Do you have Apple Pay or Google Wallet? How YOU'RE at risk from fraud
BILL BLOW Do you have Apple Pay or Google Wallet? How YOU'RE at risk from fraud
SHOPPERS who use Apple Pay or Google Pay may be at higher risk of fraud, consumer group Which? has warned.
It said the use of one-time passcodes by banks could be making people with digital wallets an easy target for scammers.
1
Shoppers who use Apple Pay or Google Pay may be at higher risk of fraud, Which? has warned
Credit: Getty
A survey by the consumer champions found that the majority of banks are still using these security features, putting consumers at risk.
Unlike contactless cards, there is no £100 spending cap on cards added to Apple and Google Pay, so fraudsters can quickly drain victims' accounts once they gain access to it.
Scammers normally trick people into divulging their card details by setting up a fake transaction, Which? said.
People will think they're paying for a bargain product advertised online, or they might fall victim to a phishing message.
A common example is parcel delivery scams, where you're asked to pay a nominal amount for re-delivery.
Scammers monitor the transaction in real time, inputting the victim's card details into a digital wallet on their own phone.
Many banks will then ask for a one time passcode (OTP) to verify the cardholder, which the scammer then asks the victim for to complete the "transaction".
The fraudsters are then able to drain the victim's bank account.
Which? surveyed 15 banks and card providers about their digital wallet setup process between April and May this year, and found the majority still use OTPs sent through text message as one of the options for adding cards to a digital wallet.
Of the 14 providers that allow cards to be added to wallets (Capital One is the exception), just two banks confirmed they do not use OTPs, while a third appeared not to when Which? researchers tested the process.
New 'property tax' will PUNISH hard-working Brits and torpedo house market, blasts Kirstie Allsopp
Barclays, Co-op, HSBC (with its sister banks First Direct and M&S Bank), Santander and Virgin Money said they currently use SMS OTPs, though they are not the only verification option.
Starling said it still uses OTPs for setting up Apple Pay alongside other options, but it removed them from Google Pay in 2022.
TSB said it is working to set up in-app verification, but is using OTPs in the meantime.
American Express, Lloyds Banking Group and NewDay (which operates the John Lewis Partnership Credit Card) - did not outline which verification methods they use.
When Which? tested the set up processes for cards, Amex did use SMS and email OTPs, while Halifax did not and instead offered several "more robust methods" including in-app approval.
Chase and Monzo said they have never used OTPs for setting up digital wallets.
It comes after Cifas, UK Finance and the Cyber Defence Alliance previously warned about the link between OTP use and digital wallet fraud.
Providers can also limit how many wallets a card can be added to overall, or within a certain time period, but most banks do not implement these restrictions.
Virgin Money allows an individual card to be added to a maximum of five devices.
Starling with a total limit of 15 devices, while Monzo customers can only add their Monzo cards to a digital wallet twice in a 24-hour period and three times every 30 days.
However, Which? said that even with these limits in place, consumers can still fall victim to scammers as they only need to add one card to a digital wallet to start spending.
Which? Money deputy editor Sam Richardson said: 'For millions of us, digital wallets are a quick, easy and secure way to make payments, but weaknesses in card providers' security means they can also be a gift to scammers.
'Banks have known for years that using one time passcodes (OTPs) to verify account holders is leaving consumers vulnerable.
"It's clear further investment is needed to make the digital wallet set-up process fit for the threats consumers face in 2025.
'In the meantime, we'd caution shoppers to always think twice before sharing their payment details - or OTPs - online.
"If you think you've been a victim of a scam, contact Action Fraud and your bank immediately.'
Apple told Which? it is not responsible for approving or rejecting the addition of a card to Apple Pay, or for approving or rejecting transactions.
It said that it takes users' security seriously and Apple Pay has been designed in a way to protect users' personal information.
A Google spokesperson said: 'Security is core to the Google Wallet experience and we work closely with card issuers to prevent fraud.
"For example, banks notify customers when their card has been added to a new digital wallet, and we provide signals to help issuers detect fraudulent behaviour so they can decide whether to approve added cards.'
