Weak banking security measures are leaving customers dangerously vulnerable to fraud on stolen phones, Which? warns.
The consumer champion cites the case of a company director from Somerset who had £73,000 drained from his account after his mobile was lifted from his jacket pocket.
The thief was able to bypass security measures on his Barclays mobile banking app - potentially by 'shoulder-surfing' to see the code he used to unlock his phone - and then trying similar combinations to access the app.
The fraudster then added an account they controlled as a new payee, and also reset the password on a bulk business payment system.
In the Barclays app, the fraudster only needed to enter debit card details, which are stored in the app, to add a new payee, meaning they did not need to bypass any additional security checks.
The bank sent a fraud warning via SMS, which is of no use to the account holder if their phone has been stolen.
It was only after Which? intervened in the case that the bank refunded £15,000 stolen from his personal account, but refused to reimburse his business account.
Jenny Ross, Which? money editor, says: “While the details are shocking, unfortunately they are not uncommon as criminals seek to exploit any weakness they can in pursuit of our money."
Which? has raised additional concerns about some banks’ security measures to reset login details. Although some ask customers to re-register for the app or pass strict identity checks, others only request basic information which could be easily obtained by a criminal.
In tests, the consumer champion found it was too easy to reset the passwords of various Lloyds Banking Group apps. Halifax and MBNA required only credit card details stored in the app and a one-time password (OTP) sent via SMS to the same phone number. Lloyds only required a four-digit code generated on the phone during an automated call.
Amex users can also choose the ‘forgot password’ option, enter their credit card details and receive an OTP sent via text or email, both of which a thief could access directly from a stolen phone.
Which? wants banks to stop relying on SMS to send sensitive information and fraud warnings. In the event of a phone being stolen, criminals can either view messages sent by SMS or simply put the victim’s SIM into a different phone and continue to receive messages.
Says Ross: “A lack of strong security protections in some banks’ mobile apps is a huge concern, and could leave many more consumers at risk of being defrauded. Banks must up their game to protect customers.
“Banks also need to ensure they meet their legal obligations to reimburse customers for unauthorised transactions.”