Flaw in password resetting process contributed to customer’s loss

Common scams targeting bank customers,
James received an automated phone message purportedly from his bank. He followed prompts to be connected to a purported fraud investigator about a credit card transaction he had not made. After several interactions with this person, James gave codes sent to his phone to the purported fraud investigator on the understanding he was helping the bank’s fraud team catch thieves. A few days later, he told a friend what had happened, and the friend said it was a scam.
March 2024

James called the bank and learned internet banking transfers totalling $42,000 had been made from his accounts. The bank was able to retrieve $12,000, leaving James $30,000 out of pocket. The bank said it would not reimburse his loss because he had not taken reasonable care during the calls with the scammer, disqualifying himself from the bank's online fraud guarantee.

Our investigation

We found the scammer had accessed James’ internet banking after resetting his internet banking password. This simply required his customer number and a code sent to his phone by text message (which James had given to the scammer at the very beginning of the call before we thought a reasonable person could have suspected it was a scam). This code did not refer to the fact it would be used to reset his password, and we did not consider James’ action in passing on the code to be unreasonable. Password resets allow access to a customer’s bank accounts, so it is critical the process is done in a way that keeps the customer’s accounts secure. In our view, the text message’s failure to state that the code was to be used to reset the internet banking password undermined the security of this process. However, following this, James gave the scammer his credit card details and various codes sent by text which specified they were to authorise transactions. We considered that a reasonable person would have suspected fraud at the point of receiving text messages to authorise transactions he or she knew nothing about. The bank agreed with our concerns about its process for resetting internet banking passwords and offered to reimburse James a portion of his loss.


James accepted the offer.

Print this page