An American Express spokesperson said: 'Privacy and security are a priority for American Express.
"We have controls designed to protect customer accounts and guard against unauthorised fraudulent activity, and if we identify activity that may be fraud, we will take protective actions.'
Barclays said that the verification method used for adding a card to a digital wallet will depend on the user journey. It said it does not currently have plans to phase out use of OTPs.
Co-Op Bank said it monitors for fraudulent registrations through its fraud detection systems and has multiple strategies in place to detect digital wallet fraud. It does not currently have plans to phase out use of OTPs.
HSBC said it has no immediate plans to phase out OTP delivery for adding cards to digital wallets, however, it keeps its digital wallet provisioning process under review.
Lloyds said it has invested millions of pounds in multi-layered fraud defences, and continues to regularly review its authentication methods.
Nationwide said that it has multiple layers of protection in place to keep its customers safe from fraud including warning messaging, AI models and sophisticated internal analytics. It is currently exploring alternatives to OTPs.
Natwest said it regularly reviews its customer experience and authentication to ensure security, and said it is reviewing how it uses OTPs.
NewDay declined to comment.
Santander said it is looking at other forms of authentication, and other security measures, which may be less visible to a user than the mechanism used for two-factor authentication.
Starling said it currently only uses OTPs for Apple Pay, and removed this option from Android phones in 2022.
TSB told Which? that it is working closely with card and wallet providers to implement approval via the TSB Mobile App. In the interim, OTP verification is accompanied by the necessary risk verification, alongside fraud controls to keep customer details safe.
Virgin Money said its fraud team has heightened monitoring and controls around digital wallet fraud. It also said that it is looking at in-app verification as an option but has no current plans to phase out use of OTPs.
Do you have a money problem that needs sorting? Get in touch by emailing money-sm@news.co.uk.
Plus, you can join our Sun Money Chats and Tips Facebook group to share your tips and stories
Hashtags
Try Our AI Features
Explore what Daily8 AI can do for you:
Comments
No comments yet...
Related Articles
Scottish Sun
2 hours ago
- Scottish Sun
Do you have Apple Pay or Google Wallet? How YOU'RE at risk from fraud
Consumer experts share warning to shoppers on how they can avoid falling victim to scammers BILL BLOW Do you have Apple Pay or Google Wallet? How YOU'RE at risk from fraud SHOPPERS who use Apple Pay or Google Pay may be at higher risk of fraud, consumer group Which? has warned. It said the use of one-time passcodes by banks could be making people with digital wallets an easy target for scammers. 1 Shoppers who use Apple Pay or Google Pay may be at higher risk of fraud, Which? has warned Credit: Getty A survey by the consumer champions found that the majority of banks are still using these security features, putting consumers at risk. Unlike contactless cards, there is no £100 spending cap on cards added to Apple and Google Pay, so fraudsters can quickly drain victims' accounts once they gain access to it. Scammers normally trick people into divulging their card details by setting up a fake transaction, Which? said. People will think they're paying for a bargain product advertised online, or they might fall victim to a phishing message. A common example is parcel delivery scams, where you're asked to pay a nominal amount for re-delivery. Scammers monitor the transaction in real time, inputting the victim's card details into a digital wallet on their own phone. Many banks will then ask for a one time passcode (OTP) to verify the cardholder, which the scammer then asks the victim for to complete the "transaction". The fraudsters are then able to drain the victim's bank account. Which? surveyed 15 banks and card providers about their digital wallet setup process between April and May this year, and found the majority still use OTPs sent through text message as one of the options for adding cards to a digital wallet. Of the 14 providers that allow cards to be added to wallets (Capital One is the exception), just two banks confirmed they do not use OTPs, while a third appeared not to when Which? researchers tested the process. New 'property tax' will PUNISH hard-working Brits and torpedo house market, blasts Kirstie Allsopp Barclays, Co-op, HSBC (with its sister banks First Direct and M&S Bank), Santander and Virgin Money said they currently use SMS OTPs, though they are not the only verification option. Starling said it still uses OTPs for setting up Apple Pay alongside other options, but it removed them from Google Pay in 2022. TSB said it is