APP fraud losses hit £456 million in 2019

A family member experienced this. She received a call from what showed in her mobile phone as coming from HSBC. Naturally, this made her think that HSBC was calling her. The person on the other side told her that they were contacting her because they want to verify a suspicious transaction - a bank transfer. They told her that they flagged a £750.00 transfer as suspicious. She then panicked and said that of course, she did not do this bank transfer. They then told her that they needed her to generate 2 codes - 1 to confirm that she is the real bank account holder that they are talking to and 2nd code to allow them to cancel that £750.00 transfer. Again, since the phone call showed as coming from HSBC - she generated those 2 single use codes and gave each one to them. Fraudster then used the code to log-in to her account; then trigger a bank transfer with the second code.

APP Fraud is usually done combined with another fraud. In her case, it's called number spoofing.

Surely, it wouldn't be so complicated for the banks to add code so as to store their customers' known device-ids. In addition to processing the single-use code, the bank's system can also check if it's coming from one of the customer's device-ids. If it shows as being triggered from a new device-id then they should stop (not allow) the transaction; notify the customer via text and request customer to confirm that the bank transfer coming from a new device id.

Storing a customer's device ids and checking against the bank of customer's device ids is not a new technique. American Express does this. Amex actually 'whitelists' customer's confirmed device ids.

Only £456M? A couple of days ago, Finextra reported that APP fraud loss was £1B. 

On a side note, there's no end to the amount of security measures that can be implemented by banks. But, they all come at the cost of increasing friction, creating the risk of failed payments, and reducing adoption, as we've seen in India. Banks here have taken a lot of steps but UPI Fraud, which is the Indian version of APP fraud, is rampant. I wish there was a better way of saying it, but, end of the day, as the old adage goes, a fool and his money are easily parted, and there's no point to designing a system for the <1% suckers. In my experience, such people will anyway not be able to handle the extra friction caused by increased security measures and will end up giving their phones to somebody else to fulfill their transaction, which opens up the field for an entirely new fraud threat vector. IMO, the solution to this problem is not to throw the baby out with the bathwater. Instead, the <1% consumers who get defrauded should be reimbursed by banks for the first fraud, receive training on how to use these apps, and be told in no uncertain terms that they won't be reimbursed if they fall for APP fraud another time.   

Ketharaman

The report from a couple of days recording £1.1 billion lost to APP fraud was referring specifically to lossses incurred over the past three years., including the 2019 figure of £456 million.

If a system makes it too easy to impersonate, then consumers can't be blamed. If an institution chooses a low friction / higher risk system, they should also bear the burden. Cost/ benefit tradeoff.

@Paul Penrose: TY for the clarification. 

@Dinesh Katyal:

I did say bank should reimburse for the first time. But, beyond that, forget it, consumers must take responsibility for their actions. Out-of-band authentication has been a best practice for this kind of workflow for ages.

Of course, if you prefer, there's the alternative where the bank blocks access to the app to all users who were defrauded and compensated once. 

I must hasten to add that "first time fraud reimbursement" is itself fraught with huge moral hazard and can be a big source of "first party fraud". When someone knows he can claim APP fraud and get his money back, there's nothing stopping the fraudster from sending money to an accomplice and getting it reimbursed by the bank.

Still, I recommend it, in the largest interest, but with an upper limit or only when fraud happens the first time the app is used.