Revolut weak point in banking system

masonic

There have been a few discussions recently about banks taking a hard line with transactions involving Revolut. I thought this article gave some good background as to why they might be taking such a stance.

https://www.bbc.co.uk/news/articles/c9wkzv1zk91o

Browntoa

And in each occasion it's people's stupidity falling for the oldest scam " this is your bank " call.

The article also fails to mention that many card suppliers use virtual and one use cards ( I have several) and make it look like it's unique to revolut 

km1500

when will people learn that your bank - and this includes Revolut - will never call you and ask you to transfer your money to a 'safe account'

TheBanker

Browntoa said:

And in each occasion it's people's stupidity falling for the oldest scam " this is your bank " call.

The article also fails to mention that many card suppliers use virtual and one use cards ( I have several) and make it look like it's unique to revolut 

In reality most people say they won't fall for such a scam. Until they do. Working in a bank, I have seen all kinds of people fall for scams including police officers, solicitors and fellow bank staff. It is easy to say 'I wouldn't fall for it' but when you're put under pressure and believe your life savings are at risk, it's different and in reality you don't know how you'll react until it happens to you. 

I do think people need to be responsible for their own actions, and personally I have concerns about the automatic refunds, but I wouldn't write people off as stupid because they fall for it.

flaneurs_lobster

The one "failing" I took from the article was the inability to contact someone urgently to shut down transfers or report fraud, and this lack of an emergency phone contact number does seem to be common among the fintech new banks. 

tacpot12

It's not just Revolut. Fraudsters are using quick loan companies like Loans2Go to take out loans within the hour and pay them to a Revolut account that they have got access to and then moved the money on leaving the victim with a loan to pay that they did not apply for! 

Weak security for the sake of convenience is a bad idea. 

friolento

masonic said:

There have been a few discussions recently about banks taking a hard line with transactions involving Revolut. I thought this article gave some good background as to why they might be taking such a stance.

https://www.bbc.co.uk/news/articles/c9wkzv1zk91o

"lack of accountability displayed by Revolut" - really?

There are some holes in Mr Kumar's story, aren't there? How did the fraudsters get access to his Revolut account (which is the account that got drained)?

masonic

friolento said:

masonic said:

There have been a few discussions recently about banks taking a hard line with transactions involving Revolut. I thought this article gave some good background as to why they might be taking such a stance.

https://www.bbc.co.uk/news/articles/c9wkzv1zk91o

"lack of accountability displayed by Revolut" - really?
There are some holes in Mr Kumar's story, aren't there? How did the fraudsters get access to his Revolut account (which is the account that got drained)?

You've got to expect that in a news article. We would obviously go into much more depth in a discussion here. But I'd hope any of my banks would flag this sort of activity as suspicious before £39k of spending was racked up on my debit card out of the blue. Had Dr Kumar come here, we could certainly have saved him the expense of getting lawyers involved in a FOS complaint.

What was more interesting to me, than the token case studies, was the statistic that "Revolut was also named in more reports of fraud than any other major UK bank, according to figures collected last year by Action Fraud". It certainly has far fewer customers than the major UK banks. So it explains why major UK banks have been reluctant to release payments to Revolut accounts that have been flagged by their systems. I'd say Barclays is potentially at risk of having to refund some of the money if subject to the complaint, even though the transfer from Barclays to Revolut just represented the movement of funds between two accounts held by the customer.

I don't think Revolut customers are any more gullible than the customers of any other bank, so if it is involved in so much more fraud, then it stands to reason that features within its offering are attracting scammers. Ultimately, this is creating problems for other Revolut customers, as these things tend to do.

eskbanker

It'll be revealing to see how the extension of the APP fraud reimbursement mechanism to all banks (including Revolut) will impact on their status as a popular venue for such scams - not only will Revolut now have to reimburse those who've been scammed into sending money from their Revolut accounts, but they'll also be expected to reimburse half the cost of frauds involving payments sent to Revolut accounts.

It seems inevitable to me that this increased financial exposure will be significant for challenger banks who've been outside the scope of the prior voluntary code, and that any with a reputation for facilitating scams via weak security controls would be likely to suffer more than others....

https://www.revolut.com/blog/post/new-regulatory-protections-for-app-scam-reimbursement/

Theleak250

The main problem was that revolute didn’t flag multiple high value payments, however it wasn’t clear as these are business accounts in at least two cases, if the customer normally makes such value payments. 

I think the only real flaw is that fraudsters were allegedly able to register a new device without the customer being present. But even then, I understand they obtained something from the customer in order to do this.

I think the only way to truly stop new device registrations which are fraudulent, would be to require a visit to branch and for them to confirm your ID in person, and secondly all payments to be held for three days before being released. That way they can be recalled. But we all
know these things would never happen because they would be highly inconvenient. Digital banks don’t have branches. I understand the new rules may hold back some payments. 

I’m afraid thus far I have little sympathy for these customers as they acted foolishly. As we move further down the path of digital banking, these things will only increase. I find it incredible a bank can claim to know its customers without ever actually meeting them, this goes for the big four as well. There has been a disconnect between the bank and customers. Although I guess back in the day fraud still occurred when it was all offline. 

masonic

Theleak250 said:

The main problem was that revolute didn’t flag multiple high value payments, however it wasn’t clear as these are business accounts in at least two cases, if the customer normally makes such value payments. 

I think the only real flaw is that fraudsters were allegedly able to register a new device without the customer being present. But even then, I understand they obtained something from the customer in order to do this.

I think the only way to truly stop new device registrations which are fraudulent, would be to require a visit to branch and for them to confirm your ID in person, and secondly all payments to be held for three days before being released. That way they can be recalled. But we all
know these things would never happen because they would be highly inconvenient. Digital banks don’t have branches. I understand the new rules may hold back some payments.

It is interesting that in the first case, the chosen method to get access to funds was via registering a new virtual debit card and then going on a spending spree on the high street. Debit card transactions are held for a few days before clearing, but presumably as the fraudsters made off with goods immediately, there seems to have been a decision that they could not be cancelled leaving the retailer out of pocket. I don't think these could have been cardholder not present transactions, because then there would have been delays due to order processing and shipping, and it would have posed a challenge to have the orders shipped to an alternative address. If you set the app up on a new device and create a new virtual debit card, should that debit card be available for use immediately? It's convenient, but hardly necessary. It used to take a week to get a replacement card in the past. Sometimes a phonecall to a human to activate it.

A few banks allow customers to set limits and restrictions on their account. These are quite limited in scope and perhaps can be changed rather too easily. It is one avenue that could be improved, both to protect the unwary and allow the more savvy to avoid some of the draconian measures preventing them from doing regular transfers that are normal for them, perhaps at the risk of reduced protection if things go wrong. I would be happy to nominate some safe payees or pre-authorise certain transaction patterns for a smoother ride when I come to move my money around.

Theleak250 said:

I’m afraid thus far I have little sympathy for these customers as they acted foolishly. As we move further down the path of digital banking, these things will only increase. I find it incredible a bank can claim to know its customers without ever actually meeting them, this goes for the big four as well. There has been a disconnect between the bank and customers. Although I guess back in the day fraud still occurred when it was all offline.

I believe HSBC experimented with video calling at one time. For those who cannot physically attend a branch, something like this within the secure environment of the app could be a good compromise. Though it would require a lot of investment to do right. Perhaps with the financial burden of APP refunds, this will be re-explored.

Banks have always been in the business of balancing security and convenience. Where losses are in acceptable margins, they will prioritise convenience. The trouble is that if losses are not borne by them, then they will not be motivated to act to improve their security. That is part of the underlying motivation of the new rules around refunds.