Do you have Apple Pay or Google Wallet? How YOU'RE at risk from fraud
It said the use of one-time passcodes by banks could be making people with digital wallets an easy target for scammers.
1
A survey by the consumer champions found that the majority of banks are still using these security features, putting consumers at risk.
Unlike contactless cards, there is no £100 spending cap on cards added to Apple and Google Pay, so fraudsters can quickly drain victims' accounts once they gain access to it.
Scammers normally trick people into divulging their card details by setting up a fake transaction, Which? said.
People will think they're paying for a bargain product advertised online, or they might fall victim to a phishing message.
A common example is parcel delivery scams, where you're asked to pay a nominal amount for re-delivery.
Scammers monitor the transaction in real time, inputting the victim's card details into a digital wallet on their own phone.
Many banks will then ask for a one time passcode (OTP) to verify the cardholder, which the scammer then asks the victim for to complete the "transaction".
The fraudsters are then able to drain the victim's bank account.
Which? surveyed 15 banks and card providers about their digital wallet setup process between April and May this year, and found the majority still use OTPs sent through text message as one of the options for adding cards to a digital wallet.
Of the 14 providers that allow cards to be added to wallets (Capital One is the exception), just two banks confirmed they do not use OTPs, while a third appeared not to when Which? researchers tested the process.
New 'property tax' will PUNISH hard-working Brits and torpedo house market, blasts Kirstie Allsopp
Barclays, Co-op, HSBC (with its sister banks First Direct and M&S Bank), Santander and Virgin Money said they currently use SMS OTPs, though they are not the only verification option.
Starling said it still uses OTPs for setting up Apple Pay alongside other options, but it removed them from Google Pay in 2022.
TSB said it is working to set up in-app verification, but is using OTPs in the meantime.
American Express, Lloyds Banking Group and NewDay (which operates the John Lewis Partnership Credit Card) - did not outline which verification methods they use.
When Which? tested the set up processes for cards, Amex did use SMS and email OTPs, while Halifax did not and instead offered several "more robust methods" including in-app approval.
Chase and Monzo said they have never used OTPs for setting up digital wallets.
It comes after Cifas, UK Finance and the Cyber Defence Alliance previously warned about the link between OTP use and digital wallet fraud.
Providers can also limit how many wallets a card can be added to overall, or within a certain time period, but most banks do not implement these restrictions.
Virgin Money allows an individual card to be added to a maximum of five devices.
Starling with a total limit of 15 devices, while Monzo customers can only add their Monzo cards to a digital wallet twice in a 24-hour period and three times every 30 days.
However, Which? said that even with these limits in place, consumers can still fall victim to scammers as they only need to add one card to a digital wallet to start spending.
Which? Money deputy editor Sam Richardson said: 'For millions of us, digital wallets are a quick, easy and secure way to make payments, but weaknesses in card providers' security means they can also be a gift to scammers.
'Banks have known for years that using one time passcodes (OTPs) to verify account holders is leaving consumers vulnerable.
"It's clear further investment is needed to make the digital wallet set-up process fit for the threats consumers face in 2025.
'In the meantime, we'd caution shoppers to always think twice before sharing their payment details - or OTPs - online.
"If you think you've been a victim of a scam, contact Action Fraud and your bank immediately.'
Apple told Which? it is not responsible for approving or rejecting the addition of a card to Apple Pay, or for approving or rejecting transactions.
It said that it takes users' security seriously and Apple Pay has been designed in a way to protect users' personal information.
A Google spokesperson said: 'Security is core to the Google Wallet experience and we work closely with card issuers to prevent fraud.
"For example, banks notify customers when their card has been added to a new digital wallet, and we provide signals to help issuers detect fraudulent behaviour so they can decide whether to approve added cards.'
An American Express spokesperson said: 'Privacy and security are a priority for American Express.
"We have controls designed to protect customer accounts and guard against unauthorised fraudulent activity, and if we identify activity that may be fraud, we will take protective actions.'
Barclays said that the verification method used for adding a card to a digital wallet will depend on the user journey. It said it does not currently have plans to phase out use of OTPs.
Co-Op Bank said it monitors for fraudulent registrations through its fraud detection systems and has multiple strategies in place to detect digital wallet fraud. It does not currently have plans to phase out use of OTPs.
