Weak banking security is leaving customers vulnerable to fraud on stolen phones, Which? warns

Losses to mobile banking fraud have risen by 16%, but there are steps that banks and customers can take to make life harder for criminals

Banks must beef up their defences against mobile phone theft, a Which? Money investigation has found, after a string of similar cases revealed how easily thieves can break into banking apps.

With more of us banking on the go, criminals increasingly see phones as the gateway to accessing our financial accounts. 

In the first half of 2022, £15.7m was lost to mobile banking fraud (that is, unauthorised access via apps) – an increase of 16% on the previous six months. Only 9% of losses were recovered.

Here, we shine a light on the weak spots in banking app security and the steps you can take to make it harder for phone thieves to access your accounts. 


Phone thief steals £73,000 overnight

A happy afternoon spent in a London pub at the beginning of the year quickly turned sour when Nick (pictured above), a company director from Somerset, realised someone had stolen his phone. He reported it to the police and went home. By morning, the thief had drained £73,000 from his personal and business Barclays accounts.

‘My stomach dropped. I immediately called Barclays to suspend all my accounts. The first call handler was sympathetic, but it’s an awful process. I was so stressed, yet there was hardly any dialogue. I was also dealing with the police to get CCTV footage of the thief.’ 

In just a few hours, the fraudster had logged into Nick's Barclays app, added an account they controlled as a new payee and reset the password on a bulk business payment system provided by a company called Telleroo. 

How did they do it?

The thief had likely 'shoulder-surfed' Nick first to see the code he used to unlock his phone and then tried similar combinations to access the app.

Barclays only requires you to provide debit card details to add a new payee, and these details are stored in the app, meaning that the thief had everything they needed to steal his money. While Barclays scored highly for app security overall in the latest Which? bank security test, it was marked down on poor security when adding new payees – and Nick’s case demonstrates why. 

This case also highlights the problem with financial firms using SMS to deliver security checks. Having realised that Nick's business used Telleroo to send bulk payments, the thief simply reset his account password by triggering a one-time passcode sent to the stolen phone. Similarly, Barclays' system did detect suspicious activity, but sent a fraud warning via SMS, straight into the hands of the criminal, who authorised the payments while Nick slept.

Fighting for reimbursement

Inexplicably, Barclays told Nick it hadn’t found any evidence of fraud because the transactions were properly authorised. After we contacted the bank, expressing our deep concern over its handling of the case, it agreed to refund £15,000 taken from his personal account, but said it won’t refund the transfers from his business account. 

Barclays told us: ‘We assess each case on its individual merits, and although we don’t see signs of fraud, we recognise that this is a complex case involving a loyal customer.’ We asked Barclays if its security systems could detect the location of the phone at the time of the transfers, but didn’t receive an answer to this question. 

Telleroo declined to comment, as its internal investigation was ongoing at the time of publication. It said that details shared by Which? were inaccurate, but didn’t elaborate any further. 

We believe that Barclays should refund all of these unauthorised payments and we've advised Nick to escalate his case to the Financial Ombudsman.  

How criminals can bypass bank app security 

The most obvious weak point is the process for resetting your app login details.

Some banks ask you to re-register for the app or pass strict identity checks to do this (Chase and Monzo both ask for photo ID and a ‘selfie’ video, for example), while others only ask for basic information that’s more easily obtained by a thief. 

In our test, we could too easily reset the passwords of various Lloyds Banking Group apps. The Halifax and MBNA apps only required credit card details and a one-time passcode sent via SMS to the same phone. For Lloyds, we had to enter a four-digit code generated on the phone during an automated call. 

Amex users can also choose the ‘forgot password’ option, enter their credit card details and receive a one-time passcode sent via text or email, both of which a thief could access directly from a stolen phone.

The problem with SMS

SMS is widely considered to be an insecure method of sending highly sensitive information (so we penalise banks for this in our annual bank security test).

A thief can see messages (including security codes sent by your bank) flash up on the screen even when a stolen phone is locked – or they could put your stolen Sim in another phone to receive messages. Both features can be disabled. 

Other banks using SMS-based security will ask for additional details to recover app login details, such as your online banking password, which could be enough to thwart a thief. But this is largely pointless if that password can also be reset with the same security check. This is the case with Virgin Money, which asks for a one-time passcode to reset both the app passcode and the online banking password (which itself is used to reset the app passcode). 

Finding out your card Pin

Thieves may also attempt to uncover your card Pin if they’ve stolen your card. Again, we think Lloyds Banking Group apps made this too easy. Unusually, there was no security check at all to find out the Pin via these apps once logged in. 

Barclays and Virgin Money only ask for debit or credit card details when customers request a Pin reminder. 

Other banks either don’t allow you to see your Pin within the app, or have tighter checks (Monzo asks for photo ID and a selfie video, while Starling asks for a password). 
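The recovery weaknesses described in the two sections above (a one-time passcode delivered to the same handset, a password that can itself be reset with that same passcode, and a Pin reminder with no check beyond being logged in) can be checked mechanically. The Python below is an added illustration, not code from Which? or from any bank, and the factor names, the "weak" and "strong" policies and the three thief scenarios are constructed for the example, loosely following the flows the article describes rather than any bank's real configuration. It treats each recovery flow as a rule (credential obtained, factors that must be presented), computes everything a thief can reach by chaining rules from what they actually hold, and flags checks that are redundant because the credential they ask for is itself reachable.

```python
"""Reachability model of account-recovery flows (constructed example).

A policy is a list of rules: (credential you obtain, factors or credentials
you must present). Starting from what a thief holds, we take the closure
under the rules and report which credentials fall out, and which 'extra'
checks add nothing because the credential they ask for is itself resettable.
"""

# Three thief scenarios. All labels are constructed for this example.
PHONE_UNLOCKED = frozenset({
    "sms_otp",              # can read one-time passcodes sent by SMS
    "email_otp",            # can read codes sent to the mail app
    "card_details",         # card number, expiry and CVV shown inside the app
    "automated_call_code",  # can answer an automated call to the handset
})
# Phone still locked, but lock-screen previews show incoming messages.
PHONE_LOCKED_PREVIEWS_ON = frozenset({"sms_otp", "email_otp"})
# Phone locked, previews disabled, Sim protected by its own Pin.
PHONE_LOCKED_HARDENED = frozenset()

# A weak policy modelled on the flows criticised in the article.
WEAK_POLICY = [
    ("app_login", frozenset({"card_details", "sms_otp"})),
    ("online_banking_password", frozenset({"sms_otp"})),
    ("app_login", frozenset({"online_banking_password"})),   # password resets app passcode
    ("card_pin", frozenset({"app_login"})),                  # Pin reminder, no extra check
]
# A stronger policy: recovery needs evidence a thief cannot pull off the phone.
STRONG_POLICY = [
    ("app_login", frozenset({"photo_id", "selfie_video"})),
    ("online_banking_password", frozenset({"photo_id", "selfie_video"})),
    ("card_pin", frozenset({"app_login", "app_password"})),
]


def credentials_in(policy):
    """The set of things the policy can hand out (as opposed to raw factors)."""
    return {target for target, _ in policy}


def attacker_reach(held, policy):
    """Fixpoint closure: keep applying any rule whose requirements are all in hand.

    Returns the credentials a thief ends up with, starting from the factors in
    `held`. Order of rules does not matter because we iterate to a fixpoint.
    """
    have = set(held)
    changed = True
    while changed:
        changed = False
        for target, needs in policy:
            if target not in have and needs <= have:
                have.add(target)
                changed = True
    return frozenset(have & credentials_in(policy))


def redundant_credential_checks(held, policy):
    """Rules that ask for a credential the thief can already obtain from `held`.

    Each (target, extra) pair means: the check for `extra` when recovering
    `target` is bypassable, because `extra` is itself reachable from the same
    starting factors (the 'reset the password with the same SMS code' problem).
    """
    reach = attacker_reach(held, policy)
    creds = credentials_in(policy)
    return sorted(
        (target, extra)
        for target, needs in policy
        for extra in needs & creds
        if extra in reach
    )


if __name__ == "__main__":
    scenarios = [
        ("unlocked phone", PHONE_UNLOCKED),
        ("locked, previews on", PHONE_LOCKED_PREVIEWS_ON),
        ("locked, hardened", PHONE_LOCKED_HARDENED),
    ]
    for policy_name, policy in [("weak", WEAK_POLICY), ("strong", STRONG_POLICY)]:
        for scenario_name, held in scenarios:
            reach = sorted(attacker_reach(held, policy))
            redundant = redundant_credential_checks(held, policy)
            print(f"{policy_name:6} | {scenario_name:20} | reach={reach} redundant={redundant}")
```

Running it shows the point the article makes about lock-screen previews: under the weak policy a thief who can only read previews on a locked phone still reaches every credential, because the SMS code resets the online banking password, the password resets the app passcode, and the app exposes the Pin. Disabling previews and setting a Sim Pin (the hardened scenario) empties the reachable set under the same weak policy, and the strong policy yields nothing even from a fully unlocked phone.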

3 ways to protect your phone

Which? wants banks to do a better job of warning customers about the dangers of mobile phone fraud and explaining exactly how they can protect their devices. Here are three simple steps you can take:

  • Add a unique Pin to your Sim: by securing your Sim with a Pin, you could stop someone stealing yours to put into another phone. If a thief can’t break into a locked phone, they can pop the Sim in a different phone to receive calls and messages. That wouldn’t give them direct access to your banking apps, but it could allow them to pass security checks to activate these apps on a new phone. 
  • Disable preview notifications: messages can flash up on your phone screen even when your phone is locked, meaning a thief could view text messages or emails sent by your bank. On an iPhone, you can change notification settings under 'messages.' On Android devices, it's 'notifications on lock screen' in your Settings app. 
  • Register for phone-finding services: Use Google’s Find My Device or Apple’s Find My iPhone, so your phone can be located, locked or wiped of data remotely if it’s lost or stolen.

What the banks say

All the banks we’ve highlighted told us that they have additional controls to mitigate the risk of fraud, such as monitoring tools that may block specific suspicious activity. 

A spokesperson for Lloyds Banking Group said: ‘Helping to keep our customers’ money and data safe is our priority. We have robust, multi-layer security across our online and mobile banking services to protect against potential cybersecurity threats.’ 

A spokesperson for Virgin Money said: ‘A stolen phone on its own wouldn’t be sufficient to access the banking app or view a card’s Pin. The criminal would need to obtain additional customer-specific credentials. In addition we use industry-standard tools to monitor transactions and authentication requests to help prevent fraudulent transactions.’ 

A spokesperson for American Express said: ‘We use a number of controls to protect Cardmembers from fraudulent activity. All fraud claims are thoroughly investigated by our specialist Fraud team. If a Cardmember believes that their account has been compromised, that they have experienced fraud, or their American Express card has been stolen, we would urge them to report this issue by calling us using the number on the back of their card or contacting us via our website.’