As the problem of digital bank fraud grows, one issue that will become increasingly heated is who should pay for it.
This time last year, we discussed the recent explosion in digital fraud and theft, much of it targeting the digital wallets on mobile phones. As one would expect, the more cashless the country, the greater the scale of the problem.
Fortune magazine reported, perhaps somewhat hyperbolically, that going cashless had turned Sweden from one of the safest countries in Europe into a “high-crime nation”:
Law-enforcement agencies estimate that the size of Sweden’s criminal economy could amount to as high as 2.5% of the country’s gross domestic product.
To counter the digital crime spree, Swedish authorities have put pressure on banks to tighten security measures and make it harder on tech-savvy criminals, but it’s a delicate balancing act. Going too far could slow down the economy, while doing too little erodes trust and damages legitimate businesses in the process.
Using complex webs of fake companies and forging documents to gain access to Sweden’s welfare system, sophisticated fraudsters have made Sweden a “Silicon Valley for criminal entrepreneurship,” said Daniel Larson, a senior economic crime prosecutor.
Sweden’s central bank, the Riksbank, acknowledged in its 2024 payments report “serious fraud problems that could undermine trust in the payment system”. Digitalization also makes payments “more vulnerable to cyber attacks and disruptions to the power grid and data communication,” the central bank pointed out.
These developments suggested “that we should concentrate more than before on the challenges of digitalization.” Like the central banks of neighbouring Norway and Finland, the Riksbank is backpedalling on plans for a cashless society, and has even begun urging citizens to hold and use cash in the name of civil defence and system resilience.
Meanwhile, Brazil, Latin America’s most cashless economy, is suffering an epidemic of digital crime, with 1,640 mobile phones stolen every hour, reported El País last year. The target is usually not the device itself but its applications, contacts and passwords, possession of which has helped Brazil’s criminal gangs to exponentially increase their profits. Each victim loses on average 1,500 reais ($275, just over the monthly minimum wage) in addition to the smartphone.
UK Raises Alarm
Now, the consumer magazine Which? has published a report warning about the rise of digital scams in the UK as fraudsters steal card details to set up a digital wallet on their own mobile devices. Worryingly, this can happen even if you don’t have a digital wallet of your own.
The root cause of the problem is banks’ continuing widespread use of one-time passcodes (OTPs) to set up digital wallets, even though they’re prone to abuse by fraudsters, as industry body UK Finance has repeatedly warned. The Which? investigation, which surveyed 15 high-street and digital banks, found that the majority are still using SMS OTPs to verify when a card is added.
As the report notes, victims are almost always reimbursed by the bank for any fraudulent payments made. However, the costs will probably end up being passed on to bank customers in general through higher interest rates on mortgages and loans, less generous account perks and lower interest on savings.
The researchers found that of the 14 providers that allow cards to be linked to Apple Pay, Google Wallet and other apps, only three do not depend on OTPs. Digital-only lenders Chase and Monzo confirmed they have never used them, while Starling has phased them out of Google Pay.
However, high street lenders like HSBC and Santander still issue OTPs via text messages, which leaves consumers reliant on a flawed system that fraudsters have become adept at exploiting. Here’s how the scam works:
Digital wallets can be very convenient and have security advantages compared to paying by card: namely, that you have to authorise every payment with your fingerprint or face.
But as you don’t need a physical card to add a card to a digital wallet, fraudsters could steal your card details and set up a digital wallet on their own phone.
They can then use this to spend your money online or in physical stores. Unlike physical contactless cards, which are typically limited to £100 per transaction, digital wallets have no arbitrary spending limit, making it easier for criminals to make large purchases.
Digital wallet fraud can occur during a takeover of an entire bank account, but another common method involves tricking you into giving up your debit or credit card details.
This often starts with a fake ad for a product or a phishing text or email, such as a bogus parcel delivery message. When you click the link, you are taken to a fake website that prompts you to enter your card details to complete a transaction.
The scammer monitors the website in real time. Once you submit your personal and card information, they receive it and use it to set up a digital wallet immediately.
As part of the setup, banks and providers must verify that you want to add your card to a digital wallet, and many send a one-time passcode (OTP) via text or email. The scammer’s fake website will then ask for this code, claiming it’s needed to authorise the payment you thought you were making.
In reality, the fraudster uses the OTP to complete the digital wallet setup on their own device. Once the digital wallet is set up, the fraudster can spend money from your account. You might not even know it has happened unless your bank notifies you, and research shows that some providers do not.
The Cost of Complacency
One of the most concerning findings of the report is the general complacency in the banking sector. Which? has been warning about the risks of OTP authentication for years, yet many major banks, building societies and credit card companies are still using it as part of the digital wallet setup process.
The general mood of complacency also seems to extend to the broader population. According to a survey cited by Cityam, UK shoppers continue to prioritise convenience over safety when it comes to how they pay:
Among those who prefer mobile wallets, the primary driving force is speed, rather than security.
Nearly three-quarters cited convenience as their top reason for using them, and more than half pointed to faster transaction times…
Fraud experts warn that the latest wave of scams marks a new level of sophistication.
By exploiting OTPs, criminals can hijack digital wallets and drain accounts without ever needing to clone a physical card.
Once added to a wallet, stolen credentials can then be used to purchase goods in shops or online, often months after the original scam, to avoid detection.
Gift cards and supermarket vouchers are also common targets, allowing gangs to quickly launder stolen funds.
The recent explosion in digital fraud in near-cashless Sweden provides a cautionary tale of what can happen when mobile payment apps become the dominant form of payment at the point of sale…