HSBC said it has no immediate plans to phase out OTP delivery for adding cards to digital wallets, however, it keeps its digital wallet provisioning process under review.
Lloyds said it has invested millions of pounds in multi-layered fraud defences, and continues to regularly review its authentication methods.
Nationwide said that it has multiple layers of protection in place to keep its customers safe from fraud including warning messaging, AI models and sophisticated internal analytics. It is currently exploring alternatives to OTPs.
Natwest said it regularly reviews its customer experience and authentication to ensure security, and said it is reviewing how it uses OTPs.
NewDay declined to comment.
Santander said it is looking at other forms of authentication, and other security measures, which may be less visible to a user than the mechanism used for two-factor authentication.
Starling said it currently only uses OTPs for Apple Pay, and removed this option from Android phones in 2022.
TSB told Which? that it is working closely with card and wallet providers to implement approval via the TSB Mobile App. In the interim, OTP verification is accompanied by the necessary risk verification, alongside fraud controls to keep customer details safe.
Virgin Money said its fraud team has heightened monitoring and controls around digital wallet fraud. It also said that it is looking at in-app verification as an option but has no current plans to phase out use of OTPs.
.
Try Our AI Features
Explore what Daily8 AI can do for you:
Comments
No comments yet...
Related Articles
BBC News
22 minutes ago
- BBC News
How a cowboy builder ripped off his customers – and got away with it
When the BBC exposed Russell McMaster as a cowboy builder last year, angry clients demanded he be 64-year-old had accepted about £220,000 from seven customers to complete home improvements over a two-year he left his customers tens of thousands out of pocket with half-built extensions and week, Ayrshire-based McMaster was due to face trial over an allegation he had defrauded a customer by pretending he would carry out construction work at his home four years he was acquitted on Wednesday when the Crown dropped the case. McMaster, it emerged, had handed back £3,000 he was alleged to have taken by did this happen – and what remedies do customers really have when left at the mercy of rogue traders? Retired social worker Jim McGinley reported McMaster to police in late 2022 after waiting more than a year for work to start at his home in Uddingston, North had paid the builder £3,000 to "secure his services" for internal a months-long wait for planning consent, Jim says that McMaster became "evasive" and stopped returning pair eventually fell out after Jim left a negative online review about his business, VJL that he had been "the victim of a con", he contacted said: "Police were very diligent and seemed very keen to present it at court… They felt that he was a fraudster, a bogus builder."McMaster – full name Alexander Russell McMaster – was charged with fraud, accused of obtaining the £3,000 by pretending he would carry out construction work at Jim's when the case called for trial at Hamilton Sheriff Court, prosecutors announced the case would be discontinued because McMaster had repaid the money in the weeks before said he had agreed to drop the case after discussions with the Crown."The reason we went to court was because we wanted to stop this happening to other people," he said."On discussion with the procurator fiscal, it became clear that perhaps taking the money was the best option. But in truth we felt, and it seems crazy, that we'd let people down." Customers left out of pocket This wasn't the first time McMaster, from Irvine, had been reported to least two of his former customers contacted Police Scotland in were among seven clients who contacted the BBC about McMaster, who traded under the company names VJL Builders and Alex McMaster those cases, customers who had contacted police were told their complaints were a "civil matter" and directed to trading Ayrshire trading standards confirmed it had received seven complaints about McMaster's businesses in of those complaints came from Chris we first interviewed him in the autumn of 2023, his loft space was a building site with exposed beams and tarpaulin covering roof we went back to his house in Bridge of Weir last week, not much had changed. Chris said McMaster was paid more than £30,000 for a loft conversion but abandoned the job midway through, leaving the Jardine family with a hole in the he also reported the matter to police and trading standards. He also had assurances from McMaster via his lawyer that he would be repaid £15, payment was made, and the loft remains as it – who is married with two children – took out extra loans to try and finish the work and said the affair had "crippled" his family's finances."It's hard to quantify how much money he owes us, because of the extra damage he did," he said."He has taken food out my kids' mouths. That's what really annoys me. It will affect us long-term because everything I do will be to pay back the debt he has left us with."Another customer, Grant Kilpatrick, told BBC Scotland News that McMaster left him with a half-finished extension and was owed between £15,000 and £20, said he reported McMaster to police and was also told it was a civil Scotland said each case was assessed on its own merits and that it provided "suitable advice" to both the Jardines and the Kilpatricks.A spokesperson said that in Grant Kilpatrick's case, inquiries had been carried out and no criminality was established. Civil action 'not always easy' The Jardines and Kilpatricks had both hired a company called VJL Builders in July 2022. The business was registered at Companies House a month both were pursuing the company, VJL was dissolved in January 2024. It had never filed