working to set up in-app verification, but is using OTPs in the meantime. American Express, Lloyds Banking Group and NewDay (which operates the John Lewis Partnership Credit Card) - did not outline which verification methods they use. When Which? tested the set up processes for cards, Amex did use SMS and email OTPs, while Halifax did not and instead offered several "more robust methods" including in-app approval. Chase and Monzo said they have never used OTPs for setting up digital wallets. It comes after Cifas, UK Finance and the Cyber Defence Alliance previously warned about the link between OTP use and digital wallet fraud. Providers can also limit how many wallets a card can be added to overall, or within a certain time period, but most banks do not implement these restrictions. Virgin Money allows an individual card to be added to a maximum of five devices. Starling with a total limit of 15 devices, while Monzo customers can only add their Monzo cards to a digital wallet twice in a 24-hour period and three times every 30 days. However, Which? said that even with these limits in place, consumers can still fall victim to scammers as they only need to add one card to a digital wallet to start spending. Which? Money deputy editor Sam Richardson said: 'For millions of us, digital wallets are a quick, easy and secure way to make payments, but weaknesses in card providers' security means they can also be a gift to scammers. 'Banks have known for years that using one time passcodes (OTPs) to verify account holders is leaving consumers vulnerable. "It's clear further investment is needed to make the digital wallet set-up process fit for the threats consumers face in 2025. 'In the meantime, we'd caution shoppers to always think twice before sharing their payment details - or OTPs - online. "If you think you've been a victim of a scam, contact Action Fraud and your bank immediately.' Apple told Which? it is not responsible for approving or rejecting the addition of a card to Apple Pay, or for approving or rejecting transactions. It said that it takes users' security seriously and Apple Pay has been designed in a way to protect users' personal information. A Google spokesperson said: 'Security is core to the Google Wallet experience and we work closely with card issuers to prevent fraud. "For example, banks notify customers when their card has been added to a new digital wallet, and we provide signals to help issuers detect fraudulent behaviour so they can decide whether to approve added cards.' An American Express spokesperson said: 'Privacy and security are a priority for American Express. "We have controls designed to protect customer accounts and guard against unauthorised fraudulent activity, and if we identify activity that may be fraud, we will take protective actions.' Barclays said that the verification method used for adding a card to a digital wallet will depend on the user journey. It said it does not currently have plans to phase out use of OTPs. Co-Op Bank said it monitors for fraudulent registrations through its fraud detection systems and has multiple strategies in place to detect digital wallet fraud. It does not currently have plans to phase out use of OTPs. HSBC said it has no immediate plans to phase out OTP delivery for adding cards to digital wallets, however, it keeps its digital wallet provisioning process under review. Lloyds said it has invested millions of pounds in multi-layered fraud defences, and continues to regularly review its authentication methods. Nationwide said that it has multiple layers of protection in place to keep its customers safe from fraud including warning messaging, AI models and sophisticated internal analytics. It is currently exploring alternatives to OTPs. Natwest said it regularly reviews its customer experience and authentication to ensure security, and said it is reviewing how it uses OTPs. NewDay declined to comment. Santander said it is looking at other forms of authentication, and other security measures, which may be less visible to a user than the mechanism used for two-factor authentication. Starling said it currently only uses OTPs for Apple Pay, and removed this option from Android phones in 2022. TSB told Which? that it is working closely with card and wallet providers to implement approval via the TSB Mobile App. In the interim, OTP verification is accompanied by the necessary risk verification, alongside fraud controls to keep customer details safe. Virgin Money said its fraud team has heightened monitoring and controls around digital wallet fraud. It also said that it is looking at in-app verification as an option but has no current plans to phase out use of OTPs. Do you have a money problem that needs sorting? Get in touch by emailing money-sm@ Plus, you can join our Sun Money Chats and Tips Facebook group to share your tips and stories
The Sun
2 hours ago
- The Sun
Do you have Apple Pay or Google Wallet? How YOU'RE at risk from fraud
