Weaknesses in bank mobile app security are leaving customers dangerously exposed to scams, a problem highlighted by one victim who told Which? how £73,000 was drained from his accounts after his phone was stolen from a pub.
With more people than ever before using mobile banking, criminals are increasingly viewing mobile phones as gateways to consumers’ personal finances.
The latest figures from UK Finance show that £15.7 million was reported lost to mobile banking fraud (unauthorised access via apps) in the first half of 2022, while losses to online banking fraud totalled £61.2 million over the same period.
Nick, 46, a company director from Somerset, was in a busy London pub when his mobile phone was stolen from the pocket of his jacket, which was hanging on the back of a chair. By the time he woke up the next morning, £73,000 had been transferred from his personal (£15,000) and business (£58,000) accounts to one controlled by a fraudster. Nick immediately reported the theft to the police.
The thief was able to do this by bypassing security measures on Nick’s Barclays mobile banking app – potentially by “shoulder-surfing” to see the code he used to unlock his phone and then trying similar combinations to access the app.
The fraudster could then add an account they controlled as a new payee, and also reset the password on a bulk business payment system.
Banks must have additional controls to block attackers who gain access to digital accounts. However, in the Barclays app, the fraudster only needed to enter debit card details, which are stored in the app, to add a new payee, meaning they did not need to bypass any additional security checks.
While Barclays scored highly overall in Which?’s latest bank security test, it scored poorly on security checks for new payees. The bank sent a fraud warning via SMS, which is of no use to the account holder if their phone has been stolen.
The consumer champion also has concerns about some banks’ security measures to reset login details. Although some ask customers to re-register for the app or pass strict identity checks, such as a ‘selfie’ video, others only request basic information which could be easily obtained by a fraudster.
In tests, the consumer champion found it was too easy to reset the passwords of various Lloyds Banking Group apps. Halifax and MBNA required only credit card details stored in the app and a one-time password (OTP) sent via SMS to the same phone number. Lloyds only required a four-digit code generated on the phone during an automated call.
Amex users can also choose the ‘forgot password’ option, enter their credit card details and receive an OTP sent via text or email, both of which a thief could access directly from a stolen phone.
Which? wants banks to stop relying on SMS to send sensitive information and fraud warnings. If a phone is stolen, criminals can either view messages sent by SMS or simply put the victim’s Sim into a different phone and continue to receive messages.
The consumer champion is calling on banks and telecoms providers to explain to customers how they can better protect themselves. For example, customers can add a unique Pin to their Sim and disable preview notifications, so that if a phone is stolen the thief cannot read messages without unlocking it. Banks can also help their customers secure their accounts quickly by letting them ‘distrust’ phones linked to their accounts.
After Which? intervened and expressed concerns to Barclays about its handling of Nick’s case, the bank refunded £15,000 stolen from his personal account, but refused to reimburse his business account. Ultimately, the cyber insurance Nick’s business took out meant he got the money stolen from his business account back.
Being a victim of fraud, and the treatment he received from Barclays, had a considerable impact on Nick’s mental health. Previous Which? research has found that the harm fraud can have on victims goes beyond the financial losses incurred, and can have a detrimental impact on wellbeing.
Jenny Ross, Which? Money Editor, said:
“While the details of Nick’s case are shocking, unfortunately they are not uncommon as criminals seek to exploit any weakness they can in pursuit of our money.
“A lack of strong security protections in some banks’ mobile apps is a huge concern, and could leave many more consumers at risk of being defrauded. Banks must up their game to protect customers.
“Banks also need to ensure they meet their legal obligations to reimburse customers for unauthorised transactions.”
Commenting on his experience, Nick said:
“Being the victim of a significant financial crime is very traumatic. However, the worst part of the experience for me was not so much the crime itself, but the disgraceful treatment I received from Barclays following the crime, despite having been a loyal customer for over 30 years.
“It soon became clear that they have zero interest in protecting their customers, they are concerned only to protect their shareholders and their reputation. At no time did I feel that the bank listened to me, and they only returned the money to my personal account when put under serious scrutiny by the reporter from Which?. They still maintain that they can see no evidence of fraud which is completely absurd given the weight of evidence shared, including from the police officer who I reported the crime to at the time.
“Banks have one job, to protect our money, and in my case with Barclays their failure to do so was total.”
Notes to Editors
Three tips on how to protect your phone
- Add a Pin to your Sim to stop someone stealing your Sim and putting it in another phone. You can do this in your phone’s Settings app.
- Disable preview notifications on your phone to stop thieves viewing messages when your phone is locked. On an iPhone, you can change notification settings under ‘messages’. On Android devices, it’s ‘notifications on lock screen’ in your Settings app.
- Register for Find My Phone using Google’s Find My Device or Apple’s Find My iPhone so your phone can be located, locked or wiped of data remotely if it’s lost or stolen.
Right of reply
A spokesperson for Barclays said: ‘There is no higher priority than the protection of our customers’ funds and data. The Barclays app has multiple layers of security, continually undergoing rigorous forms of testing, to provide our customers with the highest level of protection.’
‘We have every sympathy with our customer, who has reported being a victim of a sophisticated and targeted mobile phone theft. Funds sent to a third-party account outside our customer’s control have been returned in full, as a gesture of goodwill.’
‘We assess each case on its individual merits, and although we don’t see signs of fraud, we recognise that this is a complex case involving a loyal customer.’
A spokesperson for Lloyds Banking Group said: ‘Helping to keep our customers’ money and data safe is our priority. We have robust, multi-layer security across our online and mobile banking services to protect against potential cybersecurity threats.’
A spokesperson for American Express said: ‘We use a number of controls to protect Cardmembers from fraudulent activity. All fraud claims are thoroughly investigated by our specialist Fraud team. If a Cardmember believes that their account has been compromised, that they have experienced fraud, or their American Express card has been stolen, we would urge them to report this issue by calling us using the number on the back of their card or contacting us via our website.’
Which? is the UK’s consumer champion, here to make life simpler, fairer and safer for everyone. Our research gets to the heart of consumer issues, our advice is impartial, and our rigorous product tests lead to expert recommendations. We’re the independent consumer voice that influences politicians and lawmakers, investigates, holds businesses to account and makes change happen. As an organisation we’re not for profit and all for making consumers more powerful.
The information in this press release is for editorial use by journalists and media outlets only. Any business seeking to reproduce information in this release should contact the Which? Endorsement Scheme team at email@example.com.