Knowles, senior project lead for Advice Direct Scotland, said tackling rogue trade was challenging and that "civil action is not always easy"."Rogue traders frequently dissolve their companies to avoid liability leaving consumers with little recourse," she said."Consumers do have rights, including the ability to cancel contracts and claim refunds if they've been misled or pressured."They may also be entitled to compensation for distress - but these rights are only effective if consumers act quickly and seek advice."We urge anyone affected to report rogue trading to us and to contact their bank if money has been lost."Dr Nick McKerrell, senior law lecturer at Glasgow Caledonian University, said there was a greater chance of a successful prosecution where it could be shown that there was no intention or ability to carry out the work, something which could be seen as a "dishonest misrepresentation".However, it was more complicated if some work was done, because it becomes more difficult to show that the builder was never going to finish the said it was not a fair fight in many of the legal cases."It's an individual against a business organisation which can adopt a number of tactics to avoid private law actions," he said. McMaster has a string of businesses listed on Companies House under different variations of his name – most of them reporting by the Daily Record newspaper in 2006 and 2013 revealed how his old businesses left customers in debt after closing Alex McMaster Builders remains active. A note on the Companies House website states that a strike-off action had been temporarily suspended after someone objected to the attempt to dissolve the BBC attempted to contact the builder between December 2023 and February to answer allegations he was a rogue did not respond until he sent a text messages stating that he was "unavailable".However, we managed to approach McMaster in person outside court this asked whether he planned reimburse his other customers and whether he shut VJL Builders down to avoid paying them away with a friend, he made no comment.
Times
22 minutes ago
- Times
That noisy distraction in the office? They're called boomers
This just in from the buzzing boomer complaints line: yet another grievance with Gen Z concerning their office etiquette. No, it's not our limit-testing approach to appropriate office attire, nor our preference for working from home. What's bugging them now is the fact we are (checks notes) too chatty. Wait, wait — not just chatty. My apologies. Apparently our innocent deskside socialising is loud, disruptive and — more than anything else — quite annoying. A tribunal has just ruled that office oldies who are disturbed by 'noisy and disruptive' younger colleagues are not in fact victims of age discrimination. The ruling came after an administrator in her sixties brought a claim against her former employers, saying it had been hard to work in the office because of the 'extreme time-wasting' and loud socialising of her co-workers, who were mostly in their twenties and thirties. Well, as a representative of the younger generation, I'd like to issue this carefully considered response: pot, kettle. I sit in an open-plan office surrounded by forty, fifty and sixty-plus colleagues. Let me tell you: there is a good reason I have noise-cancelling headphones. • How rude can you be to your colleagues? Where to begin on the long list of communal workspace no-no's I witness (tolerate) on a day-to-day basis? The tech gap is probably the most triggering place to start. As one friend put it, many of her boomer colleagues 'need to go to internet school'. This fact would be forgiven if they didn't constantly make it our problem. There is a marked lack of adaptability that verges on laziness when it comes to computer users of a certain age in my office. I am regularly pulled away from my own work to help with enormous technical feats such as logging in, using the printer or — most dreaded of all — opening Slack. That's if they bother. Some senior colleagues, refusing to download certain essential workflow programs on their own computers, come and use them on mine instead while I am expected to — quite literally — stand by. I am probably too amenable, but I am also not someone who will say no to their boss, not even if it means giving up my chair. Then there are the phones. Why are they never on silent? Why are you taking the call at your desk? Ditto that Zoom meeting, without headphones on. We have plenty of private rooms for exactly these purposes. The rest of us don't need to listen in. It's arrogant and it's boring, and it's a reason why we occasionally prefer to work at home. • Do Gen Z just not understand work meeting etiquette? Noise, generally, is an issue. Boomer office volumes are obnoxious. Where colleagues my age use WhatsApp or internal messaging systems to communicate, our elders tend to just shout from one end to the other. There is also no respect for the fact that I am clearly trying to meet a project deadline. Having my headphones on seems to be an invitation to sit down and have a meandering chat. If I see my bosses are in head-down mode, I do my best to leave them alone and divert anyone who might be on their way to distract them. When the tables are turned, they see it as an opportunity to start telling me about their kitchen renovation. Nearly all fail to read the pained look in my eyes, and I can't help but feel they think my work is simply less important. Or perhaps they just have less to do. Also overheard at my office: very loud sneezing, grunting and snorting. Misogynist, inappropriate comments. Singing. For a long time at work, I wondered why I found it hard to concentrate and if perhaps I had undiagnosed ADHD. Then I started working from home a bit more and hiding away in private offices when I needed to meet deadlines. Turns out I just needed a quiet, boomer-free place to work.
