A favorite two-factor method — mobile — is proving insecure
A deaf woman who had over £8000 stolen from her bank account by fraudsters has become the latest symbol of the insecure practice of using phone numbers as proof of identity.
Her case could also be an indicator that banks’ standard responses to “authorised push payment” fraud may be changing, after media pressure forced Metro Bank to reverse its decision not to refund the stolen money.
The incident began when Louise Harte, a profoundly deaf Metro Bank customer, returned from a holiday to find her mobile phone was no longer working, according to a report by the Guardian. It quickly emerged that fraudsters had visited a branch of Three, her mobile provider, and persuaded them to transfer her number to a new SIM.
With access to her voice calls and SMS messages, and apparently some prior knowledge of her bank login information, the scammers were then able to set up a transfer out of her account to one in their control, providing the “security” code sent via SMS to confirm the transaction. £8,371 was transferred out; a second payment was blocked as suspicious.
After a month of wrangling with customer service at both Three and Metro — the latter of which initially refused to let Harte's son participate in conversations as an interpreter — Ms. Harte eventually figured out what had happened and convinced the bank retrieve some £5,700 which was still accessible. The remained £2,671, she was informed, had been moved on and would not be refunded.
After coming under pressure from the Guardian, Metro then reversed this decision, returning the remaining stolen funds and offering compensation of £250 — which was rejected by Ms Harte, who described the payment as “derisory.”
The case once again highlights the inappropriateness of using phone numbers as a reliable proof of identity. With the two-factor requirements of PSD2 on the horizon, banks will need to rethink their policies to ensure they are using truly secure methods.
Many of the simple metrics banks have used in the past are simply not up to the job any more. Part of this shift is cultural — things like your mother’s maiden name or the name of your first pet/school/teacher are far too easy to dig up in the Facebook era — and part of this shift is due to past security lapses such as the Equifax breach exposing Social Security numbers and other private information.
A recent statement from the U.K.’s financial ombudsman may also have had an impact on Metro’s eventual response. Chief ombudsman Caroline Wayman noted in an article that banks would find it increasingly difficult to avoid taking responsibility for fraud by blaming the “gross negligence” of their customers, implying that falling for a sophisticated scam, or having your phone number stolen, should not be considered negligence at all.
With the Financial Conduct Authority in the midst of a major consultation on authorised push payment fraud, expected to include some serious changes to expectations from banks whose customers have been victims of such scams, there could soon be greater expectations of protection for victims. This should provide yet more encouragement for banks to ensure security and authentication methods are up to scratch.