[Openid-specs-fapi] Bristol man loses £8,000 in banking app scam
Kosuke Koiwai
kkoiwai at gmail.com
Fri Feb 10 06:48:11 UTC 2023
Thanks Joseph, and yes, it is difficult if banks have to provide an option
to an OTP fallback.
Kosuke
On Fri, Feb 10, 2023 at 2:29 AM Joseph Heenan <joseph at authlete.com> wrote:
> Hi Kosuke
>
> On 9 Feb 2023, at 14:51, Kosuke Koiwai via Openid-specs-fapi <
> openid-specs-fapi at lists.openid.net> wrote:
>
> FYI
>
> Is there anything we can do?
>
> https://www.bbc.com/news/uk-england-bristol-64559260
>
>
> As I understand it, the scam works something like this:
>
> The user’s debit card details have been obtained by the scammer.
>
> The scammers try to make payments online using these details, which
> triggers Mastercard secure3d (
> https://www.starlingbank.com/blog/introducing-3D-secure/ ).
>
> The user generates a code in their app, which has copious warnings not to
> share it (screenshots attached).
>
> I don’t understand the details/limitations of 3d secure, but this feels
> like the classic problem of OTPs not being context specific - i.e. it’s
> generally better to have a prompt like “Do you want to approve a
> transaction of £1523.43 to Amazon Gift Cards?”, although for some reason
> many of the 3d secure prompts I’ve seen do have a fallback to an SMS-issued
> OTP (but again, at least they can include the context in the SMS).
>
> Thanks
>
> Joseph
>
>
> [image: IMG_5164.jpeg][image: IMG_5165.jpeg]
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: IMG_5164.jpeg
Type: image/jpeg
Size: 67278 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-specs-fapi/attachments/20230210/a1721a69/attachment-0002.jpeg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: IMG_5165.jpeg
Type: image/jpeg
Size: 56994 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-specs-fapi/attachments/20230210/a1721a69/attachment-0003.jpeg>
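
The contrast Joseph describes between a context-free OTP and an approval that names the amount and payee, as an added example that is not part of the original thread: an RFC 4226 style code next to a code bound to the transaction details. The key, counter, field encoding and the second payee are constructed for illustration and are not how 3D Secure or any bank computes its codes.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"   # constructed sample secret shared by app and issuer
COUNTER = 7                     # constructed sample counter

def _truncate(mac: bytes, digits: int = 6) -> str:
    """RFC 4226 dynamic truncation of an HMAC to a short decimal code."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def context_free_otp(key: bytes, counter: int) -> str:
    """HOTP-style code: depends only on key and counter, so it carries
    no information about which payment it ends up approving."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac)

def canonical_context(amount_minor: int, currency: str, payee: str) -> bytes:
    """Length-prefixed encoding of exactly what the user is shown, so that
    field boundaries cannot be shifted to forge an equivalent context."""
    fields = [str(amount_minor), currency.upper(), payee.strip().casefold()]
    return b"".join(struct.pack(">H", len(f.encode())) + f.encode() for f in fields)

def transaction_otp(key, counter, amount_minor, currency, payee) -> str:
    """Code bound to amount and payee (assumed scheme, for illustration)."""
    msg = struct.pack(">Q", counter) + canonical_context(amount_minor, currency, payee)
    return _truncate(hmac.new(key, msg, hashlib.sha256).digest())

def issuer_accepts(key, counter, submitted, amount_minor, currency, payee) -> bool:
    """Issuer recomputes the code for the payment actually pending."""
    expected = transaction_otp(key, counter, amount_minor, currency, payee)
    return hmac.compare_digest(expected, submitted)

def demo() -> dict:
    pending = (152343, "GBP", "Amazon Gift Cards")    # payment from the message
    believed = (999, "GBP", "Example Coffee Shop")    # constructed: what the user thinks
    code_for_believed = transaction_otp(KEY, COUNTER, *believed)
    return {
        # The context-free code is the same whatever payment is pending.
        "context_free_code": context_free_otp(KEY, COUNTER),
        # A code generated for a different context fails for the pending payment.
        "mismatched_context_accepted": issuer_accepts(KEY, COUNTER, code_for_believed, *pending),
        "matching_context_accepted": issuer_accepts(
            KEY, COUNTER, transaction_otp(KEY, COUNTER, *pending), *pending),
    }

if __name__ == "__main__":
    print(demo())
```

The binding only helps if the app displays the same amount and payee that go into the code, so the user sees what they are approving before any code exists.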