Major headaches with Revolut and N26 after phone got stolen

Revolut's model is based on the phone being in the possession of the customer. The model falls apart once the customer is not in possession of the phone. The customer can't easily contact Revolut to report card/phone theft. And Revolut maintains that fraudulent transactions by the thief are properly authorised because they were authorised in-app.

Contrast to the pillar banks who maintain 24 hour phone service whereby card theft can be reported, cards frozen, and chargebacks raised on fraudulent transactions.
 
> Contrast to the pillar banks who maintain 24 hour phone service whereby card theft can be reported, cards frozen, and chargebacks raised on fraudulent transactions.

But you need a phone and internet connection to do this. If you have access to a mobile phone, can you not log into Revolut and freeze your card? How many loops do you need to log in? Genuine question.
 
There is an excellent explainer video from the Wall Street Journal about how iPhones can be compromised. There seems to be always a step where the victim is observed or tricked into revealing their phone PIN.
With just the phone pin, thieves can reset the apple account password, recovery keys, get access to all your saved passwords for other accounts and lock you out of other devices.

Apple now have a feature called stolen device protection, which significantly increases the security here - but it's not enabled by default - everyone should though. It could literally save your (digital) life.
 
To make an Apple Pay transaction, you need the device, and either face/fingerprint or phone PIN confirmation (not card PIN).

The easiest security changes you can make are:
- have a long phone pin, definitely NOT just 4 digits
- only keep a small amount of money (next few days) in account linked to card - transfer in as needed from vault / deposit / space - that way your loss is at most the remaining money in your main account
- don't have all your cards in Apple Pay - just main spending card
- have a different pin / password for your banking apps - and DO NOT store this on your phone
 
> But you need a phone and internet connection to do this. If you have access to a mobile phone, can you not log into Revolut and freeze your card? How many loops do you need to log in? Genuine question.

In a theft situation, you can use a phone in a police station or hotel reception to phone the pillar banks, speak to a human, and freeze your cards. It's extremely difficult to phone a human in Revolut.
 
@dubliner8

I have been thinking about this and trying to figure it out. And I will put on my Ombudsman's hat. You might not like these questions, but they will help you in progressing your complaint.

You had your phone robbed.
They stole money from your Revolut account, your N26 account and your Bank of Ireland account.

So your case is not evidence of any weaker systems in Revolut than N26 or BoI. (They may have responded differently afterwards, but all three were affected.)

Phone security
The first thing that the thief has to do is to get into your phone.

1) Was your phone switched off when it was stolen?
2) Had you auto-switch off set on your phone?
3) If so, how long does your phone have to be idle for when it is switched off?
4) Was it picked from your pocket or was it lying on the table, switched on, beside you in a pub?
5) Was your phone pin easily guessable? For example 1234, your date of birth, etc.?

Google Pay/Banking security
1) How did they get into Google Pay?
2) They must have known your password?
3) Was your password for Google Pay the same as your password for your phone?
4) I presume you need only one password for Google Pay and that accesses all your cards? In other words, you don't need separate pins for all your different cards.

Look my response above was not solely extrapolating out my experience, it was also about the fraud where people say someone added a card to their google pay or apple pay and the other in app fraud.

I made serious changes after my pickpocketing so they should prevent this kind of thing happening again. I won't have my credit card attached to google pay, if I have Revolut/N26/Trade republic attached I will block one or two for a time or have a spend threshold (and will have online transactions turned off until I make an online transaction / use temporary card in Revolut for protection that way). I also don't have Revolut/N26/Boi/TR or any other financial apps on the phone I walk around with and I have a pin now on my email, but haven't seen a way to do that with SMS yet.

