As the problem of digital bank fraud grows, one issue that will become increasingly heated is who should pay for it.
This time last year, we discussed the recent explosion in digital fraud and theft, much of it targeting the digital wallets on mobile phones. As one would expect, the more cashless the country, the greater the scale of the problem.
Fortune magazine reported, perhaps somewhat hyperbolically, that going cashless had turned Sweden from one of the safest countries in Europe into a “high-crime nation”:
Law-enforcement agencies estimate that the size of Sweden’s criminal economy could amount to as high as 2.5% of the country’s gross domestic product.
To counter the digital crime spree, Swedish authorities have put pressure on banks to tighten security measures and make it harder on tech-savvy criminals, but it’s a delicate balancing act. Going too far could slow down the economy, while doing too little erodes trust and damages legitimate businesses in the process.
Using complex webs of fake companies and forging documents to gain access to Sweden’s welfare system, sophisticated fraudsters have made Sweden a “Silicon Valley for criminal entrepreneurship,” said Daniel Larson, a senior economic crime prosecutor.
Sweden’s central bank, the Riksbank, acknowledged in its 2024 payments report “serious fraud problems that could undermine trust in the payment system”. Digitalization also makes payments “more vulnerable to cyber attacks and disruptions to the power grid and data communication,” the central bank pointed out.
These developments suggested “that we should concentrate more than before on the challenges of digitalization.” Like the central banks of neighbouring Norway and Finland, the Riksbank is backpedalling on plans for a cashless society, and has even begun urging citizens to hold and use cash in the name of civil defence and system resilience.
Meanwhile, Brazil, Latin America’s most cashless economy, is suffering an epidemic of digital crime, with 1,640 mobile phones stolen every hour, reported El País last year. The target is usually not the device itself but its applications, contacts and passwords, possession of which has helped Brazil’s criminal gangs to exponentially increase their profits. Each victim loses on average 1,500 reais ($275, just over the monthly minimum wage) in addition to the smartphone.
UK Raises Alarm
Now, the consumer magazine Which? has published a report warning about the rise of digital scams in the UK as fraudsters steal card details to set up a digital wallet on their own mobile devices. Worryingly, this can happen even if you don’t have a digital wallet of your own.
The root cause of the problem is banks’ continuing widespread use of one-time passcodes (OTPs) to set up digital wallets, even though they’re prone to abuse by fraudsters, as industry body UK Finance has repeatedly warned. The Which? investigation, which surveyed 15 high-street and digital banks, found that the majority are still using SMS OTPs to verify when a card is added.
As the report notes, victims are almost always reimbursed by the bank for any fraudulent payments made. However, the costs will probably end up being passed on to bank customers in general through higher interest rates on mortgages and loans, less generous account perks and lower interest on savings.
The researchers found that of the 14 providers that allow cards to be linked to Apple Pay, Google Wallet and other apps, only three do not depend on OTPs. Digital-only lenders Chase and Monzo confirmed they have never used them, while Starling has phased them out of Google Pay.
However, high street lenders like HSBC and Santander still issue OTPs via text messages, which leaves consumers reliant on a flawed system that fraudsters have become adept at exploiting. Here’s how the scam works:
Digital wallets can be very convenient and have security advantages compared to paying by card: namely, that you have to authorise every payment with your fingerprint or face.
But as you don’t need a physical card to add a card to a digital wallet, fraudsters could steal your card details and set up a digital wallet on their own phone.
They can then use this to spend your money online or in physical stores. Unlike physical contactless cards, which are typically limited to £100 per transaction, digital wallets have no arbitrary spending limit, making it easier for criminals to make large purchases.
Digital wallet fraud can occur during a takeover of an entire bank account, but another common method involves tricking you into giving up your debit or credit card details.
This often starts with a fake ad for a product or a phishing text or email, such as a bogus parcel delivery message. When you click the link, you are taken to a fake website that prompts you to enter your card details to complete a transaction.
The scammer monitors the website in real time. Once you submit your personal and card information, they receive it and use it to set up a digital wallet immediately.
As part of the setup, banks and providers must verify that you want to add your card to a digital wallet, and many send a one-time passcode (OTP) via text or email. The scammer’s fake website will then ask for this code, claiming it’s needed to authorise the payment you thought you were making.
In reality, the fraudster uses the OTP to complete the digital wallet setup on their own device. Once the digital wallet is set up, the fraudster can spend money from your account. You might not even know it has happened unless your bank notifies you, and research shows that some providers do not.
The Cost of Complacency
One of the most concerning findings of the report is the general complacency in the banking sector. Which? has been warning about the risks of OTP authentication for years yet many major banks, building societies and credit card companies are still using it as part of the digital wallet setup process.
The general mood of complacency also seems to extend to the broader population. According to a survey cited by Cityam, UK shoppers continue to prioritise convenience over safety when it comes to how they pay:
Among those who prefer mobile wallets, the primary driving force is speed, rather than security.
Nearly three-quarters cited convenience as their top reason for using them, and more than half pointed to faster transaction times…
Fraud experts warn that the latest wave of scams marks a new level of sophistication.
By exploiting OTPs, criminals can hijack digital wallets and drain accounts without ever needing to clone a physical card.
Once added to a wallet, stolen credentials can then be used to purchase goods in shops or online, often months after the original scam, to avoid detection.
Gift cards and supermarket vouchers are also common targets, allowing gangs to quickly launder stolen funds.
The recent explosion in digital fraud in near-cashless Sweden provides a cautionary tale of what can happen when mobile payment apps become the dominant form of payment at the point of sale. As we noted in an article last year, Sweden’s recent explosion in digital fraud needs to be set against the rash of bank robberies the country was suffering roughly a decade ago, which have apparently fallen to zero in the last couple of years:
However, as NC reader fjallstrom points out, while bank robberies by definition impact banks, the recent digital scams are mostly affecting bank customers. As such, an argument can be made that banks, having pushed for digital transactions for everything, no longer have to bear the risk of bank robberies while at the same time foisting responsibility for the new risks posed by digital crimes onto their customers — a new example of socialising the losses.
In its 2025 payments report, the Riksbank reiterated its warning that “serious fraud problems… could undermine trust in the payment system,” noting that the number of frauds reported to the Swedish Financial Supervisory Authority has continued to increase, totalling more than SEK 1 billion (€900 million) in the first half of 2024.
It’s a similar story in neighbouring Denmark where payment card and wire transfer fraud almost doubled between 2021 and 2023, according to research by the central bank. A more recent study, conducted by the Ministry of Justice, the National Police, and the Crime Prevention Council, found that nearly 6% of Danes fell victim to digital fraud in 2024, up from 4% in 2023.
Potential Impact of AI
The actual numbers involved are still relatively small, especially compared to the total volume of mobile payments processed, but it is the rate of increase that is worrying. From The Danish Dream:
Erik Christensen, the chair of the Crime Prevention Council, stated, “Fraudsters are becoming increasingly sophisticated, exploiting our trust, busyness, and willingness to help.” The emergence of new technologies, including AI, is expected to further exacerbate cybercrime in the coming years.
Cybercrime as a whole is forecast to cost $10.5 trillion annually by 2025, up from $3 trillion in 2015, according to Cybersecurity Ventures. As a report on the World Economic Forum’s website notes, “to put [that] in perspective, if annual cybercrime were a country, it would have the third-largest gross domestic product (GDP) worldwide.”
“Fraud, a common type of cybercrime, is poised for unprecedented acceleration thanks to the advent of generative AI (GenAI),” warns the report. Which is kind of ironic given that one of the most frequent arguments for replacing cash with digital money alternatives is to help reduce crime, rather than making it easier and a lot more lucrative.
Research last year by a team of cybersecurity experts at the University of Massachusetts, Amherst, suggests that even cancelling your bank card after it has been added by thieves to their own digital wallet may not work. The thieves can often keep using that card number even if you lock the card or cancel it completely.
This is because once the card is authenticated, the digital wallet isn’t actually transmitting the card number. It is transmitting a virtual number associated with that credit account. From Investopedia:
“Any transaction on a locked physical card will be blocked. But any transaction on an authenticated digital wallet is allowed,” says Taqi Raza, [one of the study’s authors]. “Because there are two identities: the physical card number, and the virtual card number…. There are so many digital wallets and so many banks, there are too many numbers to lock.”
So, even if you cancel the card and the bank issues you a new one, a thief with your card in their digital wallet can keep using it, Raza warns.
The virtual number in the thief’s digital wallet isn’t connected to the credit card number; it’s connected to the credit account. “Since it’s still attached to the same credit account, the virtual card still works,” says Raza.
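The behaviour Raza describes, as an added example (not code from the study, Investopedia or any issuer): a toy issuer model in which wallet tokens are bound to the credit account rather than to the card number. With `revoke_tokens_with_card=False` a locked or replaced card leaves the thief's token working; with `True` the issuer also suspends the account's tokens whenever the card is locked or reissued, which is the mitigation. Account names and card numbers are constructed.

```python
from itertools import count

class Issuer:
    """Toy issuer, constructed for this example (not any real bank's logic): a credit
    account carries one physical card number (PAN) plus wallet tokens bound to the account."""

    def __init__(self, revoke_tokens_with_card: bool):
        self.revoke_tokens_with_card = revoke_tokens_with_card  # False = the behaviour Raza describes
        self.creds = {}  # number -> {"account": id, "kind": "pan" | "token", "active": bool}
        self._seq = count(1)  # deterministic stand-in for number generation

    def _issue(self, account_id: str, kind: str) -> str:
        number = f"{'4' if kind == 'pan' else '9'}{next(self._seq):015d}"
        self.creds[number] = {"account": account_id, "kind": kind, "active": True}
        return number

    def open_account(self, account_id: str) -> str:
        return self._issue(account_id, "pan")

    def provision_token(self, pan: str) -> str:
        # Wallet setup: the virtual number is tied to the account behind the PAN, not to the PAN
        return self._issue(self.creds[pan]["account"], "token")

    def lock_card(self, pan: str) -> None:
        self.creds[pan]["active"] = False
        if self.revoke_tokens_with_card:  # the fix: a card lock also suspends the account's tokens
            for cred in self.creds.values():
                if cred["account"] == self.creds[pan]["account"] and cred["kind"] == "token":
                    cred["active"] = False

    def reissue_card(self, old_pan: str) -> str:
        # Cancel the old card and issue a new PAN on the same account
        self.lock_card(old_pan)
        return self._issue(self.creds[old_pan]["account"], "pan")

    def authorize(self, credential: str) -> bool:
        # A transaction may present either the PAN or a wallet token
        return self.creds.get(credential, {}).get("active", False)

def victim_timeline(revoke_tokens_with_card: bool) -> dict:
    # Stolen PAN lands in a thief's wallet; the victim then locks and replaces the card
    issuer = Issuer(revoke_tokens_with_card)
    pan = issuer.open_account("acct-1")
    thief_token = issuer.provision_token(pan)
    issuer.lock_card(pan)
    result = {"card_after_lock": issuer.authorize(pan), "token_after_lock": issuer.authorize(thief_token)}
    new_pan = issuer.reissue_card(pan)
    result.update(new_card=issuer.authorize(new_pan), token_after_reissue=issuer.authorize(thief_token))
    return result
```

Running `victim_timeline(False)` shows the thief's token still authorising after both the lock and the reissue; `victim_timeline(True)` shows it dead after either.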
Raza recommends that digital wallet users, rather than fully trusting in the technology, take basic precautions to lower their risk of falling prey to digital scammers. They include enabling notifications for transactions from your bank accounts or credit cards; contacting your bank immediately if you notice suspicious transactions or lose a debit or credit card; and using two-factor authentication whenever possible, for any kind of account.
As the problem of digital bank fraud grows, the issue of who pays for it will become increasingly heated. In the UK, it is normally the banks; in Sweden, as far as I’m aware, it’s usually the customer.
In Spain, the issue recently went all the way to the Supreme Court, which ruled that the responsibility for money lost via digital fraud ultimately rests with the bank unless it can prove that the customer acted with gross negligence, such as by leaving their PIN or password written down right next to their credit card.
However, even in countries where responsibility is currently borne by the banks, the costs will presumably end up being passed on to bank customers through higher fees and interest rates on mortgages and loans, and lower interest on savings. In other words, all of us will end up paying the price.
Spain’s Supreme Court also urged payment service operators to raise their game when it comes to systems security and controls to detect fraudulent operations. That includes developing tools to detect anomalous operations, such as particularly high volume transactions or transactions carried out in the wee small hours of the morning.
But are these merely teething problems that will be gradually ironed out through the creation of better security protocols? Will banks, tech firms and central banks use the open-air laboratories provided by less-cash countries like Brazil and Sweden to tweak and refine the security features of their digital wallets?
Or will today’s cyber-criminal masterminds continue to stay one step ahead of the digital curve as digital wallets gain increasing traction around the world — not just for payments, but also identity verification?
Because if there’s one thing we can all rest assured of, it is that the readymade solution to this recent explosion in digital bank fraud will be digital identity and biometric identification, which is exactly what governments and corporations are banking on.
Unsurprisingly, the article on the World Economic Forum’s website already makes this argument. In the case of the UK’s IT disaster-prone government, its “One Login” digital governance and identity system will probably create an even bigger bonanza for hackers and nation-state adversaries. Rinse and repeat.
Well, anyone using cash must be a mobster, tax-evader, drug-dealer, terrorist… or not one of the cool kids at the cool kids’ lunch table?
If governments are pushing for digital identities for all their citizens while banks and like organizations push for digital wallets, I can see both of them being linked by most people for “convenience”. So now I am wondering if cyber-crims get control of your digital wallet, that this will provide a back door entry into that government identity in a sort of daisy chain. What made me think of this was this tech writer who woke up one morning to find that he was locked out of his mobile. But then he discovered that he was entirely locked out of his whole digital life as all of them were linked together by him for ease of use. And when a hacker got into one account, they went through all his accounts and devices as they were daisy chained together. And this was a guy that wrote about tech stuff for a living.
You mean this one guy? Or perhaps that gal? I read other similar cases in the past (links I unfortunately did not keep), but they all seem to violate two cardinal rules of security for the sake of the ever-preeminent “convenience”:
1) Do not use the same authentication tokens to access different resources, i.e. ensure separation of concerns and compartmentalization of access.
2) Do not use single sign-on mechanisms that implicitly grant access to all resources as soon as authentication to any of them has been successful.
The first case would be like using the same key for your flat, your office, your car, your safe, your letterbox, your gym locker… Evidently a stupid thing to do.
The second case would be like having your flat, your office, your car, your safe, your letterbox automagically unlocked as soon as you have opened your gym locker. Obviously a stupid thing to do.
Notice that these two rules are orthogonal. In the first case, one has to unlock each resource individually, but one uses the same authentication mechanism (key). In the second one, each resource requires a different authentication mechanism (key), but once one is successfully accessed, the others are automatically unlocked too.
Those rules are typically part of best practices, recommendations, and standards in the area of security.
Hence, when I see a sentence such as:
“In the case of the UK’s IT disaster-prone government, its “One Login” digital governance and identity system will probably create an even bigger bonanza for hackers and nation-state adversaries.”
I shudder: this looks very much like a violation of those two rules (same authentication mechanism to access a wide range of resources; single sign-on). The digital future looks bright. Like a bonfire.
Thanks, vao. Different article but that sounds like the guy.