Banks must beef up their defences against mobile phone theft, a Which? Money investigation has found, after a string of similar cases revealed how easily thieves who steal a phone can get into the banking apps on it.
With more of us banking on the go, criminals increasingly see phones as the gateway to accessing our financial accounts.
In the first half of 2022, £15.7m was lost to mobile banking fraud (that is, unauthorised access via apps) – an increase of 16% on the previous six months. Only 9% of losses were recovered.
Here, we shine a light on the weak spots in banking app security and the steps you can take to make it harder for phone thieves to access your accounts.
A happy afternoon spent in a London pub at the beginning of the year quickly turned sour when Nick (pictured above), a company director from Somerset, realised someone had stolen his phone. He reported it to the police and went home. By morning, the thief had drained £73,000 from his personal and business Barclays accounts.
‘My stomach dropped. I immediately called Barclays to suspend all my accounts. The first call handler was sympathetic, but it’s an awful process. I was so stressed, yet there was hardly any dialogue. I was also dealing with the police to get CCTV footage of the thief.’
In just a few hours, the fraudster had logged into Nick's Barclays app, added an account they controlled as a new payee and reset the password on a bulk business payment system provided by a company called Telleroo.
The thief had most likely 'shoulder-surfed' Nick first, watching him type the code he used to unlock his phone, and then tried the same or similar combinations to get into the banking app.
Barclays only requires you to provide debit card details to add a new payee, and these details are stored in the app, meaning that the thief had everything they needed to steal his money. While Barclays scored highly for app security overall in the latest Which? bank security test, it was marked down on poor security when adding new payees – and Nick’s case demonstrates why.
This case also highlights the problem with financial firms using SMS to deliver security checks. Having realised that Nick's business used Telleroo to send bulk payments, the thief simply reset his account password by triggering a one-time passcode, which was sent to the stolen phone. Similarly, Barclays' system did detect suspicious activity, but it sent the fraud warning via SMS, straight into the hands of the criminal, who authorised the payments while Nick slept.
Inexplicably, Barclays told Nick it hadn’t found any evidence of fraud because the transactions were properly authorised. After we contacted the bank, expressing our deep concern over its handling of the case, it agreed to refund £15,000 taken from his personal account, but said it won’t refund the transfers from his business account.
Barclays told us: ‘We assess each case on its individual merits, and although we don’t see signs of fraud, we recognise that this is a complex case involving a loyal customer.’ We asked Barclays if its security systems could detect the location of the phone at the time of the transfers, but didn’t receive an answer to this question.
Telleroo declined to comment, as its internal investigation was ongoing at the time of publication. It said that details shared by Which? were inaccurate, but didn’t elaborate any further.
We believe that Barclays should refund all of these unauthorised payments and we've advised Nick to escalate his case to the Financial Ombudsman.
The most obvious weak point is the process for resetting your app login details: if every check involved can be passed using the stolen phone itself, the app's own passcode adds very little.
Some banks ask you to re-register for the app or pass strict identity checks to do this (Chase and Monzo both ask for photo ID and a ‘selfie’ video, for example), while others only ask for basic information that’s more easily obtained by a thief.
In our test, we could too easily reset the passwords of various Lloyds Banking Group apps. The Halifax and MBNA apps only required credit card details and a one-time passcode sent via SMS to the same phone. For Lloyds, we had to enter a four-digit code generated on the phone during an automated call.
Amex users can also choose the ‘forgot password’ option, enter their credit card details and receive a one-time passcode sent via text or email, both of which a thief could access directly from a stolen phone.
SMS is widely considered to be an insecure method of sending highly sensitive information (so we penalise banks for this in our annual bank security test).
A thief can see messages (including security codes sent by your bank) flash up on the screen even when a stolen phone is locked, or they could put your Sim in another phone to receive messages. Both can be disabled: turn off message previews on the lock screen, and set a Sim Pin so the card can't be used in another handset.
Other banks using SMS-based security will ask for additional details to recover app login details, such as your online banking password, which could be enough to thwart a thief. But this is largely pointless if that password can itself be reset with the same security check. That is the case with Virgin Money: a one-time passcode resets the app passcode, and the same kind of passcode resets the online banking password that is supposed to be the extra check on the app passcode reset.
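To make the dependency problem concrete, here is an added example (not code from Which? or from any of the banks) that treats each recovery flow as a set of rules and works out what a phone thief can reach from what they hold. The per-bank rule sets are a simplified paraphrase of the flows described above, not the banks' actual logic, and they ignore the transaction monitoring the banks say they run; the credential names, the attacker scenarios and the "hardened handset" switch are assumptions made for the illustration.

```python
"""Credential-recovery flows as a reachability problem.

Each rule reads: "anyone holding every credential in NEEDS can obtain
GRANTS".  Start from what a phone thief holds, apply the rules to a fixed
point, and check whether app access is in the result.  The rule sets are
a simplified paraphrase of the article, not the banks' real logic.
"""
from __future__ import annotations

Rule = tuple[str, frozenset[str]]  # (credential granted, credentials needed)


def rule(grants: str, *needs: str) -> Rule:
    return grants, frozenset(needs)


def device_rules(previews_and_sim_locked: bool) -> list[Rule]:
    """What a thief can derive from the handset itself, whichever bank.

    With lock-screen message previews on and no Sim Pin, an SMS code is
    readable from mere possession of the phone.  With both disabled, the
    thief must first unlock the handset.
    """
    sms_needs = "phone_unlocked" if previews_and_sim_locked else "phone_possession"
    return [
        rule("sms_otp", sms_needs),
        rule("phone_unlocked", "phone_possession", "lock_code"),
        rule("email_otp", "phone_unlocked"),  # mail app on an unlocked phone
    ]


# Hypothetical per-bank recovery rules, paraphrased from the article.
BANK_RULES: dict[str, list[Rule]] = {
    # Halifax / MBNA: card details plus an SMS code sent to the same phone
    "halifax": [rule("app_access", "card_details", "sms_otp")],
    # Amex: card details plus a code sent by text or by email
    "amex": [
        rule("app_access", "card_details", "sms_otp"),
        rule("app_access", "card_details", "email_otp"),
    ],
    # Virgin Money: the app passcode reset asks for the online banking
    # password too, but that password is itself reset with an SMS code,
    # so the "extra" factor collapses onto the same one.
    "virgin_money": [
        rule("online_password", "sms_otp"),
        rule("app_access", "online_password", "sms_otp"),
    ],
    # Chase / Monzo: photo ID and a selfie video, neither derivable from the phone
    "monzo": [rule("app_access", "photo_id", "selfie_video")],
}

# Constructed attacker starting positions (assumptions for the illustration).
SCENARIOS: dict[str, frozenset[str]] = {
    "phone_only": frozenset({"phone_possession"}),
    "phone+lock_code": frozenset({"phone_possession", "lock_code"}),  # shoulder-surfed
    "phone+lock_code+card": frozenset({"phone_possession", "lock_code", "card_details"}),
}


def closure(start: frozenset[str], rules: list[Rule]) -> frozenset[str]:
    """Least fixed point: keep applying rules until nothing new is granted."""
    have = set(start)
    changed = True
    while changed:
        changed = False
        for grants, needs in rules:
            if grants not in have and needs <= have:
                have.add(grants)
                changed = True
    return frozenset(have)


def audit(hardened: bool = False) -> dict[str, dict[str, bool]]:
    """For every bank and scenario: can the thief reach app_access?"""
    return {
        bank: {
            name: "app_access" in closure(start, device_rules(hardened) + BANK_RULES[bank])
            for name, start in SCENARIOS.items()
        }
        for bank in BANK_RULES
    }


if __name__ == "__main__":
    for hardened in (False, True):
        print(f"\nlock-screen previews off and Sim Pin set: {hardened}")
        for bank, results in audit(hardened).items():
            row = "  ".join(f"{s}={'BREAK' if b else 'ok'}" for s, b in results.items())
            print(f"{bank:>13}: {row}")
```

Two things fall out of running it. First, the Virgin Money shape breaks with possession of the phone alone, because every factor on the path is delivered to the handset, whereas the Halifax and Amex shapes need the card as well and the Monzo shape never falls to anything a phone yields. Second, locking down previews and the Sim only closes the phone-only path; once the thief has also shoulder-surfed the unlock code, as in Nick's case, the result is the same as before, which is why the recovery flow itself, not just the handset settings, has to be fixed.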
Thieves may also attempt to uncover your card Pin if they’ve stolen your card. Again, we think Lloyds Banking Group apps made this too easy. Unusually, there was no security check at all to find out the Pin via these apps once logged in.
Barclays and Virgin Money only ask for debit or credit card details when customers request a Pin reminder.
Other banks either don’t allow you to see your Pin within the app, or have tighter checks (Monzo asks for photo ID and a selfie video, while Starling asks for a password).
Which? wants banks to do a better job of warning customers about the dangers of mobile phone fraud and explaining exactly how they can protect their devices. Here are three simple steps you can take:
All the banks we’ve highlighted told us that they have additional controls to mitigate the risk of fraud, such as monitoring tools that may block specific suspicious activity.
A spokesperson for Lloyds Banking Group said: ‘Helping to keep our customers’ money and data safe is our priority. We have robust, multi-layer security across our online and mobile banking services to protect against potential cybersecurity threats.’
A spokesperson for Virgin Money said: ‘A stolen phone on its own wouldn’t be sufficient to access the banking app or view a card’s Pin. The criminal would need to obtain additional customer-specific credentials. In addition we use industry-standard tools to monitor transactions and authentication requests to help prevent fraudulent transactions.’
A spokesperson for American Express said: ‘We use a number of controls to protect Cardmembers from fraudulent activity. All fraud claims are thoroughly investigated by our specialist Fraud team. If a Cardmember believes that their account has been compromised, that they have experienced fraud, or their American Express card has been stolen, we would urge them to report this issue by calling us using the number on the back of their card or contacting us via our website.’