Weaknesses in bank mobile app security are leaving customers dangerously exposed to scams, according to Which?, the consumer advice and product testing body.
Which? wants banks to stop relying on SMS to send sensitive information and fraud warnings. In the event of a phone being stolen, criminals can either view messages sent by SMS or simply put the victims’ Sim into a different phone and continue to receive messages.
The consumer body is calling on banks and telecoms providers to explain to customers how they can better protect themselves. For example, customers can add a unique pin to their Sim and to disable preview notifications when a phone has been stolen to prevent the thief from seeing messages without having to unlock the phone. Banks can also help their customers secure their accounts quickly by letting them ‘distrust’ phones linked to their accounts, Which? adds.
Jenny Ross, Which? Money Editor, said that criminals seek to exploit any weakness they can in pursuit of our money. She said: “A lack of strong security protections in some banks’ mobile apps is a huge concern, and could leave many more consumers at risk of being defrauded. Banks must up their game to protect customers. Banks also need to ensure they meet their legal obligations to reimburse customers for unauthorised transactions.”
A Which? video offers ‘three things you need to do, if your phone gets stolen’.
Comment
Which? previously marked banks down on multiple security measures, including failing to block weak passwords, sending one-time passcodes and sensitive data via SMS, noted Jasson Casey, CTO at Beyond Identity. He said: “It’s about time these organisations woke up and fixed their major vulnerabilities. Threat actors are constantly taking advantage of outdated security measures that make it easy, and inexpensive to breach systems. The industry should recognise the need for Zero Trust Authentication – stronger and more robust alternatives. Banks can’t afford to just ‘hope for the best’ where security is concerned anymore. Ensuring accurate prevention should become law, not just an advisory, to make it much harder, and less luck based, for attackers to walk through businesses’ front door.”
