Consumer Group Slams Bank App Fraud Failings


A leading consumer rights group has called on the UK’s high street banks to enhance their account security in order to tackle mobile device fraud.

Which? claimed that attackers could shoulder surf victims to learn a PIN, since consumers often reuse the same code for the phone lock screen and the banking app. An attacker who then steals the device can use that single PIN to unlock both the phone and the victim's mobile banking account.

The group said banks should have better controls to limit the damage fraudsters could do once inside a victim’s account, such as tightening the restrictions around setting up new payees and resetting login details.

“In the Barclays app, the fraudster only needed to enter debit card details, which are stored in the app, to add a new payee, meaning they did not need to bypass any additional security checks,” it argued.

“The bank sent a fraud warning via SMS, which is of no use to the account holder if their phone has been stolen.”


During the login reset process, some banks ask customers to re-register for the app or pass identity checks such as a selfie video. Others, however, rely only on factors that a thief holding the unlocked phone already has access to, such as a one-time passcode sent via SMS or the card details stored in the app, Which? added.

“Which? wants banks to stop relying on SMS to send sensitive information and fraud warnings. In the event of a phone being stolen, criminals can either view messages sent by SMS or simply put the victim’s SIM into a different phone and continue to receive messages,” the rights group argued.

Which? also wants banks and telcos to explain to customers how they can better protect themselves.

“For example, customers can add a unique PIN to their SIM and disable preview notifications when a phone has been stolen to prevent the thief from seeing messages without having to unlock the phone,” it said. “Banks can also help their customers secure their accounts quickly by letting them ‘distrust’ phones linked to their accounts.”

Mobile banking fraud losses stood at £15.7m for the first half of 2022, an 8% year-on-year decline, according to UK Finance. These losses make up around a quarter of total online banking fraud losses.
