As a lawyer dedicated to defending your rights, I note with concern the evolving risks associated with mobile phone theft. It is no longer merely the loss of a valuable object; it is potentially a direct attack on your digital identity and your finances. Understanding this threat and knowing how to respond is fundamental.
Here is a comprehensive overview, based on available information, of the dangers, legal framework, and essential protective measures.
Phone theft: a threat far more serious than the mere loss of property
If your phone is stolen, the cost of replacing it is often the least of your worries. Fraudsters can cause far more damage than you might imagine with your device alone. The real danger lies in their ability to access your personal information and finances.
How thieves operate to access your data
Thieves are opportunistic and often target moments when you are least vigilant, such as in or around bars. They prefer to steal your phone while you are using it, as it is already unlocked when they take it. They then have access to all your applications, notes, and stored personal information.
A common tactic, particularly targeting young adults who may be under the influence of alcohol, involves obtaining your phone’s unlock code. A thief may ask you to note their information on your phone under a false pretext, discreetly observing you enter the code. The false pretext may, for example, consist of asking to add you on Snapchat, taking the phone, “locking” it, then asking for the code to “unlock” it, observing or even filming the victim as they enter it. The passcode then becomes the key that opens everything.
What thieves do with your phone and your passcode
The passcode is of paramount importance. It allows thieves to access stolen phones, plunder bank accounts and money applications, and lock victims out of their Apple accounts, sometimes permanently. Once they have the phone and the code, speed is essential — it is like a “bank heist.”
Fraudsters go into the settings to reset the iCloud password using the six-digit code and create their own password. Then they enable the “Find My iPhone” feature, which completely locks the owner out of the phone. With just the passcode, a thief can change someone’s Apple ID password and perform a multitude of actions on your account and your phone. This can be done extremely quickly, in 5 to 10 seconds. The purpose of this speed is to take control before the victim can react.
After obtaining the code, they can remove the owner’s Face ID access and register their own. This facilitates access to passwords saved in banking applications. The thief can then access various accounts such as savings accounts, current accounts, cryptocurrency applications, Venmo, and PayPal. If applications cannot be unlocked with Face ID, thieves will search elsewhere on the phone, for example in the Notes application or even photos, where passwords and other sensitive information such as social security numbers are sometimes stored.
Often, the money is transferred before 5 a.m. while the victims are asleep. If the victim has a line of credit, thieves can use it to make expensive purchases in stores, using Apple Pay for example. They can spend thousands of euros on clothing, shoes, and other items simply by using their face with Apple Pay after registering their own Face ID. Thieves have even used stolen Apple products and the Apple Pay feature to purchase more Apple products, which they then resold for profit. After stealing the money, the thief can wipe the phone using the passcode and password, then sell it.
Facial Recognition (Face ID) and AI: Specific Vulnerabilities
The rise of facial recognition technology has brought convenience and security, but has also introduced new vulnerabilities. Sophisticated attackers exploit AI-powered “face swapping” services to create convincing “deepfakes,” deceiving even robust security systems. These malicious actors also use fake mobile applications to gain unauthorized access to victims’ accounts and compromise sensitive information and identities.
Given the rise of AI-generated content, digital identities can no longer truly be trusted. For example, fraudsters can take photos shared online and use AI to create mimicked videos or fake profiles. If you use facial recognition, AI can potentially imitate it, making it appear that it is you when it is not.
Facial recognition is not inherently secure simply because no one else looks exactly like you. Furthermore, camera-only systems may have limitations due to camera quality, and even Face ID on iPhone can sometimes fail, requiring the passcode. It is very important to understand that camera-only security is not infallible. It is preferable to have multiple layers of security.
Be cautious with mobile applications. Do not grant camera access to an application that does not need it. Download applications only from official stores such as the Apple App Store or the Google Play Store; be very cautious with third-party applications. Some applications do not need camera access, and granting them this access makes you vulnerable to information theft. The primary objective of attackers is to get paid, often by gaining access to your banking information. If your facial ID is compromised, this could give them access to your bank accounts.
AI is used to create “deepfakes,” and it can also be used for detection, but the sophistication of the application matters. AI is created by humans and can make mistakes. Being informed is an essential human factor in mitigating certain problems.
The legal framework: Strong authentication and bank liability
French law strictly regulates the security of payment transactions. Strong authentication is a legal requirement. It must rely on two or more distinct elements belonging to the categories of “knowledge” (something only the user knows), “possession” (something only the user possesses), and “inherence” (something the user is, such as a biometric characteristic). The compromise of one must not undermine the reliability of the others. Since May 2021, strong authentication has been systematic for online purchases in France, in accordance with the PSD2 Directive. In practice, this means validating two elements from among a password or passcode, a device in the user’s possession (phone, hardware token), or a personal characteristic (fingerprint, facial recognition).
In the event of fraudulent transactions, responsibilities are defined by law (French Monetary and Financial Code). The user has an obligation to take reasonable measures to preserve the security of their personalized security devices. The payment service provider (the bank) must ensure that the security features of the payment instrument are not accessible to persons other than the authorized user.
