdom in late February. The one I carry with me will only have Monzo for daily payments; the other will have my banking apps and never leave my house.

I will also carry extra cash in my shoe, something I did in Mexico City before I moved to New York City in 2011. Then and now, cash is my ultimate safeguard against petty crime. I might be an outlier regarding how many financial entities I deal with, but the issue remains. The multiplication of payment options reduces interoperability and ease of use. Digital payments are convenient until they are not. Then, they become a nightmare."

Manuel A. Bautista-González.

MONFIN researcher

---

This was originally post on Cash Essentials:

Bautista-González. Manuel A. (February 20th, 2023) "Stolen iPhones and Digital Payments (I)” (https://cashessentials.org/stolen-iphones-and-digital-payments-i/ )

Bautista-González. Manuel A. (March 4th, 2023) "Stolen iPhones and Digital Payments (II)” (https://cashessentials.org/stolen-iphones-and-digital-payments-ii/ )