UK banks’ weak mobile security exposes customers to fraud, according to Which?
UK banks are failing to protect their customers from mobile banking fraud, with weak security measures leaving users exposed to theft and financial losses, according to a new report from consumer champion Which?
One customer described how £73,000 was drained from his accounts after his phone was stolen from a pub.
As more people rely on mobile banking, criminals are increasingly targeting mobile phones as gateways to personal finances.
Figures from UK Finance reveal that £15.7 million was reported lost to mobile banking fraud in the first half of 2022, while losses to online banking fraud totalled £61.2 million during the same period.
A company director from Somerset, identified as Nick, 46, became a victim of mobile banking fraud after his phone was stolen from a busy London pub.
The thief bypassed security measures on Nick’s Barclays mobile banking app, potentially by “shoulder-surfing” to see the code he used to unlock his phone and then trying similar combinations to access the app.
The fraudster added an account they controlled as a new payee and reset the password on a bulk business payment system.
By the time Nick realised, £73,000 had been transferred from his personal (£15,000) and business (£58,000) accounts to the fraudster’s account.
Which? found that some banks’ security measures for resetting login details are insufficient, requesting only basic information that could be easily obtained by a fraudster.
Tests revealed that it was too easy to reset the passwords of various Lloyds Banking Group apps, including Halifax and MBNA, which required only credit card details stored in the app and a one-time password (OTP) sent via SMS to the same phone number.
Similarly, American Express users can choose the ‘forgot password’ option, enter their credit card details, and receive an OTP sent via text or email, both of which a thief could access directly from a stolen phone.
The consumer champion is urging banks to stop relying on SMS to send sensitive information and fraud warnings, as criminals can view messages sent by SMS or simply put the victims’ Sim into a different phone and continue to receive messages.
Which? is calling on banks and telecoms providers to explain to customers how they can better protect themselves and provide tools to help secure their accounts quickly in case of theft.
Following Which?’s intervention in Nick’s case, Barclays refunded £15,000 stolen from his personal account but refused to reimburse his business account.
Nick’s business cyber insurance ultimately covered the stolen funds. The experience significantly impacted Nick’s mental health and highlights the detrimental effect of fraud on victims’ wellbeing.
Jenny Ross, Which? Money Editor, said: “A lack of strong security protections in some banks’ mobile apps is a huge concern, and could leave many more consumers at risk of being defrauded. Banks must up their game to protect customers.”
Nick commented on his experience: “Banks have one job, to protect our money, and in my case with Barclays their failure to do so was total.”
He added that the worst part of the experience was the “disgraceful treatment” he received from Barclays, despite being a loyal customer for over 30 years.
Which? has provided three tips for customers to protect their phones: adding a Pin to their Sim, disabling preview notifications to prevent thieves from viewing messages on a locked phone, and registering for Find My Phone services such as Google’s Find My Device or Apple’s Find My iPhone.
These measures can help ensure that users’ phones can be located, locked, or wiped of data remotely if lost or stolen.
The report highlights the urgent need for banks to strengthen their mobile app security measures and better educate customers on ways to protect their personal information and finances.