‘Concerning’ lack of security protections on some major banking apps
The findings come as, in the first half of 2022, £15.7 million was reported lost to mobile phone banking fraud and £61.2 million lost to online banking fraud, according to UK Finance.
Which? found big differences in the type of security measures requested, with some banks asking for strict identity checks and others only requesting basic information which could be easily guessed.
The differences included the following:
- For various Lloyds Banking Group apps, Which? said it was too easy to reset the password.
- With Halifax and MBNA, only the credit card details stored in the app and a one-time password (OTP) sent via SMS to the same phone were required.
- Lloyds required a four-digit code generated on the phone during an automated call.
- Amex users can also choose the ‘forgot password’ option, enter their credit card details and receive an OTP sent via text or email, both of which a thief could access directly from a stolen phone.
- Barclays scored highly in Which?'s latest bank security test but poorly on security checks for new payees. It sends a warning via SMS, for example, if it thinks there is a risk of fraud, but if the phone itself has been stolen this is of no use.
‘No higher priority than the protection of customers’
The banks responded to the Which? claims with the following comments:
- Lloyds Banking Group said: “Helping to keep our customers’ money and data safe is our priority. We have robust, multi-layer security across our online and mobile banking services to protect against potential cybersecurity threats.”
- American Express said: “We use a number of controls to protect Cardmembers from fraudulent activity. All fraud claims are thoroughly investigated by our specialist Fraud team. If a Cardmember believes that their account has been compromised, that they have experienced fraud, or their American Express card has been stolen, we would urge them to report this issue by calling us using the number on the back of their card or contacting us via our website.”
Which? said banks need to stop relying on SMS for fraud warnings and for sending out sensitive information. It is also calling on banks and telecoms providers to give customers more information about how they can protect themselves.
‘Zero interest in protecting their customers’
One Barclays customer who contacted Which? had £73,000 taken from him after his phone was stolen.
Nick, 46, a company director from Somerset, had his phone stolen in a London pub, and criminals took £15,000 from his personal account and £58,000 from his business account.
The criminal was able to bypass security measures on the Barclays banking app, potentially by shoulder surfing: watching him unlock his phone and then trying similar combinations on the banking app. They then added a new account and changed the password.
To add a new payee in the Barclays app, the criminal only had to enter debit card details that were already stored in the app, so they did not need to pass any additional security checks.
Yet Barclays did not immediately refund Nick, and it was only after Which? intervened that Barclays repaid the £15,000; the £58,000 was claimed back via Nick's business insurance.
Nick said: “At no time did I feel that the bank listened to me, and they only returned the money to my personal account when put under serious scrutiny by the reporter from Which?.
“They still maintain that they can see no evidence of fraud which is completely absurd given the weight of evidence shared, including from the police officer who I reported the crime to at the time.”
A spokesperson for Barclays said: “There is no higher priority than the protection of our customers’ funds and data. The Barclays app has multiple layers of security, continually undergoing rigorous forms of testing, to provide our customers with the highest level of protection.
“We have every sympathy with our customer, who has reported being a victim of a sophisticated and targeted mobile phone theft. Funds sent to a third-party account outside our customer’s control have been returned in full, as a gesture of goodwill.”
Jenny Ross, Which? money editor, said: “While the details of Nick’s case are shocking, unfortunately they are not uncommon as criminals seek to exploit any weakness they can in pursuit of our money.
“A lack of strong security protections in some banks’ mobile apps is a huge concern, and could leave many more consumers at risk of being defrauded. Banks must up their game to protect customers.
“Banks also need to ensure they meet their legal obligations to reimburse customers for unauthorised transactions.”