The media recently reported the case of a 26-year-old man who had £18,000 stolen from his bank accounts by criminals who spiked his drink in a London bar one evening and then took advantage of his incapacitated state to access the financial apps on his mobile phone. The fraudsters were especially prolific, transferring funds from four independent accounts held with different financial institutions: HSBC, Monzo, Revolut and American Express. The case is unusual and quite distinct from the prevailing Authorised Push Payment (APP) typology, in which social engineering and spoofing are used to trick an unsuspecting victim into transferring money to a fraudster's account.
So how did the thief(s) do it?
We can only hypothesize, but the key is certainly the way in which different banks have implemented authentication to maximize customer experience while remaining compliant with regulation. UK regulation (the Strong Customer Authentication requirements under the Payment Services Regulations 2017) states that, unless an exemption applies, a bank must apply two-factor authentication (2FA) to every payment: the customer must prove who they are using two independent factors drawn from knowledge (something only they know), possession (something only they have) and inherence (something they are). Examples of exemptions are low-value payments and payments to a trusted beneficiary (an existing payee). So whoever targeted the victim managed to get past the authentication factors of four different financial institutions.
How could they have done it?
Looking at the four institutions in question, the key stages of the journey are logging in to the app and making a payment to a new payee. The table below summarises the authentication each institution applied at those two steps at the time.
| Institution | Login | Make a payment to new payee |
|---|---|---|
| Monzo | No user-entered credentials on login (most of the time). | Range of auth factors that has varied between the 4-digit card PIN, the CVC (card verification code) and off-device biometrics (photo ID/image submission). |
| Revolut | Face/fingerprint on-device biometrics with a fallback to a 4-digit app passcode. | 1. Face/fingerprint on-device biometrics with a fallback to a 4-digit app passcode. 2. One-time passcode (OTP) via SMS. |
| HSBC | Face/fingerprint on-device biometrics with a fallback to password. | Face/fingerprint on-device biometrics with a fallback to password. |
| American Express | Face/fingerprint on-device biometrics with a fallback to password. | N/A* |
* American Express is a card issuer rather than a bank, so money cannot be moved out via bank transfer. We can therefore assume the money was lost through the thief(s) using the card, whether physically or online. They had access to the card details and the ability to authenticate online card payments via the global card authentication standard 3-D Secure, which for American Express required only an SMS one-time passcode, delivered to the very phone they were holding.
For all these journeys, particularly those where there is seemingly only one credential or none at all, it is likely that 'device as an authentication factor' is in use: the app is bound to a trusted device by a mechanism invisible to the user (typically a device key or token issued at enrolment), so possession of the enrolled phone silently supplies one factor. This is a common pattern used by banks to ensure security while limiting friction in the journey. The corollary is that whoever holds the phone already holds that factor.
While it's possible the victim was conscious enough to tell the fraudsters anything they wanted, the more likely explanation is that the thief(s) impersonated the victim using his phone and accessed the banking apps without his consent. The four targeted institutions share a common authentication weakness: anyone with physical access to both the phone and the victim can use on-device biometrics (face or fingerprint) to transfer money, because a biometric only proves that the victim's face or finger was presented, not that the victim agreed. An additional SMS OTP offers no further protection, as a fraudster able to trigger a payment from the device can also read the OTP when it arrives on that same device; the second 'factor' is not independent of the first. The CVC printed on the card is likewise exposed, as many customers keep their card and phone in the same place, e.g., a pocket or a bag. In fact, the UK regulator, the FCA, recently issued a policy statement (PS21/19) stating that static card data can constitute neither a knowledge factor nor a possession factor.
How could this be prevented?
There are multiple ways to solve this puzzle. Knowledge-based factors (e.g., a passcode) are often written off as insecure and irrelevant, yet enforcing passcode entry for this payment would have presented the fraudster with a different kind of obstacle, one that required the victim to be conscious. Alternatively, behavioural biometrics could be used to risk-assess whether the person using the device is acting out of the ordinary: if the thief held the device at a different angle, or typed and swiped differently from the victim, the session could be challenged with a stronger authentication method, such as identity verification with a liveness check.
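To make the argument in 'How could they have done it?' and the passcode and step-up suggestions above concrete, here is a small threat-model script, added as an example and not part of the original article or of any of the banks' code. It tags each authentication factor with its SCA category and with the channel an attacker must control to satisfy it, then checks each new-payee journey against the drink-spiking attacker, who holds the phone, the victim's body and the card but not the victim's conscious mind. The factor names, the journey compositions and the step-up policy are assumptions drawn from the table and text above, not vendor specifications.

```python
"""Factor-independence model for the new-payee journeys described above (added example).

Journey compositions, factor names and the step-up policy are this example's own
assumptions, built from the page's description, not vendor documentation.
"""
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    KNOWLEDGE = "knowledge"    # something only the user knows
    POSSESSION = "possession"  # something only the user has
    INHERENCE = "inherence"    # something the user is


class Channel(Enum):
    PHONE = "phone"  # satisfied by whoever holds the enrolled device
    BODY = "body"    # satisfied by presenting the victim's face or finger
    CARD = "card"    # satisfied by reading the physical card
    MIND = "mind"    # satisfied only with the victim's conscious cooperation


@dataclass(frozen=True)
class Factor:
    name: str
    category: Category
    channel: Channel


DEVICE_BINDING = Factor("bound device", Category.POSSESSION, Channel.PHONE)
ON_DEVICE_BIOMETRIC = Factor("face/fingerprint", Category.INHERENCE, Channel.BODY)
SMS_OTP = Factor("SMS OTP", Category.POSSESSION, Channel.PHONE)  # lands on the same phone
STATIC_CARD_DATA = Factor("card number/CVC", Category.KNOWLEDGE, Channel.CARD)
CARD_PIN = Factor("4-digit card PIN", Category.KNOWLEDGE, Channel.MIND)
APP_PASSCODE = Factor("app passcode", Category.KNOWLEDGE, Channel.MIND)

# New-payee journeys as read from the table above (assumed compositions).
JOURNEYS = {
    "Monzo (CVC variant)": [DEVICE_BINDING, STATIC_CARD_DATA],
    "Monzo (card PIN variant)": [DEVICE_BINDING, CARD_PIN],
    "Revolut": [DEVICE_BINDING, ON_DEVICE_BIOMETRIC, SMS_OTP],
    "HSBC": [DEVICE_BINDING, ON_DEVICE_BIOMETRIC],
    "American Express (3-D Secure)": [STATIC_CARD_DATA, SMS_OTP],
}

# Channels the attacker in the spiking case controls.
SPIKED_VICTIM_ATTACKER = frozenset({Channel.PHONE, Channel.BODY, Channel.CARD})


def journey_compromised(factors, controlled):
    """True when the attacker controls the channel behind every factor in the journey."""
    return all(f.channel in controlled for f in factors)


def independent_categories(factors):
    """SCA categories present, ignoring static card data (PS21/19: neither knowledge nor possession)."""
    return {f.category for f in factors if f.channel is not Channel.CARD}


def is_two_factor(factors):
    """Regulatory view: at least two distinct categories are present."""
    return len(independent_categories(factors)) >= 2


def step_up(factors, signals):
    """Risk-based step-up (assumed policy): when any risk signal fires and no factor
    already requires the victim's conscious cooperation, demand the app passcode too."""
    needs_mind = any(f.channel is Channel.MIND for f in factors)
    if any(signals.values()) and not needs_mind:
        return list(factors) + [APP_PASSCODE]
    return list(factors)


def report(journeys, controlled):
    """Per journey: (2FA-compliant?, defeated by this attacker?)."""
    return {name: (is_two_factor(f), journey_compromised(f, controlled))
            for name, f in journeys.items()}


if __name__ == "__main__":
    for name, (compliant, beaten) in report(JOURNEYS, SPIKED_VICTIM_ATTACKER).items():
        print(f"{name:32} 2FA={str(compliant):5} defeated={beaten}")
    # Constructed risk signals for the night-time transfer to a new payee.
    signals = {"new_payee": True, "night_time": True, "handling_anomaly": False}
    hardened = step_up(JOURNEYS["HSBC"], signals)
    print("HSBC after step-up defeated:", journey_compromised(hardened, SPIKED_VICTIM_ATTACKER))
```

The two checks deliberately disagree: `is_two_factor` counts categories, which is what the regulation asks, while `journey_compromised` counts channels, which is what the attacker cares about. The Revolut-style journey passes the category test yet every one of its channels is in the thief's hands; only a factor on the `MIND` channel, such as the card PIN or a stepped-up app passcode, survives this attacker.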
Regardless of the authentication methods selected, there are a few key considerations that should be part of any customer protection strategy to ensure the holistic identification and management of vulnerabilities.
- The entire customer journey should be mapped out and edge cases or low probability scenarios evaluated to understand the true surface area of risk.
- When looking at trade-offs between security and friction, it’s important to use empirical evidence to work out the true cost of fraud. Is the opportunity cost of stricter authentication worth the potential fallout from a degradation in customer experience?
- Finally, banks need to address operational, organizational and technological impediments so that customer trust and protection are tackled as a whole and not in functional silos. In this example of financial fraud, the attempts to empty each bank account at night via a bank transfer to a new payee are as much a job for payment fraud systems as for authentication controls. Effective customer security requires multi-layered controls that cut across authentication, transaction monitoring and customer servicing, all of which need to be in sync.