A new report by Which? has warned that weaknesses in bank mobile app security are leaving customers vulnerable to scams.
The report revealed that fraudsters could easily access bank accounts and transfer money without having to bypass any additional security checks. Thieves transferred £73,000 from both the personal and business accounts of one victim after they stole his phone from a pub.
With more people using mobile banking than ever before, criminals are increasingly viewing mobile phones as a gateway to consumers’ personal finances. The report also highlighted concerns about some banks’ security measures for resetting login details.
The report highlighted that while some banks required customers to re-register for the app or pass strict identity checks, others only asked for basic information that fraudsters could easily obtain. Tests by the consumer watchdog revealed it was too easy to reset passwords of various Lloyds Banking Group apps.
Halifax and MBNA only required credit card details stored in the app and a one-time password sent via SMS to the same phone number. Lloyds only required a four-digit code generated on the phone during an automated call.
Amex users could also choose the ‘forgot password’ option, enter their credit card details and receive a one-time password sent via text or email, both of which a thief could access directly from a stolen phone.
After £73,000 was drained from his accounts, Nick, a victim of fraud, shared his experience. “Being the victim of a significant financial crime is very traumatic. However, the worst part of the experience for me was not so much the crime itself, but the disgraceful treatment I received from Barclays following the crime, despite having been a loyal customer for over 30 years. Banks have one job, to protect our money, and in my case with Barclays their failure to do so was total.”
Which? has called on banks to stop relying on SMS to send sensitive information and fraud warnings, stating that if a phone is stolen, criminals can either access messages sent by SMS or simply insert the victim’s SIM card into a different phone and continue to receive messages.
The consumer watchdog has also called on banks and telecoms providers to explain to customers how they can better protect themselves.
Jenny Ross, Which? money editor, said: “While the details of Nick’s case are shocking, unfortunately they are not uncommon as criminals seek to exploit any weakness they can in pursuit of our money.
“Banks must up their game to protect customers. Banks also need to ensure they meet their legal obligations to reimburse customers for unauthorised transactions.”
According to UK Finance’s latest figures, mobile banking fraud (unauthorised access via apps) resulted in reported losses of £15.7 million during the first half of 2022, with online banking fraud losses totalling £61.2 million during the same period.