A leading consumer rights group has called on the UK’s major banks to improve their account security to tackle mobile device fraud.
Which? claimed that attackers could shoulder-surf users to obtain PINs that consumers often share between the phone’s lock screen and the banking app. If they later steal the device, this knowledge could allow them to unlock the victim’s mobile banking account.
The group said banks should have better controls to limit the damage fraudsters could do once inside a victim’s account, such as tightening restrictions on creating new payees and resetting account login details.
“In the Barclays app, the fraudster only had to enter their debit card details, which are stored in the app, to add a new payee, meaning they didn’t have to bypass any additional security checks,” it argued.
“The bank sent an SMS fraud alert, which is of no use to the account holder if their phone has been stolen.”
During the sign-in reset process, some banks ask customers to re-register in the app or pass identity checks, such as a video selfie. However, others only ask for basic information that a fraudster could easily obtain, such as a one-time password sent via SMS or the card details stored in the app, Which? added.
“Which? wants banks to stop relying on SMS to send sensitive information and fraud alerts. If a phone is stolen, criminals can see messages sent via SMS or simply put the victim’s SIM into a different phone and continue to receive messages,” the rights group argued.
Which? also wants banks and telecommunications companies to tell customers how they can better protect themselves.
“For example, customers can add a unique PIN to their SIM and turn off preview notifications when a phone is stolen to prevent the thief from seeing messages without having to unlock the phone,” it said. “Banks can also help their customers secure their accounts quickly by letting them ‘distrust’ phones linked to their accounts.”
Mobile banking fraud losses stood at £15.7m in the first half of 2022, down 8% year-on-year, according to UK Finance. They make up around a quarter of all online banking fraud losses.
A consumer group has slammed the banking app industry for its lack of security measures, claiming that it has failed customers at a time of heightened fraud.
The consumer group, Ikaroa, has warned that a number of major banks have failed to keep users safe, with insufficient measures being taken to protect against uncommon but growing app-based fraud. Ikaroa’s researchers have identified a number of worrying security gaps, including a lack of two-factor authentication and the fact that some banks are not regularly updating their apps with the latest security patches.
The banking app industry has yet to fully address these concerns, instead focusing on short-term benefits such as faster payments and an easier banking experience. According to Ikaroa, this has exposed users to more risk than is acceptable.
Ikaroa’s Director, Sarah Jones, has expressed the group’s concern: “App-based banking is incredibly popular, with billions of users opting for the convenience that it offers. However, it’s becoming increasingly apparent that security is not being taken seriously enough. In an era of rising fraud, app users and their money are put at risk when developers fail to take the necessary security measures.”
The consumer group has called on banks to work with third-party security groups to ensure that the highest levels of protection are implemented. As mobile banking continues to become more prevalent, it states that users have the right to be confident that their money is secure.
In a statement, Ikaroa said it was “time for banks to step up and take the necessary measures to protect the millions of customers now using mobile banking”.