SHOPPERS who use Apple Pay or Google Pay may be at higher risk of fraud, consumer group Which? has warned. It said the use of one-time passcodes by banks could be making people with digital wallets an easy target for scammers. 1 A survey by the consumer champions found that the majority of banks are still using these security features, putting consumers at risk. Unlike contactless cards, there is no £100 spending cap on cards added to Apple and Google Pay, so fraudsters can quickly drain victims' accounts once they gain access to it. Scammers normally trick people into divulging their card details by setting up a fake transaction, Which? said. People will think they're paying for a bargain product advertised online, or they might fall victim to a phishing message. A common example is parcel delivery scams, where you're asked to pay a nominal amount for re-delivery. Scammers monitor the transaction in real time, inputting the victim's card details into a digital wallet on their own phone. Many banks will then ask for a one time passcode (OTP) to verify the cardholder, which the scammer then asks the victim for to complete the "transaction". The fraudsters are then able to drain the victim's bank account. Which? surveyed 15 banks and card providers about their digital wallet setup process between April and May this year, and found the majority still use OTPs sent through text message as one of the options for adding cards to a digital wallet. Of the 14 providers that allow cards to be added to wallets (Capital One is the exception), just two banks confirmed they do not use OTPs, while a third appeared not to when Which? researchers tested the process. New 'property tax' will PUNISH hard-working Brits and torpedo house market, blasts Kirstie Allsopp Barclays, Co-op, HSBC (with its sister banks First Direct and M&S Bank), Santander and Virgin Money said they currently use SMS OTPs, though they are not the only verification option. Starling said it still uses OTPs for setting up Apple Pay alongside other options, but it removed them from Google Pay in 2022. TSB said it is working to set up in-app verification, but is using OTPs in the meantime. American Express, Lloyds Banking Group and NewDay (which operates the John Lewis Partnership Credit Card) - did not outline which verification methods they use. When Which? tested the set up processes for cards, Amex did use SMS and email OTPs, while Halifax did not and instead offered several "more robust methods" including in-app approval. Chase and Monzo said they have never used OTPs for setting up digital wallets. It comes after Cifas, UK Finance and the Cyber Defence Alliance previously warned about the link between OTP use and digital wallet fraud. Providers can also limit how many wallets a card can be added to overall, or within a certain time period, but most banks do not implement these restrictions. Virgin Money allows an individual card to be added to a maximum of five devices. Starling with a total limit of 15 devices, while Monzo customers can only add their Monzo cards to a digital wallet twice in a 24-hour period and three times every 30 days. However, Which? said that even with these limits in place, consumers can still fall victim to scammers as they only need to add one card to a digital wallet to start spending. Which? Money deputy editor Sam Richardson said: 'For millions of us, digital wallets are a quick, easy and secure way to make payments, but weaknesses in card providers' security means they can also be a gift to scammers. 'Banks have known for years that using one time passcodes (OTPs) to verify account holders is leaving consumers vulnerable. "It's clear further investment is needed to make the digital wallet set-up process fit for the threats consumers face in 2025. 'In the meantime, we'd caution shoppers to always think twice before sharing their payment details - or OTPs - online. "If you think you've been a victim of a scam, contact Action Fraud and your bank immediately.' Apple told Which? it is not responsible for approving or rejecting the addition of a card to Apple Pay, or for approving or rejecting transactions. It said that it takes users' security seriously and Apple Pay has been designed in a way to protect users' personal information. A Google spokesperson said: 'Security is core to the Google Wallet experience and we work closely with card issuers to prevent fraud. "For example, banks notify customers when their card has been added to a new digital wallet, and we provide signals to help issuers detect fraudulent behaviour so they can decide whether to approve added cards.' An American Express spokesperson said: 'Privacy and security are a priority for American Express. "We have controls designed to protect customer accounts and guard against unauthorised fraudulent activity, and if we identify activity that may be fraud, we will take protective actions.' Barclays said that the