Out of all three bank cards I had attached to google pay and all three banking apps on phone, I feel Bank of Ireland was the safest. They would not have gotten in to the app and Bank of Ire tend to refund fraud. Revolut might be a bit safer than N26, as with N26 the password is saved so you just select saved password and you're in. Email account was not pin protected so they got access to N26 through forgot password and then did a top up there from BOI cc, although they should have faced a pin different to my phone pin they may have gotten access to change this with the forgot password and chatting to N26 perhaps. For the google pay transactions I'd have expected them to have had to enter a pin but maybe they looked over my shoulder inputting it. Yet Revolut is also digital first and phone first and it's all about making payments and doing financial stuff using the phone and probably for that reason and the way they flat out reject most fraud refunds, I'm not convinced that their app is safer or as safe as those of the non-digital first banks' apps and that they protect account holders' money in the first place.

[On your google pay question google pay goes with the phone pin being entered, not a pin of its own.]
 
> Apple now have a feature called stolen device protection, which significantly increases the security here - but it's not enabled by default - everyone should though. It could literally save your (digital) life.

I think that this is a very important message and bears repeating. Stolen Device protection substantially improves security and protection for iPhone users and should definitely be switched on.
 
> Look my response above was not solely extrapolating out my experience, it was also about the fraud where people say someone added a card to their google pay or apple pay and the other in app fraud.
>
> I made serious changes after my pickpocketing so they should prevent this kind of thing happening again. I won't have my credit card attached to google pay, if I have Revolut/N26/Trade republic attached I will block one or two for a time or have a spend threshold (and will have online transactions turned off until I make an online transaction / use temporary card in Revolut for protection that way). I also don't have Revolut/N26/Boi/TR or any other financial apps on the phone I walk around with and I have a pin now on my email, but haven't seen a way to do that with SMS yet.
>
> Out of all three bank cards I had attached to google pay and all three banking apps on phone, I feel Bank of Ireland was the safest. They would not have gotten in to the app and Bank of Ire tend to refund fraud. Revolut might be a bit safer than N26, as with N26 the password is saved so you just select saved password and you're in. Email account was not pin protected so they got access to N26 through forgot password and then did a top up there from BOI cc, although they should have faced a pin different to my phone pin they may have gotten access to change this with the forgot password and chatting to N26 perhaps. For the google pay transactions I'd have expected them to have had to enter a pin but maybe they looked over my shoulder inputting it. Yet Revolut is also digital first and phone first and it's all about making payments and doing financial stuff using the phone and probably for that reason and the way they flat out reject most fraud refunds, I'm not convinced that their app is safer or as safe as those of the non-digital first banks' apps and that they protect account holders' money in the first place.
>
> [On your google pay question google pay goes with the phone pin being entered, not a pin of its own.]

How do you click "saved password and you're in" on N26 app?
I see you can reset your password by clicking "forgot my password" and they ask for your "new password" and your "postcode".
I suppose postcode could be obtained from perusing your email correspondence.
If you've lost your phone / card N26 allow you to phone a foreign number to contact their "automated phone line". How does this work?
 
> How do you click "saved password and you're in" on N26 app?
> I see you can reset your password by clicking "forgot my password" and they ask for your "new password" and your "postcode".
> I suppose postcode could be obtained from perusing your email correspondence.
> If you've lost your phone / card N26 allow you to phone a foreign number to contact their "automated phone line". How does this work?

I don't think you can.
On an iPhone, you need to do biometric authentication to use the saved password in the app.

If you have the password saved in your keychain, then you could view those if you knew the PIN code of the phone.
But if you have stolen device protection enabled (and you really really should) - then the PIN can't unlock the keychain - only biometric can.

So all a thief could do is try to reset the password. I think the biggest security risk here is that the email associated with the N26 account might be going to your email app on the phone. Would be better to have a separate email account which you only log into from home for recovery purposes. Getting the postcode is probably trivial as you said, it's likely in many email receipts.
 
Android is getting an identical sounding security feature too - https://blog.google/products/android/android-theft-protection/
I don't know if Android devices are better now at getting big software upgrades, or if it's still mainly the Pixel phones.

> Increased authentication to protect you in case your PIN is known by a thief. When enabled, our new enhanced authentication will require biometrics for accessing and changing critical Google account and device settings, like changing your PIN, disabling theft protection or accessing Passkeys, from an untrusted location.
 
> Would be better to have a separate email account which you only log into from home for recovery purposes. Getting the postcode is probably trivial as you said, it's likely in many email receipts.

