Weaknesses in bank mobile app security are leaving customers dangerously exposed to scams, a problem highlighted by one victim who told Which? how £73,000 was drained from his accounts after his phone was stolen from a pub.

With more people than ever before using mobile banking, criminals are increasingly viewing mobile phones as gateways to consumers’ personal finances.

Latest figures from UK Finance found that £15.7 million was reported lost to mobile banking fraud (unauthorised access via apps) in the first half of 2022, while losses to online banking fraud totalled £61.2 million over the same period.

Nick, 46, a company director from Somerset, was in a busy London pub when his mobile phone was stolen from the pocket of his jacket, which was on the back of a chair. By the time he had woken up the next morning, £73,000 had been transferred from his personal (£15,000) and business (£58,000) accounts to one controlled by a fraudster. Nick immediately reported the theft to the police.

The thief was able to do this by bypassing security measures on Nick’s Barclays mobile banking app – potentially by “shoulder-surfing” to see the code he used to unlock his phone and then trying similar combinations to access the app.

The fraudster could then add an account they controlled as a new payee, and also reset the password on a bulk business payment system.

Banks must have additional controls to block attackers who gain access to digital accounts. However, in the Barclays app, the fraudster only needed to enter debit card details, which are stored in the app, to add a new payee, meaning they did not need to bypass any additional security checks.

While Barclays scored highly overall in Which?’s latest bank security test, it scored poorly on security checks for new payees. The bank sent a fraud warning via SMS, which is of no use to the account holder if their phone has been stolen.

The consumer champion also has concerns about some banks’ security measures to reset login details. Although some ask customers to re-register for the app or pass strict identity checks, such as a ‘selfie’ video, others only request basic information which could be easily obtained by a fraudster.

In tests, the consumer champion found it was too easy to reset the passwords of various Lloyds Banking Group apps. Halifax and MBNA required only credit card details stored in the app and a one-time password (OTP) sent via SMS to the same phone number. Lloyds only required a four-digit code generated on the phone during an automated call.

Amex users can also choose the ‘forgot password’ option, enter their credit card details and receive an OTP sent via text or email, both of which a thief could access directly from a stolen phone.

Which? wants banks to stop relying on SMS to send sensitive information and fraud warnings. In the event of a phone being stolen, criminals can either view messages sent by SMS or simply put the victim’s Sim into a different phone and continue to receive messages.

The consumer champion is calling on banks and telecoms providers to explain to customers how they can better protect themselves. For example, customers can add a unique PIN to their Sim and disable preview notifications, so that if a phone is stolen the thief cannot read messages without unlocking it. Banks can also help their customers secure their accounts quickly by letting them ‘distrust’ phones linked to their accounts.
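The common thread in the weak flows above is that every factor the bank asks for (card details stored in the app, an OTP texted to the same number, a code read out by a call to the same handset, an email inbox signed in on the phone) is available to whoever holds the stolen, unlocked phone. The small Python policy check below, added here as an illustration and not code from Which? or any of the banks named, makes that threat model explicit: it classifies each factor as handset-bound or handset-independent, audits the step-up flows as the article describes them (the flow definitions are reconstructed from the text, not taken from the banks), and shows the minimal fix, adding one factor the thief cannot satisfy from the phone. The `OUT_OF_BAND_APPROVAL` factor and the device-trust registry are assumptions standing in for whatever independent channel a bank actually offers.

```python
"""Stolen-handset threat model for step-up authentication (added example).

Assumption: the attacker holds the victim's unlocked phone and its SIM, so any
factor stored on, delivered to, or generated by that handset is already theirs.
A sensitive action (add payee, reset credentials) is only protected if at least
one required factor is independent of the handset.
"""
from enum import Enum, auto
from typing import Dict, FrozenSet, Set


class Factor(Enum):
    STORED_CARD_DETAILS = auto()   # card number/expiry visible inside the app
    SMS_OTP_SAME_NUMBER = auto()   # OTP texted to the number on the stolen SIM
    EMAIL_OTP = auto()             # OTP sent to an inbox signed in on the phone
    AUTOMATED_CALL_CODE = auto()   # code read out by a call to the stolen phone
    APP_PASSCODE = auto()          # app code, assumed shoulder-surfed or guessed
    SELFIE_VIDEO = auto()          # liveness check against identity on file
    RE_REGISTER_WITH_ID = auto()   # full re-enrolment with identity documents
    OUT_OF_BAND_APPROVAL = auto()  # hypothetical: approval from a separately enrolled channel


# Everything here is satisfiable by a thief holding the unlocked handset.
DEVICE_BOUND: FrozenSet[Factor] = frozenset({
    Factor.STORED_CARD_DETAILS,
    Factor.SMS_OTP_SAME_NUMBER,
    Factor.EMAIL_OTP,
    Factor.AUTOMATED_CALL_CODE,
    Factor.APP_PASSCODE,
})


def independent_factors(flow: FrozenSet[Factor]) -> FrozenSet[Factor]:
    """Factors in the flow that cannot be obtained from the stolen handset alone."""
    return frozenset(flow) - DEVICE_BOUND


def resists_stolen_handset(flow: FrozenSet[Factor]) -> bool:
    """True only if the flow demands at least one handset-independent factor."""
    return len(independent_factors(flow)) > 0


# Step-up flows as the article describes them (constructed reconstructions).
FLOWS: Dict[str, FrozenSet[Factor]] = {
    "barclays_add_payee": frozenset({Factor.APP_PASSCODE, Factor.STORED_CARD_DETAILS}),
    "halifax_mbna_reset": frozenset({Factor.STORED_CARD_DETAILS, Factor.SMS_OTP_SAME_NUMBER}),
    "lloyds_reset": frozenset({Factor.AUTOMATED_CALL_CODE}),
    "amex_reset_sms": frozenset({Factor.STORED_CARD_DETAILS, Factor.SMS_OTP_SAME_NUMBER}),
    "amex_reset_email": frozenset({Factor.STORED_CARD_DETAILS, Factor.EMAIL_OTP}),
    "selfie_video_reset": frozenset({Factor.SELFIE_VIDEO}),
}


def audit(flows: Dict[str, FrozenSet[Factor]]) -> Dict[str, bool]:
    """Map each flow name to whether it survives the stolen-handset attacker."""
    return {name: resists_stolen_handset(flow) for name, flow in flows.items()}


def harden(flow: FrozenSet[Factor], extra: Factor = Factor.OUT_OF_BAND_APPROVAL) -> FrozenSet[Factor]:
    """Minimal fix: keep the existing checks, add one handset-independent factor."""
    if extra in DEVICE_BOUND:
        raise ValueError(f"{extra.name} is handset-bound and adds no protection")
    return frozenset(flow) | {extra}


class DeviceRegistry:
    """Trusted devices per account; 'distrust' drops a device so its stored
    card details and app session no longer count as a factor (hypothetical)."""

    def __init__(self) -> None:
        self._trusted: Dict[str, Set[str]] = {}

    def trust(self, account: str, device_id: str) -> None:
        self._trusted.setdefault(account, set()).add(device_id)

    def distrust(self, account: str, device_id: str) -> bool:
        """Returns True if the device was trusted and has now been revoked."""
        devices = self._trusted.get(account, set())
        if device_id not in devices:
            return False
        devices.discard(device_id)
        return True

    def is_trusted(self, account: str, device_id: str) -> bool:
        return device_id in self._trusted.get(account, set())


if __name__ == "__main__":
    for name, ok in audit(FLOWS).items():
        verdict = "OK" if ok else "WEAK: every factor is on the stolen handset"
        print(f"{name:20s} {verdict}")
    print("hardened lloyds_reset:", resists_stolen_handset(harden(FLOWS["lloyds_reset"])))
```

Running the audit prints `WEAK` for every flow except the selfie-video reset, which is exactly the split the article draws. The point of modelling factors as a set is that "two factors" is not the same as "two independent factors": card details plus an SMS OTP is two pieces of evidence but one possession, the phone. The design rule the check enforces is that any sensitive action must require at least one factor the phone in the thief's hand cannot produce.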

After Which? intervened and expressed concerns to Barclays about its handling of Nick’s case, the bank refunded £15,000 stolen from his personal account, but refused to reimburse his business account. Ultimately, the cyber insurance Nick’s business took out meant he got the money stolen from his business account back.

Being a victim of fraud, and the treatment he received from Barclays, had a considerable impact on Nick’s mental health. Previous Which? research has found that the harm fraud can have on victims goes beyond the financial losses incurred, and can have a detrimental impact on wellbeing.

 


Jenny Ross, Which? Money Editor, said:

“While the details of Nick’s case are shocking, unfortunately they are not uncommon as criminals seek to exploit any weakness they can in pursuit of our money.

“A lack of strong security protections in some banks’ mobile apps is a huge concern, and could leave many more consumers at risk of being defrauded. Banks must up their game to protect customers.

“Banks also need to ensure they meet their legal obligations to reimburse customers for unauthorised transactions.”

