
Weaknesses in bank mobile app security are exposing customers to fraud - Which?

Weak banking security measures are leaving customers dangerously vulnerable to fraud on stolen phones, Which? warns.




This content has been selected, created and edited by the Finextra editorial team based upon its relevance and interest to our community.

The consumer champion cites the case of a company director from Somerset who had £73,000 drained from his account after his mobile was lifted from his jacket pocket.

The thief was able to bypass security measures on his Barclays mobile banking app - potentially by 'shoulder-surfing' to see the code he used to unlock his phone - and then trying similar combinations to access the app.

The fraudster then added an account they controlled as a new payee, and also reset the password on a bulk business payment system.

In the Barclays app, the fraudster only needed to enter debit card details, which are stored in the app, to add a new payee, meaning they did not need to bypass any additional security checks.

The bank sent a fraud warning via SMS, which is of no use to the account holder if their phone has been stolen.

It was only after Which? intervened in the case that the bank refunded £15,000 stolen from his personal account, but refused to reimburse his business account.

Jenny Ross, Which? money editor, says: “While the details are shocking, unfortunately they are not uncommon as criminals seek to exploit any weakness they can in pursuit of our money.”

Which? has raised additional concerns about some banks’ security measures to reset login details. Although some ask customers to re-register for the app or pass strict identity checks, others only request basic information which could be easily obtained by a criminal.

In tests, the consumer champion found it was too easy to reset the passwords of various Lloyds Banking Group apps. Halifax and MBNA required only credit card details stored in the app and a one-time password (OTP) sent via SMS to the same phone number. Lloyds only required a four-digit code generated on the phone during an automated call.

Amex users can also choose the ‘forgot password’ option, enter their credit card details and receive an OTP sent via text or email, both of which a thief could access directly from a stolen phone.

Which? wants banks to stop relying on SMS to send sensitive information and fraud warnings. In the event of a phone being stolen, criminals can either view messages sent by SMS or simply put the victims’ Sim into a different phone and continue to receive messages.

Says Ross: “A lack of strong security protections in some banks’ mobile apps is a huge concern, and could leave many more consumers at risk of being defrauded. Banks must up their game to protect customers.

“Banks also need to ensure they meet their legal obligations to reimburse customers for unauthorised transactions.”


Comments: (2)

Hitesh Thakkar Technology Evangelist (Financial Technology) at SME - Fintech startups (APAC and Africa)

User authentication and access management is always a double-edged sword.

One side - customer convenience, frictionless usage, ease of use for less tech-savvy customers and more.

Other side - same story as described above.

With facial authentication becoming common, it can be used as a second factor to make life easy, but again, if I put it as a condition for high-value transaction amounts, then that will go against ease of use.

A Finextra member 

It has been well known for many years that banking apps have poor security, so why do people rely on them? I only do banking on a computer at my home, which has three-level security.
