How is a thief taking thousands from London gym-goers?

I was curious about this too, so I decided to delete my Halifax app and see what would be required to get hold of my card’s PIN, imagining I just had my locked phone and wallet.

I took screenshots of the whole “forgotten my details” process here if you’re interested: Halifax Forgotten Details – Google Drive

But in a nutshell, Halifax asked for:

  • Sort Code & Account No. (On physical card)
  • Full name (On physical card)
  • Date of Birth (On ID card in wallet)
  • 6 digit code via SMS (iPhone default is to “Show Previews”)
  • 4 digit code via phone call (No need to unlock phone to answer)

This allowed me to:

  • Retrieve the online banking username
  • Reset the online banking password
  • Reset the online banking “memorable information”

Which in turn meant I could log into the Halifax app and have full control including displaying the card’s PIN.

I don’t have any active accounts with Santander anymore, but a quick check seems to show the process is similar for them, asking for the card number and verification code, plus full name and DOB.

It’s clear the banks need to beef up their security, to ensure this can’t carry on, but I can see this is easier said than done.

As others mentioned, Starling’s request for video authentication is a good way to protect against this (and interestingly you need to do this even if you know your login details but are just installing the app on a new device).

Even if other banks implemented this only if you needed to recover/reset your online banking login details (as opposed to every time you installed their app), it would help foil this scam without delaying access to users who already knew their login details.

Thinking about it though, with Starling being primarily an app-based bank, they do have an advantage here. What about older customers at other banks without smartphones, who use online banking on their PC with no webcam; how would they reset their details? Maybe this is part of the reason many banks haven’t introduced this security approach yet, as they have some more hurdles to get over compared with app-based banks.

Yes, people can make their phone messages more secure, but ultimately it needs to be up to the banks to ensure everyone is protected no matter what phone or phone settings they use.