The burden of proof lies with the bank. When a user disputes a payment transaction, it is incumbent upon their payment service provider to prove that the transaction was authenticated, duly recorded, and accurately accounted for, and that it was not affected by a technical or other deficiency. The mere use of the payment instrument, as recorded by the bank, does not necessarily suffice to prove that the transaction was authorized by the payer or that the payer failed to meet their obligations through gross negligence or intentionally. The bank must provide evidence proving the fraud or gross negligence committed by the user.
Case law: The burden of proving strong authentication rests on the Bank
Recent case law provides important clarifications. The user who denies having authorized a transaction may simply dispute it, with the burden of proof falling on the bank to establish that the order originated from the user. Similarly, it is for the bank to prove the user’s gross negligence, for example by establishing that the user voluntarily disclosed their strictly confidential identification elements.
The case decided by the Nice Judicial Court on 20 February 2025 is illustrative (Tribunal judiciaire de Nice, 4th Civil Chamber, 20 February 2025, No. 23/00836). Ms. [E] [D] disputed transfers made following a presumed “hacking” of her accounts, stating that she had never authorized or validated the transactions, nor received any confirmation request (SMS or email). The court considered that the listing provided by the bank, merely stating “validation by the client” followed by “successful,” was insufficient to prove strong authentication of the disputed transactions, as neither its origin nor its authenticity could be verified. It also emphasized that proof of gross negligence cannot be inferred from the mere fact that the payment instrument or the personal data associated with it were actually used. The court therefore ordered the bank to reimburse Ms. [E] [D] for the amounts fraudulently debited (9,440 euros) with interest. This reinforces the principle that the bank cannot exempt itself from liability without proving the user’s gross negligence.
Banks often attempt to argue that the use of a security pass, enhanced code, or Face ID constitutes sufficient strong authentication and that the client who validates necessarily has the required codes, thus excluding their liability. However, case law recalls that the bank’s compliance with the strong authentication procedure does not suffice to qualify the transaction as “authorized” if proof of authorization by the user is lacking.
Steps to follow if your phone is stolen
Acting quickly is crucial. The recommended steps are as follows, in this precise order:
- If you have enabled a “Find My Device” function, use it to wipe your phone immediately.
- Call your network operator. Report that your phone has been stolen. If you had not enabled the “Find My Device” function, you can ask your operator to wipe your phone for you. Also block the line.
- Change all important passwords. Start with your email address to avoid being locked out, then your banking information, then anything else important to you.
- Contact your bank without delay to report the theft and the possibility of fraudulent transactions.
- Formally dispute in writing any unauthorized transaction, specifying that you never gave your consent.
- Contact a lawyer; before filing a complaint, they can advise you so that your complaint cannot be used against you by the Bank to invoke gross negligence.
- Call the police and file a complaint for theft and fraudulent use of payment methods. Keep all evidence of your steps (receipts, copies of letters, etc.).
- Demand immediate reimbursement of the amounts fraudulently debited, relying on Article L. 133-18 of the French Monetary and Financial Code.
How to protect yourself: Essential preventive measures
As a lawyer, I cannot stress enough the importance of prevention. Here are measures to protect your data and finances:
- Enable the “Find My Device” function.
- Enable the “Stolen Device Protection” setting if available on your device (for example, in iOS 17.3). This setting adds a line of defense when you are away from home or work. A thief would need your face or a fingerprint scan to change an Apple ID password, then would have to wait an hour, then would need your biometric data again. The same applies to adding a new Face ID and disabling “Find My iPhone.” Accessing saved passwords would require your biometric data. Note, however, that certain features, such as using Apple Pay or certain applications like Venmo, could still be vulnerable even with this setting enabled. This setting is disabled by default; you must enable it manually.
- Do not store your passwords in the Notes application or in your photos.
- Create a stronger passcode that uses letters and numbers, not just six digits.
- Be aware of your surroundings and stay vigilant, especially in public places.
- Do not share sensitive information online, such as photos, as they can be used by AI to create “deepfakes.”
- Be cautious about granting camera access to applications, particularly third-party applications.
- Download applications only from official stores such as the Apple App Store or the Google Play Store.
- Do not rely on a single layer of security (such as facial recognition alone); it is always preferable to have one or two additional layers of security, such as a strong passcode.
- Keep your software and the applications you use up to date.
Conclusion
Phone theft can open the door to significant financial losses and identity theft. The use of facial recognition, while convenient, presents exploitable vulnerabilities, particularly in cases of theft and access to the passcode. However, French law and case law protect users by placing the burden of proving the authorized nature of transactions on banks.
By being aware of thieves’ methods, the risks associated with emerging technologies such as AI, and by taking proactive preventive measures (enabling security features, choosing a strong code, exercising caution online and with applications), you can better protect your personal information and finances. In the event of theft, rapid and methodical action (reporting, changing passwords, disputing with the bank, contacting a lawyer, filing a complaint) is essential to assert your rights and obtain reimbursement of fraudulently debited amounts. Stay vigilant and secure your mobile device now.

