Bank’s use of a single authentication code allowed scammer to slip through

Categories: Fraud & scams
Summary:
In February 2024, Kirk received a call from someone claiming to be from his bank's fraud detection team. The caller, who was in fact a scammer, said the bank had detected suspicious activity on his accounts, and it needed to take steps to make his accounts secure. To that end, the caller said, he needed Kirk’s access number and told him he would send a verification code to his mobile. Kirk received a text, including a code to confirm a password reset. Kirk gave him the code when asked for it. The caller used the code to change the password on Kirk’s internet banking and logged in to Kirk’s accounts using his own device.
Published:
March 2025

Kirk immediately became suspicious and attempted to log in to his banking but was unsuccessful because the scammer had changed his password. Kirk then changed his password himself and called the bank. However, in the 10 minutes it took Kirk to get through, the scammer had made five payments to a new payee totalling $12,500.

Kirk complained to us that the bank refused to reimburse his loss of $9,300 (the balance of $3,200 having been recovered by the bank).

Our investigation

We asked the bank how it was possible for the scammer to change a password as well as set up payments to a new payee with only a single two-factor authentication code. The bank said it had set up its systems so that entering one such code was sufficient for all subsequent actions during an online banking session. We found this unsatisfactory because the time immediately following a password change was often when customers were being scammed. We said it was often easier for scammers to convince a customer to hand over a code to reset a password compared to one confirming payment to a new payee.

The bank told us it had subsequently changed its system so that any payment exceeding $2,000 required another two-factor authentication code. It accepted that it was highly unlikely Kirk would have been scammed if this system had been in place at the time. It therefore agreed to reimburse Kirk’s $9,300 loss, as well as offer a goodwill payment of $1,200 in recognition of the stress and inconvenience he had suffered.
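The authorisation rules described above can be modelled as a small policy check. The following is an added illustration written for this page, not the bank's code: it replays a constructed set of five payments totalling $12,500 under the original one-code-for-everything rule, under the bank's later rule (a fresh code for any payment over $2,000), and under a stricter action-bound rule that is an assumption here, not something the case states the bank adopted. Individual payment amounts are constructed, since the case gives only the total.

```python
from dataclasses import dataclass

# Threshold the bank adopted after the case: payments above it need another code.
STEP_UP_THRESHOLD = 2_000


@dataclass
class Payment:
    amount: int
    new_payee: bool
    fresh_otp: bool  # was a code issued and entered for *this* payment?


@dataclass
class Session:
    # One code was accepted to reset the password at login. The case describes
    # the bank treating that single code as sufficient for everything after it.
    reset_otp_verified: bool = True


def weak_policy(session: Session, p: Payment) -> bool:
    """Original behaviour: the one code entered at login authorises every later action."""
    return session.reset_otp_verified


def threshold_policy(session: Session, p: Payment) -> bool:
    """Post-incident rule: any payment over the threshold needs its own fresh code."""
    if p.amount > STEP_UP_THRESHOLD:
        return p.fresh_otp
    return session.reset_otp_verified


def action_bound_policy(session: Session, p: Payment) -> bool:
    """Stricter design (an assumption for illustration, not the bank's rule): a code
    obtained for a password reset never authorises a payment to a new payee or a
    payment over the threshold; those always need a code issued for that payment."""
    if p.new_payee or p.amount > STEP_UP_THRESHOLD:
        return p.fresh_otp
    return session.reset_otp_verified


def replay(policy, payments) -> int:
    """Total that would leave the account if each payment were checked by `policy`."""
    session = Session()
    return sum(p.amount for p in payments if policy(session, p))


# Constructed sample: five payments to a new payee totalling $12,500, each relying
# only on the password-reset code the scammer had talked the customer into reading out.
SCAM_PAYMENTS = [Payment(2_500, new_payee=True, fresh_otp=False) for _ in range(5)]
# Constructed sample: a smaller new-payee payment the threshold rule alone still allows.
SMALL_PAYMENT = [Payment(1_500, new_payee=True, fresh_otp=False)]
```

The comparison shows why a threshold alone is only a partial fix: under it, new-payee payments at or below $2,000 still ride on the password-reset code.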

Outcome

Kirk accepted the bank's offer.