[Openid-specs-fapi] Bristol man loses £8,000 in banking app scam

Joseph Heenan joseph at authlete.com
Thu Feb 9 17:29:03 UTC 2023


Hi Kosuke

> On 9 Feb 2023, at 14:51, Kosuke Koiwai via Openid-specs-fapi <openid-specs-fapi at lists.openid.net> wrote:
> 
> FYI 
> 
> Is there anything we can do?
> 
> https://www.bbc.com/news/uk-england-bristol-64559260

As I understand it, the scam works something like this:

The user’s debit card details have been obtained by the scammer.

The scammers try to make payments online using these details, which triggers Mastercard 3D Secure ( https://www.starlingbank.com/blog/introducing-3D-secure/ ).

The user generates a code in their app, which has copious warnings not to share it (screenshots attached).

I don’t understand the details/limitations of 3D Secure, but this feels like the classic problem of OTPs not being context-specific, i.e. it’s generally better to have a prompt like “Do you want to approve a transaction of £1523.43 to Amazon Gift Cards?” (although, for some reason, many of the 3D Secure prompts I’ve seen do have a fallback to an SMS-issued OTP, but again, at least they can include the context in the SMS).

Thanks

Joseph
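The contrast drawn above, as an added example that is not part of the original post and not any bank's 3D Secure implementation: a code the app generates "on demand" verifies against whatever payment the issuer happens to be authorising, while a code derived from the exact amount and payee shown on the approval screen verifies only for that payment. The key, amounts and payee names are constructed sample values.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

@dataclass(frozen=True)
class Transaction:
    amount_pence: int  # minor units: no float or locale ambiguity
    payee: str
    nonce: str         # per-challenge value chosen by the issuer

def _truncate(digest: bytes, digits: int = 6) -> str:
    """HOTP-style dynamic truncation (RFC 4226 s5.3) to a fixed-width code."""
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def bare_otp(key: bytes, counter: int) -> str:
    """Code the user generates 'on demand' in the app: nothing ties it to a payment."""
    return _truncate(hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest())

def transaction_code(key: bytes, tx: Transaction) -> str:
    """Code derived from the exact details shown on the approval screen."""
    payee, nonce = tx.payee.encode(), tx.nonce.encode()
    # Length-prefixed fields so two different contexts cannot serialise identically.
    ctx = struct.pack(">QH", tx.amount_pence, len(payee)) + payee
    ctx += struct.pack(">H", len(nonce)) + nonce
    return _truncate(hmac.new(key, ctx, hashlib.sha256).digest())

def verify_bare(key: bytes, counter: int, code: str) -> bool:
    """Issuer-side check of a bare OTP: the payment being authorised plays no part."""
    return hmac.compare_digest(bare_otp(key, counter), code)

def verify_bound(key: bytes, tx_being_authorised: Transaction, code: str) -> bool:
    """Issuer recomputes over the payment it is actually about to authorise."""
    return hmac.compare_digest(transaction_code(key, tx_being_authorised), code)

def demo() -> dict:
    key = b"constructed-demo-secret"  # constructed; real keys are per-card and random
    shown = Transaction(1999, "Local Grocer", "n1")         # what the user saw and approved (constructed)
    fraud = Transaction(152343, "Amazon Gift Cards", "n1")  # what the scammer actually submitted (constructed)
    code_read_out = bare_otp(key, 7)         # a bare code, as read out over the phone
    approved = transaction_code(key, shown)  # a code bound to the displayed payment
    return {
        "bare_code_accepted_for_fraud": verify_bare(key, 7, code_read_out),
        "bound_code_accepted_for_shown": verify_bound(key, shown, approved),
        "bound_code_accepted_for_fraud": verify_bound(key, fraud, approved),
    }
```

Binding the code to the displayed details means a user can only ever produce a code for a payment they were actually shown, so a code obtained by social engineering is useless for any other payment.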



-------------- next part --------------
A non-text attachment was scrubbed...
Name: IMG_5164.jpeg
Type: image/jpeg
Size: 67278 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-specs-fapi/attachments/20230209/012c2d5d/attachment-0002.jpeg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: IMG_5165.jpeg
Type: image/jpeg
Size: 56994 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-specs-fapi/attachments/20230209/012c2d5d/attachment-0003.jpeg>