A decade ago, who would have thought that many of us would now carry over a thousand Euros, Dollars, or Pounds everywhere we go? Sometimes we even boldly display that wealth in public places, with the most trusting amongst us even tempted to put that money down on a cafe table as we sip a latte.

I am of course referring to the near-ubiquitous smartphone. Love them or hate them, many of us would be lost without one. Wherever you live, the risk of being robbed or suffering the loss of your phone through theft has never been greater.

Whilst activation locks and the new biometric security features have undoubtedly reduced the resale value of such devices, criminals have demonstrated a willingness to innovate. The GSMA, which represents mobile operators across the globe, estimates that over 4 million devices are stolen in the United States and subsequently trafficked overseas.

In London, it was reported that criminals set out to steal a mobile phone in nearly two-fifths of robberies and 68% of all thefts. Robbery is a traumatic experience, and these statistics suggest a person in London was subject to or threatened with violence roughly every 55 minutes.

Sadly, the physical and emotional impact of such robberies is no longer the only risk, with some criminals shifting their focus from the value of the device itself to the value of what it represents. In the eyes of criminals, the theft of a smartphone presents an opportunity to ‘double dip’, profiting not only from the sale of the device but also from the chance to wreak havoc in the victim’s financial universe. A recent report by BioCatch shows that cases of financial fraud on stolen devices increased 43% in the last year.

“It's only a phone... but if you take that out without the right precautions and protections around it, you are essentially walking around with a bag of cash.”

Detective Superintendent Roch, Metropolitan Police


Strong Authentication Can't Help This Fraud

The advent of Strong Customer Authentication (SCA) elevated the humble smartphone from a source of bad selfies to a key factor in the authentication of online banking sessions and payments. Mobile phones effectively act as the 'possession' element of SCA, representing something that only the user possesses and that may be recognised without risk of error by the payment service provider (PSP). However, when the device is stolen, SCA can be used against a financial institution with criminals making use of a trusted device to commit fraud.

The risk is greatest amongst those who we might well categorise as digital natives, a generation that ought to be more aware than most. Some of the key risk factors include:

Avoiding the use of on-device biometrics or backing them with a simple PIN
Use of a simple PIN to lock the device
Storing sensitive information in insecure locations
Repeated use of the device PIN on financial services apps
Failing to utilise lost device protection 

The scheme itself is simple: criminals set out to observe the victim using their device in the hope of catching them entering their PIN (often referred to as 'shoulder surfing'). Once they are confident that they have determined the device PIN, they plan to steal the device, typically by robbing or pickpocketing the victim. Worse still, in some cases the victim's drink is spiked, reducing their ability to notice the loss and to respond to any attempted interventions on the part of financial institutions. Examples of some recent public cases are summarised below.

Case 1: Spiked Drink Leads to £18,000 Loss

Ben Gregory was on a night out in south London. A night that went from a pleasant meal and a couple of drinks ended in him waking up dazed.

Unbeknownst to him, his device had been taken along with his wallet. Two overdrafts were taken out in his name and over £18,000 was taken via bank transfers and point-of-sale transactions.

Of the financial institutions involved, four made immediate refunds and two declined, asserting that the transactions were authorised.

Following the involvement of the media, Ben was fully reimbursed.

BBC: Fraud: 'I had £18,000 stolen after my drink was spiked'

Case 2: Victim Loses £22,500 After Device Theft

Jacopo de Simone was on a night out when he realised his phone was missing. Frustrated and annoyed, he assumed that the locked device would be protected.

That assumption proved to be wrong when, the following morning, he discovered £22,500 had been siphoned from his bank accounts.

Jacopo’s bank initially refused to reimburse him as they believed the transactions to have been authorised. Jacopo says he made use of biometrics and had a different PIN for his banking app.

After a 10-month fight, he was eventually refunded in full.

BBC: Mobile phone fraud: 'They stole £22,500 using my banking app'


Whilst both examples occurred in London, this is not an issue limited to Europe. Recently, a gang in New York was reportedly involved in the theft of 62 phones, which they passed to their ‘tech guy’ accomplice before sending them to South America for resale.

“Officials say the suspects cleared hundreds of thousands of dollars from victims' bank accounts. The phones were then allegedly sent to Colombia, where they were wiped clean.”

ABC7NY - string of cellphone robberies; 7 others sought


As these two case studies illustrate, many financial institutions point to the successful completion of SCA as evidence that a transaction was authorised when a customer reports it as fraudulent. Regulators are showing a growing awareness of this issue, a good example being the Banque de France, which issued a press release entitled “L’Observatoire de la sécurité des moyens de paiement émet des recommandations sur le remboursement des victimes de fraude” in May 2023. Within the press release they state “l’existence d’une authentification forte n’étant pas suffisante en soi pour considérer que la transaction a été autorisée” (“the existence of strong authentication is not sufficient in itself to consider that the transaction has been authorised”).

What Banks Can Do to Protect Customers
Financial fraud committed following the theft of a device is an emerging threat in several countries – one that is only just starting to gain mainstream attention. Here are several important tips to consider to protect your bank and your customers.

Banks should advise customers to:

Use a strong memorable alphanumeric passcode, never a 4- or 6-digit PIN
Utilise on-device biometrics to unlock the device
Utilise the manufacturer’s stolen device protection features
Prepare for the possible loss of a device by knowing the password for any cloud-based service (iCloud etc.) that lets them remotely lock the device and mark it as lost or stolen

Banks should also consider:

Treating the reuse of passwords and passcodes across devices and apps as a breach of terms and conditions
Treating the loss of a device as akin to the loss of a card, requiring customers to report it via your 24/7 lost or stolen customer contact channel
Encouraging customers to kill any sessions associated with lost devices, such as email apps
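The last two points above describe a control rather than a technique, so the following is an added, illustrative model of how a bank's session store could implement them; it is example code written for this page, not code from any institution, regulator or vendor mentioned here. Every session is bound to the enrolled device it was opened from, a "lost device" report (the equivalent of reporting a lost card) flags the device and revokes every session bound to it, and the device stops counting as the SCA possession factor until it is re-enrolled. The names `AuthStore`, `report_lost`, `possession_factor_valid`, the customer and device identifiers, and the scenario amounts are all assumptions for the example.

```python
"""Device-bound sessions with a 'lost device' kill switch (illustrative model, not a real bank's code)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass
class Device:
    device_id: str
    customer_id: str
    status: str = "trusted"          # "trusted" or "lost"
    lost_reported_at: Optional[datetime] = None


@dataclass
class Session:
    session_id: str
    customer_id: str
    device_id: str                   # every session is bound to one enrolled device
    revoked: bool = False


class AuthStore:
    """In-memory stand-in for a bank's device registry and session store (hypothetical)."""

    def __init__(self) -> None:
        self.devices: Dict[str, Device] = {}
        self.sessions: Dict[str, Session] = {}
        self.audit: List[str] = []

    def enrol_device(self, customer_id: str, device_id: str) -> None:
        self.devices[device_id] = Device(device_id, customer_id)
        self.audit.append(f"enrol {customer_id} {device_id}")

    def open_session(self, session_id: str, customer_id: str, device_id: str) -> Session:
        device = self.devices.get(device_id)
        if device is None or device.customer_id != customer_id:
            raise PermissionError("unknown or foreign device")
        if device.status != "trusted":
            # A device reported lost cannot open new sessions until the customer re-enrols it.
            raise PermissionError("device reported lost; re-enrolment required")
        session = Session(session_id, customer_id, device_id)
        self.sessions[session_id] = session
        return session

    def report_lost(self, customer_id: str, device_id: str, now: datetime) -> int:
        """Treat a lost device like a lost card: flag it and kill every session bound to it."""
        device = self.devices.get(device_id)
        if device is None or device.customer_id != customer_id:
            raise PermissionError("unknown or foreign device")
        device.status = "lost"
        device.lost_reported_at = now
        revoked = 0
        for session in self.sessions.values():
            if session.device_id == device_id and not session.revoked:
                session.revoked = True
                revoked += 1
        self.audit.append(f"lost {customer_id} {device_id} revoked={revoked}")
        return revoked

    def possession_factor_valid(self, customer_id: str, device_id: str) -> bool:
        """A device counts as the SCA possession factor only while it is enrolled and trusted."""
        device = self.devices.get(device_id)
        return device is not None and device.customer_id == customer_id and device.status == "trusted"

    def authorise_payment(self, session_id: str, amount_pence: int) -> Tuple[bool, str]:
        session = self.sessions.get(session_id)
        if session is None or session.revoked:
            return False, "no live session"
        if not self.possession_factor_valid(session.customer_id, session.device_id):
            return False, "possession factor not trusted"
        self.audit.append(f"payment {session.customer_id} {amount_pence}")
        return True, "authorised"


def run_scenario() -> dict:
    """Constructed scenario: phone stolen, a payment goes through, then the customer reports it lost."""
    store = AuthStore()
    store.enrol_device("cust-1", "phone-A")
    store.open_session("sess-1", "cust-1", "phone-A")

    before = store.authorise_payment("sess-1", 2_250_000)   # thief still holds a live, trusted session
    revoked = store.report_lost("cust-1", "phone-A", datetime(2024, 1, 1, tzinfo=timezone.utc))
    after = store.authorise_payment("sess-1", 100)           # same session, now dead
    try:
        store.open_session("sess-2", "cust-1", "phone-A")    # cannot re-open on the lost device
        reopened = True
    except PermissionError:
        reopened = False
    return {"before": before, "revoked": revoked, "after": after, "reopened": reopened,
            "factor_valid": store.possession_factor_valid("cust-1", "phone-A")}


if __name__ == "__main__":
    print(run_scenario())
```

The first payment in the scenario is the window the article is about: until the customer reports the loss, the stolen phone is indistinguishable from the legitimate one, which is why the report channel has to be 24/7 and why reporting has to do more than note the loss. In a real deployment the revocation would also invalidate push-notification registrations and any refresh tokens issued to the device, and the `audit` entries would feed the fraud team's case file when the customer disputes the transactions.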
