Like most of you, I am confused by the article. There are two issues here - firstly, how the money was accessed from the Revolut account, and secondly, how easy or not it is to deal with Revolut once a 'bad' transaction occurs. I am guessing that they are not great to deal with in times like this, but despite having used them for many years, I have never had an issue with them or experienced any 'bad' transaction, thankfully.
Revolut (like most of the fintechs - N26/Monese etc) supports lots of security features traditional banks don't readily offer. This includes the ability to have vaults/pockets etc that isolate funds from the main account. If someone is saving for something in particular, surely the funds are best placed to be moved into a pocket for safer keeping (both security and bad spending habits). Also, Revolut gives you much more control over what type of transactions are permitted on a card at a point in time, including self-managed spending limits, ability to turn on/off online payments, location-based security, swipe payments, ATM withdrawals, contactless payments (and allowing you to set your own limit on this). So from a security perspective, I would say the likes of Revolut put much more control into people's hands via the app than traditional banks. However, this means that people also need to understand this and know what settings are best suited for them and be willing to dynamically change them as required [e.g. when abroad on holidays etc].
I remember having swipe payments disabled on my card and having a payment rejected somewhere - I simply checked the app to see the cause of the rejection, unlocked it and processed the transaction again!
>>So all that the couple was able to establish was that the transactions appeared to have been carried out in person by someone who had access to their Apple Pay details.
From the article this appears to be how the funds were believed to be accessed. The person must have put the Revolut card on Apple Pay. My understanding of Apple Pay is that you can make a payment with the physical device (iPhone or Apple Watch) but you have to enter the device's security codes. Online payments are also possible - but limited to Apple devices, and they require use of Touch ID to work directly, or if there is no Touch ID the device needs to be connected to the iPhone via Bluetooth. [I only use Apple Pay with my physical devices and never online]
https://support.apple.com/en-gb/102626
In summary, I think there is more to this story than is reported here. I think the card details were compromised in some way to support the payments - either physical skimming of the card magnetic strip [with PIN also likely compromised] or virtually, where all details, including ccv, were compromised. However, with 2FA/MFA on the Revolut app, I would be surprised if these were fully online transactions, rather than Point of Sale transactions which do not require authorisation via the app. But POS transactions need to use either PIN or ccv details.
I don't know if Revolut supports the signature option for authorising payments, but my understanding is the physical card is required for signature payments also (so we are back to card skimming)!!