We recently carried a story about a reader who had an e-wallet connected to her credit cards set up on a device not controlled by her.
Her phone had been hacked and the one-time password (OTP) that the card-issuing financial institution sent to confirm the setting up of the e-wallet never actually reached her.
The institution’s case - Avant Money - was that the OTP was sent and it was used to approve the setting up of the e-wallet so it was case closed, no refund.
It was not the first such story we have highlighted and other readers have been in touch to say that the OTPs their banks said were sent and used simply never arrived.
Texts weren’t designed to be secure, and two-factor authentication isn’t safe
Why are we left on our own when it comes to fraud?
The stories have prompted readers to get in touch to express concern and wonder what is going on.
First up was Lionel Barker: “This is not a complaint but rather an observation regarding the rather common cases of credit card losses when a card is linked to a phone e-wallet.”
He says that typically, when customers say they never got the OTPs banks claim were sent, the banks have “invoked what I would call the ‘Post Office Horizon defence’ - essentially claiming, ‘Our software is perfect, so the fault lies with you.’”
“If a phone is infected with malware that breaches a banking app, who is responsible? Is it the phone owner for allowing the malware, or the bank that developed the compromised app?”
Barker notes that while a financial institution may send an OTP via text message, that channel of communication was developed at a very different time and in a very different world.
“Text messages were never designed to be secure,” Lionel says. “They rely on a scheme called Signalling System Seven (SS7), which was developed in the 1970s and has virtually no built-in security.”
He says that while e-wallets are “undoubtedly convenient and expected by customers, they generally only require a single one-time code to link a card to a phone”.
Barker says some financial institutions send the code through apps rather than via SMS. “I cannot comment on the security of these apps, but I assume they are far more secure than a text message. A hacker not only has to hack the phone, they then [have] to hack into the app. Using a text message to transmit sensitive information is akin to broadcasting it with a megaphone on O’Connell Street.”
He stresses that he is “not a security expert” but does have “approximately 40 years of experience in electronic systems development, now retired”.
Barker wasn’t alone in expressing concern. Dave Moore also contacted us to say: “Two-factor authentication using a code sent over plain text SMS is no longer safe. The reason for this is the networks [are] no longer solely and tightly controlled by state telcos [telecommunication companies] as they [used] to be. With multiple virtual operators worldwide there [are] opportunities for bad actors to intercept your text messages.”
We relayed these messages to the Central Bank, making it clear we were not asking it to discuss the merits of any particular case but to find out more about the tech being used and to establish where the Central Bank believes the burden lies.
Is it enough for a financial institution to simply say “this thing happened so it is your own fault” and is it reasonable, if they say that, to then expect the consumer to have to go to the Financial Services and Pensions Ombudsman?
In response we were told that firms providing payment services in Ireland are required to apply what is known as Strong Customer Authentication (SCA) when customers access their accounts online or when they initiate any class of electronic payment online.
That means two independent elements must be used when authorising transactions.
“These elements are categorised as knowledge (something you know), possession (something you own) and inherence (something you are – typically biometrics),” a Central Bank spokeswoman said. “Examples would include passwords (knowledge), one-time passcode (to evidence possession of a phone) and thumbprint (to prove it is you holding the phone).”
The spokeswoman said the two elements used must be from two separate categories.
“The use of SCA is technology neutral, but firms have a responsibility for ensuring that their controls and systems ensure good customer outcomes, including the reduction/elimination of fraud.”
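To make the two-category rule concrete, here is a small added example (my own code, not the Central Bank’s or any issuer’s) that classifies the factors a customer has verified and reports whether they satisfy the separate-category requirement; the factor names and their category mapping are assumptions for illustration.

```python
from enum import Enum


class Category(Enum):
    """The three SCA element categories named by the Central Bank."""
    KNOWLEDGE = "something you know"
    POSSESSION = "something you own"
    INHERENCE = "something you are"


# Factor names and their categories are assumptions for this example,
# not a list taken from the article, the Central Bank or any issuer.
FACTOR_CATEGORY = {
    "password": Category.KNOWLEDGE,
    "card_pin": Category.KNOWLEDGE,
    "sms_otp": Category.POSSESSION,    # evidences possession of a phone number
    "app_otp": Category.POSSESSION,    # evidences possession of an enrolled app
    "fingerprint": Category.INHERENCE,
}


def categories_of(factors):
    """Map verified factor names to the set of SCA categories they cover."""
    unknown = [f for f in factors if f not in FACTOR_CATEGORY]
    if unknown:
        raise ValueError(f"unrecognised factor(s): {unknown}")
    return {FACTOR_CATEGORY[f] for f in factors}


def sca_satisfied(factors):
    """SCA needs at least two elements drawn from two different categories."""
    return len(categories_of(factors)) >= 2


def assess(factors):
    """Return (passes, notes); notes explain a failure or a residual weakness."""
    cats = categories_of(factors)
    notes = []
    if len(cats) < 2:
        notes.append("fewer than two categories evidenced; SCA not satisfied")
    possession = {f for f in factors if FACTOR_CATEGORY[f] is Category.POSSESSION}
    if possession == {"sms_otp"}:
        notes.append("possession rests solely on an SMS code, which can be "
                     "diverted in transit or read from a compromised phone")
    return len(cats) >= 2, notes
```

A single SMS code used to link a card to an e-wallet, as Barker describes, evidences only one category and so fails the check; a password plus an SMS code passes but is flagged for the weakness of its possession element.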
She stressed that while it is “the responsibility of firms to design and use effective systems to protect their customers”, at the very least it is expected that they carry out some basic measures as a matter of routine when fraud happens.
And what are those basic measures?
Banks must “take steps to trace and recover money defrauded without undue delay when the firm identifies or is made aware of a suspected fraud case” and they are expected to “compensate customers to any extent a customer’s loss results from a failure of the firm’s own established systems and controls.”
Banks also must “review existing fraud prevention systems to see what further enhancements could be made to identify and prevent consumers falling victim to fraud, including authorised push payment fraud”.
And they are required to be “clear and transparent to customers about how the firm investigates suspected fraudulent transactions and what the firm’s refund policies are”.
They are, according to the Central Bank, supposed to provide “effective reporting and assistance” to An Garda Síochána.
And under the Consumer Protection Code banks are required to have a complaints process in place “for the handling and resolution of customer complaints, including disputed fraud claims. In cases where a complaint is not resolved within a set timeframe, or to the satisfaction of the customer, the firm must inform the complainant of their right to refer the matter to the Financial Services and Pensions Ombudsman” and provide the relevant contact details.