
App security: what some banks are doing to beat scammers


Our security expert looks at the systems, methods and codes that aim to help keep your money safe.

Scott McGready

Updated on 25 October 2018

The growing fraud threat facing bank customers

UK Finance has reported that £500 million was stolen in the first six months of 2018 by criminals using increasingly clever fraudulent tactics.

As a result, it's no surprise that banks are constantly trying to come up with cleverer solutions to one-up the fraudsters and keep our money safe.

But as more app features are rolled out, campaigns are promoted, systems are put in place, and confirmation prompts are thrust into customers' faces, the question remains: are these clever new systems clever enough to keep the criminals at bay?

What all the banks are doing

Victims who are tricked into transferring their money directly into a fraudster's bank account (known as "Authorised Push Payment", or APP, scams) currently have major issues getting any of their money back.

Under current rules, banks put the onus fully on the customer to ensure they're transferring money to a legitimate entity - even in cases where very sophisticated tactics, such as number spoofing and social engineering, have been employed.

A new voluntary code set out by the APP Scams Steering Group, however, seeks to change the banks’ rigid mindset by asking them to implement better ways of detecting APP scams and, when a customer can demonstrate they took a “requisite level of care”, reimbursing them in full.

Verdict: The code itself is certainly a step in the right direction but it relies on banks voluntarily adhering to the code, interpreting it fairly for consumers, and implementing it consistently to avoid creating loopholes for scammers.

Barclays' new call verification system

With a major component of telephone fraud centring around criminals posing as a victim's bank, Barclays has introduced a new "caller verification" system, aimed at curbing the problem.

During a call with Barclays, a customer can ask for a verification message to be sent via the app if they feel the caller may not be genuine.

The Barclays app displays the member of staff's name and asks if the customer is willing to continue the call.

This verification method relies on a number of factors for it to function effectively for consumers.

Customers need to have the latest Barclays app installed, know their password to log in, be in an area with mobile internet, and prompt the bank themselves to verify via the app.

It also relies on the mobile banking app, and the verification system itself, being fully operational during the call and not under maintenance.

Fraudsters can be utterly convincing when speaking to victims. If they combine tactics such as spoofing the bank's number when initiating the call with sending a spoofed text that appears to come from Barclays and indicates the call is legitimate, it's not outside the realm of possibility that some customers may still fall for a con.

Verdict: While the system might save some people from being duped and integrates safety into a mobile banking app directly, it does rely heavily on a large number of variables in order to work safely.

Santander asks customers to verify payments

Taking a less technical approach, Santander has started showing prompts to customers who attempt to make a transfer via the bank's website, over the phone, or in branch.

When making a payment, customers are now asked to categorise what the transaction is for before finalising it, and are given relevant anti-scam advice reminding them not to make any hasty decisions that may be a scam.

These prompts echo the Take 5 campaign's idea that the simple act of taking time to think before pressing send, transferring money, or giving your data to an unverified individual over the phone could help reduce fraudulent transactions across the board.

This assumes, however, that a fraudster isn't on the other end of the phone to a customer, masquerading as the bank and pressuring them to ignore the warnings.

One feature a customer may not be able to ignore, however, is the new account name validation system.

When a customer makes a transfer to an account name and sort code, the system now shows them the name of the account holder, in an attempt to stop fraudulent transactions to "secure bank accounts".

Verdict: A simplistic approach may be effective in certain cases but customers making regular payments, who are used to seeing the same screen over and over, may end up glossing over the warnings. It’s a good starting point that needs to be built upon.

Account name validation is an excellent idea. It's good to see the regulator has called for all banks to have this security step in place in 2019. 

Monzo's in-app choices

Relatively new kids on the financial block, Monzo (an app-based, and branchless, bank), have taken a slightly different, albeit no less secure, approach to security.

With Monzo acting more like a start-up than a bank, its customer-facing security tools feel more intuitive, perhaps embedded from the beginning rather than tacked on later as an afterthought.

Customers can choose to utilise various optional security features immediately from the app, including:

  • "Location-based security", which compares the Monzo card location with the location of the customer's phone
  • Card "freezing", which allows customers to temporarily block all transactions on a card (in cases where it's lost or stolen)
  • Immediate in-app notifications, which alert customers as soon as their card is used.

It's not just in-app where Monzo's security smarts seem to lie.

Almost immediately after the Ticketmaster data breach, Monzo released a statement indicating that they'd spotted the issue and taken steps to mitigate it long before Ticketmaster, or any other bank, had publicly acknowledged the problem.

By silently replacing and reissuing cards once they'd found a common pattern for customers being targeted, they had proactively prevented a large amount of fraud from occurring and customers were none the wiser.

As Monzo breaks tradition by being a purely app-based bank, it instantly gives them the freedom to present fresh ideas and change long-held beliefs around the way banking should be done without the potential backlash from loyal customers.

Verdict: Being new and disruptive can be a breath of fresh air to some, but a burden to others. Having a fully app-based bank relies on users having their phone relatively handy at all times, and being used to app-based products, to make the most of it.

The verdict on bank security

Technology is a fantastic aid. And it should be seen as just that – an aid that can change and evolve over time as threats arise.

The loopholes that fraudsters are currently exploiting rely heavily on banks taking a long time to investigate each one, educate customers about it, and close it off before moving on to the next.

This can often leave many customers feeling overloaded with information about different types of fraud that, ultimately, are all strikingly similar "under the hood".

Banks should also seek to share counter-fraud technologies, methods, and policies across the industry for the benefit of everyone, rather than using them as marketing tools to attract new, or even retain current, customers.

It's worth noting that any steps, however small, toward a fraud-free environment should be welcomed by banks and consumers alike.

In-app security features and new verification methods are great tools for the moment, but we all need to think more long-term by building solutions, protocols, or even basic habits that are proactive against fraud across the board, rather than reactive.
