Do you have Apple Pay or Google Wallet? How YOU’RE at risk from fraud

SHOPPERS who use Apple Pay or Google Pay may be at higher risk of fraud, consumer group Which? has warned.

It said the use of one-time passcodes by banks could be making people with digital wallets an easy target for scammers.

Photo illustration of the Apple Pay logo on a smartphone screen. Credit: Getty

A survey by the consumer champions found that the majority of banks are still using these security features, putting consumers at risk.

Unlike contactless cards, there is no £100 spending cap on cards added to Apple and Google Pay, so fraudsters can quickly drain a victim’s account once they gain access to it.

Scammers normally trick people into divulging their card details by setting up a fake transaction, Which? said.

People will think they’re paying for a bargain product advertised online, or they might fall victim to a phishing message.

A common example is parcel delivery scams, where you’re asked to pay a nominal amount for re-delivery.

Scammers monitor the transaction in real time, inputting the victim’s card details into a digital wallet on their own phone.

Many banks will then ask for a one-time passcode (OTP) to verify the cardholder, which the scammer asks the victim to hand over to complete the “transaction”.

The fraudsters are then able to drain the victim’s bank account.

Which? surveyed 15 banks and card providers about their digital wallet setup process between April and May this year, and found the majority still use OTPs sent through text message as one of the options for adding cards to a digital wallet.

Of the 14 providers that allow cards to be added to wallets (Capital One is the exception), just two banks confirmed they do not use OTPs, while a third appeared not to when Which? researchers tested the process.

Barclays, Co-op, HSBC (with its sister banks First Direct and M&S Bank), Santander and Virgin Money said they currently use SMS OTPs, though they are not the only verification option.

Starling said it still uses OTPs for setting up Apple Pay alongside other options, but it removed them from Google Pay in 2022.

TSB said it is working to set up in-app verification, but is using OTPs in the meantime.

American Express, Lloyds Banking Group and NewDay (which operates the John Lewis Partnership Credit Card) did not outline which verification methods they use.

When Which? tested the set-up processes for cards, Amex did use SMS and email OTPs, while Halifax did not and instead offered several “more robust methods” including in-app approval.

Chase and Monzo said they have never used OTPs for setting up digital wallets.

It comes after Cifas, UK Finance and the Cyber Defence Alliance previously warned about the link between OTP use and digital wallet fraud.

Providers can also limit how many wallets a card can be added to overall, or within a certain time period, but most banks do not implement these restrictions.

Virgin Money allows an individual card to be added to a maximum of five devices.

Starling has a total limit of 15 devices, while Monzo customers can only add their Monzo cards to a digital wallet twice in a 24-hour period and three times every 30 days.

However, Which? said that even with these limits in place, consumers can still fall victim to scammers as they only need to add one card to a digital wallet to start spending.
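
The limits described above can be written as a provisioning check. The Python below is an added example, not code from Which? or any bank; the class and field names are hypothetical, and combining Monzo's time windows with Virgin Money's five-device cap in one policy is an assumption made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta


class WalletProvisioningLimiter:
    """Hypothetical issuer-side check run before a card is added to a wallet."""

    def __init__(self, windows, max_devices):
        self.windows = windows            # [(timedelta, max additions in that span)]
        self.max_devices = max_devices    # lifetime cap on distinct devices per card
        self.history = defaultdict(list)  # card_id -> [(timestamp, device_id)]

    def request(self, card_id, device_id, now):
        events = self.history[card_id]
        devices = {dev for _, dev in events}
        if device_id not in devices and len(devices) >= self.max_devices:
            return False, "device cap reached"
        for span, limit in self.windows:
            recent = sum(1 for ts, _ in events if now - ts < span)
            if recent >= limit:
                return False, f"{limit} additions already made in {span.days} day(s)"
        events.append((now, device_id))
        return True, "allowed"


def demo():
    # Assumed policy: the article's Monzo windows plus Virgin Money's device cap.
    limiter = WalletProvisioningLimiter(
        windows=[(timedelta(hours=24), 2), (timedelta(days=30), 3)],
        max_devices=5,
    )
    start = datetime(2025, 6, 1, 9, 0)  # constructed sample data
    attempts = [
        ("phone-A", start),                          # first addition always passes
        ("phone-B", start + timedelta(minutes=5)),
        ("phone-C", start + timedelta(minutes=10)),  # third within 24 hours
        ("phone-C", start + timedelta(days=2)),      # third within 30 days
        ("phone-D", start + timedelta(days=10)),     # fourth within 30 days
    ]
    return [limiter.request("card-0001", dev, ts) for dev, ts in attempts]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The first request is always approved, which is the point Which? makes: a velocity limit caps repeat additions but does nothing about the single OTP-verified addition the scam relies on.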

Which? Money deputy editor Sam Richardson said: “For millions of us, digital wallets are a quick, easy and secure way to make payments, but weaknesses in card providers’ security mean they can also be a gift to scammers.

“Banks have known for years that using one time passcodes (OTPs) to verify account holders is leaving consumers vulnerable.

“It’s clear further investment is needed to make the digital wallet set-up process fit for the threats consumers face in 2025.

“In the meantime, we’d caution shoppers to always think twice before sharing their payment details – or OTPs – online.

“If you think you’ve been a victim of a scam, contact Action Fraud and your bank immediately.”

Apple told Which? it is not responsible for approving or rejecting the addition of a card to Apple Pay, or for approving or rejecting transactions.

It said that it takes users’ security seriously and Apple Pay has been designed in a way to protect users’ personal information. 

A Google spokesperson said: “Security is core to the Google Wallet experience and we work closely with card issuers to prevent fraud.

“For example, banks notify customers when their card has been added to a new digital wallet, and we provide signals to help issuers detect fraudulent behaviour so they can decide whether to approve added cards.” 

An American Express spokesperson said: “Privacy and security are a priority for American Express.

“We have controls designed to protect customer accounts and guard against unauthorised fraudulent activity, and if we identify activity that may be fraud, we will take protective actions.” 

Barclays said that the verification method used for adding a card to a digital wallet will depend on the user journey. It said it does not currently have plans to phase out use of OTPs.

Co-Op Bank said it monitors for fraudulent registrations through its fraud detection systems and has multiple strategies in place to detect digital wallet fraud. It does not currently have plans to phase out use of OTPs.

HSBC said it has no immediate plans to phase out OTP delivery for adding cards to digital wallets; however, it keeps its digital wallet provisioning process under review.

Lloyds said it has invested millions of pounds in multi-layered fraud defences, and continues to regularly review its authentication methods.

Nationwide said that it has multiple layers of protection in place to keep its customers safe from fraud including warning messaging, AI models and sophisticated internal analytics. It is currently exploring alternatives to OTPs.

NatWest said it regularly reviews its customer experience and authentication to ensure security, and said it is reviewing how it uses OTPs.

NewDay declined to comment.

Santander said it is looking at other forms of authentication, and other security measures, which may be less visible to a user than the mechanism used for two-factor authentication.

Starling said it currently only uses OTPs for Apple Pay, and removed this option from Android phones in 2022.

TSB told Which? that it is working closely with card and wallet providers to implement approval via the TSB Mobile App. In the interim, OTP verification is accompanied by the necessary risk verification, alongside fraud controls to keep customer details safe.

Virgin Money said its fraud team has heightened monitoring and controls around digital wallet fraud. It also said that it is looking at in-app verification as an option but has no current plans to phase out use of OTPs.
