DEAR SALLY:
My son, who is in his 20s, had his iPhone stolen on his way home earlier this year by two guys, one of whom told him he had a knife.
By 8.30am someone had hacked into his phone and taken out a loan with Halifax for £25,000. The loan was approved and issued by 11am and the money was transferred out of my son’s account and into someone else’s.
By 3pm my son managed to get hold of a new phone and SIM card, though he found he was locked out of his iCloud storage. When he eventually got into his Halifax account, he discovered what had happened.
After two hours on the Halifax helpline, he was told the loan application was legitimate and that he owed the money.
How could such a loan be taken out without an application form and proof of income?
The man on the phone said it was because it was an ‘online loan’. The case was closed, and my son has been told he must make the repayments.
Anon
Sally Hamilton replies: Some aspects of this case are likely to surprise and worry readers, as they did me.
On reading your letter, I was alarmed to learn about your son’s ordeal. It seemed to be an example of a growing type of phone crime, where gangs don’t just steal devices in the hope of selling them on for a few quid but see them as a source of greater riches.
Our phones are stuffed with personal information that can provide crooks with the keys they need to enter the owner’s online banking — potentially allowing them to raid their accounts.
You told me that after reporting the incident to Halifax you alerted the police, and within an hour an officer was at the door.
When your son logged on to his account the next day, he found a message from his bank stating he must pay more than £600 a month for 72 months to repay the loan.
Together you phoned Halifax. You said an operator explained that as the loan had passed your son’s phone and face ID security steps, the bank considered the application legitimate. It emerged that someone had phoned the bank at 8.32am and 11.05am that day to approve transactions made from the account.
I was mystified as to how your son’s phone could have provided such easy access to his bank account, especially as it required a PIN or facial recognition to operate it. A possible explanation was that, since your son said he had been on his phone at the time of the incident, the thieves could have retrieved useful data and acted before it locked itself.
To establish further how the robbers could have hijacked your son’s phone and find out why Halifax had turned down his claim, I asked the bank to reopen your case. To my astonishment, I learnt your son had suffered a fraud via another mobile phone — this time stolen from him while on a train last year. A ‘third party’ seemingly managed to log in to his banking app from Saudi Arabia and make a payment out of his account.
Just as with the later occasion, the fraudster had apparently made use of banking login and password information stored on the phone’s Notes app. Following this first incident, Halifax reimbursed your son (£260, you told me) and arranged for his login details to be changed.
Halifax explained it had declined your son’s second claim based on information it received when he first reported the problem and the ‘evidence’ held in its systems. At this point it had not been informed about police attending your home. Your son later updated Halifax and confirmed that his banking passwords were once again stored on the Notes app.
This offered a partial explanation as to how a crook could have tricked Halifax, but the mystery remains, as the loan application required additional financial information that apparently was not stored on the phone.
Halifax also says your son was unable to provide details of the police who interviewed him, nor was it able to validate the crime reference numbers provided. It does not feel it did anything wrong in turning down your son’s claim initially, but on reviewing the case it believes it could have intervened before the money was lost, due to the unusual pattern of activity on the account.
It has therefore decided to unwind the loan and remove it from your son’s record.
I’m left scratching my head, as I find it hard to believe that anyone could be careless enough to be robbed in this way twice — and Halifax obviously had its doubts, too. Had I known about the first incident at the outset, I might have had second thoughts about pursuing this case.
Halifax has told your son that storing login details on his phone is not a safe way to manage his security information, and should he experience a similar incident in the future, it says it may consider this gross negligence and decline to refund him.
A Halifax spokesman says: ‘We have a great deal of sympathy for our customer as the victim of theft. It’s important that customers let us know as soon as possible if their details have become compromised and provide us with accurate information when making a fraud claim.
‘We strongly advise against storing online banking login details on a phone.’
I hope this case will prompt all readers to be careful about what can be accessed on their phones.
Straight to the point
I had to cancel my British Airways holiday to Italy as my husband is due to have heart surgery. We paid a non-refundable deposit of £150 and a flight upgrade of £68. My request for a refund was denied and we do not have travel insurance.
A. D., Pinner.
BA apologises for your experience. It has issued you with a refund.
I dropped my tanzanite and diamond ring and the tanzanite cracked. A jeweller quoted me £5,510 for a like-for-like stone.
But Lloyds Bank, which dealt with the insurance claim for Saga, said it would pay only £2,268 for a repair. I asked to settle with cash, but Lloyds said it would give me only £1,452 less a £250 excess.
S. S., via email.
Lloyds Bank apologises and says it offered to either repair the ring or make a cash settlement. You chose a cash settlement and in these cases the amount is equal to the sum that repairs would cost the supplier.
My partner bought a car from an online dealership and the bonnet lever didn’t work. We reported it to the dealership, but soon the power outlet stopped working and a fault light appeared. The repairs still haven’t been made three months on.
D. P., Somerset.
The dealership apologises and has now repaired the car. Your partner has also been refunded her initial administration fee.
Last August I booked an Ambassador Cruise Line trip through Reader Offer LTD (ROL). I paid a £485 deposit in May but in the following weeks my wife passed away. I asked ROL if I could cancel the cruise, but it said it would not refund me.
R.W., via email.
ROL offers its condolences. Although you paid a non-refundable deposit and had not purchased travel insurance, ROL and Ambassador Cruise Line have agreed to return your deposit as a goodwill gesture.
Scamwatch
Households should beware scam emails that offer funding for solar panels, Action Fraud warns.
Recipients are asked to check their eligibility for funding to cover the upfront cost of installing solar panels.
But links in the email ask for personal and financial information that can be used by fraudsters. Clicking the links can also download malware onto a device.
Action Fraud has received 971 reports of the scam emails in just two weeks.
If you receive the email, do not click on the links. Forward it to report@phishing.gov.uk instead.