Mobile security: are banks taking it seriously enough?
Max Deeley, CMO, Nuke From Orbit
Date: 25th January 2024
When researching whether Nuke From Orbit could be a goer in April 2023, our desk research into mobile security flagged up an interesting story on the BBC. A pickpocket stole Jacopo de Simone’s mobile phone and used his banking apps to steal £22,500.
What makes this story interesting, beyond mirroring James’s experience that led to the eureka moment, is two things. First, the bank in question found him liable for the loss. Second, the Fraud Advisory Panel has identified such mobile security issues as a growing threat.
The good news for Jacopo is that after eight months, the Financial Ombudsman Service (FOS) upheld his complaint against Barclays. And then, weirdly, the story resurfaced last week. I couldn’t see any additional reporting or updates on the story. But it made us think that we should revisit this issue.
With great power comes…you know the rest.
Full disclosure: I used to do PR & comms work for Barclays’ Tech, Media & Telecom corporate investment team. I got to work on the launch of their excellent but somewhat gruesome biometric reader, which leverages finger vein technology (vein patterns are more unique than fingerprints and require blood to flow through the vein to work). I have nothing but good things to say about my two-and-a-half-year working relationship with Barclays. Furthermore, we aspire to partner with them someday to ensure what’s happened here can’t happen again.
So please don’t hate me, Barclays, when I say this isn’t a great look. I accept that you have to protect yourself from fraud, but you’ve probably lost a customer on this individual basis. A drop in the ocean, perhaps. But more broadly, not taking responsibility for the loss leads to negative headlines like this and reputational damage.
When fraud happens, someone loses. Either the customer is out of pocket or the bank has to cough up, which increases their insurance costs. These costs are ultimately passed on to the customers through bank charges and interest rates the bank needs to implement to balance the books. In an increasingly crowded sector, churn is a real problem, so why give customers another reason to leave?
Banks provide an invaluable service to all of us, but that doesn’t give them the right to fatigue customers into giving up on fighting against injustice. Sure, banks swallowing the financial burden of fraud doesn’t make the problem disappear. Their footing the bill doesn’t make it a victimless crime (there is only one bad guy in this scenario, and it’s the criminal). But they can absorb the costs better than the man on the street.
All that said…do they need to?
What if no one has to pay?
Nuke From Orbit exists to protect the little man first and foremost. While we envisage a world where we lock down every online account imaginable, our primary goal is to block criminal access to bank accounts and cards. Our service hopefully means they never have to go through the hassle of trying to recover funds via the bank and, if that fails, getting the FOS involved.
But they’re not the only party to benefit, and our banking partners receive multiple benefits by working with us. They already know fraud prevention is essential because they have whole departments dedicated to it and invest in myriad technologies to protect their customers and, by extension, themselves. They do this because it protects their reputation, reduces financial loss, and decreases insurance premiums.
But robust authentication processes, device fingerprinting and automated transaction monitoring solutions only get you so far when fraudsters commit the fraud using the device that is also the authenticator.
Let’s examine a scenario. A pickpocket steals a phone. Regardless of the password and biometric protection the device and banking app have, the thief has gotten in. The how here is a topic for another day, but suffice it to say, we know this happens. Jacopo’s story is an excellent example in the public domain. And it’s why we exist. I digress; they’re in, but the bank’s transaction monitoring system notices something unusual. It blocks the transaction and sends an SMS or a notification via the app to let the user know they’ve done so.
Unfortunately, the criminal is the one sending it. And if they’ve got this far, we can reasonably assume they have the wherewithal to confirm it’s them. It’s not ‘them’, but you get the point. The card is unblocked, and the transaction goes through this time.
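To make the weakness in that scenario concrete, here is an added example (not code from Nuke From Orbit or from any bank) that models the step-up confirmation flow as a small policy engine. One policy accepts a "yes, that was me" from whichever device answers the notification; the other refuses to count a confirmation that arrives from the same device that initiated the flagged transaction, and leaves the payment pending until an independently enrolled channel confirms it. The customer, device names, amounts and the monitoring rule are all constructed for illustration.

```python
"""Toy model of a step-up confirmation after a transaction is flagged.

Constructed example: a monitoring rule flags a payment, the bank asks the
customer to confirm, and a policy decides whether that confirmation counts.
The weak policy lifts the block on any confirmation for the right transaction.
The hardened policy treats a reply from the initiating device as no evidence
at all, because whoever holds the handset can press "yes".
All names, devices and thresholds here are hypothetical.
"""
from dataclasses import dataclass


@dataclass
class Transaction:
    tx_id: str
    amount: float
    device_id: str        # device the payment instruction came from
    new_payee: bool       # first payment to this payee


@dataclass
class Confirmation:
    tx_id: str
    device_id: str        # device the "yes, that was me" came from
    channel: str          # "app" (push on the same handset) or "second_device"


@dataclass
class Customer:
    enrolled_devices: set  # devices the customer registered in advance
    daily_limit: float = 1000.0


def flag(tx: Transaction, customer: Customer) -> bool:
    """Simplified monitoring rule: large amount or a new payee triggers step-up."""
    return tx.amount > customer.daily_limit or tx.new_payee


def decide_weak(tx: Transaction, conf, customer: Customer) -> str:
    """Weak policy: any confirmation matching the transaction id unblocks it."""
    if not flag(tx, customer):
        return "approved"
    if conf is not None and conf.tx_id == tx.tx_id:
        return "approved"
    return "pending"


def decide_hardened(tx: Transaction, conf, customer: Customer) -> str:
    """Hardened policy: the confirmation must come from a different, previously
    enrolled device over an out-of-band channel, otherwise the payment stays
    pending for manual follow-up."""
    if not flag(tx, customer):
        return "approved"
    if conf is None or conf.tx_id != tx.tx_id:
        return "pending"
    if conf.device_id == tx.device_id:
        return "pending"            # same handset as the instruction: no evidence
    if conf.channel != "second_device":
        return "pending"            # only an independent channel counts
    if conf.device_id not in customer.enrolled_devices:
        return "pending"            # unknown device cannot vouch for anything
    return "approved"


def stolen_phone_scenario() -> dict:
    """Replays the pickpocket scenario against both policies."""
    customer = Customer(enrolled_devices={"phone-A", "tablet-B"})
    # Constructed: a large transfer to a new payee, instructed from the stolen phone.
    tx = Transaction("tx-1", 4500.0, "phone-A", new_payee=True)
    # The thief answers the push notification on the same stolen handset.
    conf_same = Confirmation("tx-1", "phone-A", "app")
    # The genuine owner confirms later from their enrolled tablet.
    conf_other = Confirmation("tx-1", "tablet-B", "second_device")
    return {
        "weak_same_device": decide_weak(tx, conf_same, customer),
        "hardened_same_device": decide_hardened(tx, conf_same, customer),
        "hardened_other_device": decide_hardened(tx, conf_other, customer),
    }


if __name__ == "__main__":
    for name, outcome in stolen_phone_scenario().items():
        print(f"{name}: {outcome}")
```

The point the model makes is narrow: a confirmation only tells the bank something if it travels over a channel the attacker does not already hold. A second enrolled device is one such channel; a call to a number on file or a delay before first payments to new payees are others. The example also keeps the low-risk path untouched, since a small payment to a known payee never reaches step-up at all.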
Winning the mobile security arms race
We know that banks are fighting a war against fraudsters on multiple fronts. They constantly update their fraud mitigation capabilities to combat evolving threats. But it isn’t enough to say their online banking services and apps are secure and safe. They need to go further, not just in terms of the defensive technology they use but also how they deal with customers in the aftermath of fraud.
We’re not going to sit here and tar every bank with the same brush, and we are not for a second saying that these aren’t issues they take lightly. They answer to customers, shareholders, regulators, governments and other stakeholders and balancing their responsibilities is unfathomably complex. But it’s clear that they can and should do better on mobile security.
Nobody should endure an eight-month process to prove they did everything possible to protect themselves against this fraud. We can’t help them with that; it’s on them to work out if their processes are fit for purpose. But there is a world where they don’t need to go through the process, and we believe that Nuke From Orbit is a part of that.
And if you want to know how seriously we take security, you can read more here.