DEAR SALLY:
My son, who is in his 20s, had his iPhone stolen from his home earlier this year by two men, one of whom said he had a knife.
At 8:30 a.m. someone stole the phone and took the loan
with Halifax for £25,000. The loan was approved and issued at 11 am and the money was transferred out of my son’s account and into someone else’s account.
At 3pm my son was able to get hold of the phone and a new SIM card, although he found it locked out of iCloud storage. When he finally got into his Halifax account, he discovered what had happened.
After two hours on the Halifax helpline, he was told the loan application was valid and he owed the loan.
How can the loan be done without an application form and proof of income?
The person on the phone said it was because it was an ‘online loan’. The case is closed, and my son has been told that he will have to pay it back.
Anon
Sally Hamilton replied: Some aspects of this case may surprise and worry readers, as I did.
When I read your letter, I was shocked to understand the suffering of your son. It seems to be an example of a growing type of crime phone, where gangs do not just steal devices in the hope of selling them for a few quid but see them as a source of further wealth.
Our phone is loaded with personal information that can provide crooks with the same key they need to enter the owner’s online banking – potentially allowing them to raid the account.
You said that after reporting the incident to Halifax, you alerted the police, and within an hour an officer was at the door.
When your son logs into his account the next day, he finds a message from the bank saying he needs to pay more than £600 a month for 72 months to pay off the debt.
When you call Halifax. You said the operator explained that the loan has passed the child’s phone and face ID security measures, the bank considers the application valid. It appears that someone called the bank at 8:32 a.m. and 11:05 a.m. that day to approve transactions made from the account.
I’m confused as to how your child’s phone can provide easy access to a bank account, especially since it requires a PIN or facial recognition to operate. A possible explanation is that, since the son said he was on the phone when it happened, the thieves were able to take useful data and act before locking themselves.
To further determine how the robbers were able to hijack your son’s phone and find out why Halifax denied the claim, I am asking the bank to reopen your case. To my surprise, I found out that your son suffered fraud through another cell phone – this time it was stolen from him while on the train last year. A ‘third party’ appears to be able to log into the banking application from Saudi Arabia and make payments from the account.
Just like the next time, the fraudster has used the banking login and password information stored in the Phone Notes application. After this first incident, Halifax refunded your child (£260, you tell me) and arranged for his login details to be changed.
Halifax explained that they rejected your son’s second claim based on the information they received when they first reported the problem and the ‘evidence’ they had in the system. At this time, there is no news of the police attending your home. Your child later updates Halifax and confirms that their banking password is saved again in the Notes app.
This provides a partial explanation of how the crook managed to defraud Halifax, but the mystery remains, as the loan application requires additional financial information that is not stored on the phone.
Halifax also said her son could not provide any information about the police he interviewed, nor could he validate the crime reference number he was given. He didn’t feel guilty when he rejected his son’s claim at first, but when he looked into the case, he believed he could have intervened before the money disappeared, given the unusual pattern of activity in the account.
That’s why he decided to release the loan and remove it from his son’s record.
Hours after a mobile phone was seized by thieves, hackers took out a £25,000 loan.
I’m left scratching my head, because I find it hard to believe that anyone could be careless enough to be robbed in this way twice – and Halifax obviously has its doubts, too. If I had known about the first incident in the first place, I might have had second thoughts about pursuing this case.
Halifax has told his son that storing login details on the phone is not a safe way to manage security information, and should experience the same incident in the future, he said he can consider this gross negligence and refuse to refund.
A Halifax spokesman said: ‘We have great sympathy for our customers as victims of theft. It is important that customers are made aware that their details have been compromised and provide accurate information when making fraudulent claims.
‘We strongly advise against saving your online banking login details on your phone.’
I hope this case will guide all readers to be careful about what they can access on their phones.
Straight to the point
I had to cancel my British Airways holiday to Italy because my husband needed heart surgery. We paid a £150 non-refundable deposit and a £68 flight upgrade. My request for a refund was denied and we do not have travel insurance.
AD, Smart.
BA is sorry for your experience. Have issued you a refund.
I put the tanzanite and the diamond ring and the tanzanite cracked. A jeweler quoted me £5,510 for like-for-like stones.
But Lloyds Bank, which handles insurance claims for the Saga, said it would pay just £2,268 for repairs. I asked to settle with cash, but Lloyds said it would give me only £1,452 less £250 excess.
SS, via email.
Lloyds Bank apologizes and says it offers to either repair the ring or make a cash settlement. You choose a cash settlement and in this case the amount is equal to the amount that the repair will cost the supplier.
My partner bought a car from an online dealer and the bonnet lever didn’t work. We reported it to the dealer, but soon the outlet stopped and the fault light appeared. Repairs are still not completed for three months.
DP, Somerset.
The dealer apologized and has now fixed the car. Your partner has also been reimbursed for the initial administration fee.
Last August I booked an Ambassador Cruise Line trip through Reader Offer LTD (ROL). I paid a deposit of £485 in May but the following week my husband died. I asked ROL if I could cancel the cruise, but he said he would not refund me.
RW, via email.
ROL offered his condolences. Even if you have paid a non-refundable deposit and have not purchased travel insurance, ROL and Ambassador Cruise Line have agreed to refund your deposit as a goodwill gesture.
Scamwatch
Households should beware of scam emails offering financing for solar panels, Fraud Action warns.
Recipients are asked to check their eligibility for funding to cover the initial cost of installing solar panels.
But links in emails ask for personal and financial information that fraudsters can use. Clicking on links can also download malware to your device.
Action Fraud has received 971 email scam reports in just two weeks.
If you receive an email, do not click on the link. Continue to report@phishing.gov.uk to change.
Some of the links in this article may be affiliate links. If you click, we may earn a small commission. That helps us fund This Is Money, and keep it free to use. We do not write articles to promote products. We do not allow commercial relationships to affect our editorial independence.
