28 Oct 2019
The National Fraud Intelligence Bureau (NFIB) and one of the UK’s largest mobile phone networks, EE, have raised concerns about banks’ growing reliance on text messages when authorising large payments.
The calls follow the release of a declassified document by America’s Federal Bureau of Investigation (FBI) that warns about the risk of so-called Sim swapping — the process used by scammers to intercept passcodes sent by banks via a text message.
The FBI described this as a “common tactic” used to get round the security measure known as two-factor authentication. Victims of the scam have seen their bank accounts drained: the British anti-poverty campaigner Jack Monroe lost about £5,000 after her mobile number was hijacked and her bank account hacked this month.
The warning from across the Atlantic has prompted the NFIB, the UK police unit responsible for cyber-crime, to raise its own concerns.
Phillip Keating, senior crime reviewer at the NFIB, said that he agreed with the findings of the FBI report, which highlighted text messages as a weak link in the banks’ security chain.
He said: “Banks should consider what channels they use and whether they should be using a mobile phone to verify their customers.”
The NFIB is investigating a case where a victim in the UK lost £78,000 because of Sim swapping. The money was transferred to the sort of “mule” accounts commonly used for money laundering.
Banks have been keen to shift the blame for this type of fraud on to phone companies, which have been accused of allowing victims’ phone numbers to be hijacked because they run too few identity checks. Money has highlighted several such cases in recent weeks.
But one of the UK’s mobile phone networks, EE, has hit back, warning that people are more vulnerable to fraud if their banks rely on verification via text message (also known as SMS).
EE said: “While SMS remains a great way for banks and other businesses to communicate with customers, we more often see bank fraud involving mobile accounts happening with banks that still rely solely on SMS verification for financial transfers.”
Banks are increasingly sending text messages to customers that contain one-off, time-sensitive passcodes. The customer needs to enter that code to verify major app and online banking transactions.
Texts cost banks an average of just 1.5p to send.
However, codes over SMS are just one way of meeting new EU requirements for a “second factor” of identification, other than a traditional password, to be provided before any large payment can go through.
The Co-op, Santander, Lloyds, TSB and Barclays all admit to using the flawed system, while HSBC says that SMS is its primary verification method.
As an alternative to SMS, the Co-operative Bank gives its customers the choice of receiving codes by email; TSB offers the option of receiving them over a landline call to a home or work number; while Barclays will send customers a card reader that works with an account-holder’s bank card to generate the required security code.
Newer banks such as Monzo exclusively use encrypted passwords sent over wi-fi that cannot be obtained simply by gaining control of a mobile number.
Eric Priezkalns, chief executive of the Risk & Assurance Group (RAG) of telecoms risk analysts, said the practice of sending such vital codes by text was “simplistic” and “bonkers”.
He said: “If Action Fraud [the UK fraud reporting service] was to give sensible advice to people, it would be saying to check if your bank has a mobile phone app that does not rely on SMS for two-factor authentication. It would be the equivalent of the police encouraging you to get a car with a decent alarm fitted.”
By Kenza Bryan, The Sunday Times, 27 October 2019