How to protect banking apps in case of cell phone theft

  • Bruno de Paula, a user of Nubank and Banco do Brasil, had his cell phone stolen and his accounts hacked. His story went viral on social media. In total, there were more than BRL 100,000 in losses.
  • According to the STJ, financial institutions must reimburse customers in case of theft and fraud
  • It is possible to make it as difficult as possible for thieves to access accounts. Some of the measures are to report the IMEI with the incident report, use ‘password vaults’ and avoid using Face ID and biometrics.

Bruno de Paula lived a real nightmare at the end of last month. After landing at Guarulhos airport on April 29, the talent agent took a taxi home. He left the car window open and pulled out his cell phone to order a delivery. It was at that moment that a criminal reached into the vehicle and stole the device, which was unlocked.

Beyond the scare of having an item stolen, Bruno had to live for a few days with a much greater terror: the thieves managed to access his banking applications at Nubank (NUBR33) and Banco do Brasil (BBAS3).

In Nubank’s ‘roxinho’ app alone, around R$ 27 thousand were withdrawn from the account through four payment slips: one for R$ 9 thousand and another three for R$ 5 thousand, R$ 8 thousand and R$ 4.9 thousand.

“It’s hard to explain the feeling, because there are so many things to solve that you don’t even know what to do. I reported it to Nubank, who did nothing,” said the talent agent, in posts on Twitter. “Nubank’s neglect was bizarre. If you look, everything was done within 3 minutes. How does the bank release this?”

Then Bruno called Banco do Brasil and asked them to block any transactions on the account. However, the next morning, he noticed that the scammers had taken out two loans and made two transfers (one of them scheduled) plus a Pix payment. In total, R$ 116 thousand in losses.

“The worst week of my life. It’s not about the money, it’s the despair, the fear, the trauma,” Bruno said. “It all happened on Friday (April 29) and I reported (the theft) right away. From Sunday to Monday, at exactly 00:00, my Pix limit was R$ 90 thousand. The guys scheduled it, they know about Nubank’s failure. How did they not cancel the order?”

Last Thursday (5), Bruno told the story on his Twitter profile. The outburst went viral and was commented on by at least 16,000 people.

Financial institutions contacted Bruno to refund the money on Friday (6). “And it’s not a question of ‘refunds made and now everything is fine’. It isn’t. During the week and now, I explained the serious flaws in the companies’ processes,” said the agent.

Banks must compensate for the loss

Faced with such a situation, reports similar to that of Bruno de Paula began to appear – some still without reimbursement from financial institutions. “I was lucky they got it fixed, but there are a lot of people desperate for an ounce of attention from the bank,” said the talent agent.

According to Guilherme Klafke, a researcher at the Center for Teaching and Research in Innovation at the Fundação Getulio Vargas Law School of São Paulo (FGV Direito SP), banks are obliged to refund amounts in the event of fraud, theft or coercion (when the criminal forces you to provide passwords, for example).

Súmula 479 of the Superior Court of Justice (STJ) states that ‘financial institutions are objectively liable for damages generated by internal fortuitous events related to fraud and crimes committed by third parties in the context of banking operations’.

“A Súmula is a statement that summarizes several precedents of the Court. And this one says that the bank is responsible for damages that happen because of its activity,” says Klafke. “The São Paulo Court of Justice has taken the view that it is the responsibility of banks to create security mechanisms (against fraud and theft).”

As soon as the cell phone is stolen, the financial institutions must be notified immediately. In addition, a police incident report is required. “If you communicated it to the bank, that is already a point that counts in your favor. If the transactions deviate from your spending pattern, that’s another point in the customer’s favor,” says Klafke.

How to secure apps

1- Set automatic screen lock

For Klafke, the watchwords are ‘prevent, buy time and act immediately’. In this first step, prevention, you need to set a time after which the cell phone automatically locks the screen. That way, it will be more difficult for the criminal to keep the device unlocked.

Alessandro Magalhães, Cybersecurity Manager at Mazars Digital, recommends that the maximum time for automatic locking be 30 seconds. “If the guy snatches it from a bike or while running, he won’t be touching the screen the whole time to keep it from locking. It is a protective factor, but it is not a guarantee.”

2- Know your IMEI and block the device remotely

The IMEI is an identification code unique to each mobile device, that is, it is like a ‘CPF’ (the Brazilian taxpayer ID) for the smartphone. You can find the code by dialing *#06#. In case of theft, the IMEI must be reported along with the incident report.

With the IMEI, it is possible to ask the carrier to block the device completely. This means that the device, in addition to no longer receiving or making calls, will no longer be able to connect to the internet or social networks.

3- ‘Vault’ apps

There are ‘vault’ applications where you can gather all financial apps (or other sensitive apps, such as SMS itself) in a kind of ‘folder’. To access this folder, you must enter a password. “This is a preventive measure, in case the user is robbed while the cell phone is unlocked,” says Klafke.

There are also apps that ‘hide’ apps. That is, bank accounts do not appear in the cell phone menu. “It’s a way to buy time,” explains Klafke. “A cell phone theft is a race against time between the user and the criminal.”

4- Different passwords or PINs

Whenever possible, the tip is to vary the passwords and PINs used in the applications. When you only have one, it’s much easier for the criminal to break into all the accounts. Magalhães also advises the use of ‘password vaults’. “There are several manufacturers. These are secure applications where you ‘keep’ all your passwords behind a single password. You use it on demand, and the user doesn’t even need to know all the passwords by heart, just the main one,” he says.

5- Specific email for password recovery

Another tip is to have a specific email account for password recovery. This email must not be logged in on your cell phone and should be kept on a separate device. That way, there is no risk of criminals changing your passwords through an email account open on your smartphone. “If the criminal has access to your email, he can do whatever he wants,” says Klafke.

6- Avoid Face ID and fingerprint

An important point is to avoid using facial or fingerprint recognition to log into banking apps. This is because some devices have weaknesses here: with the phone unlocked, it is possible to change the registered face or fingerprint.

“If someone takes the phone and changes the Face ID and biometrics, they can log into the accounts and make transactions. I do not advise using these features to automate the login,” says Magalhães.

7- Use multi-factor authentication

Multi-factor authentication (MFA) is an important feature for making it harder for criminals to gain access. With it, bank and brokerage applications require a second confirmation in addition to the password before they can be accessed. This confirmation can be via SMS, phone call or email. Keep in mind that a code sent by SMS to the stolen phone itself can be read by whoever holds it, which is why the SMS app is among those worth keeping inside a ‘vault’.

8- Lock the device via eSIM

Newer devices have an eSIM (a virtual SIM card). If your phone is stolen, you can remotely locate the device, lock or unlock it, and erase its data. The links to the pages that track via eSIM are:

“You buy the SIM subscription and synchronize it with your cell phone. If someone steals your cell phone, they can’t swap the SIM card, and as long as the device has battery, you can remotely erase the data through these pages,” says Magalhães.

The FGV researcher also sees this as an important resource, which should be used as soon as possible. “If my phone were stolen, I would go into the first store, ask to use the computer, open my ‘find my phone’ and lock the phone immediately. And you can even remotely delete apps,” says Klafke.