Scam going around getting Victims to sign up to Monzo

Didn’t know where to post this or anything. (Also a current Monzo Plus Member)

But Jim Browning has uploaded a video about Scammers getting Victims to sign up to Monzo accounts.

Video can be seen here: https://www.youtube.com/watch?v=wvqyIr-4jBk

Don’t know if Monzo/Other banks should implement something in their App during the sign-up Process to protect potential victims from fraud attempts.

6 Likes

Just came to post this video, hopefully the financial crime team sees this and can do something to help mitigate it.

The scammers seem to be using remote software to get onto the phones to watch the sign up, does that trigger an overlay? Maybe Monzo can try to detect if there’s an overlay during sign up.

1 Like

I tried to take a screenshot on iOS and Monzo and Nationwide just let me grab the screen (they have been obliterated). The only one that mitigated it was my Credit Union account where it detected that I took a screenshot and said it was in a protected environment and gave a blank screenshot in return. Guessing they must be using some form of DRM? Not too clued up on Apps etc.

Like you say though there must be some way of detecting a screen recording or Remote Access app running in the background on both platforms.

3 Likes

Been a while since I opened an account but I thought you only got the account details when you’d activated the card?

From what I remember I had my details before I had my card as I put a couple of quid in the account and swapped my wages straight into the account at the time. When I got the card I had to register my ATM Pin code and it was all tokyo agogo.

Don’t quote me on that though I may be wrong. It’s been a while.

Monzo are probably already aware of this. Just thought I’d create a topic to see if others were.

Correct, this is mostly used by apps like Netflix so you can’t screenshot or record copyrighted content.

Some privacy focused apps use the same techniques to protect their customers’ sensitive data too. I personally find it more of an overreach and an annoyance, rather than a protection. It’s often useful to take screenshots of my bank app to document a payment or a transfer to show a friend or family member.

There’s a middle ground to find here somewhere, but I would wager that’s down to the platform developers rather than the bank’s app developers. There’s probably work the bank themselves could do, for example block screenshots and screen recording in a context aware manner, but allow an in app option to share a transaction.

A bit of an issue with Monzo is they generate a lot of buzz from customers sharing screenshots and recordings of slick in app experiences that woo potential new customers.

I think the solution to this stuff stems far beyond banks too. Criminals as ever will continue to evolve whatever measures you throw up. So I think it’s important not to sacrifice convenience in the name of security, or more accurately, security theatre. It’s possible to establish a balance of both. It’s always going to be a game of cat and mouse either way.

Quick edit:

I did notice recently, in screen recordings, Monzo actually hides the keypad for pin stuff, so no one can see you enter your pin in the recording. I think that’s a good example that hits a nice medium here.

12 Likes

The question is why is our law enforcement not doing the same thing as this YouTube guy? This isn’t some kind of super-advanced scam, all it takes is to set up a few hundred phone numbers (which I’d expect carriers to be willing to provide, considering they are also affected by these scams) and paying agents to pose as potential victims to obtain as much info as possible and unravel the scams (at least collecting account numbers to get them shut down near-instantly with the cooperation of banks).

Question is, what exactly would defend against a scam where someone is literally being guided through signup?

This is an iOS feature if the input field is marked as sensitive!

Mostly because they already have a lot on their plate and borders on a form of entrapment that doesn’t hold up in court. Building a case and getting a conviction is a lot more work than just finding someone!

6 Likes

Yep. Was nice to discover Monzo actually utilise this, rather than blocking out the entire screen, or simply not blocking anything at all, like so many other apps seem to do instead.

Do Monzo do the same (or similar) thing on Android?

On mine the screen recording for the entire sign in is blacked out, however… When entering the pin you can see where I tapped on the screen as it shows a mark where the screen is pressed. Didn’t take a genius to then work out what the 4 digit PIN was

1 Like

See if my GIF thing worked, this isn’t my actual pin don’t worry.

2 Likes

Ah, that’s not great then. Perhaps more of an Android limitation that Google perhaps ought to address at the system level, so apps like Monzo can then utilise it.

I think there’s definitely more to do from the platform developers to mitigate these sorts of scams, or at least provide the tools for doing so to app developers. The captures shown in the video were from Android devices too, so I wonder if this particular scam is reliant on the more open nature of the Android platform.

Your GIF turned out better quality than what my script produces! :sweat_smile:

1 Like

I wonder what version of Android they’re running, mine’s running version 10 and it’s also EMUI on a Huawei phone.

Maybe they’ve got an older version or mine is tweaked slightly to function like that.

For the GIF I just found an app to turn a video into a GIF, tried to upload the video to forum but it said unsupported and gave me the file formats. Didn’t even know there was video to GIF convertors :rofl:

1 Like

Luckily never fallen for such a scam, but have fallen into a spiral of watching Jim Browning videos. Not all heroes wear tights

Thanks for sharing

Had fun demonstrating editing HTML elements on the fly to my bubble

3 Likes

Same here! Very interesting and informative videos. Definitely a YouTube channel I’ll be keeping up to date on now.

On the one hand, I’m glad it’s knowledge that’s being shared around to clue people into this stuff so it’s a less effective scam technique. On the other hand, it’s one of the few things I’m privy to that I use from time to time to prank my friends and family.

Editing the HTML code and then taking the screenshot stands up to scrutiny much better than photoshop. Even if you’re off just by a pixel, people always seem to notice.

1 Like

Up to now I’ve only used it for working around elements that obscure the screen, like annoying full page adverts on every Reach news site

Using it to edit bank transactions like that is wild and my brain had never envisaged that it could find such use in the wild

1 Like

Within settings (of Monzo on Android) you can turn this protection on and off. I keep mine on and on the rare occasion I need a screenshot turn it off, get the image and turn back on again.

2 Likes

Yeah the issue with that is, it’s not on by default. The average user won’t be delving into settings to turn it on either.

Can guarantee if it was switched on any scammers would just get the person at the other end to switch it off so they can then see what they need to.

True, as Steve Gibson puts it on Security Now, “the tyranny of the default”.

1 Like

A few thoughts:

  • Sobering to see this in action
  • But, in my view, irresponsible to record and publish. Has he got the permission of the victim to do this?
  • Even more irresponsible to call the victim and pretend to be from Monzo. That’s reinforcing all the bad behaviour of the scammers.

Really poor behaviour from someone who ought to know better, in my opinion.

Vigilantism on the streets is not in anyone’s interest. Nor should it be online.

3 Likes