One time passcodes fuel rise in digital wallet fraud

Thursday 28 August 2025 4:20 pm

Share

• Facebook Share on Facebook

• X Share on Twitter

• LinkedIn Share on LinkedIn

• WhatsApp Share on WhatsApp

• Email Share on Email

Digital-first players Chase and Monzo confirmed they have never used them, while Starling has phased them out of Google Pay.

Warnings have emerged over the security of digital wallets, following a report by consumer group Which? found widespread use of easily compromised one-time passcodes (OTPs) by some banks, leaving customers increasingly open to fraud.

The investigation, which surveyed fifteen high-street and digital banks, found that the majority are still relying on SMS OTPs to verify when a card is added to a digital wallet, despite repeated warnings from cybersecurity experts about their weaknesses.

It was noted that criminal actors have been exploiting this system by luring victims into phishing scams, harvesting card details, and then tricking them into entering OTPs under the belief that they are completing a legitimate purchase.

In practice, the code allows fraudulent actors to load the victim’s card onto their personal phone and spend freely online or in-store.

From the fourteen providers that allow cards to be linked to Apple Pay, Google Wallet and other apps, only three do not depend on OTPs.

Digital-first players Chase and Monzo confirmed they have never used them, while Starling has phased them out of Google Pay.

However, household names like HSBC and Santander still issue OTPs via text messages, which leaves consumers reliant on a flawed system that fraudsters have become adept at exploiting.

Convenience over caution

The warnings come alongside new research from card reader provider takepayments, which revealed that UK shoppers continue to prioritise convenience over safety when it comes to how they pay.

A survey of 2,000 consumers found that mobile wallet usage has declined year-over-year, while cash payments have staged a comeback, rising 26 per cent since 2023.

More than half of shoppers still carry physical cash, which has now overtaken mobile wallets as the second most popular in-store payment method.

Among those who prefer mobile wallets, the primary driving force is speed, rather than security.

Nearly three-quarters cited convenience as their top reason for using them, and more than half pointed to faster transaction times.

Just one in five said they viewed mobile wallets as the safest way to pay online. That may prove troubling given the scale of fraud now linked to digital wallets.

Read more

Overreaching banks are locking millions out of the crypto market

Moreover, research earlier this year found seven in ten UK fintechs reported rising fraud volumes in 2024, with losses in some cases running into the millions.

Rona Warne, head of marketing UK&I at Global Payments, said businesses need to recognise the tension between speed and trust: “It’s clear that speed and convenience still win over security for many online shoppers. But just as important is giving your customers a choice.”

“Not everyone trusts or wants to use the same payment method every time. Small businesses can stay one step ahead by ensuring they accept cards, mobile wallets and services like PayPal, while keeping the checkout journey as simple as possible.”

An evolving threat

Fraud experts warn that the latest wave of scams marks a new level of sophistication.

By exploiting OTPs, criminals can hijack digital wallets and drain accounts without ever needing to clone a physical card.

Once added to a wallet, stolen credentials can then be used to purchase goods in shops or online, often months after the original scam, to avoid detection.

Gift cards and supermarket vouchers are also common targets, allowing gangs to quickly launder stolen funds.

John Clark, product manager at takepayments, noted that consumers are more alert to security than many firms assume: “All the IT outages in 2024 have only made people more aware of where they’re tapping, swiping or entering their card details.”

“Small businesses should highlight their use of secure gateways and display trusted symbols like Visa Secure and Mastercard SecureCode to build confidence at checkout,” he added.

Which? has urged banks to accelerate investment in stronger authentication methods, pointing to features already rolled out by some challengers, including instant app notifications, the ability to freeze wallet-linked cards, and the option of disposable virtual cards.

However, many incumbents continue to rely on OTPs, leaving what experts describe as “gaps in the net” for fraudsters to exploit.

As Sam Richardson of Which? Money said: “Further investment is needed to make the digital wallet set-up process fit for the threats consumers face in 2025.”

Read more

UK banks carry out sweeping branch closures as customers go digital

Similarly tagged content:

Sections

Categories

People & Organisations