Radovan's Blog

Payments with Stolen Phone

My phone got stolen, which caused all kinds of trouble. The thief managed to make wireless payments with the phone. How he was able to do that remains a mystery.

The theft was a pickpocket job. It took some time until I realized that my phone was stolen. Luckily, I was not traveling alone, therefore I could borrow a phone to quickly contact my banks and company to lock out all access. However, it turned out it was already a bit late. I had my phone set up for contactless payments, and a significant sum of money was already gone.

My phone was locked at the time it was stolen. I'm not sure about many details of the events that happened; I'm not even sure when exactly the phone was stolen. However, I'm very confident it was locked. I'm always explicitly locking the phone by pressing the lock button. I always press the button when I put the phone in my pocket, I'm pressing the button even if I put the phone on a table in front of me, I'm pressing the button even when I'm at home alone. It is automatic. The phone was locked.

My phone was a Fairphone 6 running Murena /e/OS. My phone was set up for biometric (fingerprint) unlock and PIN unlock. The PIN was non-trivial. There was additional biometric confirmation of payments in the payment app itself. The payments were authorized minutes after the theft (my best guess, as I do not know when exactly the phone was stolen).

How was the thief able to make substantial payments with a locked phone in such a short time? I thought that this was very unlikely, yet it happened. I'm considering several possibilities:

  • The thief might be able to break biometric authentication. Certainly, a fingerprint lock is far from being perfect. Obviously, my fingerprints must have been all around the phone. I'm aware of methods that might have been used to open the lock in several ways, involving powders, image processing, latex and so on. However, these methods looked like hours of tedious work with uncertain results. I was not aware that a phone fingerprint lock can be broken in minutes.
  • The thief could have seen my PIN. My PIN was not trivial, yet, in retrospect, the thief might have been able to guess it if they saw me entering it into my phone. This would explain a lot. The only problem with this theory is that I do not recall entering the unlock PIN into my phone that day at all. I never unlock the phone with the PIN unless the phone explicitly prompts me to; I use the fingerprint all the time. My memory may be deceiving me, but I believe that it is unlikely that the thief could have seen my PIN.
  • The thief might be able to make payments with a locked phone. I do not think I had my phone set up to allow this. However, security settings of the phone and payment apps can be confusing. I know. I have a habit of looking through the settings of any new app that I install. It is kind of an obsession of an old software engineer. I'm sure I did look through all the settings of both the phone and the app, and I would not consciously leave any channel for unauthenticated payments open. There is a possibility that the settings might have changed since I enrolled for mobile payments, or I might have overlooked something. Of course, there is also a possibility that the app or phone might be vulnerable, or that such payments might be allowed "by design" (as in "this is not a bug, it is a feature").
  • Then there are exotic possibilities. The thief might be able to unlock the phone using USB debugging (which I did not enable). They might have booted a different OS to read the data (I had not rooted the phone nor unlocked the bootloader, I bought it from Murena with /e/OS pre-installed). There might have been a vulnerability in the phone OS (which I keep upgraded all the time). Honestly, I do not think any of this happened.

It is a mystery. I cannot really explain what happened. It should not be possible, yet it happened. When I got home and changed all my passwords all around the Internet, I contacted all involved parties:

  • I have contacted my bank, reporting fraudulent transactions. The bank did not really care about any technical details.
  • I have contacted the provider of the payment application, reporting the transactions. They asked me about the circumstances of the event in a very bureaucratic manner. I have expressed my concerns about the security of the payments, yet I got the impression that they were largely ignoring my concerns.
  • I have contacted Murena, where I purchased my phone. Their response was quick and truly fantastic. Even though it looks like I was the first to report this, they were concerned and reacted appropriately. We have discussed the circumstances, including technical details and possible scenarios. The details of my particular incident remain mysterious. However, I got the impression that my problem was not ignored, and that they are going to follow up on the investigation.

There is kind of a happy end to this story. The fraudulent payments were rolled back and refunded. I got lucky this time. However, my concerns regarding security of mobile payments remain. I still do not know what happened, and it looks like I will never find out. My phone is gone, no way to learn anything there. The bank and the payment provider are obviously not inclined to share any more details. This route seems to be closed.

