Smartphone owners warned about ‘shoulder-surfing’ as thief ‘exploits’ loophole to snatch £73k from victim


By Jack Walters

Published: 06/05/2023 - 16:00

Banks have been put under increasing pressure to improve security checks on mobile applications

Smartphone owners are being targeted for their passcodes by “shoulder surfing” criminals, a consumer rights company has warned.

Thieves watch Britons enter their passcodes, then snatch their mobile phones and transfer large sums of money out of their bank accounts.


Nick, 46, from Somerset, was the victim of “shoulder surfing” after he visited a busy London pub.

More than £70,000 was taken from his bank accounts, with £15,000 poached from his personal pot and £58,000 snatched from a business fund.


Nick, who raised the incident with Which?, suffered at the hands of “shoulder surfers” after leaving his mobile phone in his jacket on the back of a chair.

The fraudster was able to use Nick’s passcode or a similar combination to gain access to his Barclays app.

The criminal managed to transfer tens of thousands of pounds before resetting the password on a bulk business payment system without any additional security checks.

The bank did send out a fraud warning text message, but the thief was able to circumvent that security measure because he was in possession of the device.

Nick complained about the way Barclays responded to the incident.

He said: “Being the victim of a significant financial crime is very traumatic.

“However, the worst part of the experience for me was not so much the crime itself, but the disgraceful treatment I received from Barclays following the crime, despite having been a loyal customer for over 30 years.

“It soon became clear that they have zero interest in protecting their customers, they are concerned only to protect their shareholders and their reputation.


“At no time did I feel that the bank listened to me, and they only returned the money to my personal account when put under serious scrutiny by the reporter from Which?.

“They still maintain that they can see no evidence of fraud which is completely absurd given the weight of evidence shared, including from the police officer who I reported the crime to at the time.”

Thieves tend to befriend victims before changing their Apple ID password and locking the owner out of the account.

They can also turn off tracking apps and block other trusted devices.


Which? also trialled other banking apps to see how difficult it is to reset passwords.

It concluded that, to reset a password, Halifax and MBNA required only credit card details already stored in the app and a one-time password sent by text message to the same phone number.

Lloyds only required a four-digit code generated on the phone during an automated call.

Amex users can choose the “forgot password” option, enter their credit card details and receive a one-time passcode sent via text or email.
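As an added example (not Which?'s test nor any bank's code), a small threat-model check that encodes the reset flows described above as sets of required factors and asks whether a thief holding the unlocked phone can satisfy every one of them; the channel names, the attacker capability set and the hardened flow are assumptions.

```python
"""Threat-model check: does a password-reset flow survive a thief who holds the
unlocked phone? Added example, not code from Which? or any bank."""
from dataclasses import dataclass

# Channels a shoulder-surfing thief controls once they hold the phone and know
# its passcode (assumption): secrets stored in the app, card details visible in
# the app or wallet, and any OTP delivered to the phone's number or to mail
# accounts already signed in on it.
DEVICE_HOLDER = frozenset({"stored_in_app", "card_details", "sms_to_device",
                           "call_to_device", "email_on_device"})

@dataclass(frozen=True)
class Factor:
    name: str
    channel: str  # where the secret lives or where the code is delivered

@dataclass(frozen=True)
class ResetFlow:
    bank: str
    required: tuple  # every factor must be satisfied to reset the password

def uncompromised_factors(flow, attacker=DEVICE_HOLDER):
    """Required factors the attacker cannot satisfy; empty means the flow falls."""
    return [f.name for f in flow.required if f.channel not in attacker]

def resists_device_holder(flow, attacker=DEVICE_HOLDER):
    """The flow holds only if at least one factor lies outside the attacker's reach."""
    return bool(uncompromised_factors(flow, attacker))

def audit(flows, attacker=DEVICE_HOLDER):
    """Map bank name -> factors still protecting the account (empty list = falls)."""
    return {f.bank: uncompromised_factors(f, attacker) for f in flows}

# Flows as the article describes them (constructed, simplified data).
HALIFAX = ResetFlow("Halifax/MBNA", (Factor("card details", "stored_in_app"),
                                     Factor("SMS OTP", "sms_to_device")))
LLOYDS = ResetFlow("Lloyds", (Factor("automated-call code", "call_to_device"),))
AMEX = ResetFlow("Amex", (Factor("card details", "card_details"),
                          Factor("OTP by text or email", "sms_to_device")))
# Hypothetical hardened flow: approval from a second enrolled device, which the
# thief does not hold, is required in addition to the card details.
HARDENED = ResetFlow("hardened (hypothetical)",
                     (Factor("card details", "card_details"),
                      Factor("second-device approval", "other_trusted_device")))

if __name__ == "__main__":
    for bank, left in audit([HALIFAX, LLOYDS, AMEX, HARDENED]).items():
        print(f"{bank}: {'resists' if left else 'FALLS'} {left}")
```

The point of the model is that stacking more factors does not help if every one of them is reachable from the stolen device; only a factor the thief does not hold changes the outcome.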


Which? is hoping its study will encourage banks to stop relying on text messages when sending sensitive information and fraud warnings.

It also wants banks to explain how customers can protect themselves from criminals.

Which?'s money editor Jenny Ross said: “While the details of Nick’s case are shocking, unfortunately they are not uncommon as criminals seek to exploit any weakness they can in pursuit of our money.

“A lack of strong security protections in some banks’ mobile apps is a huge concern, and could leave many more consumers at risk of being defrauded.


“Banks also need to ensure they meet their legal obligations to reimburse customers for unauthorised transactions.”

A spokesperson for Barclays also said: “The Barclays app has multiple layers of security, continually undergoing rigorous forms of testing, to provide our customers with the highest level of protection.

“We have every sympathy with our customer, who has reported being a victim of a sophisticated and targeted mobile phone theft. Funds sent to a third-party account outside our customer’s control have been returned in full, as a gesture of goodwill.”

An Apple spokesman added: “We work tirelessly every day to protect our users’ accounts and data, and are always investigating additional protections against emerging threats like this one.”