Use an app lock on all financial apps, settings, text email apps and indeed Google Play.

It's another layer of safety. If a thief gets into your phone for whatever reason he is then greeted with a request for fingerprint when he tries to access your bank app or email etc.

It's a minor inconvenience day to day for you the legitimate user having to use fingerprint to access hitherto free access to your own apps but worth it as thief will likely abandon attempt to access and steal.

The app is quite good and intuitive to use. Very likely similar for iPhone.

 
> How do you click "saved password and you're in" on N26 app?
> I see you can reset your password by clicking "forgot my password" and they ask for your "new password" and your "postcode".
> I suppose postcode could be obtained from perusing your email correspondence.
> If you've lost your phone / card N26 allow you to phone a foreign number to contact their "automated phone line". How does this work?

I was describing the log in process with the N26 app there, the password for the app is saved so you bring up the saved password and enter the app - you click on the app icon, click in the password field, the saved password comes up as an option to select, you select that saved password, you click on log in, and now you're in the app.
 
> I was describing the log in process with the N26 app there, the password for the app is saved so you bring up the saved password and enter the app - you click on the app icon, click in the password field, the saved password comes up as an option to select, you select that saved password, you click on log in, and now you're in the app.

I would never use a saved password on a banking app.
 
Just an update here re the Revolut transaction. Just off a call with the financial ombudsman. Revolut last week strangely put through a preliminary refund. They told the financial ombudsman that this was not provisional, it was final and would stand. They said the problem stemmed from one department not talking to the other at Revolut [edit, as in why they hadn't refunded back in April]
 
Another update here re the N26 transaction which was just over 300eur: they have now processed the chargeback this morning to my account. I had submitted my case to the Bundesbank, I had also quoted articles 70 to 72 from the payments directive https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32015L2366 and advised that these articles had been transposed into German law, although not sure this was necessary.
So now I have retrieved all the money that was taken back in April.
 
It is good that you got your money back but it seems to me that you had no protection on your phone to prevent the pickpockets from accessing your bank accounts. You never answered if you had a pin on your phone or had face recognition enabled or if your phone had an automatic lock enabled.

With face recognition enabled on my phone I rarely use a pin. My banking app, AIB also has Face ID enabled as does Revolut. So another added layer of protection.
 
> With face recognition enabled on my phone I rarely use a pin. My banking app, AIB also has Face ID enabled as does Revolut. So another added layer of protection.

On iPhone I now have FaceID/passcode enabled on all banking, email, and messaging apps.

It slows access down by about a second each time but I sleep easy as even if it’s snatched from my hand the thief won’t be able to access these apps.
 
> It is good that you got your money back but it seems to me that you had no protection on your phone to prevent the pickpockets from accessing your bank accounts. You never answered if you had a pin on your phone or had face recognition enabled or if your phone had an automatic lock enabled.
>
> With face recognition enabled on my phone I rarely use a pin. My banking app, AIB also has Face ID enabled as does Revolut. So another added layer of protection.

You do realise your comment is dripping with arrogant contempt?

My comment of 22/4 "Yes I would have thought they would face having to use a pin for each of the transactions or at some point. Not sure if they looked at me entering my phone pin and other pins."

With regards protection of the banking apps, Revolut was protected by the six digit pin, BOI by their pin, N26 had by far the weakest protection because you get in with a saved password - you don't have to enter a pin - but not having the N26 on my phone kills that now thankfully.

Also my comment of 22/4 "I don't know if the phone was in locked state or unlocked when they took it."
They may have snatched my phone from my hands or as I was putting it in my pocket while the phone was about to lock.

Seriously, you need to think of this from more than your narrow angle of you never being in this situation and your phone set up being perfect.

I wrote extensively on my experience, that I had a false sense of security with google pay and the likes. That it has been a wake up call and that consequently I have put in place the protection of not having banking apps on the phone I walk around with and managing spending limits on a daily basis for each card added to google pay.

You and others are obsessed with picking apart my phone entry set up as if everything is down to this and that it's so black and white. But it's not.
 