Although I do not know what happened, I have an impression that this experience is a consequence of the overall approach taken by the fintech and mobile industry. I think that fintech is motivated to trade off security for convenience. Easier access to payments means higher revenues for fintech. Of course, there is an increased risk when convenience takes precedence over security. However, the risk could be easily "mitigated" by shifting it over to the consumers. I was lucky, the transactions were refunded in my case. Will I be so lucky next time? I do not know. What I know for sure is that I'm not going to risk it again. I've got a brand new Murena Fairphone now, all applications re-installed and ready to go. All except one. I'm not going to risk mobile payments again.

Stolen Phone

It finally happened. My phone got stolen, and it caused all kinds of trouble, even more than I had expected.

The theft was not a big surprise. I have been dealing with cybersecurity-related topics for more than 30 years. I knew that this could happen. Being in cybersecurity for such a long time, I thought that I was prepared for it reasonably well. I was not.

It was a pickpocket job. It happened on my way home from a weekend trip, shortly before boarding a shuttle to the airport. It took me some time before I realized that my phone was gone. Luckily, I was not traveling alone, therefore I could borrow a phone to quickly contact my banks and company to lock out all access. However, it turned out it was already a bit late. I had my phone set up for contactless payments, and a significant sum of money was already gone (which I did not know at the time).

Fortunately, the thief was just after the quick money. However, I realized how exposed I could have been if the thief was better skilled or motivated. I had no access to company email or files from the phone, and I contacted my colleagues to disable my access very quickly, to be on the safe side. However, the phone had access to a lot of personal stuff, social network accounts, personal email, chat applications, transport apps, etc. There is an application for everything these days, and I had a lot of them on my phone.

I have a unique random password in each application. There is not much I could have done to secure my online presence until I got access to my password manager. In fact, I was relatively lucky that my phone was klepped on my way back home. I got home a few hours later, and I started to change my passwords and disable app access one by one. It felt like I changed passwords all over the Internet that night. However, it scares me a bit to think what I would have done if the phone was stolen on a longer trip, especially if I'm traveling alone. That surely made me re-think some things.

I'm safe again now, as much as I could be anyway. I thought about writing down a list for my future self (and also for others), while my experience is still fresh. Here is a list of preventive measures, as well as post-incident reactions when a phone gets stolen. I hope this helps.

Even though I'm safe now, there are still several questions that this experience opened, and I have no answers to them. One of the questions is the problem of the payments. My phone was locked, how were these payments even possible? It is a bit of a mystery. Stay tuned, more on that later.

If Only Could AI be Secure

I keep reading things like this all the time: "AI would be such a marvelous efficiency boost, if only it could be made secure."

If only it can be made secure. It is not only. It is not just. Securing AI is a huge problem. It may easily turn out that securing an LLM is much more complex than creating an LLM in the first place. It is like trying to secure a 3-year-old with a few boxes of matches, playing in a haystack.

The usual answer of the AI folk is "guardrails". However, it is like trying to secure that 3-year-old in a haystack by having five more 3-year-old kids to watch over him.

MCP gateways and "human in the loop" approaches are just shifting the problem from the vendor to the user, without really solving it. These are mostly just an alibi. We know from the decades of cybersecurity experience that this does not work at all.

Strict sandboxing is not going to work either. We do not have a good solution for that even for relatively simple scripting languages. Doing that for AI agents is going to be much more complex.

Agentic AI identity is not going to solve it either. The "agent" or "proxy" identity is a big problem on its own, lurking in the muddy depths of identity platforms for decades. It is not a new problem, as many voices in the identity sphere would like you to believe. However, even if we could solve it, it will not bring us closer to a solution.

The real solution to AI security needs to be a clever combination of many techniques, many of which we are just starting to explore, building up on foundations that we do not have yet, relying on experience that we are just gaining.

AI security is not "only" or "just" and it is definitely not "simple". Do not expect it anytime soon.
