Weak banking security measures are leaving customers dangerously vulnerable to fraud on stolen phones, according to consumer advocacy group Which?.
The organization highlighted the case of a company director from Somerset who lost £73,000 after his mobile phone was stolen from his jacket pocket. The thief bypassed the security on the victim's Barclays mobile banking app, possibly by shoulder-surfing the code used to unlock the handset and then trying that code and similar combinations against the app.
Once inside, the fraudster added an account they controlled as a new payee and reset the password on a bulk business payment system. In the Barclays app, adding a new payee was alarmingly easy: the only check was to enter debit card details that were themselves stored in the app, so an attacker already inside the app had everything needed to pass it and faced no further security check.
The bank did send a fraud alert via SMS, but it went to the stolen handset, which the account holder no longer had, so the warning never reached him. It was only after Which? intervened that the bank refunded the £15,000 stolen from the victim's personal account; it refused to reimburse the losses on the business account.
Jenny Ross, Which? money editor, stated, “While the details are shocking, unfortunately they are not uncommon as criminals seek to exploit any weakness they can in pursuit of our money.”
Additionally, Which? raised concerns about some banks’ methods for resetting login details. While certain banks enforce strict identity checks or require customers to re-register for the app, others only ask for basic information that could easily be acquired by a criminal.
In tests, Which? found that resetting passwords for various Lloyds Banking Group apps was alarmingly simple. Halifax and MBNA asked only for stored credit card details plus a one-time password (OTP) sent by SMS to the same phone, while Lloyds needed just a four-digit code read out during an automated call to that phone. American Express customers could use a 'forgot password' function by supplying credit card details and receiving an OTP by text or email, both of which a thief holding the stolen phone could read. In every case, each factor demanded was either stored on the handset or delivered to it, so possession of the stolen phone satisfied the whole flow.
Which? is advocating for banks to stop relying on SMS to send sensitive information and fraud warnings. When a phone is stolen, criminals can either read SMS messages on the handset itself or simply move the victim's SIM card into another device and keep receiving them, because delivery follows the SIM rather than the handset. A SIM PIN closes that second route but not the first, and it does nothing for a fraud alert that the victim is no longer in a position to see.
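The common failure in the cases above is that every factor a flow demands can be reached from the stolen phone or its SIM. The following is an added example, not code from Which? or any of the banks named, that writes that observation down as a small threat-model check: each factor is tagged with where it lives, each flow is a sequence of steps (any listed factor satisfies a step), and a flow is counted as compromised when an attacker's position covers every step. The flows are paraphrased from the article's description, not from the banks' specifications; the factor names, the two attacker profiles and the "hardened_reregister" flow are constructed for illustration.

```python
"""Device-bound authentication flows modeled as a small threat-model check.

Constructed example: flows are paraphrased from a news description of each
bank's reset or payee step, not from the banks' own specifications. The
"hardened_reregister" flow and all factor names are hypothetical labels.
"""
from typing import Dict, FrozenSet, Sequence, Set

# Where each factor's secret or delivery channel lives.
FACTOR_LOCATION: Dict[str, str] = {
    "device_passcode": "shoulder_surfed",   # unlock code watched over the victim's shoulder
    "app_pin_reuse": "shoulder_surfed",     # same or similar code reused for the banking app
    "card_details_in_app": "on_phone",      # card number etc. readable inside the unlocked app
    "email_otp": "on_phone",                # mailbox already signed in on the handset
    "sms_otp": "sim",                       # delivered to the SIM, whichever handset holds it
    "automated_call_code": "sim",           # a voice call terminates at the SIM too
    "hardware_token": "off_phone",          # separate physical token (hypothetical)
    "in_branch_id_check": "off_phone",      # documents checked in person (hypothetical)
}

# A flow is a sequence of steps; each step lists the factors any one of which
# satisfies it, so "OTP by text or email" is one step with two options.
Flow = Sequence[FrozenSet[str]]


def step(*options: str) -> FrozenSet[str]:
    return frozenset(options)


FLOWS: Dict[str, Flow] = {
    "barclays_add_payee": [step("app_pin_reuse"), step("card_details_in_app")],
    "halifax_mbna_reset": [step("card_details_in_app"), step("sms_otp")],
    "lloyds_reset": [step("automated_call_code")],
    "amex_forgot_password": [step("card_details_in_app"), step("sms_otp", "email_otp")],
    # Hypothetical hardened flow: re-registration needs something that is not on the phone.
    "hardened_reregister": [step("card_details_in_app"),
                            step("hardware_token", "in_branch_id_check")],
}

# What an attacker can reach, expressed as factor locations.
ATTACKERS: Dict[str, Set[str]] = {
    # Thief watched the unlock code, then took the handset (the case in the article).
    "stolen_phone_observed_code": {"shoulder_surfed", "on_phone", "sim"},
    # Thief holds a locked handset but moves the SIM into another device.
    "stolen_locked_phone_sim_moved": {"sim"},
}


def step_satisfiable(options: FrozenSet[str], capabilities: Set[str]) -> bool:
    """True if any factor accepted at this step lives somewhere the attacker controls."""
    return any(FACTOR_LOCATION[f] in capabilities for f in options)


def flow_compromised(flow: Flow, capabilities: Set[str]) -> bool:
    """A flow falls when every one of its steps can be completed from the attacker's position."""
    return all(step_satisfiable(s, capabilities) for s in flow)


def evaluate(capabilities: Set[str]) -> Dict[str, bool]:
    """Map each modeled flow to whether the given attacker position defeats it."""
    return {name: flow_compromised(flow, capabilities) for name, flow in FLOWS.items()}


def independent_factor_present(flow: Flow) -> bool:
    """Design check: does some step accept only factors that live off the phone and SIM?"""
    return any(all(FACTOR_LOCATION[f] == "off_phone" for f in s) for s in flow)


if __name__ == "__main__":
    for attacker, caps in ATTACKERS.items():
        print(f"\nattacker: {attacker}")
        for name, broken in evaluate(caps).items():
            print(f"  {name:26s} {'COMPROMISED' if broken else 'holds'}")
    print("\nflows with a factor independent of the phone:",
          [n for n, f in FLOWS.items() if independent_factor_present(f)])
```

Running it shows all four described flows falling to the thief who observed the unlock code, and the Lloyds flow alone falling to a thief who only moves the SIM, which is the SMS point above in concrete form. The `independent_factor_present` check is the design rule that separates the hypothetical hardened flow from the rest: at least one step must accept nothing the stolen handset or SIM can supply.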
Ross emphasized, “A lack of strong security protections in some banks’ mobile apps is a huge concern and could leave many more consumers at risk of being defrauded. Banks must up their game to protect customers and ensure they meet their legal obligations to reimburse customers for unauthorized transactions.”