Payments with Stolen Phone
10 Mar 2026
My phone got stolen, which caused all kinds of trouble. The thief managed to make wireless payments with the phone. How he was able to do that remains a mystery.
The theft was a pickpocket job. It took some time until I realized that my phone was stolen. Luckily, I was not traveling alone, so I could borrow a phone to quickly contact my banks and my company to lock out all access. However, it turned out it was already a bit too late. I had my phone set up for contactless payments, and a significant sum of money was already gone.
My phone was locked at the time it was stolen. I'm not sure about many details of the events that happened, I'm not even sure when exactly the phone was stolen. However, I'm very confident it was locked. I'm always explicitly locking the phone by pressing the lock button. I always press the button when I put the phone in my pocket, I press the button even if I put the phone on a table in front of me, I press the button even when I'm at home alone. It is automatic. The phone was locked.
My phone was a Fairphone 6 running Murena /e/OS. My phone was set up for biometric (fingerprint) unlock and PIN unlock. The PIN was non-trivial. There was additional biometric confirmation of payments in the payment app itself. The payments were authorized minutes after the theft (my best guess, as I do not know when exactly the phone was stolen).
How was the thief able to make substantial payments with a locked phone in such a short time? I thought this was very unlikely, yet it happened. I'm considering several possibilities:
- The thief might have been able to break biometric authentication. Certainly, fingerprint lock is far from perfect. Obviously, my fingerprints must have been all over the phone. I'm aware of methods that might have been used to open the lock in several ways, involving powders, image processing, latex and so on. However, these methods looked like hours of tedious work with uncertain results. I was not aware that a phone fingerprint lock can be broken in minutes.
- The thief could have seen my PIN. My PIN was not trivial, yet, in retrospect, the thief might have been able to guess it if they saw me entering it into my phone. This would explain a lot. The only problem with this theory is that I do not recall entering the unlock PIN into my phone that day at all. I never unlock the phone with the PIN unless the phone explicitly prompts me to, I use the fingerprint all the time. My memory may be deceiving me, but I believe it is unlikely that the thief could have seen my PIN.
- The thief might have been able to make payments with a locked phone. I do not think I had my phone set up to allow this. However, the security settings of the phone and the payment apps can be confusing. I know. I have a habit of looking through the settings of any new app that I install. It is kind of an obsession of an old software engineer. I'm sure I did look through all the settings of both the phone and the app, and I would not consciously leave any channel for unauthenticated payments open. There is a possibility that the settings might have changed since I enrolled for mobile payments, or I might have overlooked something. Of course, there is also the possibility that the app or the phone might be vulnerable, or that such payments might be allowed "by design" (as in "this is not a bug, it is a feature").
- Then there are exotic possibilities. The thief might have been able to unlock the phone using USB debugging (which I did not enable). They might have booted a different OS to read the data (I had not rooted the phone nor unlocked the bootloader, I bought it from Murena with /e/OS pre-installed). There might have been a vulnerability in the phone OS (which I keep upgraded all the time). Honestly, I do not think any of this happened.
It is a mystery. I cannot really explain what happened. It should not be possible, yet it happened. After I got home and changed all my passwords all around the Internet, I contacted all involved parties:
- I contacted my bank, reporting the fraudulent transactions. The bank did not really care about any technical details.
- I contacted the provider of the payment application, reporting the transactions. They asked me about the circumstances of the event in a very bureaucratic manner. I expressed my concerns about the security of the payments, yet I got the impression that they were largely ignoring my concerns.
- I contacted Murena, where I purchased my phone. Their response was quick and truly fantastic. Even though it looks like I was the first to report this, they were concerned and reacted appropriately. We discussed the circumstances, including technical details and possible scenarios. The details of my particular incident remain mysterious. However, I got the impression that my problem was not ignored, and that they are going to follow up on the investigation.
There is kind of a happy ending to this story. The fraudulent payments were rolled back and refunded. I got lucky this time. However, my concerns regarding the security of mobile payments remain. I still do not know what happened, and it looks like I will never find out. My phone is gone, so there is no way to learn anything there. The bank and the payment provider are obviously not inclined to share any more details. This route seems to be closed.
Although I do not know what happened, I have the impression that this experience is a consequence of the overall approach taken by the fintech and mobile industry. I think that fintech is motivated to trade off security for convenience. Easier access to payments means higher revenues for fintech. Of course, there is an increased risk when convenience takes precedence over security. However, the risk can be easily "mitigated" by shifting it over to the consumers. I was lucky, the transactions were refunded in my case. Will I be so lucky next time? I do not know. What I know for sure is that I'm not going to risk it again. I've got a brand new Murena Fairphone now, all applications re-installed and ready to go. All except one. I'm not going to risk mobile payments again.