São Paulo pickpockets are increasingly stealing people’s smartphones not to pawn off the device, but rather to gain access to their bank account.
That’s according to a report from Brazilian newspaper Folha de S.Paulo this week. As first spotted by 9to5Mac, the report claims this kind of theft has been going on since the early days of the pandemic, but now specialized gangs have adopted the tactic to empty users’ bank accounts, and it’s put local authorities on high alert.
It remains unclear exactly how these criminals are bypassing security measures for the phones and banks involved. According to São Paulo police chief Roberto Monteiro, they appear to target devices that have already been unlocked by the owner.
“Usually Waze users in the car with an Android smartphone are their main focus. Although breaking an iOS system is more difficult, they have also specialized in it,” he said, 9to5Mac reports.
Transfers are carried out overnight to avoid arousing the victims’ attention, he continued. In at least one case, criminals appear to have impersonated a victim after breaking into their email account and convinced their bank to transfer thousands of dollars to outside accounts.
While no official statistics have been released at this time, the problem is severe enough that the region’s consumer protection regulator Procon-SP has called on smartphone manufacturers and banks to improve their security measures.
“Procon has already learned about a gang of cell phone receivers whose main illegal business is not the resale of cell phones, but the defrauding of passwords for bank fraud. This is being done through an army of hackers,” said Procon-SP executive director Fernando Capez, according to a Google translation.
In some cases, banks have refused to refund the stolen money to victims, arguing that their security systems didn’t fail but rather the clients were negligent by not regularly updating their passwords, Folha de S.Paulo reports. However, clients have fiercely pushed back in these cases. One victim currently involved in a legal battle with the São Paulo-based bank Bradesco said she hadn’t slacked on updating her passwords and her phone was closed when thieves took it. Another victim claimed he had enabled facial recognition and token-based authentication on his phone when it was stolen.
The Brazilian Federation of Banks told the outlet it had no record of any breaches in bank applications. It added that in order for bank applications to be available to the public, usage data and customer passwords can never be stored by the app on the customers’ phones. In response to these incidents, Itaú Unibanco and Nubank, the largest financial institutions in Brazil and Latin America respectively, have said they regularly update their security systems and encouraged clients to keep their phones and banking apps up to date.