verification method used for adding a card to a digital wallet will depend on the user journey. It said it does not currently have plans to phase out use of OTPs. Co-Op Bank said it monitors for fraudulent registrations through its fraud detection systems and has multiple strategies in place to detect digital wallet fraud. It does not currently have plans to phase out use of OTPs. HSBC said it has no immediate plans to phase out OTP delivery for adding cards to digital wallets, however, it keeps its digital wallet provisioning process under review. Lloyds said it has invested millions of pounds in multi-layered fraud defences, and continues to regularly review its authentication methods. Nationwide said that it has multiple layers of protection in place to keep its customers safe from fraud including warning messaging, AI models and sophisticated internal analytics. It is currently exploring alternatives to OTPs. Natwest said it regularly reviews its customer experience and authentication to ensure security, and said it is reviewing how it uses OTPs. NewDay declined to comment. Santander said it is looking at other forms of authentication, and other security measures, which may be less visible to a user than the mechanism used for two-factor authentication. Starling said it currently only uses OTPs for Apple Pay, and removed this option from Android phones in 2022. TSB told Which? that it is working closely with card and wallet providers to implement approval via the TSB Mobile App. In the interim, OTP verification is accompanied by the necessary risk verification, alongside fraud controls to keep customer details safe. Virgin Money said its fraud team has heightened monitoring and controls around digital wallet fraud. It also said that it is looking at in-app verification as an option but has no current plans to phase out use of OTPs. .
Scottish Sun
3 hours ago
- Scottish Sun
From delaying tactics to age limits and finding your tribe – ten ways to resist giving in to your kid's phone demands
78 per cent of teens check their devices at least every hour SMART IDEAS From delaying tactics to age limits and finding your tribe – ten ways to resist giving in to your kid's phone demands MORE than half of all kids in Britain are addicted to technology – with 91 per cent owning a mobile phone by the age of 11, research reveals. A 2025 Ofcom report found a massive 78 per cent of teens check their devices at least every hour. 5 We have ten ways to resist giving in to your kid's phone demands Credit: Getty 5 Dr Martha Deiros Collado is the author of The Smartphone Solution: When And How To Give Your Child A Phone Advertisement And even when parents try their hardest to control the situation, it is easy to get it wrong, according to clinical psychologist Dr Martha Deiros Collado, whose new book, The Smartphone Solution: When And How To Give Your Child A Phone, is packed with practical advice. In her two decades of experience, Dr Collado has helped thousands of families and appeared on Channel 4's The Great British Phone Switch. She has vowed not to let her own two daughters, aged six and two, have a smartphone until they are at least 15, but admits pester power is already making it a challenge. Dr Collado explained: 'I know the road ahead is going to be tough. Advertisement 'Our children were born with digital devices all around them — I'm not saying it's easy. 'We're the first generation of parents having to navigate the choppy seas of the internet with very few safety floats to support us. 'We're all going to make mistakes along the way, and that's OK. 'Like many parents, I worry about smartphones' effect on children's development. Advertisement 'Kids really do need real-life interaction, attention and play. 'And they need to learn to cope if they are bored or frustrated: pulling out a phone out of habit means they don't get this chance. Battling the 'Crypad' Habit: A Parent's Dilemma 'In the meantime, we teach them safety from an early age.' Here are Dr Collado's top ten tips for parents on how to resist giving their kids a smartphone. DON'T SAY NO, SAY NOT YET Delaying smartphones can be empowering to you and your child. Advertisement A ban instantly makes them more desirable, but tell children that smartphones are not out of bounds, they're simply not ready yet to have one with unimpeded access to all the apps and content they offer. 