BBC News
22 minutes ago
- BBC News
Arsenal's ruthless Eze coup shows intent
Arsenal's dramatic move to steal Eberechi Eze away from arch-rivals Tottenham Hotspur is a ruthless statement of intent designed to show this is the season they plan to finally claim the biggest were ready to roll out the welcoming carpet for Crystal Palace's England forward on Wednesday, the deal virtually done with every indication the 27-year-old was set on the then filtered out that Arsenal were assessing the seriousness of a knee injury to forward Kai Havertz, which could potentially put a dent in their attacking resources - a weakness that played a significant part in manager Mikel Arteta's side ending empty handed for the fifth year in succession last of taking the cheaper option of exploring the loan market, as was first expected, Arsenal went for broke in spectacular style by setting up a £60m coup to take Eze to Emirates Stadium from right under the noses of move to Arsenal, which is now fully expected to be successfully concluded, is not simply a devastating psychological blow aimed across north London at is a clear signal that they have no intention of falling short in their stated aim of mounting a serious Premier League title challenge, as well as making inroads deep into the Champions League once more after reaching the semi-final last is strategy in stark contrast to the inertia that gripped Arsenal last season, when their failure to solve an obvious problem - namely sign a recognised striker - cost them thought they had Eze wrapped up, the possibility of a cash-plus-Richarlison deal discussed, but Arsenal moved with lightning speed once they were confronted by the possibility of Havertz facing a spell on the have been linked with Eze all summer, but it was thought their interest had cooled once Ethan Nwaneri agreed a new five-year contract, on top of signing Chelsea winger Noni Madueke in a £48.5m injury, and its potential consequences, reignited that interest to leave Spurs stunned. Arteta knows this is the season he must land a major prize, and to do this he has been heavily backed by Arsenal's well as Madueke, the Gunners have concluded moves to sign Spain's outstanding midfield man Martin Zubimendi in a deal worth up to £60m and, at least 12 months too late, a recognised striker in Viktor Gyokeres, signed from Sporting Lisbon for £ Eze, who had two years left on his Palace contract, Arsenal will get a versatile forward rich in natural talent who is a match-winner - as he proved when scoring the winner against Manchester City in the FA Cup final in was a follow-up to the spectacular right-foot finish that set Palace on their way to a 3-0 win over Aston Villa at Wembley in the semi-final. Eze also scored the Eagles' opener when they beat Fulham 3-0 at Craven Cottage in the has demonstrated he has the temperament and talent for the big occasion when inspiring Palace to the first major trophy in their will hope he has plenty of those occasions is a scorer and creator of goals, adding real threat to Arsenal's front line, with 14 goals in all competitions last was a boyhood Arsenal fan and was part of the club's academy until he was 13. He may have been initially keen on a move to Spurs, but once the Gunners showed their hand was only one part of north London he was heading has achieved his goals the hard way, spending time at Fulham, Reading and Millwall before signing for Queen's Park Rangers. He left Loftus Road for Palace in a £19.5m deal in August believe they did all they could to conclude a deal - apart from actually concluding it - but it is a hammer blow to chairman Daniel Levy and manager Thomas Frank, who also thought they had a deal for Morgan Gibbs-White in the bag only for him to sign a new contract at Nottingham will revel in the local rivalry of snatching away a prime transfer target for Spurs, but the wider context demonstrates the Gunners are deadly serious about ending the wait for success that now stretches back to has previously admitted to "crying for a week" when he was let go by Arsenal in 2011, but this gifted forward has now been given a golden opportunity to make up for lost time.
