SMS Bank Fraud

Watchdog viewer Bernard contacted the programme after criminals stole more than £5000 from his Metro Bank account, by hijacking his mobile phone account and using it to authenticate transactions.

In September, black cab driver Bernard received a mysterious message from his mobile phone provider, EE, giving him his PAC code- the code needed to “port” your mobile number to a different provider. Bernard had not requested the PAC code- so he contacted EE who confirmed that his number had been ported to a different provider, and advised him to get in touch with his bank.

Bernard checked his bank balance and nothing was amiss. For the next three days, while he waited for his number to be ported back to EE, he received no messages on his phone.

But unbeknownst to Bernard, the criminals who had taken over his mobile phone account were receiving his texts, using his mobile phone account to complete a sophisticated fraud. Having already accessed his bank account, they used this as the last piece of the jigsaw, using the One Time Passcodes sent by Metro Bank to authenticate their fraudulent transactions.

Bernard’s case highlights concerns over banks continuing to use One Time Passcodes sent by SMS to authenticate transactions. In recent years, critics have warned that this method of verifying bank payments is insecure – due to criminals hijacking victims’ mobile phone accounts in the way that the scammers who targeted Bernard were able to.

Cyber security expert Harj Singh told Steph McGovern: "Evidence has shown that to protect sensitive information using the SMS is not wise. On its own, SMS isn’t good enough because there’s known vulnerabilities in that process. So we have to use that together with other processes to verify an individual’s identity."

The banking regulator, the FCA, has introduced new rules to tighten authentication- called Strong Customer Authentication (SCA) . Under these rules, banks will still be able to use SMS passcodes for authentication, but only in combination with at least one other independent method.

But banks in Germany have pledged to stop using SMS authentication due to concerns over security. Watchdog questions whether it’s time for UK banks to do the same.

Statement from Metro Bank:

“We take our customers’ security extremely seriously and we have a range of safeguards in place to help defend them against fraud, which we constantly review and update in light of increasingly sophisticated tactics from fraudsters. We also continue to work closely with other stakeholders including banks, network operators and law enforcement agencies to protect customers from these crimes. We understand and appreciate the stress caused by becoming a victim of fraud, and are sorry to hear about [Bernard’s] case. [Bernard] has been fully refunded.”

Statement from EE:

“As soon as [Bernard] called us we immediately asked Tesco Mobile to halt the transfer to their network. Unfortunately, due to porting limitations, it’s not possible to reinstate the number the same day and this is the same across the industry. We advised [Bernard] to contact his bank straight away about his phone number not being safe to use for authentication. This type of fraud is only successful when criminals already have the victim’s bank details and with banks who still rely on SMS verification for financial transfers. While we continue to improve defences against porting fraud, customers should contact EE, their bank and the authorities immediately if they notice any suspicious activity.”