'Not yet' opens up a conversation — we're not ignoring their wishes, but there's still learning to be done. A hard 'no' can feel like rejection, but delaying offers time to develop digital skills which will protect them from engaging in harmful communications online, like learning when it's time to take a break. SMARTPHONES ARE NOT FOR CHILDREN Making kids wait to own a device emphasises that they're not toys. Smartphones shouldn't be considered an object of fun, a status symbol or rite of passage into secondary school. Advertisement They're a wonderful tool and a dangerous machine. Be present if your children are using their smartphone. Say loud and clear, 'You can take a photo, but I'm trusting you to hold it very carefully. Smartphones are really expensive'. MAKE THE AGE LIMIT CLEAR EARLY ON 5 It's good to let kids know there's an age they can get a phone Credit: Getty You needn't wait until your child asks to say, 'You won't be getting a phone until you're at least 13'. Advertisement Children benefit from knowing that there's an age when you might start to consider it — and guess what happens? Most kids get excited. Because you haven't said no, there's a lot of hope and possibility that youngsters will grab on to. HOLD FIRM Stay strong and wait until their brains and hearts are sufficiently developed and they possess the impulse control and critical-thinking skills to stay safe when they're bombarded with inappropriate content. Your child might not like it, or agree, but it's not your job to justify your decision or convince them that you're right. It's your job to keep them safe, even when it's hard to do so. Advertisement Dig deep and find the courage to teach them patience and delayed gratification — two life skills that smartphones are really good at stealing away from them. OFFER OTHER DIGITAL EXPERIENCES We can't completely protect our children from the digital world, but find ways to alleviate the downsides of not having a smartphone when their friends get one. This might be allowing them to video call friends via a tablet under your supervision, using an 'un-smart' phone for calls and texts when they're away from home and at certain agreed hours in your home, or letting them enjoy gaming online with their friends on closed digital platforms where you have oversight of what they play, who with and for how long. SET A GOOD EXAMPLE 5 You should set a good example for your child with your phone usage Credit: Getty Children learn more by what you do than what you say. Advertisement How you behave with your phone is crucial in shaping your child's attitudes. If you limit their screen time, but the rules don't apply to you, it sends mixed messages. And it's more likely that you'll end up fighting daily battles about why it's OK for you to have a phone at the dinner table but not them. Get into the habit of telling them what you're doing on your device — this is useful for training yourself to cut back on usage. Also, resist the chance to reach for the phone's camera when you see your kids doing something adorable — join them in their real-life adventures. Advertisement TELL OTHER ADULTS YOUR RULES You have parental power to say no at the homes of friends who have older children with smartphones. Even though it might be age-appropriate, it's important to teach that they can't play on someone else's smartphone either. This can be tough with friends, and doesn't always work out, but learn to speak up about mobile usage to prevent a situation that you don't feel comfortable with. Say, 'We know your child has one, but if we could keep it out of reach for a couple of hours it would really help us', or 'It's OK if that's what you want to do, but we'd be really grateful if you don't do it in front of her'. FIND YOUR TRIBE Find a parenting circle in which others are delaying phones, too. Advertisement A few years ago, it might have seemed like you would be alone in this venture. But now, lots of parents have started to wake up to the potential risks of smartphones for children. And momentum is growing. Some parents may fear being rejected by those who are strongly in favour of delaying. Try to be inclusive and compassionate to anyone who wants to consider this idea with you. Advertisement START CONVERSATION EARLY For toddlers and preschoolers, be a positive role model and set a strong example by ensuring you follow well-defined rules when your child is with you. This might involve putting your phone in a different room or ensuring that if it beeps or buzzes, you don't allow it to interfere in interactions with your child. See your child as the first priority and your smartphone as the last. Use simple language and stay honest, such as, 'When you're older you'll be allowed to use one'. BE READY FOR SCHOOL 5 Explain to kids that phones distract from schoolwork and the internet has lots of risks Credit: Getty Advertisement Set clear expectations when they start school. Say, 'You need to be at least 13 to have the skills and maturity to use them (devices) responsibly and safely'. State your position, get kids involved, listen to their views, opinions and ideas so they feel part of the rules rather than having something 'done' to them. Try offering an alternative, like a brick phone without apps, so they can make and receive calls and messages. Explain that phones distract from schoolwork and the internet has lots of risks that might make them overwhelmed. Advertisement Say, 'My job as your parent is to keep you safe. Let's keep talking'.
