Fintechs.fi

What Are The Weaknesses In Bank Mobile App Security?

Which? says that customers of banks with weak security measures are dangerously exposed to fraud if their phone is stolen.

The consumer champion gives the example of a Somerset business owner whose bank account was drained of £73,000 after his phone was stolen from his jacket pocket.

The thief got past the security on his Barclays mobile banking app by ‘shoulder-surfing’ the code he used to unlock his phone, then trying similar combinations until one opened the app.

The crook then added an account they controlled as a new payee and changed the password on a bulk payment system, the business facility used to send money to many recipients at once.

To add a new payee in the Barclays app, the fraudster only had to enter the details of the victim’s debit card, which are already visible in the app. No other security check stood in the way.

The bank did send an SMS fraud alert, but an alert delivered to a stolen phone reaches the thief, not the account holder.

After Which? got involved, the bank refunded the £15,000 taken from his personal account, but it declined to refund the losses from his business account.

Jenny Ross, Which? money editor, says: “While the details are shocking, unfortunately they are not uncommon as criminals seek to exploit any weakness they can in pursuit of our money.”

Which? has raised further concerns about the methods some banks use to reset login credentials. Some require customers to re-register for the app or pass strict identity checks. Others ask only for basic information that a criminal holding the phone could easily obtain.

In tests, the consumer champion found it too easy to change the passwords for several Lloyds Banking Group apps. Halifax and MBNA required only the card details already stored in the app plus a one-time password (OTP) sent to the same phone number. Lloyds required only a 4-digit code read out by an automated phone call to that number.

Amex users can likewise choose “forgot password,” enter their credit card details and receive a One-Time Password (OTP) by text message or email. Both the text and the email can be read from the stolen phone.

Which? wants banks to stop sending sensitive information and scam alerts through SMS. Whoever steals a phone can either read the SMS messages on it or move the victim’s SIM card into another phone and keep receiving them.
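The common thread in the reset flows above is that every factor a bank asks for can be satisfied by the same stolen, unlocked handset. The following Python is an added example, not code from Which? or from any of the banks named: it models each recovery factor by the assets an attacker must hold to satisfy it, then checks whether a single asset satisfies the whole policy. The asset labels and the “hardened” policy are assumptions for illustration; the bank policies paraphrase the article.

```python
"""Factor-independence check for account-recovery policies.

Added example. Each factor lists the assets that satisfy it; a policy
is "single-asset" when one stolen asset satisfies every factor.
Asset names (phone, sim, mailbox, physical_card, id_document,
second_device) are assumptions used only for this model.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Factor:
    name: str
    assets: frozenset  # holding ANY one of these satisfies the factor


# "phone" is the stolen handset, already unlocked via the shoulder-surfed PIN.
CARD_DETAILS = Factor("card details", frozenset({"phone", "physical_card"}))
SMS_OTP = Factor("OTP by SMS to registered number", frozenset({"phone", "sim"}))
CALL_CODE = Factor("4-digit code by automated call", frozenset({"phone", "sim"}))
SMS_OR_EMAIL_OTP = Factor("OTP by SMS or email (user's choice)",
                          frozenset({"phone", "sim", "mailbox"}))
# Factors a thief holding only the phone cannot satisfy (assumed hardened flow).
ID_CHECK = Factor("document identity check", frozenset({"id_document"}))
SECOND_DEVICE = Factor("authenticator on a separate device", frozenset({"second_device"}))

# Reset flows as described in the article, plus an assumed hardened flow.
POLICIES = {
    "Halifax/MBNA (as described)": [CARD_DETAILS, SMS_OTP],
    "Lloyds (as described)": [CALL_CODE],
    "Amex forgot-password (as described)": [CARD_DETAILS, SMS_OR_EMAIL_OTP],
    "hardened (assumed)": [CARD_DETAILS, ID_CHECK, SECOND_DEVICE],
}


def satisfiable(policy, held):
    """True if the set of assets `held` satisfies every factor in `policy`."""
    held = set(held)
    return all(f.assets & held for f in policy)


def single_asset_compromises(policy):
    """Assets whose theft alone satisfies every factor (empty is what you want)."""
    universe = set().union(*(f.assets for f in policy))
    return sorted(a for a in universe if satisfiable(policy, {a}))


def recoverable_by_victim(policy, victim_assets):
    """Can the legitimate user still recover after losing the phone?"""
    return satisfiable(policy, set(victim_assets) - {"phone"})


def report(policies=POLICIES):
    """Map each policy name to the single assets that break it."""
    return {name: single_asset_compromises(p) for name, p in policies.items()}


if __name__ == "__main__":
    for name, weak in report().items():
        print(f"{name}: {'single point of failure: ' + ', '.join(weak) if weak else 'no single asset suffices'}")
    # Legitimate recovery after theft: the victim keeps card, ID and second device.
    print("victim can recover under hardened flow:",
          recoverable_by_victim(POLICIES["hardened (assumed)"],
                                {"physical_card", "id_document", "second_device"}))
```

The Lloyds entry reports both “phone” and “sim” as sufficient, which is exactly the SIM-moving attack Which? describes: an automated call to the registered number is not out-of-band with respect to the device that was stolen. A recovery factor only adds security when the attacker who holds the first factor’s asset must compromise something else to obtain it.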

Says Ross:

“A lack of strong security protections in some banks’ mobile apps is a huge concern, and could leave many more consumers at risk of being defrauded. Banks must up their game to protect customers.

Banks also need to ensure they meet their legal obligations to reimburse customers for unauthorised transactions.”